Glossary¶
Short definitions for SigID product, OAuth, identity, tenant, agent, wallet, and webhook terms. Values shown in backticks use the API, token, or serialized spelling.
| Term | Meaning |
|---|---|
| AAL | Authentication Assurance Level. SigID uses assurance levels such as AAL1, AAL2, and AAL3 to describe how strongly a user authenticated. |
| ACR | Authentication Context Class Reference. OIDC clients can request ACR values when they need a minimum authentication assurance level. |
| Access token | Token presented to APIs as proof that the caller has authenticated and has been granted specific scopes or authorization context. |
| Active organization | Organization context selected for the current user session. Tokens may include an org claim when an organization is active. |
| Actor claim | The OAuth token exchange act claim that records the actor, often an agent, acting for the token subject. Nested actor claims represent a delegation chain. |
| Agent | Software principal with its own SigID identity, lifecycle, keys, anchors, and optional capabilities. Agents are distinct from human users. |
| Agent key | Cryptographic key registered to an agent for challenge-response authentication, signing, or key rotation. |
| Agent status | Agent lifecycle state such as pending, active, suspended, deleted, or revoked. |
| AMR | Authentication Methods References. Token claim describing methods used during authentication, such as password, MFA, OTP, federation, or proof-of-possession. |
| API key | User-owned credential for calling SigID APIs where API key authentication is enabled. The self-service API key flow returns the raw key only once at creation. |
| Application | OAuth client configuration inside a tenant. Applications define client IDs, redirect URIs, token endpoint auth method, scopes, origins, and related OAuth settings. |
| Audience | Token recipient that an API must validate before accepting a token. The aud claim should match the protected resource. |
| Audit log | Record of security-relevant, administrative, or operational activity used for investigation, compliance, and support. |
| Authorization Code with PKCE | OAuth flow for browser, mobile, desktop, and native app login without exposing client secrets to public clients. |
| Authorization snapshot version | Token version claim that records authorization state at mint time, such as tenant, subject, organization, or actor authorization version when present. |
| Break-glass administrator | Emergency administrator account or recovery path kept outside normal enforcement failure modes. |
| Chain family | Blockchain address and signing family for wallets. SigID wallet code supports evm and solana families. |
| Chain ID | Wallet network identifier that includes the chain family, such as evm:1 or solana:mainnet-beta. |
| CIBA | OpenID Connect Client-Initiated Backchannel Authentication for clients that cannot redirect the user through a browser. |
| Claims parameter | OIDC request parameter used to ask for specific ID token or UserInfo claims. |
| Client credentials | OAuth flow for service clients acting as themselves rather than on behalf of a human user. |
| Client secret | Secret value used by confidential clients at the token endpoint. It must stay on the server side. |
| Confidential client | OAuth client that can keep credentials secret, such as a backend web application or server-side service. |
| cnf claim | Confirmation claim used for sender-constrained tokens, including DPoP-bound tokens with a public key thumbprint. |
| Consent | User approval for an application to receive scopes, profile claims, connected-app access, or delegated authority. |
| Consent grant | Stored authorization showing that a user approved an application or delegated access until it expires or is revoked. |
| Connected app | Application with an active consent grant or connection to the user's SigID account. |
| Delegation | Scoped authority granted from one subject to another, often from a human to an agent. Delegation can be narrowed by scopes, expiry, policy, rate limits, and wallet spend controls. |
| Delegation chain | Multi-level delegation path represented by parent delegation records and nested act claims in delegated tokens. |
| Device Authorization | OAuth flow for CLIs, televisions, and input-constrained devices where the user approves a device code on another screen. |
| DPoP | Demonstrating Proof of Possession. OAuth mechanism that binds a token to client-held key material. |
| Dynamic Client Registration | OAuth/OIDC mechanism for creating clients through a registration endpoint when the deployment enables it. |
| Enterprise SSO | Organization-managed sign-in through an external OIDC identity provider, routed by verified domains or organization policy. |
| Event type | Dotted event name such as auth.login.success or tenant_user.suspended. |
| Global account | User-owned SigID account reused across tenant applications. Tenant applications should still store tenant-local subjects for app identity. |
| Hosted auth | SigID-hosted authentication and consent surface where applications redirect users for login, MFA, SSO routing, consent, and OAuth authorization. |
| ID token | OIDC token containing claims about the authenticated user for the client. APIs should generally authorize with access tokens, not ID tokens. |
| Identity anchor | Agent identity proof or registration method, such as erc8004, did_web, did_key, or client_credentials. |
| Identity portal | User-facing surface for account security, authenticators, sessions, app permissions, linked sign-in providers, delegations, and related user settings. |
| Identity session | Global SigID session used by first-party identity surfaces. OAuth application sessions are separate application-owned sessions. |
| Idempotency key | Client-provided retry key, sent as idempotency-key, that lets supported write endpoints avoid duplicate side effects. |
| Introspection | OAuth endpoint for trusted backends to check whether a token is active and inspect returned token metadata. |
| JTI | JWT ID claim used to identify a specific token for tracking, replay defense, and revocation-related workflows. |
| JWKS | JSON Web Key Set used by applications and APIs to validate JWT signatures. |
| Known device | Device record recognized by SigID from prior sign-in activity. Known devices help users review and manage account access. |
| MCP | Model Context Protocol, used by agents and MCP servers to expose tools and resources to AI clients. |
| MFA policy | Tenant policy that controls when multi-factor authentication is required: optional, required for all users, or required for admins only. |
| OAuth Protected Resource Metadata | Discovery metadata that helps OAuth-aware clients understand a protected resource's issuer and authorization requirements. |
| OpenAPI | Machine-readable API description exposed by deployments for generated clients, documentation, and integration tooling. |
| Organization | Shared business account, workspace, department, or customer unit inside a tenant. |
| Organization member | User membership inside an organization, with organization-specific role and access context. |
| Pairwise subject | Tenant- or sector-scoped OIDC sub value used for eligible third-party user or agent tokens. First-party, system, and some client-credentials tokens may use non-pairwise subjects. |
| Passkey | Phishing-resistant WebAuthn credential used for primary sign-in. |
| Security key | Device-bound hardware WebAuthn credential used as a second factor. |
| Policy | Conditional authorization rule applied after authentication and scope checks. |
| Principal | Authenticated subject plus tenant-scoped authorization context, including scopes, roles, tenant, session, organization, and delegation data when present. |
| Problem Details | RFC 7807 style API error response shape used by SigID API errors, alongside OAuth-compatible error fields where applicable. |
| Provisioning source | Source that created or linked a tenant user, such as manual, invite, scim, sso, domain_auto_join, or self_service. |
| Public client | OAuth client that cannot safely keep a client secret, such as a browser-only, mobile, desktop, or CLI app. Public clients should use PKCE. |
| Pushed Authorization Request | OAuth request pattern where authorization parameters are posted to the server before browser redirect. |
| Refresh token | Credential used to obtain new access tokens without another interactive login, when the flow and policy allow it. |
| Refresh-token family | Group of related refresh tokens created through rotation. Family-level revocation can invalidate access tokens minted by that family when token claims include the family ID. |
| Revocation | OAuth endpoint or action used to revoke refresh tokens, token families, or other credentials. |
| Rich Authorization Request | OAuth request parameter for structured, fine-grained authorization details. |
| Role | Named tenant or organization authorization bundle used by policies and management APIs. |
| Scope | Permission string requested by an application, API, or agent and carried in tokens when granted. |
| SCIM | Directory provisioning protocol for creating, updating, suspending, and removing users from an external identity system. |
| SIWE | Sign-In with Ethereum wallet authentication. |
| SigID Passport | User-facing name for the global SigID account that can activate access across tenant applications. |
| Signing backend | Where wallet signing keys are held and used. SigID wallet backends include software, hsm, and tss. |
| SSO policy | Policy controlling whether sessions are tenant-wide or app-scoped, with app-level overrides able to override tenant defaults. |
| SSO provider | Enterprise identity provider used by an organization for login. |
| Subject | Actor in authorization. SigID subject types are human, agent, system, and anonymous. |
| Subject type | Classification attached to a subject or token so APIs can distinguish human users, agents, system principals, and anonymous subjects. |
| Tenant | Isolation and administration boundary that owns applications, users, organizations, policies, agents, webhooks, billing, and audit context. |
| Tenant-local subject | Stable subject identifier within one tenant. It may be pairwise in eligible third-party contexts; use the validated sub claim together with tenant context as an application user key. |
| Tenant user | Membership record connecting a global account or invited email to a tenant. It is not the same as the global SigID account. |
| Tenant user status | Tenant membership state such as pending, active, suspended, or removed. |
| Token endpoint auth method | Method an OAuth client uses at /oauth/token, such as none, client_secret_post, client_secret_basic, or configured private_key_jwt. |
| Token exchange | OAuth flow used to mint a reduced delegated token from a subject token and, when required, an actor token. |
| Trusted device | Device trusted for a bounded period so policy may skip repeated MFA prompts. Trust can expire, be cleared, or be revoked. |
| UserInfo | OIDC endpoint that returns user claims based on the access token and granted scopes. |
| Vault | Credential store for third-party service secrets, tokens, and tool access. |
| Vault grant | Authorization that allows a subject to access a specific stored credential without exposing broader vault contents. |
| Verification flags | Additive agent verification proofs such as key ownership, proof-of-work, ERC-8004 verification, DID verification, reputation threshold, and owner verification. |
| Verified domain | Organization domain that has passed ownership verification and can be used for SSO routing or domain-based membership behavior. |
| Wallet | Managed or referenced account used for signing blockchain transactions under SigID authorization controls. |
| Wallet budget | Per-transaction, daily, monthly, and allowlist limits applied to managed wallet signing operations. |
| Wallet model | Wallet custody and execution model. SigID wallet models include delegated_eoa, self_custody, and smart_account. |
| Webhook delivery | Signed HTTP event sent to a tenant receiver, with delivery state tracked for retries and troubleshooting. |
| Webhook signing secret | Secret used by a receiver to verify that webhook deliveries came from SigID. |
| Webhook subscription | Tenant configuration that selects an endpoint and subscribed event types. |