| Term | Definition |
| --- | --- |
| Active organization | Organization context selected for the current user session |
| Agent | A software principal with a stable SigID identity and one or more identity anchors |
| Anchor | External proof method for an agent, such as ERC-8004, did:web, did:key, or client credentials |
| Application | OAuth client configuration inside a tenant |
| ACR values | OIDC authentication context values requested by a client to require a minimum assurance level |
| Audience | Token recipient an API must validate before accepting the token |
| Authorization Code with PKCE | OAuth flow for browser and native login without exposing client secrets |
| Break-glass administrator | Emergency administrator account or path kept outside normal enforcement failure modes |
| CIBA | OpenID Connect Client-Initiated Backchannel Authentication for clients that cannot redirect the user |
| Claims parameter | OIDC request parameter used to ask for specific ID token or UserInfo claims |
| Client credentials | OAuth flow for service clients acting as themselves |
| Consent | User approval for an application to receive scopes, profile claims, or delegated access |
| Delegation | Reduced authority granted to an agent or service to act for another principal |
| Device Authorization | OAuth flow for CLIs and input-constrained devices |
| DPoP | Demonstrating Proof of Possession, used to bind tokens to key material |
| Dynamic Client Registration | OAuth/OIDC mechanism for creating clients through a registration endpoint |
| Event type | Dotted event name such as auth.login.success or tenant_user.suspended |
| Global account | User-owned SigID account reused across tenant applications |
| Identity portal | User-facing surface for profile, authenticators, sessions, and connected applications |
| Identity session | Global SigID session used by first-party identity surfaces |
| Introspection | OAuth endpoint for checking token status from a trusted backend |
| JWKS | JSON Web Key Set used to validate token signatures |
| MCP | Model Context Protocol, used by agents to call external tools and resources |
| Organization | Shared business account, workspace, department, or customer unit inside a tenant |
| Pairwise subject | Tenant-local OIDC subject that prevents cross-tenant user correlation |
| Passkey | Phishing-resistant WebAuthn credential |
| Policy | Conditional authorization rule applied after authentication and scope checks |
| Pushed Authorization Request | OAuth request pattern where authorization parameters are posted to the server before browser redirect |
| Rich Authorization Request | OAuth request parameter for structured, fine-grained authorization details |
| Refresh token | Credential used to obtain new access tokens without another login prompt |
| Scope | Permission string requested by an application, API, or agent |
| SCIM | Directory provisioning protocol for creating, updating, suspending, and removing users |
| SIWE | Sign-In with Ethereum wallet authentication |
| SigID Passport | Global user identity reused across tenant applications |
| SSO provider | Enterprise identity provider used by an organization for login |
| Tenant | Application or organization boundary that owns clients, users, policies, agents, and billing |
| Tenant-local subject | Stable user identifier within one tenant |
| Tenant user | Membership record connecting a global account or invited email to a tenant |
| Token exchange | OAuth flow used to mint a reduced delegated token |
| Vault | Encrypted credential store for third-party service tokens and tool access |
| Webhook delivery | Signed HTTP event sent to a tenant receiver |
| Webhook subscription | Tenant configuration that selects an endpoint and event types |
| Wallet budget | Limits applied to managed wallet signing operations |