The glossary contains terms that are commonly used throughout this documentation.
This represents and enables authorized access to data provided by an OAuth 2.0-based
Must be kept confidential.
When an Access Token becomes invalid or expires, a new Access Token can be obtained via a
This acronym refers to an application programming interface.
Confidential Clients are OAuth clients that can keep their API credentials secret (e.g. secure servers).
A bank or credit union.
This represents authenticated identity information about a user in an OpenID Connect-based
The OAuth 2.0 industry standard allows users to delegate scoped access to third parties who wish to act on the user's behalf.
OpenID Connect (OIDC)
The OpenID Connect (OIDC) industry standard is an identity layer built on top of OAuth 2.0 that provides authenticated information about the user to third-party apps.
PKCE (Proof Key for Code Exchange)
PKCE (pronounced 'pixie') is an extension that provides additional security for the OAuth 2.0 authorization code flow.
Public Clients are OAuth clients that are incapable of keeping their API credentials secret (e.g. mobile apps or single-page applications (SPAs)).
A Refresh Token is a credential used to obtain a new Access Token per the RFC.