Note: This article belongs to the Bonus Content section of our Application Security series.
Let’s be honest — app security is full of acronyms and jargon.
From JWTs and PKCE to SAML, scopes, and statelessness — it’s easy to feel like you’ve accidentally opened a cryptography PhD textbook.
This glossary cuts through the noise. Whether you’re a developer, architect, QA, or just curious — here’s a quick guide to the most essential identity and security terms we keep bumping into throughout this series.
Use it as a cheat sheet, a reference, or just something to finally settle those Slack debates. 😉

🧩 The Glossary
Term | Definition | Analogy | Example |
---|---|---|---|
Access Token | Credential a client presents to a resource server to reach protected resources; usually a bearer token, so whoever holds it can use it, which is why it is kept short-lived. | Like a hall pass: it gets you in where and when allowed, and anyone carrying it gets the same access. | Authorization: Bearer eyJhbGciOi... |
ID Token | Signed JWT issued by an OIDC provider that tells the client who the user is and how they authenticated; meant for the client, not for calling APIs. | Like a digital driver’s license: it proves who you are. | Payload: "sub":"1234567890","email":"[email protected]" |
JWT (JSON Web Token) | Self-contained token whose base64url-encoded claims are signed (or, less often, encrypted); anyone can read a signed JWT, but only the key holder can produce a valid signature. | Like a signed postcard: anyone can read it, but the signature shows whether it was altered. | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... (this header decodes to {"alg":"HS256","typ":"JWT"}) |
Opaque Token | Token with no readable content; validated via introspection endpoint. | Like an unmarked keycard—you must scan it to see if it works. | POST /introspect with token=abcdef |
PKCE | OAuth extension that binds an authorization code to the client that requested it; designed for public clients (SPAs, mobile apps) that cannot keep a secret, and now recommended for every client. | Like a secret handshake during the code exchange. | Send code_challenge=BASE64URL(SHA256(code_verifier)) to /authorize, then the code_verifier to /token |
Implicit Flow (Deprecated) | OAuth flow that returns tokens directly in the redirect URI fragment with no code exchange; tokens land in browser history and are readable by any script on the page, and there is no PKCE or client authentication. | Like sneaking in without ticket validation. | https://app/callback#access_token=... |
Authorization Code Flow | OAuth flow in which the browser receives only a short-lived, single-use code, which the client exchanges for tokens in a back-channel POST to the token endpoint; pair it with PKCE. | Like redeeming a voucher for a ticket. | grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA |
Refresh Token | Long-lived credential used to obtain new access tokens without re-login; store it server-side or in an HttpOnly cookie, never in localStorage, and rotate it on use. | Like a backstage pass: reusable for re-entry, so guard it carefully. | POST /token with grant_type=refresh_token |
HttpOnly Cookie | Cookie flag that hides the value from document.cookie, so an XSS payload cannot read the token; note that injected script can still make requests the browser attaches the cookie to. | Like a locked mailbox: the browser delivers to it, but scripts on the page cannot open it. | Set-Cookie: refresh=abc; HttpOnly; Secure |
Client-Side | Code that runs in the browser (React, Angular); considered untrusted. | Like store display—visible to everyone. | UI logic in a React component |
Server-Side | Code that runs on the backend (Node, Django) under your control; the trusted side, and the only place to verify tokens and enforce authorization. | Like a vault room: only you have the key. | Token verification in an Express middleware |
Stateless Authentication | No session state on the server; each request carries its own self-contained token, so any instance can verify it, but revocation before expiry is hard, which is why access tokens stay short-lived. | Like a digital ticket: you carry proof every time. | Sending a JWT in the Authorization header |
Stateful Authentication | Server stores the session (for example in Redis) and the cookie carries only an opaque session ID; sessions can be revoked instantly, at the cost of shared session storage. | Like a membership card checked against a ledger. | Session ID stored in Redis |
XSS (Cross-Site Scripting) | Injection of attacker-controlled script into a page other users trust; the script runs with that page’s origin, so it can read the DOM, call APIs as the user and steal anything JavaScript can reach. | Like graffiti scrawled on a public wall. | <script>alert('XSS')</script> |
CSRF (Cross-Site Request Forgery) | Tricking a logged-in user’s browser into sending a state-changing request the user never intended, relying on the browser attaching cookies automatically. | Like tricking someone into signing a cheque they did not read. | Malicious hidden form auto-submitted on page load |
SSO (Single Sign-On) | One set of credentials grants access to multiple apps. | Like a master key for all doors. | Logging in via Google to multiple SaaS apps |
SAML | XML-based protocol for exchanging auth assertions between IdP and SP. | Like a diplomatic envoy carrying a sealed letter. | <saml:Assertion>...</saml:Assertion> |
OIDC (OpenID Connect) | Identity layer on top of OAuth 2.0; issues ID tokens for authentication. | Like checking passport after visa approval. | id_token=eyJ... returned alongside access token |
Scopes | Space-separated strings naming the permissions an app requests; the authorization server may grant fewer than asked, and openid is the scope that turns an OAuth request into an OIDC one. | Like choosing “read-only” vs “full-access” to a file. | scope=openid profile email |
Audience (aud) | Intended recipient of the token; used to validate usage. | Like addressing a letter to the right department. | "aud":"https://api.example.com" |
Issuer (iss) | Entity that issued the token; used to verify origin. | Like the official stamp on a document. | "iss":"https://auth.example.com" |
BFF (Backend for Frontend) | Pattern: a dedicated backend tailored to one frontend that performs the OAuth exchange, keeps the tokens on the server and talks to the browser over a session cookie, so tokens never reach JavaScript. | Like a personal assistant who handles tasks for you. | A Node service that proxies React app requests |
Authorization Server | Service that authenticates users, obtains consent and issues tokens. | Like a ticket booth handing out validated tickets. | /oauth/authorize and /oauth/token endpoints |
Resource Server | Hosts protected APIs; validates access tokens before serving data. | Like a concert hall checking tickets at the door. | /api/users guarded by JWT middleware |
Token Rotation | Issuing a new token on every use and invalidating the old one; if an already-used refresh token shows up again, treat it as stolen and revoke the whole family. | Like changing the locks after every tenant moves out. | Rotate the refresh token on each exchange |
JWKS | JSON Web Key Set: endpoint exposing the issuer’s public keys, looked up by the kid header of a JWT; cache the set and refetch on an unknown kid. | Like a public key directory at city hall. | GET /.well-known/jwks.json |
Audience Restriction | Ensures token is valid only for its intended audience. | Like an invite stamped “Not to be used elsewhere.” | Middleware checking token.aud |
Nonce | Client-generated random value sent in the OIDC request and echoed back inside the ID token; the client checks that it matches the one it stored, tying the token to its own session and defeating replay. | Like a one-time password embedded in a letter. | "nonce":"abc123xyz" in the OIDC request and in the ID token |
Introspection Endpoint | OAuth endpoint to validate and fetch metadata of opaque tokens. | Like scanning an ID badge to confirm validity. | POST /oauth/introspect with token=opaque123 |
SameSite Cookie | Cookie attribute that limits when the browser sends the cookie on cross-site requests, mitigating CSRF; Lax (the modern default) still allows top-level navigations, Strict blocks those too. | Like a club policy banning off-list entries. | Set-Cookie: session=xyz; SameSite=Strict |
Security Headers | HTTP headers enforcing security policies (CSP, X-Frame-Options, etc.). | Like security signage and locks in a building. | Content-Security-Policy: default-src 'self' |
Claims | Key-value pairs in a token conveying user or session info. | Like ingredients listed on a package. | "role":"admin","email":"[email protected]" |
Token Expiry | The exp claim: seconds since the Unix epoch after which the token is invalid; verifiers reject it past this time, usually with a small allowance for clock skew. | Like a parking meter that runs out. | "exp":1715629413 |
Wrapping Up
Security doesn’t need to be overwhelming — especially when you have the right words in your toolbox.
Bookmark this glossary, share it with your team, or drop it into onboarding docs. The more fluent you are in this language, the safer (and more confident) your applications will be.
Have a Question?
Still confused about something we didn’t cover? Leave a comment — we’re happy to help!