Skip to Content
ReferenceGlossary

Glossary

Quick definitions for the terms the docs use most.

TermMeaning
Access tokenRS256 JWT issued by Synq. Audience = brand slug. What your backends verify on every request. ~1 hour lifetime.
AppAn OIDC client. A web app, backend, mobile app, agent, or CLI. Has a client_id and (for confidential clients) a client_secret.
audAudience claim on a token. On access tokens, the brand slug. On ID tokens, your client_id.
Audit log entryAppend-only record of a meaningful action. actor, action, resource, metadata, timestamp.
azpAuthorized party claim on access tokens. The client_id that obtained the token.
Backend sessionYour app’s own session (cookie, JWE, etc.) holding the user id and tokens. Separate from Synq’s own session cookie.
BrandA trust surface inside an org. Owns theming, BYO OAuth credentials, scope vocabulary, and one or more Apps. The thing the end user sees on the consent screen.
client_idPublic identifier for an App. Sent on every OAuth request. Not secret.
client_secretConfidential identifier for an App. Held only by the App’s backend.
Confidential clientAn App with a client_secret. Web apps, backends, m2m.
ConnectionA BrandConnection row: per-brand BYO OAuth credentials for one provider, encrypted at rest.
Consent grantA record that user U granted scopes S to app A. Stored once, reused on subsequent sign-ins for the same (U, A, S).
Device codeRFC 8628 opaque token used by a CLI / agent to poll /oauth2/token.
Device flowOAuth grant for clients that can’t open a browser. Pair: device_code (opaque) + user_code (human-readable).
expExpiry claim on a token. Unix seconds.
iatIssued-at claim on a token. Unix seconds.
ID tokenRS256 JWT issued alongside the access token (when openid scope is requested). Audience = your client_id. Carries the user’s profile claims.
Internal appA first-party Aerosol product that consumes Synq tokens. Not user-facing terminology.
issIssuer claim. Always https://synq.id for Synq.
JWKSJSON Web Key Set at /.well-known/jwks.json. Public keys used to verify access and ID tokens.
kidKey ID. Header claim on a JWT identifying which JWKS key signed it.
m2mMachine-to-machine. The client_credentials grant. No user, no consent, no refresh token.
nonceA random value sent in /oauth2/authorize and echoed in the ID token. Verify on receipt to prevent replay.
oauthCallbackIdA globally unique, immutable identifier on a brand. Appears in per-brand OAuth callback URLs so Synq can route incoming callbacks back to the right brand.
OIDCOpenID Connect. The identity layer on top of OAuth 2.0.
OIDC clientThe OIDC name for what Synq calls an App.
Organization (org)A developer entity. Holds billing, members, roles, API keys, webhooks, audit log, token gates.
PKCEProof Key for Code Exchange. Required for public clients. Synq enforces S256.
promptOIDC parameter on /oauth2/authorize. none, login, consent, select_account.
ProviderAn external auth source: Google, Apple, Microsoft, Discord, Facebook, X, Telegram, Matrica, Solana wallet.
Public clientAn App that can’t hold a client_secret. SPAs, mobile, CLIs. Protected by PKCE.
Refresh tokenOpaque, single-use. Exchanged at /oauth2/token for a new access + refresh token pair. ~30 days sliding.
ScopeA capability an app may request. OIDC standard ones (openid, profile, email, offline_access) plus any brand-defined scopes.
subSubject claim. The Synq user id. Stable, opaque, durable.
Synq DashboardThe admin UI at dashboard.synq.id for managing orgs, brands, apps, webhooks, members, roles.
Token gateA rule that checks whether a wallet holds at least N units of a given SPL token. Public check endpoint.
User codeRFC 8628 human-readable code shown to the user during device flow.
Webhook deliveryA POST from Synq to your URL with a signed payload. At-least-once, deduped via Synq-Delivery.
Last updated on