Glossary
Quick definitions for the terms the docs use most.
| Term | Meaning |
|---|---|
| Access token | RS256 JWT issued by Synq. Audience = brand slug. What your backends verify on every request. ~1 hour lifetime. |
| App | An OIDC client. A web app, backend, mobile app, agent, or CLI. Has a client_id and (for confidential clients) a client_secret. |
aud | Audience claim on a token. On access tokens, the brand slug. On ID tokens, your client_id. |
| Audit log entry | Append-only record of a meaningful action. actor, action, resource, metadata, timestamp. |
azp | Authorized party claim on access tokens. The client_id that obtained the token. |
| Backend session | Your app’s own session (cookie, JWE, etc.) holding the user id and tokens. Separate from Synq’s own session cookie. |
| Brand | A trust surface inside an org. Owns theming, BYO OAuth credentials, scope vocabulary, and one or more Apps. The thing the end user sees on the consent screen. |
client_id | Public identifier for an App. Sent on every OAuth request. Not secret. |
client_secret | Confidential identifier for an App. Held only by the App’s backend. |
| Confidential client | An App with a client_secret. Web apps, backends, m2m. |
| Connection | A BrandConnection row: per-brand BYO OAuth credentials for one provider, encrypted at rest. |
| Consent grant | A record that user U granted scopes S to app A. Stored once, reused on subsequent sign-ins for the same (U, A, S). |
| Device code | RFC 8628 opaque token used by a CLI / agent to poll /oauth2/token. |
| Device flow | OAuth grant for clients that can’t open a browser. Pair: device_code (opaque) + user_code (human-readable). |
exp | Expiry claim on a token. Unix seconds. |
iat | Issued-at claim on a token. Unix seconds. |
| ID token | RS256 JWT issued alongside the access token (when openid scope is requested). Audience = your client_id. Carries the user’s profile claims. |
| Internal app | A first-party Aerosol product that consumes Synq tokens. Not user-facing terminology. |
iss | Issuer claim. Always https://synq.id for Synq. |
| JWKS | JSON Web Key Set at /.well-known/jwks.json. Public keys used to verify access and ID tokens. |
kid | Key ID. Header claim on a JWT identifying which JWKS key signed it. |
| m2m | Machine-to-machine. The client_credentials grant. No user, no consent, no refresh token. |
nonce | A random value sent in /oauth2/authorize and echoed in the ID token. Verify on receipt to prevent replay. |
oauthCallbackId | A globally unique, immutable identifier on a brand. Appears in per-brand OAuth callback URLs so Synq can route incoming callbacks back to the right brand. |
| OIDC | OpenID Connect. The identity layer on top of OAuth 2.0. |
| OIDC client | The OIDC name for what Synq calls an App. |
| Organization (org) | A developer entity. Holds billing, members, roles, API keys, webhooks, audit log, token gates. |
| PKCE | Proof Key for Code Exchange. Required for public clients. Synq enforces S256. |
prompt | OIDC parameter on /oauth2/authorize. none, login, consent, select_account. |
| Provider | An external auth source: Google, Apple, Microsoft, Discord, Facebook, X, Telegram, Matrica, Solana wallet. |
| Public client | An App that can’t hold a client_secret. SPAs, mobile, CLIs. Protected by PKCE. |
| Refresh token | Opaque, single-use. Exchanged at /oauth2/token for a new access + refresh token pair. ~30 days sliding. |
| Scope | A capability an app may request. OIDC standard ones (openid, profile, email, offline_access) plus any brand-defined scopes. |
sub | Subject claim. The Synq user id. Stable, opaque, durable. |
| Synq Dashboard | The admin UI at dashboard.synq.id for managing orgs, brands, apps, webhooks, members, roles. |
| Token gate | A rule that checks whether a wallet holds at least N units of a given SPL token. Public check endpoint. |
| User code | RFC 8628 human-readable code shown to the user during device flow. |
| Webhook delivery | A POST from Synq to your URL with a signed payload. At-least-once, deduped via Synq-Delivery. |
Last updated on