Glossary

This glossary provides definitions for common terms used throughout the authentik documentation.

A

Access Token

Bearer token used to access protected APIs.

Assertion Consumer Service (ACS)

Service Provider endpoint that receives SAML assertions.

Application

An application is what you authenticate into with authentik; applications are displayed on the "My applications" page of the user interface.

Audience (aud)

Intended recipient of a token.

Authorization code

Short-lived code exchanged for tokens.

Authorization endpoint

Endpoint where users authenticate and consent.

Authorization Server (AS)

OAuth2 role that issues tokens and hosts authorization endpoints.

B

Back-channel logout

Server-to-server logout notification.

Back-channel

Direct server-to-server communication.

Blueprints

Declarative files to template and reconcile authentik config.

Brand

Per-domain settings for UI, default flows, and behavior.

Base DN

Root DN (Distinguished Name) under which LDAP searches occur.

Bind DN

Account DN (Distinguished Name) used to authenticate to LDAP.

C

Claim

A piece of information about a subject.

D

Dynamic in-memory stage

Ephemeral stage appended at runtime; exists only in memory.

Distinguished Name (DN)

Unique path identifying an entry in LDAP.

E

Entity ID

Unique identifier for an IdP or Service Provider.

F

Flow

An ordered sequence of stages.

Front-channel logout

Logout via browser redirects or iframes.

Front-channel

Browser-mediated communication via the user's agent.

G

Grant type

OAuth2 mechanism for obtaining tokens.

I

ID token

OIDC token describing the authenticated user.

Identity Provider (IdP)

Authority that authenticates users and issues assertions/tokens.

IdP-initiated SSO

SSO flow started at the Identity Provider.

Introspection endpoint

Endpoint to validate opaque tokens.

Issuer (iss)

Entity that issued the token.

J

JWK

JSON representation of a cryptographic key.

JWKS

JSON Web Key Set used to verify JWTs.

JWT

Compact, signed JSON token format.

L

LDAP search filter

Expression selecting entries to return.

LDAP

Lightweight Directory Access Protocol for directory services.

N

NameID

Primary identifier for a user in SAML.

Notification rule

Policy-filtered event triggers that send notifications via transports.

Network Access Server (NAS)

Device that sends RADIUS requests to the server.

O

ObjectClass

Schema class that defines required/allowed attributes.

OIDC discovery document

Provider metadata at the well-known URL.

OpenID Provider (OP)

OIDC authority that authenticates users and issues tokens.

Outpost

Separate component providing services like reverse proxying, deployable anywhere.

P

Passkey

Discoverable FIDO2 credential, often synced across devices for passwordless login.

PKCE

Proof Key for Code Exchange hardens the code flow.

Policy

A yes/no gate evaluated by type and settings.

Property mappings

Define how data is exposed to apps and stored from sources.

Provider

A way for other applications to authenticate against authentik.

R

RADIUS auth methods

PAP, CHAP, MS‑CHAPv2, and EAP methods.

RADIUS messages

Access‑Request/Accept/Reject and Accounting messages.

RADIUS shared secret

Pre‑shared key between NAS and RADIUS server.

RADIUS

Remote Authentication Dial-In User Service protocol.

Redirect URI

Callback URL the provider redirects to.

Refresh token

Long-lived credential to obtain new access tokens.

Relying Party (RP)

OIDC client that relies on the OP for identity.

Response type

OAuth/OIDC response expected from the authorization endpoint.

Revocation endpoint

Endpoint to invalidate access or refresh tokens.

S

SAML assertion

SAML statement with authentication and attribute data.

SAML binding

Transport mechanism for SAML messages.

SCIM endpoints (Users, Groups)

RESTful endpoints for provisioning operations.

SCIM externalId

Client-supplied stable identifier for correlation.

SCIM provisioning lifecycle

Create, update, deactivate, and delete user records.

SCIM PATCH

Standardized partial update operation.

SCIM resource

Typed object like User or Group managed via SCIM.

SCIM

System for Cross-domain Identity Management.

Scope

Permission strings requested by a client.

Service Provider (SP)

Application that relies on the IdP to authenticate users.

Single Logout (SLO)

Terminates sessions across parties in a federation.

Source

Location from which users and their attributes can be accessed by authentik.

SP-initiated SSO

SSO flow started at the Service Provider.

Stage

A single verification or logic step within a flow.

Subject (sub)

Unique identifier of the token's principal.

System tasks

Longer-running background tasks in authentik.

T

Token endpoint

Exchanges codes or credentials for tokens.

U

UserInfo endpoint

OIDC endpoint returning user claims.

V

Vendor‑Specific Attribute (VSA)

Attribute namespace for vendor extensions.

W

WebAuthn

W3C standard for phishing‑resistant authentication with FIDO2 authenticators.