Glossary
Access Token
Section titled “Access Token”- Definition: A credential (often a JWT) issued by the authorization server that the client uses to access the resource server. It represents the client’s authorization and typically has an expiry time and scopes attached. The resource server validates this token.
Administrator
Section titled “Administrator”- Definition: An IT administrator responsible for managing identity provider configurations within a customer organization.
Admin Portal
Section titled “Admin Portal”- Definition: A customizable web interface for customers’ IT administrators to manage identity provider configurations.
AI Agent Identity and Attestation
Section titled “AI Agent Identity and Attestation”- Definition: A process by which an AI agent proves its identity to an authorization server, often using cryptographic evidence (e.g. signed JWT assertions or hardware-backed keys), so the server can trust requests coming from that agent.
API Endpoint
Section titled “API Endpoint”- Definition: A specific URL where an API can be accessed to perform specific operations or retrieve data.
API Key
Section titled “API Key”- Definition: A unique identifier used to authenticate API requests to Scalekit, allowing secure access to the platform’s features and services.
- Definition: Another term for an application, representing the software product or service sold to customers.
Application
Section titled “Application”- Definition: The software product or service offered by B2B App developers to customers.
- Example: A workspace can contain multiple applications.
Audit Log
Section titled “Audit Log”- Definition: A record of all activities and changes made within the B2B App, used for security and compliance purposes.
Authentication
Section titled “Authentication”- Definition: The process of verifying the identity of a user or system attempting to access the B2B App.
Authorization
Section titled “Authorization”- Definition: The process of determining what actions or resources a user is allowed to access within the B2B App.
Authorization Server
Section titled “Authorization Server”- Definition: The server in OAuth that authenticates clients and issues tokens (could be a part of your SaaS or a third-party IdP like Okta Azure AD, etc.). It essentially says “Yes, client X, here is a token proving you are authenticated and allowed to do Y.”
Authorization URL
Section titled “Authorization URL”- Definition: The URL to which users are redirected to grant authorization for the B2B App.
B2B App
Section titled “B2B App”- Definition: An application designed for use by other businesses or organizations to streamline operations.
B2B SaaS App
Section titled “B2B SaaS App”- Definition: A type of B2B App delivered over the internet, allowing access without local installation.
Claims
Section titled “Claims”- Definition: Information about a user that is passed from an identity provider to a service provider during authentication.
Client Credentials Flow
Section titled “Client Credentials Flow”- Definition: The OAuth process where a machine client exchanges its client ID and secret for an access token from the auth server. No user involved. The resulting token represents the machine and carries scopes for what it can do.
Configuration
Section titled “Configuration”- Definition: The settings and parameters that define how the B2B App interacts with Scalekit and other services.
Connection
Section titled “Connection”- Definition: A link between the B2B App and a customer’s identity provider for enabling Single Sign-On (SSO).
- Example: Each organization can have its own unique connection.
Customer
Section titled “Customer”- Definition: A business or organization that uses the application to meet specific needs.
Custom Attribute
Section titled “Custom Attribute”- Definition: Additional fields added to user data in Scalekit for storing extra information.
Dashboard
Section titled “Dashboard”- Definition: The main control panel within Scalekit for configuring settings, viewing analytics, and managing integrations.
Deprovisioning
Section titled “Deprovisioning”- Definition: The process of removing user access and accounts when they are no longer needed or authorized.
Directory Provider
Section titled “Directory Provider”- Definition: An organization offering directory services, including identity providers.
Directory Sync
Section titled “Directory Sync”- Definition: A module in Scalekit for automatic provisioning and deprovisioning of user accounts.
Documentation
Section titled “Documentation”- Definition: Comprehensive guides and references that explain how to use and integrate with Scalekit’s features and services.
Dynamic Client Registration
Section titled “Dynamic Client Registration”- Definition: A protocol (RFC 7591) that allows a client application to programmatically register itself with an authorization server to obtain credentials (client ID/secret, etc.). Useful for large-scale or third-party ecosystems where manual registration of clients is not feasible or to enable self-service integration in a controlled way.
Environment
Section titled “Environment”- Definition: Different versions or instances of an application, such as test and live environments.
- Example: Each environment has its own settings and is isolated for security.
Error Handling
Section titled “Error Handling”- Definition: The process of managing and responding to errors that occur during API calls or application operations.
Federation
Section titled “Federation”- Definition: The process of establishing trust between different identity providers and service providers for seamless authentication.
ID Token
Section titled “ID Token”- Definition: A JSON Web Token (JWT) issued by the identity provider containing user identity information.
Identity Provider (IdP)
Section titled “Identity Provider (IdP)”- Definition: A service that verifies user identity and provides information about user attributes.
IdP Simulator
Section titled “IdP Simulator”- Definition: A tool that mimics the behavior of an identity provider for testing integrations.
Integration
Section titled “Integration”- Definition: The process of connecting Scalekit with other systems or services to enable seamless data flow and functionality.
- Definition: A standard format for representing claims securely between two parties. It is a compact, URL-safe means of representing claims securely between two parties.
Logout
Section titled “Logout”- Definition: The process of ending a user’s session and revoking their access to the B2B App.
Machine-to-Machine (M2M) Authentication
Section titled “Machine-to-Machine (M2M) Authentication”- Definition: Methods for verifying identity between two automated services or software entities without human intervention. Ensures a client program (machine) is trusted by the service it calls, typically via tokens, keys, or certificates.
MFA (Multi-Factor Authentication)
Section titled “MFA (Multi-Factor Authentication)”- Definition: A security feature that requires users to provide multiple forms of verification before accessing the B2B App.
Model Context Protocol (MCP)
Section titled “Model Context Protocol (MCP)”- Definition: A new protocol (spearheaded by Anthropic and others) to standardize how AI models (assistants) can interact with external tools and data. It defines how AI agents can discover available “tools” (APIs) and the context to call them. For auth, MCP leverages OAuth 2.1 – effectively requiring AI agents to go through a secure authorization process to get access to those tools. Think of it as an evolving standard to make AI to SaaS integrations plug-and-play, with security built-in via OAuth.
Mutual TLS (mTLS)
Section titled “Mutual TLS (mTLS)”- Definition: A transport layer security mechanism where both client and server present certificates to mutually authenticate each other during the TLS handshake. Provides strong assurance of identities at connection level and encrypts the traffic. Used in high-security environments and internal service-to-service auth.
Normalized Payload
Section titled “Normalized Payload”- Definition: A standardized format for data sent from Scalekit to the B2B App.
- Definition: A standard protocol for authorization enabling limited access to user data.
OAuth 2.0/OAuth 2.1
Section titled “OAuth 2.0/OAuth 2.1”- Definition: An authorization framework widely used for granting access to resources. OAuth 2.0 defines various flows (grant types) for different scenarios (authorization code, client credentials, etc.). OAuth 2.1 is an incremental update that compiles security best practices (PKCE required, no legacy flows, etc.). In M2M context, OAuth’s Client Credentials Grant is most relevant, allowing a service to get an access token using its own credentials.
OAuth 2.0 Token Exchange (RFC 8693)
Section titled “OAuth 2.0 Token Exchange (RFC 8693)”- Definition: A protocol that lets one token be exchanged for another—for example, an AI agent exchanging its machine-client token for a token scoped to call a downstream service on behalf of a user or another service. Enables delegation and impersonation scenarios.
- Definition: A standard protocol for authentication that builds on OAuth 2.0.
OpenID Connect (OIDC)
Section titled “OpenID Connect (OIDC)”- Definition: An identity layer on top of OAuth 2.0 (often used for user authentication). Mentioned here because the discovery document and id_token concepts come from OIDC. OIDC isn’t directly about M2M auth (it’s user-centric), but the OIDC discovery (
.well-known) and JWT usage are leveraged in service auth too.
Organization
Section titled “Organization”- Definition: The customers of B2B Apps, typically businesses.
- Example: Each business is considered an organization with its own users.
PKCE (Proof Key for Code Exchange)
Section titled “PKCE (Proof Key for Code Exchange)”- Definition: An extension to OAuth used to prevent interception of authorization codes. The client generates a random secret (code verifier) and sends a hashed version (code challenge) in the auth request, then must present the original secret when redeeming the code. Ensures that even if an attacker intercepts the auth code, they can’t exchange it without the secret. PKCE is now recommended for any OAuth client that can’t secure a client secret – including mobile, SPA, and some machine clients.
PKI (Public Key Infrastructure)
Section titled “PKI (Public Key Infrastructure)”- Definition: The system of certificate authorities, processes, and tools for managing digital certificates (like those used in mTLS). Involves issuing certs, distributing them, rotating when expired, revoking if compromised, etc. A robust PKI is needed to effectively use certificate-based auth at scale.
Provisioning
Section titled “Provisioning”- Definition: The process of creating and managing user accounts and access rights in the B2B App.
Rate Limiting
Section titled “Rate Limiting”- Definition: A mechanism that controls the rate of requests a user or application can make to the API within a specific time period.
Refresh Token
Section titled “Refresh Token”- Definition: A long-lived token that can be used to get new access tokens without re-authenticating. In M2M auth, refresh tokens are rarely used because the client can just use its credentials again. Refresh tokens are more for user-based flows to avoid prompting the user frequently.
Resource Server
Section titled “Resource Server”- Definition: The API or service that the client wants to use – it receives tokens from clients and decides whether to accept them (by validating them). In our context, your SaaS API is a resource server that expects a valid token for requests.
Role-Based Access Control (RBAC)
Section titled “Role-Based Access Control (RBAC)”- Definition: A method of regulating access to resources based on the roles of individual users within an organization.
SAML Assertion
Section titled “SAML Assertion”- Definition: A statement by an identity provider indicating a user’s authentication status.
- Definition: SCIM (System for Cross-domain Identity Management) is a standard protocol for automating the provisioning and deprovisioning of user accounts and their attributes between an identity provider and a service provider.
Scopes
Section titled “Scopes”- Definition: Strings that define what access is being requested or granted in an OAuth token. For example,
read:inventoryorpayments:create. Scopes let the token carry permissions, enabling the resource server to allow or deny requests based on scope. Principle of least privilege is implemented by granting minimal scopes.
Service Account
Section titled “Service Account”- Definition: A non-human account used by a software service. In context, it’s an identity set up for a machine to use. For example, a service account could be created for “Data Sync Service” in a customer’s tenant on your app. Service accounts have credentials (like client ID/secret or keys) to authenticate, and usually have roles or scopes assigned just like a user would. They enable organization-level or service-level tokens without tying to an actual person.
Service Provider
Section titled “Service Provider”- Definition: An entity offering a product or service to another organization or individual, especially in SSO contexts.
Session
Section titled “Session”- Definition: A period of interaction between a user and the B2B App, typically starting with authentication and ending with logout.
Social Connection
Section titled “Social Connection”- Definition: Allows users to sign in using their social media accounts.
SSO (Single Sign-On)
Section titled “SSO (Single Sign-On)”- Definition: An authentication method that allows users to access multiple applications with a single set of credentials.
Team Member
Section titled “Team Member”- Definition: Individuals from the B2B App developer’s company who use Scalekit to manage applications.
- Roles: Can include developers, product managers, or customer support staff.
Tenant
Section titled “Tenant”- Definition: An isolated instance of the B2B App for a specific customer organization, with its own data and configurations.
- Definition: A piece of data that represents a user’s authentication status and permissions, used for accessing protected resources.
- Definition: An individual who uses the B2B App, typically belonging to a customer organization.
User Attribute
Section titled “User Attribute”- Definition: Properties describing a user’s identity, used for authentication and access control.
Webhook
Section titled “Webhook”- Definition: A mechanism for the B2B App to receive notifications or updates from Scalekit.
Webhook Payload
Section titled “Webhook Payload”- Definition: The data sent by Scalekit to the B2B App when a webhook is triggered, containing information about the event.
Workspace
Section titled “Workspace”- Definition: A centralized hub for B2B App developers to manage applications and settings.
- Example: Think of it as a command center for efficient application management.
Zero Trust Security
Section titled “Zero Trust Security”- Definition: A security model where no user or device is inherently trusted, even if inside the network. Every access request must be authenticated, authorized, and continuously validated. For M2M, this means authenticating every service communication, minimizing implicit trust, and verifying identities at multiple layers (network & application). It often involves micro-segmentation and strict identity and access management for every machine identity.