Glossary

OAuth 2.0, OIDC, and ConsentKeys terminology explained simply.

A

Access Token

A credential that grants access to protected resources. Think of it as a temporary key card.

Example: eyJhbGciOiJSUzI1NiIs...

Lifetime: Usually 1 hour

Used for: Calling APIs on behalf of the user


Authorization Code

A temporary code returned after user authentication that your backend exchanges for tokens.

Example: code_abc123xyz

Lifetime: 10 minutes

Single-use: Can only be exchanged once


Authorization Endpoint

The URL where users start the authentication process.

ConsentKeys: https://pseudoidc.consentkeys.com/auth


aud (Audience)

JWT claim specifying who the token is intended for. For an ID token this is your client_id; reject any token whose aud doesn't include it.

Example: "aud": "ck_abc123"


B

Bearer Token

A token that grants access to whoever "bears" (possesses) it; there is no proof of possession, so anyone who obtains it can use it. Include it in the Authorization header, only over TLS, and never write it to logs.

Example:

Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

C

Claims

Pieces of information about the user contained in tokens.

Standard claims:

  • sub - User ID
  • email - Email address
  • name - Full name
  • picture - Profile photo URL

Client

Your application that uses ConsentKeys for authentication.

Types:

  • Public client: Cannot keep secrets (SPAs, mobile apps)
  • Confidential client: Can keep secrets (backend servers)

Client ID

Public identifier for your application.

Example: ck_abc123def456

Public: Yes, can be exposed in frontend


Client Secret

Confidential credential (a shared secret, not a private key) that proves your application's identity to the token endpoint.

Example: secret_xyz789abc

NEVER expose in frontend code!


Code Challenge

Base64url-encoded SHA-256 hash of the code verifier, sent in the authorization request together with code_challenge_method=S256 (PKCE).


Code Verifier

High-entropy random string (43 to 128 characters) generated for PKCE and kept by the client, sent during token exchange.


Consent Screen

UI where users approve what data your app can access.


CORS (Cross-Origin Resource Sharing)

Browser security mechanism that restricts cross-origin HTTP requests.

Why relevant: If browser-side code on your domain calls ConsentKeys endpoints directly, ConsentKeys must allow your origin in its CORS policy. Requests from your backend are not subject to CORS.


CSRF (Cross-Site Request Forgery)

Attack where a malicious site tricks a user's browser into making unwanted requests.

Protection: Use the state parameter on every authorization request and verify it on the callback. PKCE adds a second binding of the code to the client that started the flow.


E

exp (Expiration Time)

JWT claim indicating when the token expires (Unix timestamp).

Example: "exp": 1703980800 (2023-12-31T00:00:00Z)


G

Grant Type

The OAuth flow being used.

ConsentKeys supports:

  • authorization_code - Standard OAuth flow
  • client_credentials - Machine-to-machine

H

HttpOnly Cookie

Cookie that cannot be read by JavaScript, so a script injected through XSS cannot exfiltrate its value (the script can still make requests that carry the cookie, which is why CSRF protection is still needed).

Recommended for: Storing session tokens, combined with the Secure and SameSite attributes


I

iat (Issued At)

JWT claim indicating when the token was created (Unix timestamp).


ID Token

JWT containing user identity information (claims).

Contains:

  • sub - User ID
  • email - Email address
  • name - Display name
  • Other profile claims

Must be: Verified before use. Check the signature against the JWKS, then iss, aud, exp and (if you sent one) nonce; a claim from an unverified token is attacker-controlled input.


iss (Issuer)

JWT claim identifying who issued the token.

ConsentKeys: "iss": "https://pseudoidc.consentkeys.com"
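The claim checks listed under ID Token, aud, exp, iat and iss, as an added example that is not ConsentKeys code. Signature verification is handed to a caller-supplied function; in production that function wraps a JOSE library and the keys from the JWKS endpoint (an assumption of this example), while the two stand-ins here let the claim logic run offline. The ISSUER value is the one given on this page; the kid, client_id and nonce values in the demonstration are constructed.

```python
import base64
import hmac
import json
import time
from typing import Callable, Optional

# Added example, not ConsentKeys code: the checks a relying party runs on an
# ID token before trusting a single claim in it. Signature verification is
# delegated to a caller-supplied function; in production that wraps a JOSE
# library and the issuer's JWKS (an assumption of this example), while the
# stand-ins below let the claim checks be exercised offline.

ISSUER = "https://pseudoidc.consentkeys.com"
ALLOWED_ALGS = {"RS256"}   # decided by the RP in advance, never read off the token

SignatureVerifier = Callable[[dict, bytes, bytes], bool]


def b64url_decode(segment: str) -> bytes:
    """JWT segments carry no '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_test_jwt(header: dict, claims: dict, signature: bytes = b"placeholder") -> str:
    """Assemble header.payload.signature for local testing only (no real signing)."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    segments.append(b64url_encode(signature))
    return ".".join(segments)


def accept_all_signatures(header: dict, signing_input: bytes, signature: bytes) -> bool:
    return True    # offline stand-in only; never ship this


def reject_all_signatures(header: dict, signing_input: bytes, signature: bytes) -> bool:
    return False   # offline stand-in only


def validate_id_token(token: str, client_id: str, expected_nonce: str,
                      verify_signature: SignatureVerifier,
                      now: Optional[int] = None, leeway: int = 60) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    # 1. alg allow-list: refuses 'none' and HMAC algs, closing alg-confusion
    #    attacks before any key material is consulted.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over the raw first two segments, exactly as received.
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verify_signature(header, signing_input, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(parts[1]))
    # 3. iss must be the discovered issuer, compared byte for byte.
    if claims.get("iss") != ISSUER:
        raise ValueError(f"unexpected iss {claims.get('iss')!r}")
    # 4. aud may be a string or a list; our client_id must be in it, and with
    #    several audiences azp must name us.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp does not name this client")
    # 5. exp and iat, allowing a little clock skew.
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        raise ValueError("token expired or lacks exp")
    if "iat" in claims and int(claims["iat"]) > now + leeway:
        raise ValueError("token issued in the future")
    # 6. nonce ties the token to the login attempt that asked for it.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token: str, client_id: str, expected_nonce: str,
                     verify_signature: SignatureVerifier, now: int) -> Optional[str]:
    """Convenience wrapper: the error message, or None if the token is accepted."""
    try:
        validate_id_token(token, client_id, expected_nonce, verify_signature, now=now)
    except ValueError as exc:
        return str(exc)
    return None
```

The order matters: the alg allow-list and the signature come first, so nothing in the payload is parsed as trusted data until it is known to come from the issuer, and every failure is a hard rejection rather than a warning.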


J

JWT (JSON Web Token)

Compact, self-contained way to transmit information as a JSON object.

Structure: header.payload.signature

Example:

eyJhbGciOiJSUzI1NiIs.eyJzdWIiOiJ1c2VyXzEyM.SflKxwRJSMeKKF2Q

JWKS (JSON Web Key Set)

Set of public keys used to verify JWT signatures.

ConsentKeys: https://pseudoidc.consentkeys.com/.well-known/jwks.json


M

Magic Link

Passwordless authentication URL sent via email.

Advantages:

  • No password to remember
  • Automatic email verification
  • Resistant to credential stuffing

Lifetime: 15 minutes


N

nonce

Random value that binds an ID token to the client session that requested it, so an ID token captured elsewhere cannot be replayed into another login.

Usage:

  1. Generate random string
  2. Store in session
  3. Include in authorization request
  4. Verify the ID token's nonce claim matches the stored value

O

OAuth 2.0

Industry-standard protocol for authorization.

Key concept: Allows apps to access resources on behalf of users without passwords.


OIDC (OpenID Connect)

Identity layer built on top of OAuth 2.0.

Adds: User authentication and identity information (ID tokens)


OIDC Discovery

Standard endpoint that describes the provider's configuration.

ConsentKeys: https://pseudoidc.consentkeys.com/.well-known/openid-configuration

Returns: Available endpoints, supported features, etc.


P

PKCE (Proof Key for Code Exchange)

Security extension for OAuth that prevents an intercepted authorization code from being redeemed by anyone other than the client that started the flow.

Pronounced: "Pixie"

Required for: Public clients (SPAs, mobile apps); recommended for confidential clients as well

How it works:

  1. Generate a random code_verifier (43 to 128 characters)
  2. Hash it with SHA-256 and base64url-encode the result to create the code_challenge
  3. Send the challenge, with code_challenge_method=S256, in the authorization request
  4. Send the verifier in the token exchange
  5. Server hashes the verifier and checks it matches the challenge stored with the code
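Both sides of the PKCE exchange described above and under Code Challenge and Code Verifier, as an added example that is not ConsentKeys code: the client's verifier and challenge generation, and the comparison the authorization server performs when the code is redeemed. The RFC 7636 S256 method is used throughout; the verifier length of 32 random bytes and the rejection of the "plain" method are this example's choices.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example, not ConsentKeys code: PKCE with the S256 method (RFC 7636).
# Shows both halves: what the client generates, and the comparison the
# authorization server makes at the token endpoint.

# RFC 7636 section 4.1: unreserved characters, 43 to 128 of them.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE (and JOSE) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-character verifier, the RFC minimum."""
    verifier = b64url_nopad(secrets.token_bytes(n_bytes))
    if not VERIFIER_RE.match(verifier):
        raise ValueError("verifier outside RFC 7636 length bounds")
    return verifier


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: the challenge stored with the
    authorization code must match a fresh hash of the verifier presented now.
    An attacker who intercepted only the code does not know the verifier."""
    if stored_method != "S256":
        return False  # 'plain' sends the verifier in the front channel; refuse it
    if not VERIFIER_RE.match(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("authorization request carries:", f"code_challenge={challenge}&code_challenge_method=S256")
    print("token request carries:        ", f"code_verifier={verifier}")
    print("server accepts:", server_verify_pkce(challenge, "S256", verifier))
    print("server rejects other verifier:", server_verify_pkce(challenge, "S256", generate_code_verifier()))
```

The test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm an implementation is hashing and encoding the right bytes.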

Pseudonymous Profile

User identity that doesn't reveal real-world information.

ConsentKeys approach:

  • Each user gets a unique sub (subject) identifier
  • Different for each application
  • Cannot be reverse-engineered to find email
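One standard way to obtain the properties listed above (stable per application, unlinkable across applications, not reversible to the email), as an added example that is not ConsentKeys code: the pairwise subject identifier construction that OpenID Connect Core section 8.1 suggests, a keyed hash over the client's sector identifier and the provider's internal account id. The salt value, the "user_" prefix and the choice of HMAC-SHA256 are this example's assumptions; the page does not describe how ConsentKeys derives sub internally.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Added example, not ConsentKeys code: a pairwise pseudonymous subject
# identifier in the style of OpenID Connect Core section 8.1. The salt, the
# identifier format and the use of HMAC-SHA256 are assumptions.

PAIRWISE_SALT = b"constructed-example-salt-keep-secret"   # a real provider keeps this secret


def sector_identifier(redirect_uri: str) -> str:
    """Per OIDC Core 8.1, the sector is the host of the client's redirect URI."""
    host = urlparse(redirect_uri).hostname
    if not host:
        raise ValueError("redirect_uri has no host")
    return host.lower()


def pairwise_sub(internal_account_id: str, redirect_uri: str, salt: bytes = PAIRWISE_SALT) -> str:
    """Same user + same client: same sub. Same user + different client: unrelated sub.
    Without the salt nobody can go from a sub back to the account or its email."""
    sector = sector_identifier(redirect_uri)
    mac = hmac.new(salt, f"{sector}\x00{internal_account_id}".encode("utf-8"), hashlib.sha256)
    return "user_" + mac.hexdigest()[:32]   # mirrors the page's "user_<32 hex>" shape


if __name__ == "__main__":
    acct = "internal-account-42"                                # constructed sample id
    print(pairwise_sub(acct, "https://shop.example/callback"))
    print(pairwise_sub(acct, "https://shop.example/callback"))   # identical: stable per app
    print(pairwise_sub(acct, "https://forum.example/callback"))  # different: no cross-app linking
```

Two applications comparing their user tables see unrelated identifiers for the same person, and an identifier leaked from one application cannot be fed back into the provider to recover the account or its email without the provider's secret salt.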

R

Redirect URI

URL on your application where users are sent back after authentication, carrying the authorization code and state.

Example: https://yourapp.example/callback (illustrative; the redirect URI points at your app, not at ConsentKeys)

Must: Match exactly what's registered (scheme, host, port and path)


Refresh Token

Long-lived token used to obtain new access tokens without re-authentication.

Note: ConsentKeys doesn't currently issue refresh tokens


Resource Server

API that requires access tokens (your backend).


S

Scope

Permission requested for accessing user data.

ConsentKeys scopes:

  • openid - Required for OIDC
  • profile - User's name, username, photo
  • email - Email address
  • address - Physical address

Example: scope=openid profile email


state

Random value for CSRF protection in OAuth flows.

Usage:

  1. Generate random string
  2. Store in session
  3. Include in authorization request
  4. Verify it matches on callback
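The state procedure above and the nonce procedure earlier on this page, as an added example that is not ConsentKeys code: minting both values, storing them in the server-side session, building the redirect to the authorization endpoint listed on this page, and checking each value when it comes back. The `session` dict stands in for whatever session store the application uses; the client_id, redirect URI and code values in the test are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not ConsentKeys code: generating state and nonce, binding
# them to the server-side session, and checking them when the user returns.
# `session` stands in for the app's server-side session store.

AUTHORIZATION_ENDPOINT = "https://pseudoidc.consentkeys.com/auth"


def build_authorization_url(session: dict, client_id: str, redirect_uri: str,
                            scope: str = "openid profile email") -> str:
    """Start the flow: mint fresh state and nonce, remember them, build the redirect."""
    session["oauth_state"] = secrets.token_urlsafe(32)   # CSRF binding of the callback
    session["oidc_nonce"] = secrets.token_urlsafe(32)    # replay binding of the ID token
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["oauth_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def _equal(expected: str, received: str) -> bool:
    """Constant-time comparison on bytes, so non-ASCII input cannot raise."""
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def validate_callback(session: dict, callback_url: str) -> str:
    """Handle the redirect back: the state must equal the one in this user's
    session and is consumed so it cannot be reused. Returns the code."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)          # single use, even on failure
    received = query.get("state", [""])[0]
    if not expected or not _equal(expected, received):
        raise ValueError("state mismatch: forged or stale callback")
    if "error" in query:
        raise ValueError(f"authorization server returned error {query['error'][0]!r}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def validate_nonce(session: dict, id_token_claims: dict) -> None:
    """After the code exchange and signature verification: the ID token's nonce
    must be the one this session requested; otherwise the token was minted for
    a different login attempt and is being replayed here."""
    expected = session.pop("oidc_nonce", None)
    received = str(id_token_claims.get("nonce", ""))
    if not expected or not _equal(expected, received):
        raise ValueError("nonce mismatch: ID token not issued for this login")
```

Both values are popped from the session before they are compared, so a callback can only ever be honoured once per login attempt, and a mismatch leaves nothing behind for a second try.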

sub (Subject)

JWT claim containing the user's unique identifier.

Example: "sub": "user_7f8a9b2c1d3e4f5a6b7c8d9e0f1a2b3c"

Properties:

  • Unique per user
  • Consistent across sessions
  • Pseudonymous (doesn't reveal identity)

T

Token Endpoint

URL where authorization codes are exchanged for tokens.

ConsentKeys: https://pseudoidc.consentkeys.com/token


Token Introspection

Checking if a token is valid and retrieving its metadata.

Endpoint: https://pseudoidc.consentkeys.com/introspect


Token Revocation

Invalidating a token before it expires.

Endpoint: https://pseudoidc.consentkeys.com/revoke


U

UserInfo Endpoint

URL that returns user profile information when given an access token.

ConsentKeys: https://pseudoidc.consentkeys.com/userinfo

Example response:

{
  "sub": "user_123",
  "email": "user@example.com",
  "name": "John Doe"
}

X

XSS (Cross-Site Scripting)

Attack where malicious scripts are injected into trusted websites.

Relevance: Never store tokens in localStorage (vulnerable to XSS)


Common Acronyms

Acronym | Full Term                         | Meaning
OIDC    | OpenID Connect                    | Authentication layer on OAuth 2.0
JWT     | JSON Web Token                    | Compact token format
JWKS    | JSON Web Key Set                  | Public keys for verification
PKCE    | Proof Key for Code Exchange       | Security extension for OAuth
CSRF    | Cross-Site Request Forgery        | Attack type/protection method
CORS    | Cross-Origin Resource Sharing     | Browser security policy
XSS     | Cross-Site Scripting              | Injection attack type
SPA     | Single-Page Application           | Client-side web app
API     | Application Programming Interface | Software interface
URI     | Uniform Resource Identifier       | Web address
TLS     | Transport Layer Security          | HTTPS encryption

Quick Reference

OAuth 2.0 Flow Summary

1. User clicks "Login"
2. App redirects to Authorization Endpoint
3. User authenticates (magic link)
4. User approves consent
5. App receives Authorization Code
6. App exchanges code at Token Endpoint
7. App receives Access Token + ID Token
8. App calls UserInfo Endpoint
9. App receives user profile data

Token Lifetimes

Token              | Typical Lifetime | Renewable?
Authorization Code | 10 minutes       | No (single-use)
Access Token       | 1 hour           | Via refresh token, where the provider issues one
ID Token           | 1 hour           | No
Refresh Token      | 7-30 days        | Yes (rolling)
Magic Link         | 15 minutes       | No (single-use)

Note: ConsentKeys doesn't currently issue refresh tokens, so when an access token expires the user goes through the login flow again.

HTTP Status Codes

Code | Meaning               | Common Cause
200  | OK                    | Success
302  | Found                 | Redirect (normal in OAuth)
400  | Bad Request           | Invalid parameters
401  | Unauthorized          | Invalid/expired token
403  | Forbidden             | Insufficient permissions
404  | Not Found             | Endpoint doesn't exist
429  | Too Many Requests     | Rate limit exceeded
500  | Internal Server Error | Server-side error
