Glossary — identity, JWT & APIs (sign-in)
Vocabulary for tokens, identity, and calling APIs after login. This is help text; exact claim names and behaviour follow Intastellar’s current docs and metadata.
OAuth 2.0 vs OpenID Connect (OIDC)
Meaning: OAuth 2.0 is an authorization framework — access to resources (often APIs). OpenID Connect builds on OAuth and adds identity — an ID token and standard claims about the user.
In practice: “Sign in with …” flows often use OIDC scopes (openid) plus OAuth access tokens for APIs. Your app registration and docs list what Intastellar exposes.
ID token
Meaning: A JWT (usually) that represents authentication — who signed in, for which client, at what time.
In practice: Validate issuer, audience, and lifetime on your server before trusting claims; do not treat the raw ID token as a session cookie unless your pattern explicitly allows it.
Access token
Meaning: Credential presented to resource servers (APIs) to prove the caller is allowed to perform an action.
In practice: Typically short-lived; refresh or re-auth per your product’s rules — see Sessions, cookies, and tokens.
JWT (JSON Web Token)
Meaning: A compact, signed (or encrypted) structure with header, payload (claims), and signature.
In practice: Use libraries to verify signatures against the provider’s JWKS; never decode and trust the payload without cryptographic verification in production.
Claim
Meaning: A name/value pair inside a token — e.g. subject, email, name.
In practice: Available claims depend on scopes and account settings; handle missing claims gracefully in your UI.
sub (subject)
Meaning: Stable identifier for the user within the issuer — the primary key for “this account” in many apps.
In practice: Prefer sub + issuer as your internal user key rather than email alone (emails can change).
iss (issuer)
Meaning: Who issued the token — identifies the authorization server.
In practice: Must match the issuer you configured; mismatch means wrong environment or token mix-up.
aud (audience)
Meaning: Which client(s) the token is intended for.
In practice: Reject tokens where audience does not match your client/API; prevents token replay to the wrong app.
nonce
Meaning: One-time value bound to an authorization request to mitigate replay in implicit/hybrid-style flows and to tie the ID token to the request.
In practice: Generate per login attempt; verify in the ID token when your stack requires it.
JWKS (JSON Web Key Set)
Meaning: A published set of public keys used to verify JWT signatures from the issuer.
In practice: Your backend should fetch and cache JWKS from the documented endpoint; rotate keys when the provider rotates them.
Resource server / API audience
Meaning: The API that accepts access tokens and enforces scopes or policies.
In practice: Separate “login worked” (ID token / session) from “call this API” (access token with correct audience and scopes).
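The checks the entries above call for (signature against a JWKS key found by kid, then iss, aud, exp and nonce, with (iss, sub) as the internal user key) as one added example; this is not Intastellar's code and not a JWT library. It assumes a constructed JWKS holding a symmetric "oct" key so it runs offline with only the standard library, whereas a real provider publishes RSA/EC public keys and you would verify those with a JWT library; EXPECTED_ISS, EXPECTED_AUD, the kid "k1" and the demo secret are made up.

```python
import base64, hashlib, hmac, json
# Constructed JWKS with a symmetric "oct" key so the example runs offline.
# Real providers publish RSA/EC public keys; verify those with a JWT library.
SECRET = b"demo-secret-0123456789"
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}
EXPECTED_ISS = "https://issuer.example"  # assumption: the issuer you configured
EXPECTED_AUD = "my-client-id"            # assumption: your client id

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, kid: str, secret: bytes) -> str:
    """Build a signed demo token (the provider does this, not your app)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token: str, jwks: dict, nonce: str, now: int) -> tuple:
    """Verify the signature via kid lookup, then iss, aud, exp and nonce.
    Returns (iss, sub): the pair to use as your internal user key."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid (refresh JWKS if the provider rotated keys)")
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # payload is untrusted until this passes
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return (claims["iss"], claims["sub"])
```

Order matters: the signature is checked before any claim is read, so a forged payload never reaches the issuer or audience comparison.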