Glossary of Terms

Key terminology used in the platform.

access token
See OAuth access token.
AJAX
An abbreviation for Asynchronous JavaScript and XML, a term for a set of related web development techniques that can be used together to update parts of a webpage without reloading the entire page.
alert
A type of Dashboard item designed to inform app or API administrators about an issue such as an SLA (Service Level Agreement) violation.
anonymous user
A user who is browsing the platform without logging in. Anonymous users can see public content but cannot post to Boards, write comments or ratings, or create resources such as apps.
API
A key resource in the Community Platform. An API provides a business with a way of using the Internet to extend business capabilities to connect with new customers in new ways. In this context an API is a Web service exposed outside the enterprise, typically using RESTful design principles, and often with JSON content.
API access request
A specific type of Connection Request; a request, initiated by an app team member, to establish a contract between the app and an API. An API access request governs the relationship between an app and an API for the life of the connection. When an app team member requests a connection to an API on behalf of the app, the API administrator is notified of the pending request and can approve or deny the request.
API Administrator
One of the roles defined in the Community Platform is that of the API Admin. Each API must have at least one Admin, and can have more. The API Admin approves or rejects connection requests, moderates the API's Board, views and manages alerts and trouble tickets, and manages documents, policies, and other information associated with the API. The API Admin can also view performance and usage data for the entire API, and can invite others to be Admins for the same API.
API Board
The API Board allows any member to post discussions pertaining to a specific API, or create trouble tickets pertaining to issues associated with the operation of a particular API.
Navigation: APIs > API Name > Board
API Gateway
The Akana API Gateway provides service integration and gateway services for APIs. It bundles Akana Policy Manager with one or more message handling intermediaries.
app
An app (application) is a piece of software that delivers specific capabilities to its users. In the context of the Community Platform, an app is a piece of software that consumes one or more APIs.
App Board
The App Board allows development team members to create private discussions with other team members pertaining to their specific application development projects. Team members can also create trouble tickets pertaining to issues associated with application development.
Navigation: My Apps > App Name > Board
App ID
When an app developer registers an app in the platform, it is assigned an App ID. The App ID is a unique identifier for your app within the platform. All API calls include the App ID.
app team member
One of the roles defined in the Community Platform is that of the app team member. Each app must have at least one team member and can have more. An app team member initiates contract requests, such as API access requests, moderates the app's Board, and views and manages trouble tickets relating to the app. The app team member can also view performance and usage data for the app's API usage, and can invite others to be team members for the same app. All app team members have the same rights.
assertion
See SAML assertion.
Assertion Consumer Service (ACS) endpoint
In SAML, the endpoint where the service provider will receive SAML assertions from the identity provider.
Artifact Resolution Service (ARS)
In SAML, a service that you must set up if you want to use the HTTP Artifact binding (supported for single sign-on SAML response messages). The recipient of an artifact calls this service, over a direct back-channel connection to the artifact issuer, to exchange the artifact for the full message. See HTTP Artifact.
authorization endpoint
See OAuth authorization endpoint.
authorization server URL
See OAuth authorization server URL.
AtmoAuthToken
A tenant-specific cookie. This is the platform's authorization token. This cookie indicates the level of access allowed. It is valid only for 30 minutes and must be renewed at that time. It also includes other information, such as the APIs, apps, and groups the user is a member of. When any of this information changes, the token must be renewed.
Because the AtmoAuthToken includes a lot of information about the user, in some cases the token is long, and could cause requests to fail if the server has a limit on HTTP header length. For this reason, the container configuration properties include authTokenMaxLength. When the AtmoAuthToken would exceed that maximum length, the platform creates a mini auth token for the cookie and saves the full auth token in the database.
auto-connect feature
The platform's auto-connect feature allows an API Admin to set up the API so that when a new app is created on the platform, a contract with the API is created automatically. The API Admin specifies the details of the access granted with the auto-connect feature, such as whether access is to the sandbox or production environment, or whether access is limited to specific operations or a specific transaction volume (via the Licenses feature, implemented with scope mapping).
Base URL
In setting up the SAML identity provider in Policy Manager, the platform provides a specific URL to be used for instances where the Identity Provider, when encountering an error, returns the error response to the default Service Provider endpoint rather than just showing the error on the authentication page. PingFederate is an example of an Identity Provider that returns an error response in this way.
To construct the endpoint to be used for error responses, the platform needs to know the <protocol_scheme>://<host>:<port> of the container where the SAML Web SSO domain is initialized. This is the base URL.
bearer token
Used in OAuth, the bearer token is a security token with the property that any party in possession of the token (the bearer) can use it. Using a bearer token does not require proof of possession of cryptographic key material (proof-of-possession). Because possession alone is sufficient, a bearer token must be sent only over TLS and kept out of URLs and logs; anyone who captures it can replay it until it expires or is revoked.
Board
In the Community Platform, every resource, such as an app or API, has a Board that displays all feed entries for the resource. Users with approved connections to the resource can post items to the resource's Board according to privileges. For example, a member of a specific app team can post items to the Board for that app. Users with approved connections also see relevant Board items in their personal home Feed.
Board item
An individual entry on a resource's Board. A Board item can be an Alert, API Access Request (Contract Request), Discussion, Group Membership Invitation, or Ticket.
bpel file
A bpel file is a Business Process Execution Language file. BPEL itself is an abbreviation for Web Services Business Process Execution Language (WS-BPEL), an OASIS standard executable language which is a standard format for specifying actions within a business process, used by webservices. When the Site Admin or Business Admin creates an export file from the platform, such as an API export file, the export ZIP file (package file) includes BPEL files.
Business Administrator
One of the roles defined in the Community Platform is that of the Business Administrator. A business can own one or more APIs and apps, and must have at least one Administrator. The Business Administrator automatically has administrator rights over all the APIs and apps owned by the business as well as all the users who are part of the business. For more information, see What roles can a Business Administrator perform?
CA SiteMinder
CA SiteMinder® is a popular commercial access management product. The platform supports use of CA SiteMinder for login or for OAuth support.
callback URL
Redirect URL. See OAuth callback URL.
CER file
A file containing an X.509 certificate, typically issued by a certificate authority in response to a certificate signing request. It holds the certificate owner's public key and the CA's signature over it; it never contains the private key.
When uploading app credentials, the app developer can upload either a CER file or a CSR file.
See also: CSR file.
Certificate Authority
A Certificate Authority (CA) issues certificates and guarantees the validity of the binding between the certificate owner and its public key. The CA is a trusted authority, and any certificate issued by the CA identifies the owner of the certificate. Therefore the private key that corresponds to the public key in the certificate is deemed to be known only by the specific owner. Two Certificate Authority options are supported. The Platform Tenant (Host) provides a simplified version of a Certificate Authority that can issue and renew X.509 certificates, or the app developer can import a certificate that was issued outside the platform.
Navigation: My Apps > Details > Security
challenge question
A question that the Business Admin chooses as part of a security feature. When signing up to the platform, the user must provide the answer to one or more security questions, if the platform is set up to require them. The user's answers are stored in the database, and the user must answer one or more security questions on demand to perform certain functions such as resetting a password or changing the user profile.
claim
In OpenID Connect a claim is a piece of information about an end-user, which is returned to the Relying Party by the OpenID Connect Identity Provider after both the end-user and the Relying Party have authenticated. The OpenID Connect specification defines some standard claims; additional claims can be added. Depending on the process flow that's supported by the Identity Provider and requested by the Relying Party, claims might be returned in the UserInfo Response or in the ID Token.
Examples of standard claims: given_name, family_name, email. For more information, refer to the Standard Claims section of the OpenID Connect specification.
clock skew
The allowed difference between the clock setting on the issuing machine and the consuming machine, expressed in seconds. An example of where this is used is in the JWT Bearer Assertion OAuth grant settings. At runtime, if the difference is greater than the value allowed in the clock skew setting, validation of the assertion will fail.
code (user)
Any one of the four types of codes sent to users for different events: signup code, registration code, reset code, or invitation code.
Connect provider
In OpenID Connect, the identity provider is called the Connect provider.
connection
A relationship between resources in the Community Platform, such as the API access relationship between an app and an API that it's using.
connection request
A workflow process that governs the relationship between two resources for the life of the connection. It is a request to establish a connection between resources; for example, an API access request or a follow request.
connector domain
In the context of the platform, a connector domain is an independent domain that provides authentication services; for example, Google®, Facebook®. Users can log in by authenticating with the connector domain rather than signing up as platform users.
container
An Akana container instance performs a specific web service management function in an API Gateway deployment. Instances have a unique Instance Name, Description, and Listener configuration relative to the deployment requirements.
contract
A specific type of connection that defines a consumption relationship between an app and an API. When an app admin (app team member) wants the app to be able to consume an API, he/she initiates a request for API access. The API access relationship is a contract, and is subject to an approval workflow. The contract is requested by the app team member and is approved or rejected by the API admin; it can then be cancelled or suspended by the API admin or cancelled by an app team member.
The contract governs access rights and QoS (Quality of Service) policies for all transactions between the app and the API. It also provides a convenient way of collecting and presenting metrics and usage data.
contract request
A request for a contract.
CORS
Acronym for Cross-Origin Resource Sharing. CORS is the browser mechanism that lets a web page served from one origin call an API on a different origin. The browser and the server exchange headers to decide whether the cross-origin request is allowed: the browser sends an Origin header (and, for requests that are not "simple", an OPTIONS preflight first), and the server answers with Access-Control-Allow-Origin and related headers; if the answer does not permit the origin, the browser refuses to expose the response to the page.
The platform includes a policy, CORSAllowAll; if this policy is selected as part of an API definition, all cross-origin requests to the API are allowed. Use it deliberately: it lets a page from any origin call the API and read the response, so it suits only APIs that do not rely on browser-held credentials such as cookies.
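The decision described above, written out as an added example (not the platform's own code): a request handler chooses the CORS response headers for a given Origin, contrasting an allow-list with a CORSAllowAll-style blanket policy. The allow-list, method list and the preflight helper are assumptions made for the example.

```python
"""Constructed example: choosing CORS response headers for a cross-origin API call.
Not code from the platform; ALLOWED_ORIGINS, ALLOWED_METHODS and the allow_all flag
(modelling a CORSAllowAll-style policy) are assumptions for this example."""
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed allow-list
ALLOWED_METHODS = "GET, POST, PUT, DELETE"


def cors_headers(origin: Optional[str], allow_all: bool, with_credentials: bool) -> dict:
    """Return the CORS headers for a request carrying `origin` in its Origin header.

    allow_all: accept every origin (a CORSAllowAll-style policy).
    with_credentials: the API expects the browser to send cookies or Authorization.
    An empty dict means 'no CORS headers', so the browser blocks the page from
    reading the response.
    """
    if origin is None:
        return {}  # same-origin or non-browser client: CORS does not apply
    if allow_all:
        if with_credentials:
            # Browsers reject '*' together with credentials, so a blanket policy has
            # to echo the caller's origin. Caveat: any site can then make credentialed
            # requests to the API and read the responses.
            return {"Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Credentials": "true",
                    "Vary": "Origin"}
        return {"Access-Control-Allow-Origin": "*"}
    if origin not in ALLOWED_ORIGINS:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_response(origin, requested_method, requested_headers, allow_all=False):
    """Answer an OPTIONS preflight for a credentialed API; returns (status, headers)."""
    if requested_method.upper() not in ALLOWED_METHODS.split(", "):
        return 403, {}
    headers = cors_headers(origin, allow_all, with_credentials=True)
    if not headers:
        return 403, {}
    headers.update({
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": requested_headers or "Content-Type",
        "Access-Control-Max-Age": "600",   # let the browser cache the preflight result
    })
    return 204, headers
```

The `Vary: Origin` header matters whenever the origin is echoed: without it a shared cache could serve one origin's permission to another.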
CSR file
Acronym for Certificate Signing Request; a message sent to a certificate authority to request a digital identity certificate.
When uploading app credentials, the app developer can upload either a CER file or a CSR file.
Because the platform supports CSR import, the app developer does not need to get a signed certificate from a CA. Instead, the developer can generate a CSR from the key pair that he/she created, and can import that directly.
When a CSR is imported, the platform uses its internal Certificate Authority to create the CER from the request. Therefore, in order to support CSR import, the platform's own certificate authority must be configured.
See also: CER file.
CSRF attack
In a cross-site request forgery (CSRF) attack, a malicious site exploits the fact that a user is already authenticated with another site and that the browser automatically attaches that site's cookies to every request it sends there. A page open in one browser tab can therefore make the browser send state-changing requests to the other site, with the user's session cookie attached, so that actions are executed without the user's knowledge.
The platform includes a feature to help prevent CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
CSRF token
A platform token that is used only if the CSRF prevention feature is in effect. The CSRF token is sent when the user logs in, and can be used in making subsequent API calls to protect against CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
Csrf-Token cookie
A platform cookie that is used only if the CSRF prevention feature is in effect. The value of the Csrf-Token cookie is sent as a custom header value in request messages to protect against CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
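The cookie-plus-header pattern described in the two entries above, as an added example that is not the platform's own code: the token minted at login is set as a cookie, and a state-changing request is accepted only when a custom header echoes the same value. The cookie and header names and the token format are assumptions made for this example.

```python
"""Constructed example of a double-submit CSRF check. Not the platform's code; the
cookie name, header name and token format are assumptions for this example."""
import hmac
import secrets

COOKIE_NAME = "Csrf-Token"      # assumed cookie name
HEADER_NAME = "X-Csrf-Token"    # assumed custom request header name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token() -> str:
    """Mint an unpredictable token at login; the server sets it as the CSRF cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, cookies: dict, headers: dict) -> bool:
    """Accept a state-changing request only if the custom header echoes the cookie.

    A cross-site page can make the browser *send* the cookie automatically, but it
    cannot read the cookie to copy it into a header, and a custom header forces a
    CORS preflight that a foreign origin will not pass.
    """
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    header_token = headers.get(HEADER_NAME)
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(cookie_token, header_token)
```

Safe methods are exempted only on the assumption that they never change state; an API that mutates on GET defeats the check.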
Dashboard
The user's Dashboard, also called home page or feed, is the first page the user sees after logging in. The Dashboard includes information relating to apps and APIs the user is associated with. An individual user's Dashboard is an aggregation of all the Board items from all the resources that the user is following. An individual user can modify the types of information that are displayed on his/her Dashboard. See also Dashboard entry.
Navigation: Dashboard tab.
Dashboard entry/item
An informational item that appears on a user's Dashboard. The entries on a specific user's Dashboard are Board items for resources the user is following. A Dashboard entry can be any of the following: Alert, API Access Request (Contract Request), Discussion, Group Membership Invitation, or Ticket.
Default theme
When Simple Developer theme (Simple Dev), an additional customizable code base with a separate URL, was added, the original code base of the developer platform was named Default Theme, for differentiation. Default Theme is the standard user interface, which includes Site Admin and Business Admin capabilities.
deployment zone
If an API is hosted on the platform and using the proxy capability, the API owner can specify the deployment zones, such as a geographical area or a specific data center, that the endpoint will be proxied in.
Dev Console
The Developer Console (Dev Console) is a web-based REST client provided as part of the Community Manager user interface so that developers can test different APIs in the context of their app. It is available for any app added to the platform, on the Apps > Dev Console page.
developer
A developer of an app that will consume an API.
discovery (OpenID Connect)
In OpenID Connect, "discovery" is the process by which a Relying Party learns the configuration of the OpenID Connect identity provider. The Relying Party sends a GET request to the Discovery Endpoint published by the provider and receives a JSON document listing the provider's endpoints, supported algorithms and other capabilities. OpenID Connect Discovery also defines an optional first step (WebFinger) for finding the issuer in the first place; that request includes the resource (end-user identifier), host, and type of service requested.
discovery endpoint (OpenID Connect)
Same as Discovery URL (see below).
discovery URL (OpenID Connect)
A URL published by the OpenID Connect provider for a relying party to send requests. Path: {oauth-provider-url}/.well-known/openid-configuration. Also known as a well-known configuration URL.
The discovery URL represents the location of the identity provider's endpoint and other values that the relying party (application) will need to set up connectivity.
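Deriving the discovery URL and checking the configuration it returns, as an added example (not the platform's own code). The provider URL and the JSON document are constructed for the example; the issuer-match check is the one OpenID Connect Discovery requires of a relying party.

```python
"""Constructed example: OpenID Connect discovery URL derivation and validation of the
returned configuration. Not the platform's code; SAMPLE_PROVIDER and SAMPLE_DOC are
made-up values for the example."""
import json
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(oauth_provider_url: str) -> str:
    """{oauth-provider-url}/.well-known/openid-configuration, tolerating a trailing slash."""
    return oauth_provider_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_configuration(oauth_provider_url: str, body: str) -> dict:
    """Parse the configuration document and apply the checks a relying party should make."""
    cfg = json.loads(body)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"configuration missing {missing}")
    # Discovery requires the 'issuer' value to equal the URL the document was fetched
    # under (minus the well-known suffix). A mismatch points at a misconfigured or
    # impersonating provider and must not be tolerated.
    if cfg["issuer"].rstrip("/") != oauth_provider_url.rstrip("/"):
        raise ValueError("issuer does not match the discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(cfg[key]).scheme != "https":
            raise ValueError(f"{key} must use https")
    return cfg


# Constructed sample provider and configuration document (not from any real provider)
SAMPLE_PROVIDER = "https://idp.example.com"
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "userinfo_endpoint": "https://idp.example.com/oauth/userinfo",
    "jwks_uri": "https://idp.example.com/oauth/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
})
```

In a live relying party the document is fetched once and cached; the `jwks_uri` it names is where the keys used in the JWT example further down would be loaded from.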
discussion
In the Community Platform, an authorized user can create a discussion topic about a resource (app or API) on the resource's Board. A discussion is typically, but not necessarily, created by someone other than the owner or administrator of the resource. Discussion entries are not threaded; users comment on the original item rather than on the comments/replies to the original item. Users can, however, mark or unmark the discussion itself and/or one or more discussion comments.
Each discussion has a title and one or more comments. The visibility of a discussion is controlled by the visibility of the resource it's associated with; for example, a discussion about a Limited (Private) API can only be seen by administrators and Private API Group members associated with that API.
duration (on monitoring charts)
In the app and API monitoring charts, the duration and interval controls work together to allow you to narrow down the dataset you're interested in.
The duration allows you to select the time period to be shown on the chart; for example, one week, one day, one hour.
The interval defines the subdivision of time shown on one increment of the chart; for example, 1 week, 5 sec.
Options adjust based on the selected Duration. For example, if Duration is 5 minutes, Interval is 5 sec. If Duration is 1 year, Interval is 1 week.
ECDSA
Acronym for Elliptic Curve Digital Signature Algorithm. ECDSA is a variant of the Digital Signature Algorithm (DSA) that operates over elliptic-curve groups, giving comparable security with much shorter keys and signatures.
Entity ID
In SAML, a unique identifier for an entity. A SAML entity can be a Service Provider or an Identity Provider.
As a service provider, you define the Entity ID. When setting up your account with the Identity Provider you must specify the Entity ID, which must be unique within the IdP so that the IdP can identify your Service Provider.
The Entity ID is used as the value of the <Issuer> element inside the SAML protocol message. In an authentication request, the <Issuer> element contains the Entity ID of the Service Provider; in the SAML response, it has the Entity ID of the Identity Provider.
From the perspective of the Service Provider, the Entity ID is analogous to the client_id in OAuth.
enumeration (of users)
The term user enumeration, user enum, or simply enum refers to a security vulnerability that allows an unauthorized user to compile a list of valid user accounts that are authorized to log in to an application. For example, if an unauthorized user can try to sign up with an existing email address, and the application returns a message that an account already exists for that email address, the application is giving away information. The same leak occurs when login or password-reset responses differ, in wording or in response time, between existing and unknown accounts.
The platform includes enhanced security settings that can be activated to help prevent enumeration of users.
environment
An API contract can apply either to the Sandbox environment, which is a testing area, or the production environment.
epoch time
Epoch time, also called Unix time, is defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time; Thursday, 1 January 1970. In some cases the developer platform uses this value in response messages, expressed in milliseconds.
export
A Site Admin or Business Admin can output all the information about one or more of certain resources, or an entire business, to an export file. The information can then be imported into another platform instance. Information is exported to a specially formulated ZIP file called a package file.
Full export is only available to a Site Admin or Business Admin. An API Admin can export an API.
extension grant type
In addition to the four standard grant types, the OAuth 2.0 specification defines Extension Grant Types. These are governed by the OAuth specification, which says:
"The client uses an extension grant type by specifying the grant type using an absolute URI (defined by the authorization server) as the value of the "grant_type" parameter of the token endpoint, and by adding any additional parameters necessary."
A JWT Bearer Assertion is an extension grant type that is generally used when the app already has a JWT Assertion that represents the resource owner. The app sends the JWT Assertion to the authorization server's Token Endpoint to get an access token for later use.
favicon
A small icon, typically 16x16 pixels, associated with a website or a specific webpage.
Implementation varies, but typically the browser displays the favicon in the address bar, on the tab next to the page title, and next to the page's name in a list of bookmarks.
follow request
A specific type of Connection Request used to establish a "follow" relationship between a user and a resource that can be followed. Currently, only apps, APIs, and groups can be followed.
forum
A way of sharing information and content in the platform. Forum types include: Alerts, Contract Requests, Discussions, Group Membership Requests, Reviews, Tickets.
Forum types and Board item types are essentially identical. The difference is in implementation; the forum is viewed by the Business Admin or Site Admin in Forum view (Administration > Forum), and is an overall view of Board items from all boards on the platform.
forum entry
An individual content contribution by a specific user, to one of the forum types. A forum entry is essentially exactly the same as a Board item entry.
A forum entry is essentially exactly the same as a Board item entry. However, in the user interface,
group
1) The term "group" is used in many instances to refer to any of the following types of groups in the Community Platform: app teams, Private API groups, API Administrator groups, Site Administrator groups, or independent groups.
2) "Group" is sometimes used specifically to mean a Private API Group.
group membership request
An invitation to a specific user, whether a platform user or not, to join a specific platform group.
IdP domain
Abbreviation for identity provider domain.
HMAC
Acronym for Hash-based Message Authentication Code. HMAC combines a symmetric key with a cryptographic hash function to produce a code that lets a party holding the same key verify both the integrity and the origin of a message. HMAC can be used with hash algorithms such as MD5, SHA-1 or SHA-256; MD5 and SHA-1 are deprecated for new designs, so prefer SHA-256 or stronger.
HTTP Artifact
One of the binding options supported by the SAML protocol. HTTP Artifact is useful in scenarios where the SAML requester and responder are communicating through an HTTP user-agent and do not want to transmit the entire message through it, either for technical or security reasons. Instead, a SAML Artifact is sent, which is a unique reference to the full message. The recipient then uses the artifact, over a direct back-channel call to the issuer's Artifact Resolution Service, to retrieve the full message. The artifact issuer must maintain state while the artifact is pending.
HTTP Artifact sends the artifact as a query parameter.
Community Manager currently supports this binding option for SAML responses, but not for SAML requests.
HTTP POST
One of the binding options supported by the SAML protocol.
HTTP POST sends the base64-encoded message as a form field (SAMLRequest or SAMLResponse) in the body of a POST, typically submitted by an auto-submitting HTML form in the user's browser.
Community Manager currently supports this binding option for SAML, for both requests and responses.
HTTP Redirect
One of the binding options supported by the SAML protocol.
When HTTP Redirect is used, the SAML message is DEFLATE-compressed, base64-encoded and URL-encoded into a query parameter (SAMLRequest or SAMLResponse) of an HTTP redirect: the service provider redirects the user's browser to the identity provider, where the login happens, and the identity provider redirects the user back to the service provider. HTTP Redirect requires intervention by the User-Agent (the browser). Because the message travels in the URL it is size-limited, and any signature is carried in separate SigAlg and Signature query parameters rather than inside the XML.
Community Manager currently supports this binding option for SAML requests.
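The Entity ID and HTTP Redirect entries above, worked through as an added example (not the platform's own code): a minimal AuthnRequest whose <Issuer> carries the service provider's Entity ID is encoded for the HTTP-Redirect binding and then decoded the way the identity provider would. The Entity ID, ACS URL and IdP URL are made-up values, and the optional request signature is left out.

```python
"""Constructed example: SAML AuthnRequest with the SP Entity ID as <Issuer>, encoded
for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and decoded again.
Not the platform's code; all URLs and the Entity ID are made up for the example."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str):
    """Minimal AuthnRequest; returns (request ID, XML string).
    The ID is kept so the SP can later match the IdP's InResponseTo attribute."""
    request_id = "_" + secrets.token_hex(16)     # xsd:ID must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'   # Entity ID identifies the SP
        f'</samlp:AuthnRequest>'
    )
    return request_id, xml


def redirect_binding_url(idp_sso_url: str, xml: str, relay_state: str = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_binding(url: str):
    """What the IdP does on receipt: reverse the encoding and read ID and Issuer."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    root = ET.fromstring(xml)
    issuer = root.find(f"{{{SAML}}}Issuer").text
    return root.attrib["ID"], issuer, xml
```

A real SP would also sign the request (SigAlg and Signature parameters) when the IdP requires it, and would record the request ID so that an unsolicited or replayed response can be rejected.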
identity provider
An identity provider (sometimes abbreviated as IdP) is an entity responsible for verifying user identity and issuing identity information, usually in the form of a token. A common example is a website that allows users to log in using a Facebook or Google identity; in this scenario, Facebook and Google are identity providers. In OpenID Connect, the identity provider is called the Connect provider.
In terms of SAML, the identity provider verifies the identity of the user in response to a request by the Service Provider, and then responds with a SAML assertion.
IdP
In SAML, abbreviation for Identity Provider.
import
When information is exported from one instance of the platform to an export file (package file), it can be imported to another instance of the platform.
Only a Site Admin or Business Admin has permission to perform functions relating to import.
independent group
A group that exists independently of any single app or API. Any authorized user can create an independent group, and becomes the first administrator. The administrator can then invite other members and can remove members and change a member's role. There are three roles; admin, leader, and member. All members can see resources the group is linked to. Admins have full rights over the group.
interval (on monitoring charts)
In the app and API monitoring charts, the duration and interval controls work together to allow you to narrow down the dataset you're interested in.
The duration allows you to select the time period to be shown on the chart; for example, one week, one day, one hour.
The interval defines the subdivision of time shown on one increment of the chart; for example, 1 week, 5 sec.
Options adjust based on the selected Duration. For example, if Duration is 5 minutes, Interval is 5 sec. If Duration is 1 year, Interval is 1 week.
invitation code
A unique code generated and sent to a specific user in an email if a platform member invites the user to a platform group, such as an app team, API Admin group, or independent group.
This is one of the several types of codes use to manage user signup and login. For information on the others, see code (user).
invitation status
A value that shows a group member's relationship with the group. When a new member is invited to a group, the member has an initial status of Pending. Depending on the user's response, the status can change to Accepted or Rejected. Other possible status values are: Cancelled, Removed, or Deleted.
JSON
An acronym for JavaScript Object Notation, JSON uses a subset of the JavaScript syntax to describe an object clearly and succinctly. One of the advantages of JSON over XML for API messages is that message content conveyed in the JSON format is much more concise than the same content conveyed in XML, consuming less bandwidth.
JSON Web Key
A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key (for example, an RSA key).
JSON Web Key Set
A JSON data structure that represents a set of JSON Web Keys.
See JSON Web Key.
JWT bearer assertion
See JWT token (OpenID Connect).
JWT token (OpenID Connect)
Acronym for JSON Web Token. In the context of OpenID Connect, a JWT is a compact, URL-safe means of representing claims to be sent from one party to another over the web. The claims in a JWT are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure. This enables the claims to be digitally signed and/or encrypted.
The OpenID Connect Provider can issue a JWT (the ID Token) from either the Authorization Endpoint or the Token Endpoint. This is one of the two ways offered by the OpenID Connect specification for the app to learn information about the end user. The other is by publishing a UserInfo endpoint.
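The JSON Web Key, JWT and clock skew entries, worked through together as an added example (not the platform's own code): a compact JWT is minted with a symmetric key taken from a JSON Web Key Set and then verified with signature, issuer, audience and time-claim checks, where the exp and nbf checks allow a configurable clock skew in seconds. HS256 is used so that only the standard library is needed; the key, issuer, audience and claims are made-up values.

```python
"""Constructed example: mint and verify a compact JWT (HS256) using a key from a
JSON Web Key Set, with clock-skew tolerance on the time claims. Not the platform's
code; JWKS, issuer, audience and claims are made-up values for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def key_from_jwk(jwk: dict) -> bytes:
    """Symmetric ('oct') JWK: the raw key bytes are base64url in the 'k' member."""
    if jwk.get("kty") != "oct":
        raise ValueError("this example supports only oct keys")
    return b64url_decode(jwk["k"])


def mint_jwt(claims: dict, key: bytes, kid: str) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, jwks: dict, expected_iss: str, expected_aud: str,
               clock_skew: int = 60, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and time claims; clock_skew is the leeway in seconds."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' from the token alone
        raise ValueError("unexpected alg")
    key = next((key_from_jwk(k) for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("bad issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("bad audience")
    # Time claims: tolerate the issuer's clock differing from ours by up to clock_skew.
    if "exp" in claims and now > claims["exp"] + clock_skew:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"] - clock_skew:
        raise ValueError("not yet valid")
    return claims


# Constructed JSON Web Key Set with one symmetric key (not a real key)
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "k": b64url(b"example-shared-secret-32-bytes!!")}]}
```

Signature verification runs before any claim is read, and the algorithm is pinned rather than taken from the header, which is the defence against the classic `alg: none` and key-confusion attacks.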
LDAP
Acronym for Lightweight Directory Access Protocol; an open, industry-standard directory protocol used by the platform to authenticate users against an enterprise directory in support of single sign-on.
leader
In the context of a Private API Group, a leader is a senior group member. A leader can invite additional members to the group and can change another member's status, from member to leader or vice versa.
legal agreement (API)
The platform allows the API Admin or Business Admin to upload one or more legal agreements associated with an API. When a legal agreement is active for an API, an app developer must accept the legal agreement in order to request a contract with the API.
The platform supports the following file formats for legal agreements associated with an API: HTML (htm or html extension) or text (txt extension).
License
A License is a tailored API access package designed by the Business Admin/API Admin and offered to the app developer. A license includes one or more license terms, each of which can include multiple scopes, giving access to specifically designated operations, and multiple quality of service (QoS) policies, and also one or more legal agreements applicable to the license.
For more information on the License feature, see Licenses: Feature Overview.
license term
A license term defines the access that is being offered in a license (scope) and the level of access (QoS policy). Each license term includes one or more scopes plus, optionally, the quality of service limits/policies to be applied to all scopes in the license term. Scopes apply to both visibility and access; policies apply only to access. To have any impact, a license term must include at least one scope.
Mark
Users can give positive feedback to items such as discussion topics and associated comments, reviews, and other resources such as tickets, using the Mark function. Choosing Mark provides positive feedback, in the same way as "Like" in Facebook®. The Mark value toggles on and off, so a user can mark or unmark a discussion comment. In the user interface, the mark icon is a thumbs-up, and the unmark icon is a closed fist.
MAC token
Acronym for Message Authentication Code. In OAuth 2.0, a MAC token is a proof-of-possession token type, defined in an expired IETF draft, as distinct from the bearer tokens of RFC 6750. The authorization server issues the token together with a secret MAC key that is never sent on the wire again; for each request the client computes an HMAC over a normalized form of the request (timestamp, nonce, method, URI, host and port) with that key, and sends the token identifier, timestamp, nonce and resulting code in the Authorization header. The resource server recomputes the code with the same key, so a captured token cannot be replayed by a party that lacks the key. Message authentication codes in general are also widely used outside OAuth, for example in electronic funds transfer (EFT) transactions, to protect message integrity.
member
In the context of a Private API Group, a group member has access to all information relating to the Private API and the group, including tickets and discussions. Members cannot invite additional members or change the status of other members. A member can be promoted to leader status by the API Admin or by another leader.
membership request (invitation)
An invitation to another individual, whether a registered user or not, to join a Community Platform group or team such as an app team. API Administrators can invite others to be API Administrators; app team members can invite others to the app team. A Site Administrator, Private API Administrator, or Independent Group member can also issue a membership request in the same way.
moderation
Depending on the platform's settings, some types of user-generated content, such as reviews, discussions, and comments, might be moderated. If moderation is turned on for a specific type of content, such as discussions, and a user adds that type of content, it has a Pending state until it's approved. Certain authorized users can approve content; for example, a discussion for an API might need to be approved by an API Admin or Business Admin. Once the new content is approved, it is visible to all users who have visibility of the resource (app, API, or group). For more information, see What is moderation and how does it work? (Administrator help).
MGF1
A mask generation function, based on a hash function, defined in RFC 2437 (section 10.2.1), the RSA Cryptography Specification Version 2.0, and carried forward in later PKCS #1 versions. It is used in RSAES-OAEP encryption padding and RSASSA-PSS signatures.
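MGF1 as specified, written out as an added example (not the platform's own code): the mask is the concatenation of Hash(seed || C) for a 4-byte big-endian counter C = 0, 1, 2, ..., truncated to the requested length. The seed and message below are made-up values; the masking helper shows where a mask of this kind is used.

```python
"""Constructed example: MGF1 from RFC 2437 section 10.2.1 (also RFC 8017 B.2.1),
plus a small demonstration of OAEP-style masking with the generated mask.
Not the platform's code; the seed and message used are made up for the example."""
import hashlib


def hash_block(seed: bytes, counter: int, hash_name: str = "sha256") -> bytes:
    """One MGF1 block: Hash(seed || I2OSP(counter, 4))."""
    return hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """Return a mask of mask_len bytes derived from seed with the named hash."""
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (2 ** 32) * h_len:
        raise ValueError("mask too long")          # the RFC's 'mask too long' error
    mask = b""
    counter = 0
    while len(mask) < mask_len:
        mask += hash_block(seed, counter, hash_name)
        counter += 1
    return mask[:mask_len]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_style_mask_demo(message: bytes, seed: bytes):
    """Where MGF1 is used: XOR a data block with a seed-derived mask (as RSAES-OAEP does
    for its data block), then recover it by applying the same mask again."""
    mask = mgf1(seed, len(message))
    masked = xor_bytes(message, mask)
    recovered = xor_bytes(masked, mask)
    return masked, recovered
```

The function is deterministic and the output for a shorter length is always a prefix of the output for a longer one, which is the property the padding schemes rely on.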
My APIs
The My APIs quick filter provides a list of APIs that a member who is an API Provider has added. Each API includes functional and usage documentation, and download files.
Navigation: My APIs quick filter
My Apps
The My Apps quick filter is a dashboard that displays all the apps defined by a member. The dashboard is used to manage your app workflow from setup to a live production site.
Navigation: My Apps quick filter
A random string, uniquely generated for each request. A nonce is used to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. Over a secure channel, it is still an added security measure.
OAuth is an open standard security protocol for authorization that allows you to share private resources stored on one site with another site without having to share credentials. One advantage of OAuth is that it supports both authentication and authorization in such a way that an application does not need to give access to the user's credentials. For example, in the platform you can sign in using your Facebook credentials, or on the API Details page you can share an API to Facebook, Twitter, and LinkedIn. These elements of the platform are configured as private resources.
OAuth access token
In OAuth, an access token is essentially a pass, a credential that gives authorization to access the requested and approved resource or resources for as long as the access token remains valid. In some cases, access tokens can be renewed by means of a refresh token; in some cases they cannot. For more information, refer to the OAuth 2.0 specification (external site).
For more information on access tokens, see What is an Access Token?
OAuth authorization code
With the OAuth 2.0 Authorization Code grant type, the resource owner (consumer; for example, the app user) is redirected to the authorization server and gives authorization for the app to access the resource. The authorization server then redirects the consumer back to the client app with an authorization code. The client app presents this authorization code, along with the app's authentication credentials, back to the authorization server, requesting an access token (and optionally a refresh token). The client then uses the access token to call the service on behalf of the resource owner. A refresh token can be used to extend the lifetime of this session.
OAuth authorization endpoint
The endpoint for the OAuth Authorization Server. This is the endpoint on the authorization server where the resource owner provides credentials, such as username and password, and grants authorization for the client app to access the resources or a specified subset of the resources.
When setting up an OAuth domain, Site Admins must specify this value. Additionally, if an API is using a third-party OAuth provider rather than an OAuth domain set up on the platform, the API Admin must specify this value in the OAuth setup wizard. For more information, see What are the OAuth 2.0 Endpoints and how do they work? and the OAuth 2.0 specification (external site).
OAuth authorization server
In an OAuth implementation, the authorization server collects the resource owner's credentials, gets the resource owner's permission for the app to access the resources, and passes back the authorization token to the app so that the app can then access the resources.
OAuth authorization server URL
As part of setting up the OAuth domain, the Site Admin must specify the Authorization Server URL. This is the URL that the browser for the resource owner (app user) will be accessing for the OAuth grant. It is the URL at which the OAuth Provider accesses the requests, for both Authorization Endpoint and Token Endpoint.
The URL must be accessible to all the apps and end users that might use APIs that reference the OAuth domain. The Authorization Endpoint and Token Endpoint for OAuth 1.0a and OAuth 2.0 use different paths according to the specific OAuth version. Firewalls and DNS servers must be set up for this URL so that end users and apps can reach it.
OAuth callback URL
Redirect URL. The URL to which the API sends the response message with the token.
OAuth grant provisioning UI
In the platform, the OAuth grant provisioning UI is the HTML page, used in Test Client, where the resource owner signs in and authorizes access, for the purposes of using Test Client.
The grant provisioning UI can include the logo for the application, pulled from the application information, and the logo for the OAuth provider, as set up in the Branding tab in the OAuth Provider domain setup.
OAuth grant types
OAuth 2.0 supports four different grant types; each has a different process flow. Grant types are designated as 2-legged or 3-legged depending on the number of parties involved. The 2-legged grant types are Client Credentials and Resource Owner Password Credentials; the 3-legged grant types are Authorization Code and Implicit.
For more information on OAuth grant types (for API admins) see What grant types does OAuth support? and How does OAuth 2-Legged and 3-Legged Authorization work?
OAuth grant types: 2-legged
The number of legs used to describe an OAuth request refers to the number of parties involved: 2-legged or 3-legged. When the client is also the resource owner, it is a 2-legged flow. OAuth 2.0 includes the following 2-legged grant types: Client Credentials and Resource Owner Password Credentials.
OAuth grant types: 3-legged
The number of legs used to describe an OAuth request refers to the number of parties involved. The most common process flow includes three parties: a client, a server, and a resource owner. This is a 3-legged flow. OAuth 2.0 includes the following 3-legged grant types: Authorization Code and Implicit.
OAuth grant types: Authorization Code
A 3-legged OAuth 2.0 grant type: An authorization code is returned to the client through a browser redirect after the resource owner gives consent to the OAuth Authorization Server. The client then exchanges the authorization code for an access token. Resource owner credentials are never exposed to the client app.
OAuth grant types: Client Credentials
A 2-legged OAuth 2.0 grant type: The client presents its own credentials to the OAuth Authorization Server in order to obtain an access token. This access token is either associated with the client's own resources, rather than a specific resource owner, or is associated with a resource owner for whom the client is otherwise authorized to act.
OAuth grant types: Implicit
A 3-legged OAuth 2.0 grant type: An access token is returned to the client through a browser redirect in response to the resource owner authorization request. This grant type is suitable for clients that cannot keep client credentials confidential (for use in authenticating with the OAuth Authorization Server), such as client applications implemented in a browser using a scripting language like JavaScript.
OAuth grant types: Resource Owner Password Credentials
A 2-legged OAuth 2.0 grant type: The client collects the resource owner's password and exchanges it at the OAuth authorization server for an access token, and often also a refresh token. This grant type is suitable in cases where the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application, since the client must discard the password after using it to obtain the access token.
OAuth refresh token
In OAuth 2.0, certain grant types support the use of refresh tokens to facilitate longer access periods. This is useful in scenarios that extend over time, such as a regular monthly payment.
In OAuth 1.0a, once an access token is generated it is valid until revoked by the user. OAuth 2.0 introduces expiration of access tokens and adds a second type of token, a refresh token, that can be used in conjunction with the access token to allow users to grant long-term permissions while still maintaining security. This process helps ensure that if a specific access token is compromised, a new one can be generated from the refresh token, which can be stored in the database on the server.
The access token grants immediate access but only for a limited time. The access token comes with two additional values: expires_in, which indicates the life of the access token, and refresh_token which can be used to get a new access token when the current token expires. Additional user approval is not needed, but the expiration and renewal add security to the process. When (or before) the access token expires, the refresh token can be used to generate a new access token.
For more information, see What is a Refresh Token?
OAuth resource server
The server where the resources are stored. The resource server accepts requests and responds to approved requests using access tokens.
OAuth token endpoint
In OAuth 2.0, the token endpoint is the endpoint on the authorization server where the client app sends the authorization code, client ID, and client secret and receives in exchange an access token which allows the app to access the approved resources. For more information, see What are the OAuth 2.0 Endpoints and how do they work? and the OAuth 2.0 specification (external site).
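As an added example (not the platform's own code), the following Python models the Authorization Code grant, the token endpoint and the refresh token behaviour described in the OAuth entries above, including the expires_in value and single-use authorization codes. All names, lifetimes and the sample client registration are assumptions made for the illustration; a real authorization server persists this state and serves both endpoints over HTTPS.

```python
"""Added example (not the platform's own code): an in-memory model of the
OAuth 2.0 Authorization Code grant, the token endpoint and refresh tokens
described in the entries above. Names, lifetimes and the sample client
registration are assumptions made for the illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_LIFETIME = 60       # seconds an authorization code stays redeemable (assumed)
ACCESS_LIFETIME = 3600   # expires_in reported to the client (assumed)


@dataclass
class AuthorizationServer:
    # client_id -> (client_secret, registered callback URL); constructed sample data
    clients: dict
    _codes: dict = field(default_factory=dict)    # code -> (client_id, user, scope, expiry)
    _access: dict = field(default_factory=dict)   # access token -> (client_id, user, scope, expiry)
    _refresh: dict = field(default_factory=dict)  # refresh token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, user, scope, now):
        """Authorization endpoint: the resource owner (user) has signed in and
        consented; return the browser redirect carrying a single-use code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered callback URL")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, user, scope, now + CODE_LIFETIME)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, now):
        """Token endpoint: authenticate the client, then exchange the code."""
        self._authenticate_client(client_id, client_secret)
        entry = self._codes.pop(code, None)  # pop: a code is redeemable exactly once
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        code_client, user, scope, expiry = entry
        if code_client != client_id or now > expiry:
            raise PermissionError("invalid_grant: code expired or issued to another client")
        return self._issue_tokens(client_id, user, scope, now)

    def refresh(self, client_id, client_secret, refresh_token, now):
        """Token endpoint, refresh_token grant: no user interaction needed."""
        self._authenticate_client(client_id, client_secret)
        entry = self._refresh.pop(refresh_token, None)  # rotate: the old refresh token dies
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant: unknown refresh token")
        _, user, scope = entry
        return self._issue_tokens(client_id, user, scope, now)

    def introspect(self, access_token, now):
        """Resource server side: None if the token is unknown or expired."""
        entry = self._access.get(access_token)
        if entry is None or now > entry[3]:
            return None
        return {"client_id": entry[0], "user": entry[1], "scope": entry[2]}

    def _authenticate_client(self, client_id, client_secret):
        registered = self.clients.get(client_id)
        # constant-time comparison so the secret check leaks no timing information
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")

    def _issue_tokens(self, client_id, user, scope, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (client_id, user, scope, now + ACCESS_LIFETIME)
        self._refresh[refresh] = (client_id, user, scope)
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_LIFETIME,
                "refresh_token": refresh, "scope": scope}


def demo_flow():
    """Run the 3-legged flow against a constructed client with a fixed clock."""
    server = AuthorizationServer(clients={"app-123": ("s3cret", "https://app.example/cb")})
    t0 = 1_700_000_000
    redirect = server.authorize("app-123", "https://app.example/cb", "alice", "read", now=t0)
    code = redirect.split("code=", 1)[1]
    first = server.token("app-123", "s3cret", code, now=t0)
    try:                      # a second redemption of the same code must fail
        server.token("app-123", "s3cret", code, now=t0 + 1)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    later = t0 + ACCESS_LIFETIME + 1   # just past the first access token's expiry
    second = server.refresh("app-123", "s3cret", first["refresh_token"], now=later)
    return {
        "expires_in": first["expires_in"],
        "replay_rejected": replay_rejected,
        "valid_before_expiry": server.introspect(first["access_token"], now=t0 + 100) is not None,
        "expired_after": server.introspect(first["access_token"], now=later) is None,
        "renewed_valid": server.introspect(second["access_token"], now=later + 1) is not None,
    }


if __name__ == "__main__":
    print(demo_flow())
```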
An open standard for authenticating users, now deprecated in favor of OpenID Connect.
OpenID Connect
An identity layer on top of the OAuth 2.0 protocol that allows the client to verify the identity of an end-user based on authentication by an authorization server. OpenID Connect was released in February 2014 and is gaining popularity. For example, Google has moved from OpenID to OpenID Connect for products such as the Google+ API, used by the platform's Google login domain. For more information, see Welcome to OpenID Connect (external site).
package file
The ZIP file that is created as a result of using the export function. The package file can be imported into another instance of the platform by a Site Admin or API Admin.
password reset code
See reset code.
A federated identity management system based on the SAML protocol. PingFederate® supports SSO, SLO, and other federated identity standards. It can also be used as an OAuth 2.0 provider.
The platform supports PingFederate provider as a domain type (set up by the Site Admin).
A file format used for keystores. The private key and certificate can be stored in the same PKCS12 file. In the platform, this format is used for uploading the app keystore file in Dev Console. The file extension can be p12 or pfx.
Policy Manager
Akana Policy Manager is the core product that provides the underlying infrastructure for the platform. Message handling intermediaries integrate with Policy Manager, which attaches policies and provides a policy decision point as well as the policy administration point.
The Policy Manager console is the user interface for the Akana API Gateway.
Private API
Private APIs are visible to members who have been invited to join a Private API Group. Once a member has accepted a Private API invitation, the Private API is displayed with a unique icon.
Private API Group
A group associated with a Limited (Private) API and created by an API admin for that API. Each member has a group member role, either as member or leader. Each group can have multiple leaders as well as members.
production environment URL
A unique gateway URL (service endpoint) that provides access to the production endpoint of an API. The production endpoint URL becomes available when you request production access, and goes live after production access has been approved.
Navigation: My Apps > Apps
In the context of the Community Manager user interface, the user profile page allows you to edit your user details (first name, last name, username, and avatar) and settings (email, password, and notification settings).
Navigation: Profile (to the right of Logout in the top navigation)
proxy API
When you set up your API on the Community Platform and choose to use the Proxy feature, all traffic to your API endpoints is channeled via the platform. This offers significant benefits, including the ability to apply policies and monitor traffic at the proxy.
Public Key Integration
The Public Key Integration section of My Apps > App Details > Security allows you to use Public Key Infrastructure (PKI) for secure message signing. When you initially create your app, a shared secret is generated by default. If you would like to override the shared secret, you can upload a Certificate Signing Request (CSR). The Certificate Authority associated with the platform will generate a public/private key pair using the uploaded CSR.
Navigation: My Apps > Details > Security
QoS (quality of service) policy
A QoS policy defines the level of service being offered to an app that is accessing an API; for example, the number of transactions per minute that are allowed for the app. In the platform, QoS policies are tied to license terms.
A URL pattern for which an authentication request is valid. In OpenID Connect, a realm is designed to give the end user an indication of the scope of the authentication request. The identity provider must present the realm when requesting the end-user's approval for an authentication request. The identity provider uses the realm to identify the relying party.
redirection endpoint
In general, a redirection endpoint or URL is a URL that an application provides to another app, when directing the user to the second app to perform some function and then return the user once the function is complete. For example:
  • Login: If the user is logging in with Google, the platform directs the user to Google and provides a redirect URL. When Google has authenticated the user, Google redirects the user back to the platform using the redirect URL.
  • OAuth: If an app is requesting access to one or more of the user's Facebook resources, such as the Calendar, the app directs the user to a Facebook authorization page, and provides a redirect URL. Facebook authenticates the user, collects the user's permission for the app to access the resources, and then uses the redirect URL to return the user to the app.
refresh token
See OAuth refresh token.
registration code
A unique code generated and sent to a specific user in an email if the Site Admin adds the user (currently supported only via the API). The code is only valid for the account it is generated for, and expires after a pre-set period.
This is one of several types of codes used to manage user signup and login. For information on the others, see code (user).
relying party
In OpenID Connect, the app that is providing a service to the end-user is called the relying party. The relying party trusts the identity provider (Connect provider) to authenticate the user. In the context of the Community Platform, when OpenID Connect is used for login, the platform is the relying party and the Site Admin sets up the OpenID Connect identity provider in Domains setup.
reset code
A unique code generated and sent to a specific user as a result of a password reset request. The code is only valid for the account that requested it, and expires after two days by default. Expiration time is configurable by the Site Admin.
This is one of several types of codes used to manage user signup and login. For information on the others, see code (user).
restricted API access
Restricted access for an app means that the app's access to the API is restricted to a subset of the API, as defined by scope mapping, or to a specified, agreed-upon quota as defined by a QoS policy. Compare: unrestricted API access.
In the Community Platform, a Resource is an item, such as an App or API, which has its own Board and set of activities.
Resource server
See OAuth resource server.
Users can write reviews for any apps, APIs, or groups that they have access to. In the developer portal, reviews are created from the Details page for the resource. Each review includes a subject line and a comment.
Other users can comment on the review, and can mark reviews that they like.
Depending on the platform configuration, reviews might be moderated. If so, the review must be approved by an Administrator before it is published.
A review is actually a Board item even though, in the user interface, reviews are not displayed on the Board for the resource, but instead are displayed on the Details page.
In terms of using the API, all operations that work for Board items work for reviews also.
Within a Private API Group, each group member has a role, either as Member or Leader. The Private API Admin can invite team members and designate roles.
Within an independent group, each group member has a role, either as Member, Admin, or Leader. An Admin can invite or remove other team members and designate roles.
Other roles on the platform include App Team Member, Site Administrator, API Administrator, and Site User.
A popular and secure public key cryptography algorithm.
Acronym for Security Assertion Markup Language. SAML is an identity federation standard that enables single sign-on. It is an XML-based standard for exchanging authentication and authorization data between a service provider (providing a service to the user) and an identity provider (providing user identity verification for the service provider).
One usage, in the context of the platform, is by OpenID Connect, where it is used to provide single sign-on. The platform acts as the relying party.
SAML Artifact
In SAML, a unique ID used by the service provider (SP) and identity provider (IdP) to reference a specific user session or transaction. The SP can use the Artifact to query the IdP for information about the user.
SAML assertion
A SAML assertion is an XML document returned by the Identity Provider to the Service Provider after authentication of the user. The assertion has a very specific structure, as defined by the SAML standard. A SAML assertion has a <Subject> element which contains information about the user. It might have conditions and attributes associated with the information being conveyed. It is digitally signed and asserts that the user has been authenticated.
Note: the above definition applies to an authentication assertion, which applies in the context of the platform's support of SAML. There are other types of SAML assertions.
Single sign-on over the Web using the SAML protocol.
sandbox endpoint URL
A unique gateway URL (service endpoint) that provides access to an API's sandbox environment. The Sandbox Endpoint URL becomes available after requesting access to an API using the Request API Access Wizard.
Navigation: Add APIs in My Apps > API Management, or Request API Access in My Apps.
A subset of a license. A scope is the bridge between the top level of the hierarchy, which is a license, and the bottom level, an operation. At the business level, the Business Admin defines the scope with a name and basic attributes. Then, at the API level, the API Admin assigns specific operations to one or more scopes for the API. These operations are included in any license that the scope is assigned to.
scope mapping
If your API is using the Licenses feature, scope mapping is the key to defining which portions of your API will be available for which licenses. The scopes and licenses themselves are defined by the Business Admin, but at the API level you determine which operations are assigned to which scopes. This in turn determines which licenses will be available to app developers requesting access to your API.
The platform includes search functionality on certain specific pages and on platform-wide content. For example, a user can search on the apps list or APIs list for a specific app or API; the Site Admin can search for a specific user in the Users List. Search is available on many other areas of the user interface. Some examples: Board posts, tickets, and alerts; help documentation (question mark at top right; then, Browse Docs).
Search results are limited to those resources the user performing the search has permission to see. For example, a user who does not have access to a specific private API will not see it on the list.
security challenge question
See challenge question.
security domain
An application or collection of applications that all share, and trust, common security. The same security mechanism is used for all within the security domain, for authentication, authorization, and/or session management. A user who is authorized on one part of the security domain is considered authorized for other parts.
In a tenant/partner scenario, all tenants share the same security domain and are considered to be trusted. So, for example, app owners on one tenant have access to API information on another tenant seamlessly and without any additional security authorization.
Service Provider
In terms of SAML, the Service Provider (SP) offers a service to the user and allows the user to sign in by using SAML. When the user attempts to sign in, the SP sends a SAML authentication request to the Identity Provider (IdP). The IdP validates the request, authenticates the user, and creates a SAML assertion that represents the user's identity and, in some cases, sends additional information about the user in the form of associated attributes. The SAML assertion is digitally signed and encrypted and then sent back to the service provider that initiated the request.
Identity federation software at the SP receives the assertion, verifies its authenticity, decrypts it, and shares the information with the application.
Acronym for Secure Hash Algorithm; a family of cryptographic hash functions including SHA-0, SHA-1, SHA-2 (see SHA-256), and SHA-3.
SHA-1 is a cryptographic hash function, broadly used and trusted.
When you hash a value with SHA-1, the hash function returns a 160-bit string. This is the message digest. The value is hashed and sent with the message; at the receipt point, the value is hashed again, and the two hash values are compared. When the two hash values match, it is a secure, reliable indication that the message hasn't changed; the message at the receipt point is an accurate duplication of the message at the send point.
Part of the SHA-2 family of algorithms developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to succeed SHA-1. Each is named according to the number of bits in the output; so, whereas SHA-1 has 160 bits in the hash output, SHA-256 has 256.
Shared Secret
A shared secret is a value generated for an app developer within the secure environment of the platform. The shared secret is known only to the app developer and the platform, and is used for authentication in secure send/receive communications.
Navigation: My Apps > Details > Security
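As an added example (not the platform's own code), the following Python ties together the nonce, MAC, SHA-256 and shared secret entries: the sender attaches a fresh nonce and an HMAC-SHA256 tag keyed with the shared secret, and the receiver recomputes the tag and rejects any nonce it has already accepted. The message layout, function names and sample secret are assumptions made for this illustration; HMAC-SHA256 is used rather than SHA-1, which NIST has deprecated for new designs.

```python
"""Added example (not the platform's own code): message authentication with a
shared secret, tying together the nonce, MAC, SHA-256 and shared-secret entries.
The sender attaches a nonce and an HMAC-SHA256 tag; the receiver recomputes the
tag with the same secret and rejects any nonce it has already accepted. Message
layout, names and the sample secret are assumptions made for this illustration."""
import hashlib
import hmac
import json
import secrets


def _canonical(body, nonce):
    # A fixed serialization, so sender and receiver hash exactly the same bytes.
    return json.dumps({"body": body, "nonce": nonce}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign_request(shared_secret: bytes, body: dict, nonce=None) -> dict:
    """Sender side: attach a fresh random nonce and the MAC over body plus nonce."""
    nonce = nonce or secrets.token_hex(16)
    tag = hmac.new(shared_secret, _canonical(body, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "mac": tag}


class Receiver:
    """Receiver side: verifies the MAC, then enforces nonce uniqueness."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._seen = set()  # nonces already accepted; a real service would bound or expire this

    def verify(self, msg: dict) -> str:
        expected = hmac.new(self._secret, _canonical(msg["body"], msg["nonce"]),
                            hashlib.sha256).hexdigest()
        # Check the MAC first and in constant time: an unauthenticated sender must
        # not be able to alter the body or to fill up the seen-nonce set.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: MAC mismatch"
        if msg["nonce"] in self._seen:
            return "rejected: replayed nonce"
        self._seen.add(msg["nonce"])
        return "accepted"


def demo():
    """Constructed exchange: one good message, one replay, one tampered copy."""
    secret = b"constructed-shared-secret"           # in the platform this is per app
    receiver = Receiver(secret)
    msg = sign_request(secret, {"op": "transfer", "amount": 100})
    outcomes = [receiver.verify(msg), receiver.verify(msg)]     # second call replays
    tampered = dict(msg, body={"op": "transfer", "amount": 9999})
    outcomes.append(receiver.verify(tampered))                   # body changed, tag stale
    return outcomes


if __name__ == "__main__":
    print(demo())
```

An unkeyed digest of the kind described under SHA-1 detects accidental corruption only, since anyone who can alter the message can also recompute a plain hash; keying the tag with the shared secret is what makes a mismatch evidence of tampering.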
signup code
A unique code generated and sent to a specific user in an email when the user signs up for the platform. The code is only valid for the account that requested it, and expires after seven days.
This is one of several types of codes used to manage user signup and login. For information on the others, see code (user).
site administrator
An individual who has responsibility for keeping the site running smoothly. The Site Admin has access to additional parts of the user interface for configuration and monitoring purposes. There can be more than one site administrator. For more information, see What functions are available to the Site Administrator in the platform?
Simple Developer theme
Simple Developer theme, also called Simple Dev, is an additional customizable code base, with a separate URL, that you can choose as an additional installation option. During installation, when you install Default Theme (the standard user interface which includes all admin capabilities), you can choose to also install Simple Dev. This new theme includes a streamlined user interface, providing a simplified user experience for app developers.
The API admin, Site Admin, and Business Admin capabilities available in the Default Theme are excluded from the Simple Developer theme for the sake of simplicity. One installation can have both themes, with multiple customizations of each, sharing the same database. Each theme has a different URL.
Simple Developer theme offers an easily customizable look and feel, and is easily extensible.
In SAML, abbreviation for Service Provider.
A cryptographic protocol used to add security to messages by encryption. SSL uses X.509 certificates and asymmetric security. The session key is used to encrypt the messages. SSL offers encryption and identification.
Abbreviation for single sign-on, a feature allowing a user to sign in once for more than one system rather than signing in separately to each system.
If an app offers single sign-on, this means that the app, acting as a Service Provider (providing services to an end user) uses an Identity Provider, an entity that provides authentication and possibly authorization services, to verify the identity of an end user logging on to the app. The user signs in to the Service Provider, and the Service Provider either implicitly or explicitly requests authentication from the Identity Provider. Once authentication is received, the Service Provider delivers the requested service to the end user.
Swagger is a specification and framework implementation for dynamically generating API documentation for RESTful web services. The platform includes an implementation of Swagger that works in conjunction with the Add a New API Wizard. For more information, see What is Swagger and how does it work?
A tag is essentially a keyword or key phrase that's added to a piece of content, or information associated with a resource, to assist in search results. Several different types of resources can have tags assigned to them; for example, apps, APIs, groups, and tickets. Multiple tags are separated by commas.
For example, if an app is a movie general knowledge game, the app owner might assign tags of movie, game, general knowledge; or an API owner can add a category or product line to the metadata for certain APIs so those APIs will come up in search results for that term.
target API
If an API is using the platform as a proxy, the target API defines the destination ("next-hop") endpoint for the API.
target host
When defining a domain in the platform, it is possible to define a virtual host address for each login domain. This is the target host. Example: <role>/<company>.com.
The tenant is a distinct developer portal and community that is logically separated from any other communities that may be hosted in the same product instance.
The Tenant is managed by the Site Administrator.
Test Client
The platform includes an API testing interface that acts as an easy-to-use test client for any API that is fully integrated, with an API definition in the platform. This test tool allows developers to thoroughly test all capabilities of the API.
It can be used for prototyping, testing, and troubleshooting apps against an API. It includes OAuth support for retrieving the OAuth token in order to process the message.
In Default Theme, the tool is called Dev Console; in Simple Developer Theme, it is called Test Client.
See also Dev Console.
One instance of the portal. More than one theme can be defined during the installation process and can then be customized for different purposes or audiences. Each theme has a separate URL. For more information, see What is a platform theme? (Site Admins only).
A type of feed entry, representing a trouble ticket created to raise an issue with a resource (app or API) or a connection. Tickets are typically created by a consumer of an API. Any member of the community can comment on a ticket, but it can only be marked as Resolved by the original creator or by an administrator of the target resource. For example, if Joe writes a ticket about an issue with the SkyBlue API, only Joe or the SkyBlue API Admin can mark the ticket as Resolved.
An access object sent to the requestor (client app) after authentication is complete and authorization has been granted. The token enables the client app to request access to the end-user's resources. OAuth, OpenID Connect, and SAML use tokens. There are different types of tokens, as defined in the applicable specification; for example, access tokens and bearer tokens.
token endpoint (OAuth)
The token endpoint first authenticates the client application. It then allows the client application to send the code received from the authorization endpoint; in exchange, it generates an access token and sends it to the client application.
Users connect to the authorization endpoint; apps connect to the token endpoint.
Trusted Certificate Authority
A Trusted Certificate Authority (CA) is a third party identity that is qualified with a specified level of trust. Trusted CA Certificates are used when an identity is being validated as the entity it claims to be. Certificates imported into the Platform Tenant (i.e., Host) must be issued by a Trusted Authority. Trusted CA Certificates must be configured prior to importing X.509 certificates for applications running on the platform.
Navigation: My Apps > Details > Security
To unmark a discussion, ticket, or other resource means to remove a mark previously placed on the resource. In the user interface, the mark icon is a thumbs-up, and the unmark icon is a closed fist.
unrestricted API access
Unrestricted API access for an app means that the contract is not limited to a specific license. The app has full access to all operations of the API. Compare: restricted API access.
UserInfo Endpoint (OpenID Connect)
One of the two ways offered by the OpenID Connect specification for the app to learn information about the end user. The OpenID Connect Provider can publish a UserInfo endpoint, which is a protected resource that returns claims about the authenticated end-user.
The client sends a request to the UserInfo Endpoint using an access token. The UserInfo Endpoint returns the user info to the client app.
The OpenID Connect Provider can issue an ID Token (JWT token) from either the Authorization Endpoint or the Token Endpoint.
Each app or API on the platform must have at least one version, and can have multiple versions. When a user creates an app or API on the platform, the first version is created automatically; when using the API it's important to complete both actions. If there is only one app or API version, deleting that version also deletes the app or API.
Acronym for a virtual IP address.
A setting that controls the types of users who can see a resource, such as an app, API, group, license, or scope, and any associated items such as discussions and tickets.
There are three possible values. The first two are applicable to all resources that have visibility settings; the third is applicable only to apps, APIs, and groups.
  1. Public: anyone can see the resource, even anonymous users.
  2. Private: the resource is restricted to those who have been specifically invited to have visibility of the resource, usually by joining a private group that has visibility of the resource.
  3. Registered Users: the resource is visible to all users who have logged in, but is not visible to anonymous users.
well-known configuration URL (OpenID Connect)
In the OpenID Connect protocol, the Well-Known Configuration URL is a specific URL published by the OpenID Connect provider. The platform can use this URL to retrieve other values it needs, such as the Authorization Server URL, Token Endpoint URL, UserInfo Endpoint URL, and the security parameters used for tokens.
Note: If the well-known configuration URL uses the HTTPS protocol, the issuer certificate of the server must be trusted by the platform. Also, the issuer certificate of the server must be part of the cacerts file on the Community Manager container JRE.
Workflow defines the sequence of steps that are followed in a business process, including such related data as conditions (for example, a ticket must be resolved before it can be closed), state (for example, a ticket can have states of Open, Resolved, and Closed), or role (for example, a certain step can only be completed by an Administrator).
Defining the workflow for a business process gives you control over the process and allows you to monitor and customize as needed to streamline the business process.
The platform includes default out-of-the-box workflows for certain resources, such as API contracts, and allows you to customize the workflow for several key resources.
workflow action
Certain types of activities on the platform must be done in a specific sequence. These are often managed by workflows. Each workflow action changes the state of the resource. Some examples of workflow actions are: requesting or approving an API contract, sending a group membership invitation, or changing the status of a ticket.
X-Csrf-Token_fedmemberID header
A custom header used by the platform to protect against CSRF attacks. For details, see What is the CSRF prevention feature? (Site Admin help).