Glossary
This glossary defines key terms and concepts used throughout the ThunderID documentation.
A
Access Token
A credential issued by the authorization server that an application uses to access protected resources on behalf of a user. ThunderID issues access tokens as JSON Web Tokens (JWT).
Application
A registered entity in ThunderID that represents a client application (such as a web app, mobile app, or backend service). Each application has a unique client ID, an associated authentication flow, and an optional registration flow.
Application Template
A predefined configuration blueprint for creating applications. ThunderID provides four templates: spa (Browser App), server (Full-stack App), mobile (Mobile App), and m2m (Backend Service).
Authentication Flow
A flow that defines how users sign in to an application. Authentication flows use a node-based graph to orchestrate steps such as credential verification, social login, OTP validation, or passkey authentication. Each application references one authentication flow.
Authorization Code
A temporary code issued during the OAuth 2.0 authorization code grant. The application exchanges the authorization code for an access token at the token endpoint.
Authorization Endpoint
The OAuth 2.0 endpoint (/oauth2/authorize) where user authentication begins. The endpoint redirects the user to the sign-in experience and, upon successful authentication, returns an authorization code to the application.
B
Browser App
An application type for browser-based single-page applications built with frameworks such as React, Angular, or Vue. Browser apps are public clients that use PKCE for security.
C
Client Credentials
An OAuth 2.0 grant type for machine-to-machine communication. The application authenticates directly using its client ID and client secret, without user interaction.
Client ID
A unique identifier assigned to each registered application. The client ID identifies the application when making OAuth 2.0 requests to ThunderID.
Client Secret
A confidential key assigned to server-side (confidential) applications. The client secret authenticates the application at the token endpoint.
F
Flow
A configurable sequence of steps that defines a user journey in ThunderID. Flows use a node-based graph representation where each node represents an action or interaction. ThunderID supports three flow types: Authentication, Registration, and User Onboarding.
Flow Handle
A human-readable identifier for a flow (for example, default-basic-flow). Applications and other resources reference flows by their handle.
Full-stack App
An application type for server-rendered web applications built with frameworks such as Express, Spring, or .NET. Full-stack apps are confidential clients that receive a client secret for server-side authentication.
G
Grant Type
The method an application uses to get an access token. ThunderID supports the following grant types: authorization_code, client_credentials, refresh_token, and urn:ietf:params:oauth:grant-type:token-exchange.
Group
A named collection of users within an organization unit. Groups enable role-based access control and simplify permission management across multiple users.
I
ID Token
A JSON Web Token (JWT) issued by ThunderID that contains claims about the authenticated user, such as name, email, and profile information. ID tokens follow the OpenID Connect specification.
Identity Provider
An external authentication service (such as Google or GitHub) that ThunderID can integrate with for social login. Identity providers enable users to sign in using their existing accounts on third-party platforms.
Introspection Endpoint
The OAuth 2.0 endpoint (/oauth2/introspect) that validates an access token and returns information about the token, including its active status, scopes, and expiry.
J
JSON Web Key Set (JWKS)
A set of public keys published at the /oauth2/jwks endpoint. Applications and resource servers use JWKS to verify the signatures of tokens issued by ThunderID.
JSON Web Token (JWT)
A compact, URL-safe token format used by ThunderID for access tokens and ID tokens. Each JWT contains encoded claims and a digital signature for integrity verification.
M
MCP Server
The Model Context Protocol (MCP) server built into ThunderID. The MCP server exposes ThunderID management capabilities (such as application and flow management) to AI-powered development tools like VS Code Copilot.
Mobile App
An application type for native or cross-platform mobile applications built with Swift, Kotlin, React Native, or Flutter. Mobile apps are public clients that use deep links or universal links for redirect URIs and require PKCE.
M2M (Machine-to-Machine)
See Backend Service.
O
OAuth 2.0
An authorization framework that ThunderID implements to enable secure, delegated access to resources. ThunderID supports OAuth 2.0 endpoints including authorization, token, introspection, and JWKS.
One-Time Password (OTP)
A temporary code sent to a user's phone number via SMS for authentication or verification. ThunderID supports SMS OTP as both an authentication and registration method.
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that ThunderID implements. OIDC enables applications to verify user identity and retrieve basic profile information through ID tokens and the UserInfo endpoint.
Organization Unit
A logical grouping of users within ThunderID. Each organization unit can have its own user types, policies, and configurations. ThunderID includes two default organization units: Default and Customers.
P
Passkey
A passwordless authentication method based on the WebAuthn/FIDO2 standard. Passkeys use public-key cryptography and biometric verification (such as fingerprint or face recognition) to authenticate users without passwords.
PKCE (Proof Key for Code Exchange)
A security extension for the OAuth 2.0 authorization code flow that prevents authorization code interception attacks. ThunderID requires PKCE for browser apps and mobile apps, and supports the S256 and plain code challenge methods.
Prompt Node
A flow node that displays an interactive UI to the user and collects input. Prompt nodes contain UI components such as text fields, buttons, and social login options.
Public Client
An application that cannot securely store a client secret, such as a browser-based or mobile application. Public clients use PKCE instead of a client secret to secure the authorization code exchange.
R
Redirect URI
The URL where ThunderID redirects the user after authentication. Each application must register one or more authorized redirect URIs. For mobile apps, this can be a deep link or universal link.
Refresh Token
A long-lived token that an application uses to get new access tokens without requiring the user to sign in again. ThunderID issues refresh tokens alongside access tokens when the refresh_token grant type is enabled.
Registration Flow
A flow that defines how new users create accounts. Registration flows can include steps such as collecting user attributes, verifying email or phone number, and setting up credentials.
Role
A named set of permissions within an organization unit. Roles define what actions a user can perform. ThunderID includes a default Administrator role with full system permissions.
S
Scope
A permission boundary that limits what an application can access. ThunderID supports the following OIDC scopes: openid, profile, email, phone, and address. The system scope grants access to ThunderID management APIs.
Social Login
An authentication method that allows users to sign in using their existing accounts on external identity providers such as Google or GitHub.
T
Task Execution Node
A flow node that performs a server-side operation such as credential validation, user provisioning, or OTP verification. Task execution nodes use onSuccess and onFailure references to determine the next step in the flow.
Theme
A design configuration that controls the visual appearance of the sign-in experience. Themes define colors, typography, and styling for the ThunderID Gate UI.
ThunderID Console
The administrative web interface for managing ThunderID. Access the ThunderID Console at https://localhost:8090/console to manage applications, users, flows, and other resources.
ThunderID Gate
The user-facing sign-in, registration, and recovery UI. ThunderID Gate renders the authentication and registration experiences defined by the application's flows and theme.
Token Endpoint
The OAuth 2.0 endpoint (/oauth2/token) where applications exchange authorization codes for access tokens, refresh access tokens, or request tokens using client credentials.
Token Exchange
An OAuth 2.0 grant type (urn:ietf:params:oauth:grant-type:token-exchange) that allows exchanging one token for another. This enables advanced scenarios such as delegation and impersonation.
U
User
An entity in ThunderID that represents a person or account. Each user belongs to an organization unit, has a user type, and has a set of attributes defined by the user type schema.
User Attributes
The profile data associated with a user, such as username, email, given_name, family_name, phone_number, and picture. The available attributes are determined by the user type schema.
User Onboarding Flow
A flow that defines post-registration steps for new users, such as completing a profile or accepting terms of service.
User Type
A category of user that specifies the attributes, validation rules, and registration settings for users belonging to that type. Each user type is associated with an organization unit and determines whether self-registration is allowed. ThunderID includes two default user types: Customer (allows self-registration, belongs to the Customers organization unit) and Person (managed by administrators, belongs to the Default organization unit).
Backend Service
An application type for server-to-server communication without user interaction. Backend services use the client credentials grant type and authenticate with a client ID and client secret. Also referred to as M2M (machine-to-machine).
