> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Glossary ## Access Token - **Definition**: A credential (often a JWT) issued by the authorization server that the client uses to access the resource server. It represents the client's authorization and typically has an expiry time and scopes attached. The resource server validates this token. ## Administrator - **Definition**: An IT administrator responsible for managing identity provider configurations within a customer organization. ## Admin Portal - **Definition**: A customizable web interface for customers' IT administrators to manage identity provider configurations. ## AI Agent Identity and Attestation - **Definition**: A process by which an AI agent proves its identity to an authorization server, often using cryptographic evidence (e.g. signed JWT assertions or hardware-backed keys), so the server can trust requests coming from that agent. ## API Endpoint - **Definition**: A specific URL where an API can be accessed to perform specific operations or retrieve data. ## API Key - **Definition**: A unique identifier used to authenticate API requests to Scalekit, allowing secure access to the platform's features and services. ## App - **Definition**: Another term for an application, representing the software product or service sold to customers. ## Application - **Definition**: The software product or service offered by B2B App developers to customers. - **Example**: A workspace can contain multiple applications. ## Audit Log - **Definition**: A record of all activities and changes made within the B2B App, used for security and compliance purposes. ## Authentication - **Definition**: The process of verifying the identity of a user or system attempting to access the B2B App. ## Authorization - **Definition**: The process of determining what actions or resources a user is allowed to access within the B2B App. ## Authorization Server - **Definition**: The server in OAuth that authenticates clients and issues tokens (could be a part of your SaaS or a third-party IdP like Okta Azure AD, etc.). It essentially says "Yes, client X, here is a token proving you are authenticated and allowed to do Y." ## Authorization URL - **Definition**: The URL to which users are redirected to grant authorization for the B2B App. ## B2B App - **Definition**: An application designed for use by other businesses or organizations to streamline operations. ## B2B SaaS App - **Definition**: A type of B2B App delivered over the internet, allowing access without local installation. ## Claims - **Definition**: Information about a user that is passed from an identity provider to a service provider during authentication. ## Client Credentials Flow - **Definition**: The OAuth process where a machine client exchanges its client ID and secret for an access token from the auth server. No user involved. The resulting token represents the machine and carries scopes for what it can do. ## Configuration - **Definition**: The settings and parameters that define how the B2B App interacts with Scalekit and other services. ## Connection - **Definition**: A link between the B2B App and a customer's identity provider for enabling Single Sign-On (SSO). - **Example**: Each organization can have its own unique connection. ## Customer - **Definition**: A business or organization that uses the application to meet specific needs. ## Custom Attribute - **Definition**: Additional fields added to user data in Scalekit for storing extra information. ## Dashboard - **Definition**: The main control panel within Scalekit for configuring settings, viewing analytics, and managing integrations. ## Deprovisioning - **Definition**: The process of removing user access and accounts when they are no longer needed or authorized. ## Directory Provider - **Definition**: An organization offering directory services, including identity providers. ## Directory Sync - **Definition**: A module in Scalekit for automatic provisioning and deprovisioning of user accounts. ## Documentation - **Definition**: Comprehensive guides and references that explain how to use and integrate with Scalekit's features and services. ## Dynamic Client Registration - **Definition**: A protocol (RFC 7591) that allows a client application to programmatically register itself with an authorization server to obtain credentials (client ID/secret, etc.). Useful for large-scale or third-party ecosystems where manual registration of clients is not feasible or to enable self-service integration in a controlled way. ## Environment - **Definition**: Different versions or instances of an application, such as test and live environments. - **Example**: Each environment has its own settings and is isolated for security. ## Error Handling - **Definition**: The process of managing and responding to errors that occur during API calls or application operations. ## Federation - **Definition**: The process of establishing trust between different identity providers and service providers for seamless authentication. ## ID Token - **Definition**: A JSON Web Token (JWT) issued by the identity provider containing user identity information. ## Identity Provider (IdP) - **Definition**: A service that verifies user identity and provides information about user attributes. ## IdP Simulator - **Definition**: A tool that mimics the behavior of an identity provider for testing integrations. ## Integration - **Definition**: The process of connecting Scalekit with other systems or services to enable seamless data flow and functionality. ## JWT - **Definition**: A standard format for representing claims securely between two parties. It is a compact, URL-safe means of representing claims securely between two parties. ## Logout - **Definition**: The process of ending a user's session and revoking their access to the B2B App. ## Machine-to-Machine (M2M) Authentication - **Definition**: Methods for verifying identity between two automated services or software entities without human intervention. Ensures a client program (machine) is trusted by the service it calls, typically via tokens, keys, or certificates. ## MFA (Multi-Factor Authentication) - **Definition**: A security feature that requires users to provide multiple forms of verification before accessing the B2B App. ## Model Context Protocol (MCP) - **Definition**: A new protocol (spearheaded by Anthropic and others) to standardize how AI models (assistants) can interact with external tools and data. It defines how AI agents can discover available "tools" (APIs) and the context to call them. For auth, MCP leverages OAuth 2.1 – effectively requiring AI agents to go through a secure authorization process to get access to those tools. Think of it as an evolving standard to make AI to SaaS integrations plug-and-play, with security built-in via OAuth. ## Mutual TLS (mTLS) - **Definition**: A transport layer security mechanism where *both client and server present certificates* to mutually authenticate each other during the TLS handshake. Provides strong assurance of identities at connection level and encrypts the traffic. Used in high-security environments and internal service-to-service auth. ## Normalized Payload - **Definition**: A standardized format for data sent from Scalekit to the B2B App. ## OAuth - **Definition**: A standard protocol for authorization enabling limited access to user data. ## OAuth 2.0/OAuth 2.1 - **Definition**: An authorization framework widely used for granting access to resources. OAuth 2.0 defines various *flows* (grant types) for different scenarios (authorization code, client credentials, etc.). OAuth 2.1 is an incremental update that compiles security best practices (PKCE required, no legacy flows, etc.). In M2M context, OAuth's **Client Credentials Grant** is most relevant, allowing a service to get an access token using its own credentials. ## OAuth 2.0 Token Exchange (RFC 8693) - **Definition**: A protocol that lets one token be exchanged for another—for example, an AI agent exchanging its machine-client token for a token scoped to call a downstream service on behalf of a user or another service. Enables delegation and impersonation scenarios. ## OIDC - **Definition**: A standard protocol for authentication that builds on OAuth 2.0. ## OpenID Connect (OIDC) - **Definition**: An identity layer on top of OAuth 2.0 (often used for user authentication). Mentioned here because the discovery document and id_token concepts come from OIDC. OIDC isn't directly about M2M auth (it's user-centric), but the OIDC discovery (`.well-known`) and JWT usage are leveraged in service auth too. ## Organization - **Definition**: The customers of B2B Apps, typically businesses. - **Example**: Each business is considered an organization with its own users. ## PKCE (Proof Key for Code Exchange) - **Definition**: An extension to OAuth used to prevent interception of authorization codes. The client generates a random secret (code verifier) and sends a hashed version (code challenge) in the auth request, then must present the original secret when redeeming the code. Ensures that even if an attacker intercepts the auth code, they can't exchange it without the secret. PKCE is now recommended for any OAuth client that can't secure a client secret – including mobile, SPA, and some machine clients. ## PKI (Public Key Infrastructure) - **Definition**: The system of certificate authorities, processes, and tools for managing digital certificates (like those used in mTLS). Involves issuing certs, distributing them, rotating when expired, revoking if compromised, etc. A robust PKI is needed to effectively use certificate-based auth at scale. ## Provisioning - **Definition**: The process of creating and managing user accounts and access rights in the B2B App. ## Rate Limiting - **Definition**: A mechanism that controls the rate of requests a user or application can make to the API within a specific time period. ## Refresh Token - **Definition**: A long-lived token that can be used to get new access tokens without re-authenticating. In M2M auth, refresh tokens are rarely used because the client can just use its credentials again. Refresh tokens are more for user-based flows to avoid prompting the user frequently. ## Resource Server - **Definition**: The API or service that the client wants to use – it receives tokens from clients and decides whether to accept them (by validating them). In our context, your SaaS API is a resource server that expects a valid token for requests. ## Role-Based Access Control (RBAC) - **Definition**: A method of regulating access to resources based on the roles of individual users within an organization. ## SAML Assertion - **Definition**: A statement by an identity provider indicating a user's authentication status. ## SCIM - **Definition**: SCIM (System for Cross-domain Identity Management) is a standard protocol for automating the provisioning and deprovisioning of user accounts and their attributes between an identity provider and a service provider. ## Scopes - **Definition**: Strings that define what access is being requested or granted in an OAuth token. For example, `read:inventory` or `payments:create`. Scopes let the token carry permissions, enabling the resource server to allow or deny requests based on scope. Principle of least privilege is implemented by granting minimal scopes. ## Service Account - **Definition**: A non-human account used by a software service. In context, it's an identity set up for a machine to use. For example, a service account could be created for "Data Sync Service" in a customer's tenant on your app. Service accounts have credentials (like client ID/secret or keys) to authenticate, and usually have roles or scopes assigned just like a user would. They enable organization-level or service-level tokens without tying to an actual person. ## Service Provider - **Definition**: An entity offering a product or service to another organization or individual, especially in SSO contexts. ## Session - **Definition**: A period of interaction between a user and the B2B App, typically starting with authentication and ending with logout. ## Social Connection - **Definition**: Allows users to sign in using their social media accounts. ## SSO (Single Sign-On) - **Definition**: An authentication method that allows users to access multiple applications with a single set of credentials. ## Team Member - **Definition**: Individuals from the B2B App developer's company who use Scalekit to manage applications. - **Roles**: Can include developers, product managers, or customer support staff. ## Tenant - **Definition**: An isolated instance of the B2B App for a specific customer organization, with its own data and configurations. ## Token - **Definition**: A piece of data that represents a user's authentication status and permissions, used for accessing protected resources. ## User - **Definition**: An individual who uses the B2B App, typically belonging to a customer organization. ## User Attribute - **Definition**: Properties describing a user's identity, used for authentication and access control. ## Webhook - **Definition**: A mechanism for the B2B App to receive notifications or updates from Scalekit. ## Webhook Payload - **Definition**: The data sent by Scalekit to the B2B App when a webhook is triggered, containing information about the event. ## Workspace - **Definition**: A centralized hub for B2B App developers to manage applications and settings. - **Example**: Think of it as a command center for efficient application management. ## Zero Trust Security - **Definition**: A security model where no user or device is inherently trusted, even if inside the network. Every access request must be authenticated, authorized, and continuously validated. For M2M, this means authenticating every service communication, minimizing implicit trust, and verifying identities at multiple layers (network & application). It often involves micro-segmentation and strict identity and access management for every machine identity. --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |