Key concepts and terms


Access code

In the Hosted Login version of two-factor authentication, an access code is a random, one-time password sent to a user (either by email or by text message) following a successful authentication. To be fully logged on, the user must retrieve the access code and the type it into the Access Code Required screen.

Access schema

Restricts API clients to specific attributes within an entity type. This provides a way to grant an API client (and any administrators/developers who use that client) access only to the user profile attributes needed to carry out a specific business activity: if an API client doesn’t need access to a user’s home address or phone number you can ensure that the client won’t have access to those attributes.

Access token

Mechanism (in Hosted Login, a JSON web token) that tells websites and applications which resources that you should have access to. When you request access to a resource, the server or app checks your access token to make sure you’re actually allowed access to that resource.

As a general rule, access tokens are “bearer tokens,” which means they provide access to anyone who has possession of (i.e., who bears) that token. No identity checks are performed when you access a resource; instead, possession of the token is all that matters.

Account merge

Process by which a user can log on to a website or app by using a social login provider, then have that social login account "merged" with their existing Identity Cloud account. For example, suppose Karim Nafir typically logs on to the Identity Cloud by using an email address ( and password. Let's further suppose, however, that one day Karim logs on by using his Google account, which also employs the email address Because the email address matches an existing account, Karim is given the option of merging the two accounts. By doing so, he can access the same account and the same user information regardless of whether he logs on with an email address and password or if he logs on by using his Google account.


Feature that restricts access to a website or mobile app based on a user's age: users below a specified age (or users who have not provided a birthdate) are denied access.


In Console, the term agent refers to anyone who has bene granted one or more administrative roles.

Agent group

Provides a way to display different sets of attributes to different agents each time those agents search for user profiles in the Console. For example, one group of agents might see a user's first name, last name, display name, email address, phone number, and country of residence when they do a search. A second groups of agents might see a user's first name, last name, email address, API client name, account creation date, and last login date when they do a search.

Allow list

Typically used to specify the only items that should be given access to a resource or be allowed to carry out a particular activity. For example, API clients have an IP allow list that specifies the IP addresses that are allowed to use the API client to call Identity Cloud APIs: if your IP address isn't on the allow list then you won't be able to make API calls from that address.


Although it's not important to the generic definition of an allow list, we should still note that not all the Identity Cloud APIs respect the use of the IP allow list.

Anti-forgery state token

Helps guard against Cross-Site Request Forgery (CSRF) attacks. To do this, the anti-forgery state token is included in an initial authentication request and is then returned by the authorization server. The client can then compare the original token value with the returned value and verify that they are the same. If they aren't, that suggests that a CSRF attack of some sort might have occurred.

API client

Makes authenticated requests against Identity Cloud REST APIs. Typically, these API calls are used for logins and registrations: when a user logs on to or registers with a website, that logon or registration is managed by using an API client (referred to in the Console as a property). API clients are also involved when administering a website: access to site resources (such as user profiles) is dictated, in part, by the client used to make a management request. Different types of API clients have different sets of permissions and different levels of access.

API client feature

Specifies the permissions granted to an API client. The Identity Cloud supports the following feature types:

  • access_issuer. Permission to issue access tokens scoped for use with all clients.

  • direct_access. Read and write access to all user records. You can also use this client type to manage flows and flow components.

  • direct_read_access. Read access to all user records.

  • login_client. Scoped with read and write access to only the currently authenticated user. It can only be used with sign-in and registration based API endpoints. All client-side API calls should be made using a client with this feature.

  • metadata. Does not update the lastUpdated attribute when posting updates to a user record. This client feature set is commonly used with third-party integrations. This type of client can only be provisioned by the Akamai team.

  • owner. Has complete admin access to the application. The application owner credentials should only be used for administrative configuration purposes, such as provisioning additional API Clients, updating client settings, and managing your schema.

  • Read more about API clients

API-based implementation

Identity Cloud implementation in which user logins and registrations are managed primarily by using the Authentication APIs and not by using the JavaScript SDK or Hosted Login. API-based implementations offer organizations additional flexibility, but are also much more labor-intensive. For example, instead of leveraging prebuilt Hosted Login screens and forms, organizations doing an API-based implementation must create these elements themselves.

Application client

A special type of API client that serves as a "bridge" between the original Identity Cloud login and registration services and the new OAuth/OpenID Connect login and registration service used by Hosted Login. Application clients (which are automatically created and assigned any time you create an OIDC login client) are primarily used to maintain settings that play a major role in determining the Hosted Login look and feel.


Specific form of authentication that enables users or system processes to prove their identity by using tokens.


A recognizable piece of information belonging to a specified user account; for example, a user's first name, a user's mobile device number, and the last time a user logged on are all examples of user profile attributes. If Identity Cloud entity types can be liked to user databases (and they can), then attributes are very similar to the fields found in a database.


Examination of the management controls within an information technology infrastructure. For example, in Console you can retrieve audit information for user profiles; this information reports all the changes made to the user account for a specified time period (up to 90 days). The available data includes information about when a user last logged on or logged off as well as any changes made to the user’s user profile.


Process of confirming an identity (typically a user identity). The goal of authentication is to answer the question, "Are you really who you say you are?" Often shortened to AuthN (Authentication).


Process of verifying an authenticated user's access to resources. The goal of authorization is to answer the question, "Now that we know who you are, what are allowed to do?" Often shortened to AuthZ (Authorization), authorization takes place after a user has been authenticated.

Authorization code

Server-supplied information used in the OAuth/OIDC authentication process. After a successful authentication, the client is given an authorization code. That code can be presented to the token endpoint and exchanged for an identity token, an access token, and a refresh token.

Authorization grant / authorization flow

Specifies how authorization requests are made (for example, what information must be presented to the authorization server) and how those requests are handled. Hosted Login supports the following authorization grant types:

  • authorization_code Clients receive an authorization code they can exchange at the token endpoint for an access token, a refresh token, and an identity token.

  • implicit. The authorization endpoint directly issues clients an access token and/or an identity token, and does so without requiring the client to visit the token endpoint.

  • refresh_token. Clients exchange a refresh token for a new access token (a fairly common exchange considering the fact that access tokens have, at most, a one-hour lifespan).

  • client_credentials. Clients obtain an access token by supplying the credentials of an OIDC confidential client rather than the credentials of an individual user. In Hosted Login, this grant enables you to obtain the configuration access tokens required to call the OIDC Configuration APIs.

  • hybrid. Combines the authorization_code and the implicit grant types.

  • Read more about the grant types supported by Hosted Login

Authorization request

When using OAuth 2.0 (like Hosted Login uses), an authorization request is nothing more than a user asking to be authenticated and then logged on to a website or app. Typically, these requests are made in a web browser, and by clicking a link similar to the following:

Authorization rules

Specify "extra" conditions that Hosted Login users must meet before they can fully log on. After a user has been authenticated, authorization rules can verify that the user meets any (or all) of the following conditions:

  • The user profile has values for organization-required attributes such as *mobileDeviceNumber**.
  • The user meets the site or app's minimum age requirements (based on the value of the birthday attribute).
  • The user has agreed to the terms of service and privacy policy.
  • The user has agreed to the required user consents.
  • The user has verified their email address.

If the specified criteria have not been met the user must resolve those issues before they can be logged on (e.g., the user must supply their mobile device number or agree to the terms of service).


Basic authentication

REST API authentication method in which an API client ID and client secret are base 64-encoded to create an authorization code included in your API call. Basic authentication can be used with many of the Identity Cloud REST APIs; the remaining APIs typically rely on token-based authentication.

Bcrypt password hashing

Hashing function that stores Identity Cloud passwords. When a user logs on to a Akamai-powered web site, his or her password is "hashed;" that is, the Bcrypt algorithm is used to convert the user password (e.g., password) to a hashed value (e.g., $2a$04$ieykoinw2dh2O6Z/qN6ARu281.2wtcjZ4PRxk. Vu78SW3B8mckmAq). The hashed value is then compared to the stored password to determine whether or not the user will be authenticated.

In addition to hashing, Akamai employs additional techniques (such as using a password "salt") to create password hashes that are extremely difficult to crack.

Bearer token

Token that provides access to anyone who has possession of it (i.e., anyone who bears that token). Access tokens are bearer tokens: when you present an access token no identity checks are performed to verify that the token really belongs to you. Instead, possession of the token is all that matters.


Callback URL

See redirect URI.


Acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart." CAPTCHA is a challenge/response test used to determine whether or not the user is human. The goal behind CAPTCHA is to prevent bots and other automated processes from performing specified activities on websites. The ubiquitous “I’m not a robot” checkbox is an example of CAPTCHA.

Capture UI

Server-side "daemon" that performs authentication, registration, single sign-on, backplane registration, settings communication, flow construction, and user tracing through the flow. Each time a user completes a flow screen (for example, the initial sign-on screen), Capture UI determines the correct response and directs the widget to render the next screen.


See Customer Identity and Access Management.


In OAuth/OIDC, claims provide a way for you to return information about a specific attribute or set of attributes. For example, instead of returning the entire profile scope, you could return just the user's name and birthdate.

Client credentials grant

Grant type in which authentication and authorization takes place by supplying the credentials of an OIDC confidential client rather than the credentials of an individual user. In Hosted Login, this grant enables you to obtain the configuration access tokens needed to call the OIDC Configuration APIs.

Client ID

The "username" for an API client. Client IDs are not secret: knowing a client ID is equivalent to knowing a user's username or email address.

Client reputation

Proprietary Akamai technology that analyzes an IP address and, based on such things as attacker persistency, number of targeted applications, severity of the attack, magnitude, industry, and previous attacks targeting a customer’s applications, determines the likelihood of this IP address engaging in some sort of web attack (e.g., a direct denial of service attack).

Client secret

The password for an API client. Unlike client IDs, client secrets are secret: client secrets should be treated as confidential, and should never be shared with anyone, including Akamai. If a client secret should be exposed (or if a user who had access to a client secret leaves your organization), Akamai strongly recommends that you use the Console to reset the secret for the affected API client.

Code challenge

Mechanism used in the Authorization code + PKCE grant type to enable users to authenticate without having to pass the client secret used by a confidential OpenID Connect client.

Confidential client

OpenID Connect client that includes a client secret, a client secret that must be passed as part of an authorization request. Hosted Login supports the use of confidential clients primarily as a way to offer widespread support for OAuth and OIDC. However, Akamai discourages the use of confidential clients (and the Authorization Code for Web Apps grant type). Instead, it's recommended that you use the Application Code + PKCE grant type for user logins and registrations.

Configuration API

REST API used for managing flows, clients, settings, and other various aspects of an organization's Identity Cloud ecosystem. Typically referred to as CAPI.

Configuration client

A special type of API client that's used to obtain the administrative access tokens required by Hosted Login, Webhooks v3, and Custom providers. To obtain an administrative access token you don't authenticate by using your own user name and password; instead, you authenticate by using the client ID and client secret of the configuration client.

Note that configuration clients are only used for getting administrative access tokens: they aren't used as part of the login and registration process.


Users consent (or lack thereof) to using their personal data for a specific activity. According to the European Union's General Data Protection Regulation, consent must be:

  • Freely given.
  • Specific to an activity.
  • Informed.
  • An unambiguous indication of the user's wishes.


The next generation of Identity Cloud management tools. Among other benefits, the Console provides:

  • One location for all your management tools, with a unified look and feel.
  • Delegation of administrative authority by using a single mechanism: roles.
  • Full-fledged user profile search capabilities, including the ability to write queries that employ wildcard characters and Boolean operators such AND and OR.
  • The ability to export user profile data. The Console also allows you to export audit data for a specified user.
  • Full application and API client management.
  • Detailed access to your entity type schemas.


Defines certain properties that data in a database must comply with; for example, the Length constraint defines the maximum number of characters that an attribute can have.

Cross-Site Requests Forgery (CSRF) attacks

Attacks that occur when a user, legitimately logged on to a trusted website, is tricked into running an unauthorized command (typically from a malicious link that has been embedded within that trusted site).


Computer software project providing a library and command-line tool for transferring data using various protocols.

Custom (configurable) IdP

Enable you to create your own social login providers, and without having to rely on Akamai support services. This means that any social login identity provider can be used to register for an account or to log on to your website or app, provided that the identity provider uses one of the following protocols:

Customer Identity and Access Management

Typically shortened to CIAM. Technology that enables organizations to securely capture and manage user identity and profile data, and to control user access to applications and services. CIAM provides a safe and secure way for users to log on to web sites and mobile applications, and to be confident that their personal data and transactions are safe and secure.

CIAM vendors typically offer a number of services, including user registration, self-service account management, user preference and consent management, and single sign-on. These vendors also include services that assist with data security and data governance.

Customer Insights

The Identity Cloud’s premier reporting and data analytics tool. With Customer Insights you can use reports and dashboards (either those that ship with the product or those that you build yourself) to learn more about your user base. Those learnings are largely based on demographic information such as geographic location, preferred gender, age range, etc.


Data integrations

Combines data from disparate sources into a single, comprehensive, and user-friendly package. For example, if you use Salesforce Marketing Cloud, you can use a data integration to sync user profile data with your Salesforce contact data. This provides a richer and more complete view of your users than you would get if you looked at your user profile data and Salesforce contact separately.

Data migration

Process of copying an existing use data store to the Identity Cloud. Data migration is often used when you switch from one Customer Identity and Information Management to the Identity Cloud: data migration enables you to move all your user accounts and account information (including passwords) to the Identity Cloud, and without requiring users to recreate their accounts on the Identity Cloud.

Deny list

Indicates items that should not be given access to a resource or items that should not be used when a resource ism activated. For example, the SIEM delivery service includes a deny list (also known as a block list)of SIEM events: any events shown on the deny list do not trigger event notifications.

Direct Denial of Service attacks

Type of web attack in which the goal is to flood a site with bogus requests, so many requests that the site becomes unbearably slow, or even crashes. These bogus requests tend come from thousands of locations (typically by hijacking malware-infected computers or phones), making it impossible to stop the attack simply by blocking a given IP address.

Discovery document

Collection of OpenID Connect (OIDC) values that can be retrieved by a client, enabling those clients to configure themselves. For example, you should never have to specify the public key for a client. Instead, your OAuth client can connect to the discovery document (also known as the well-known endpoint) and retrieve the latest copy of the public key for itself.

You can retrieve your discovery document by adding /.well-known/openid-configuration to the end of your Hosted Login domain URI. For example, if your Hosted Login URI is then your discovery document can be found here:

Distinguisher field

Attribute that limits Console agent access to user profiles. For example, you can limit an agent to accessing profiles from a specific country by setting the user_distinguisher_field setting to You can then set the distinguisher value to US; at that point, agents assigned this access level will only be able to work with the user profiles of US residents.

Domains allow list

When present, the Identity Cloud only accepts token URLs from the domains shown on the allow list. (If your allow list is blank (the default value), the Identity Cloud accepts token URLs from any domain.) The fewer domains you accept tokens from the more secure your environment.

If you decide to use the allow list feature it's important that you only allow list domain names and never domain IP addresses. As a cloud-based enterprise, we use dynamic IP addresses that are guaranteed to change (and to change randomly rather than on a set schedule). If you allow list the IP address for an Identity Cloud server (e.g.,, you could suffer a disruption in service if the server's IP address changes.



Functions available through a REST API. For the Identity Cloud, these functions include such things as retrieving a user account, updating an API client, or creating an entity type. Endpoints are typically expressed as URLs; for example: In the API documentation you'll often see endpoints referred to as operations.


Original name for social login, the process of using a social media account to log on to a third-party site. The name "Engage" lives on in the Social Login Engage Dashboard, the primary tool for setting up social logins in Akamai's Identity Cloud.


Somewhat-technical name for an individual user or, more correctly, a user profile in a user profile database (entity type). For example, to search for a user, you use the entity.find endpoint.

Entity type

User profile database. Each Identity Cloud implementation includes a single entity type: user. You can modify this database as needed, or create new entity types.


Value used to verify the version of a custom provider. Based on the Etag, it's easy to determine whether or not a provider has been updated since the last time you checked the provider: if the current Etag differs from the last Etag, that indicates that the provider has been modified in some way.

Event filter

Enables you to more specifically target the Webhook v3 events you'll receive notifications for. For example, instead of receiving a notification any time a user profile is changed in any way (for example, any time a user changes their middle name or adds their birthday), you can limit notifications to profile changes of more importance or interest. For example, you might receive notifications only when a user changes their password or their email address: after all, an unexpected flurry of password changes could indicate that a security breach has taken place.

Event pipeline

Provides a way for servers and other components to quickly and easily share event information. Each time an event occurs within your Identity Cloud implementation, information is collected about the event and handed off to the event bus, which is responsible for making sure that event records get sent to the appropriate locations. That event data is then transferred to the event store by using the event pipeline.

Event store

Backend database where Webhook v3 events are temporarily stored. Events remain in the event store for 7 days.



Automatic restoration of the primary system (a computer server, system, hardware component, or network) following a failover. For Identity Cloud customers, failback typically refers to Amazon Web Service data centers and databases.


Automatic switching to a redundant or standby computer server, system, hardware component or network any time the primary system fails. When the service is restored, the failback process restores service to the primary system. For Identity Cloud customers, failover typically refers to Amazon Web Service data centers and databases.


Fields provide a way to connect the information entered by or displayed to an end user with the information stored in an Identity Cloud user database (entity type). For example, an entity type likely includes a middleName attribute for storing a user's middle name. To display that middle name on a form (and to give the user a chance to change their middle name) a field named middleName might be displayed on a form. That field retrieves information from the middleName attribute and, if needed, writes updated information back to that attribute.


JSON file that defines the screens, forms, and fields displayed on an Identity Cloud web page. Flows play an integral role in defining the Identity Cloud user experience.


Collection of user profile fields that correspond to a specific Identity Cloud task. For example, the traditionalRegistrationForm form contains the information users must supply in order to create a new Identity Cloud account.


Hosted Login

The Identity Cloud's flagship product for managing user logins and registrations. Hosted Login is based heavily on standard protocols such as OAuth 2.0 and OpenID Connect. In addition, the v2 version of Hosted Login adds a number of more-sophisticated features, included two-factor and risk-based authentications.

Hybrid grant

Hosted Login authorization grant that combines two different grant types (authorization code and implicit) in the same authorization request. For example, a hybrid grant might be used to initially obtain an identity token and an authorization code. Information found in the identity token can then be used to perform some sort of preprocessing (e.g., set up UI preferences). When preprocessing is complete, the authorization code can then be exchanged for an access toke, a refresh token, and an up-to-date identity token.


i18n string

Hard-coded strings that must be included in the i18nStrings key if a flow is to be translatable. (i18n is a "numeronym" in which the 18 represents the 18 letters between the first i and the last n in the word internationalization. Internationalization involves designing a software application so that it can be easily adapted for us in various languages and regions.)

Identity and Access Management

Typically shortened to IAM. Framework for business processes that facilitates the management of electronic or digital identities. This includes policies for managing digital identity as well as the technologies needed to support identity management. IAM is typically employed for internal organizational use and CIAM employed for customer-facing websites and applications.

Identity Provider

Entity that does two things:

  • Creates, maintains, and manages identity information for principals
  • Provides authentication services to relying party applications within a federation or distributed network. By using an IDP, you effectively outsource user authentication to a third-party.

Identity token

Enables applications and websites to know exactly who you are. Identity tokens:

  • Assert the user's ID
  • Indicate the issuing authority (e.g., Akamai)
  • Optionally specify how, and when, the user was authenticated
  • Are generated for a particular audience (client)
  • Include an issue date and an expiration date
  • Optionally contain user profile details such as name and email address
  • Are digitally signed so that the intended recipients can verify it

Identity tokens are typically not used for authorization; that's because these tokens often contain personally-identifiable information (like a name and/or an email address extracted from a user profile).

Implicit grant

In Hosting Login, a grant type in which the authorization endpoint directly issues clients an access token and/or an identity token, and does so without requiring the client to visit the token endpoint.


Specifies the entity that issued an access token. By default, a Hosted Login issuer will look similar to this:

In the preceding URL, e0a70b4f-1eef-4856-bcdb-f050fee66aae is your Akamai customer ID number.


Janrain Template Language

Used on HTML-based screens and forms to provide the a custom user experience for end users. For example, the JTL tag { firstName } indicates that the user's actual first name should be displayed in the form (e.g., "Welcome, Bob!"). Often shortened to JTL.

JavaScript SDK

The original Identity Cloud login and registration process, a process that relies on the "widget" and on the use of the various JavaScript SDKs. The JavaScript SDK is being phased out, and is currently available only to legacy Identity Cloud customers. Organizations new to the Identity Cloud use Hosted Login rather than the JavaScript SDK.

JSON web keys

Standard method for representing a cryptographic key using JSON (JavaScript Object Notation). In the Identity Cloud, JSON web keys are used to sign identity tokens and Webhooks v3 event notifications, and are also required to download SIEM event delivery events. JSON web keys come in private/public pairs: the Identity Cloud might sign a token by using the private key, and organizations would then use the public key to decrypt the signature and verify that the token was issued by Akamai.

JSON web token

Open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object; these tokens are used extensively in OAuth/OIDC authentication and authorization. Often shortened to JWT, and pronounced “jot.”


See Janrain Template Language.


Listener endpoint

Server configured to receive and process webhook event notifications. Each organization is responsible for owning, configuring, and maintaining their own listener endpoints.

Local Storage

Type of web storage that enables websites and apps to store and access data in the browser, and without assigning an expiration date to that data. Among other things, that means the data stored in the browser is not deleted when the browser window is closed.


Set of parameters that define the user's language and region; among other things, the locale is often used to determine the language employed in rendering an application's user interface.


For the Identity Cloud, localization primarily involves translating the text that appears on Hosted Login or JavaScript SDK end user screens. Out-of-the-box, all user screens are displayed by using US English. However, organizations have the option of translating that screen text into a host of different languages. Just keep in mind that organizations are responsible for doing their own translations and their own localization.

Login policy

In Hosted Login, login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type and by defining the login URL . All OpenID Connect clients (both public and confidential) must be associated with a login policy.



Child window in an application that temporarily disables the main window: users must interact with the modal window before they can return to the main window. For example, if a user clicks the Change Password link, he or she must either change their password or dismiss the Change Password dialog box before they can continue.

Most of the Identity Cloud screens presented to an end user are modal windows.

Multifactor authentication

Security system that requires more than one method of authentication in order to verify a user’s identity. Multifactor authentication requires two or more pieces of evidence; that evidence can be derived from what the user knows (for example, a password); what the user has (e.g., a security token), or what the user is (for example, a fingerprint or a face scan). Requiring more than one piece of credentialing information provides additional layers of security: for example, even if a hacker has stolen your password he or she must still be able to pass an iris scan before gaining access to a resource.



Arbitrary alphanumeric value used to verify OAuth/OIDC token validity. To help guard against replay attacks, the nonce should be changed each time it is used.

The term nonce comes from the English word nonce, which refers to a word coined for one specific occasion. For example, fluddle, a cross between a flood and a puddle, was coined in 1995 to describe driving on a water-logged British road.


OAuth 2.0

Framework that enables clients (either apps or websites) to obtain both authentication and authorization. As a framework, OAuth 2.0 establishes a standard set of message flows using JSON (JavaScript Object Notation) and HTTPS; however, OAuth does not dictate the process by which clients use these message flows. (That's where OpenID Connect comes in.)

One-time password

Auto-generated character string that authenticates a user for a single transaction or session. One-time passwords (OTPs) are often used in multi-factor authentication systems: the user typically enters his or her username and password and then, when prompted, enters an OTP sent to them by text message or email in order to gain access the system.

OpenID Connect

OpenID Connect (OIDC) is an "identity layer built on top of OAuth2." That simply means that OIDC is employed in user authentication and authorization: the technology helps to verify that you are who you say you are. At its core, OIDC is a secure mechanism that enables an app or a website to:

  • Contact an identify service provider and authenticate the user.
  • Receive an access token that determines the behaviors that the user is, and is not, allowed to carry out.
  • Securely retrieve any personal information (such as information extracted from a user profile) needed by the user or by the system.
  • Periodically refresh the user session, and prevent that session from timing out.

OpenID provider

Service that specializes in registering OpenID URLs. Often shortened to OP.


Password history

Identity Cloud technology that keeps track of (and prevents the reuse of) the last X number of passwords that a user has employed. (Where X can range from 0, meaning that passwords aren't tracked at all to 10.) For example, suppose password history is enabled and a user currently uses the password p@ssw0rd. If the user needs to change their password, password history prevents them from reusing the password p@ssw0rd. Instead, they'll have to pick a different password.

Password history is also referred to as unique password enforcement.

Password salt

A random number added to a password before that password is hashed. Using the password salt makes the resulting hashes extremely difficult to crack: a hacker would have difficulty decrypting the hashed passwords even if that hacker had the hashes values and knew the encrypting algorithm.


Information transmitted in a JSON web token. Also includes additional information about the user or the token as needed.

Personally identifiable information (PII)

Any information that could be used to identify a specific person. An email address or a telephone number are examples of personally identifiable information (typically shortened to PII). A user's middle name -- Robert -- would, by itself, not be enough information for you to identify a specific person.


User profile attribute type that can store an indefinite number of objects. For example, the profiles plural contains all the data collected from all of a user's social media profiles, with each social media provider having its own set of attributes contained with the plural.


API development environment (ADE) used by more than 5 million developers and 100,000 companies worldwide. ADEs help support, simplify and formalize API development.

Progressive profiling

Strategy in which you gradually build up a user profile over time, and in context. With progressive profiling, personal data for a user is not collected all at once (e.g., at registration). Instead, data is collected over time, and only when needed to support the user experience.

Progressive profiling/registration supports the concept of data minimization: you only collect the data you actually have a use for. You say you don't need to know a user's gender? Then don't ask users for their gender.


Process of moving a flow from the development environment to the production environment.

Proof Key for Code Exchange (PKCE)

An OAuth 2.0 extension (pronounced "pixie") that enables an OIDC client to conduct an authentication and authorization session without having to pass along a client secret (password). Because no secret is exchanged, PKCE authorization code requests are far more secure than standard authorization code requests.

Protected resource

Any OIDC resource that requires authentication and authorization before it can be accessed. Your organization's home page is probably not a protected resource (assuming users don't have to log on before they can access the home page). Downloadable files available only to subscribers would be an example of a protected resource. By default, Hosted Login includes only a single protected resource: the user profile.

Public client

A type of OIDC login client that doesn't have a client secret; as a result, no client secret is passed as part of an authorization client. Public clients are used with the Authorization + PKCE grant type, a grant type recommended when authenticating and authorizing Hosted Login users.

Push claims

In Hosted Login, provides a way to ensure that a specified set of claims are returned following a successful login, and without having to hardcode the claims parameter in each authorization request.



Advanced form of CAPTCHA that makes an initial assessment as to whether or not an account asking for access to a resource is a bot. If there is a high degree of confidence that a legitimate user is requesting access, then access will be allowed with minimal disruption. Suspicious accounts will need to complete one or more CAPTCHA challenges before being granted access.

Redirect URL

URL that users are redirected to following a successful authentication. Also referred to as a callback URL.

Refresh token

Enables a client to stay logged on to a web site or application indefinitely. Refresh tokens are required because access tokens (which actually grant access to a resource) are typically short-lived. However, right before an access token expires a refresh token can be used to request a new access token and keep the session itself from expiring.

Relying party

Service, site, or entity that depends on a third-party identity provider to identify and authenticate users requesting access to a digital resource. Often shortened to RP.

Replay attack

Network attack in which valid information (such as a user password) is intercepted and then fraudulently used in an attempt to gain access to a resource.


Anything (a web page, a video, a downloadable file) that can be accessed by an OIDC client. See also protected resource.

Resource indicators

Mechanism that enables you to specify where an access token can be used. For example, when you present an access token to a resource server, the server can introspect the token and see if it (the resource server) is authorized to accept the token.

Resource owner

In technical terms " ... any entity capable of delegating access to a protected resource.” For more practical purposes, a resource owner is typically used to refer to an end user, More specifically, a resource owner is an end user who is requesting permission for their OIDC client to access a resource on the owner's behalf.

Response mode

when using Hosted Login, the response mode specifies how you want codes and token returned. Hosted Login supports the following response modes:

  • query. The server response is sent as query parameters in the redirect URI. This is the least secure response mode.

  • fragment. Similar to query mode, except that codes and tokens are not passed along when the client is redirected. However, URI fragments are stored in your browser’s history and in server logs, which increases the security risk.

  • form_post. Response values are encoded (using the application/x-www-form-urlencoded format) as body parameters, and are transmitted to the client by using the HTTP POST method. This is the most-secure response mode.

  • Read more about Hosted Logins supported response modes

Response type

When using Hosted Login, the response types specifies the items you want returned to the client following a successful authentication. With Hosted Login you return:

  • An authorization code. This code can the be exchanged at the token endpoint for an access token, a refresh token, and an identity token.

  • An access token. The authorization endpoint returns only an access token following a successful authentication. Refresh tokens and identity tokens aren't returned.

  • An identity token. The authorization endpoint returns only an identity token following a successful authentication. Refresh tokens and access tokens aren't returned.

It's also possible to combine response types in different ways. For example, this syntax causes the authorization endpoint to return an access token and an identity token:

response_type=access_token id_token


In Console, a reverse-queryable attribute is any attribute that, when used in a search term, can be prefaced by a wildcard character. For example, you can't search for all the users who have Gmail accounts (email = "*") unless the email attribute has been configured as reverse-queryable.

Risk-based authentication

Hosted Login security feature that can selectively require (or not require) two-factor authentication. For example, with risk-based authentication an ecommerce site might allow users to log on without having to go through 2FA. However, if those users attempt to access their account information in order to make a purchase, 2FA might then be required. That's because the act of accessing a user account is a much riskier activity that simply logging on and browsing a site.



Security Assertion Markup Language, an XML-based protocol for authenticating and authorizing user logins. SAML 2 is one of three protocols (along with OAuth 2.0 and OpenID Connect) that can be used to create custom social login identity providers.


"Blueprint" that specifies how a database is constructed. In the case of Akamai entity types, schemas specify the attributes included in each entity type, as well as the datatypes, rules, constraints, and other properties assigned to those attributes.

Scoped access

Provides differing levels of access to a resource. For example, in the Console, and depending on role assigned to them) agents have the right to do such thing as create, modify, and delete user profiles; assign agent rights to other users; and manage schemas. It's recommended that you follow the "least-privileges principle" when assigning access roles and permissions: give users the permissions that enable them to do their jobs, but do not assign them any permissions beyond that. For example, if Console agents only need to work with user profiles, do not assign them an agent role that also lets them manage the schema or create/delete agent accounts.


Identity Cloud "containers" that serve as the Identity Cloud web pages that end users interact with. For example the Sign-in screen is the web page users access in order to log on to a website or app. Note that both the JavaScript SDK and Hosted Login use screens. (And although there are similarities, the JavaScript SDK, Hosted Login v1 , and Hosted Login v2 screens.

Secure audience injection

See resource indicator.

Secure Edge

Security technology that combines Identity Cloud user/identity-based management and security capabilities with the network-based protection of the Akamai Intelligent Network.

Secure Edge helps to:

  • Identify and stop malicious behavior, reducing the ability of malefactors to compromise accounts.
  • Protect against DDOS, web application, and bot attacks on your registration and login endpoints.
  • Provide API protection from the same threats.
  • Minimize fraudulent account creation.

Self-service password reset

Method by which users are empowered to change their own passwords.


Standardized way of collecting and aggregating security and event information. To make the best use of SIEM events and SIEM data, you need a SIEM software platform such as IBM QRadar or Splunk. Short for Security Information and Event Management and pronounced “sim.

Single Sign-On

Enables users to register or log in once and effortlessly navigate across multiple websites without needing to log in again. Often shortened to SSO.

Social login

Enables a user to create an account on (and subsequently log onto) a website or app by using an existing account on a social login provider such as Facebook or Twitter.

  • Read more about configuring social login
  • Watch a video demonstrating how to configure social login for Hosted Login

Social login token

Issued after a successful authentication via social login. Social Login tokens can also be provisioned manually using the /signin/oauth endpoint in exchange for an IDP token.


Webhooks v3 mechanism that monitors the Identity Cloud event pipeline for events of specific interest. Any time one of those events occurs, an event notification is sent to the listener endpoint assigned to the subscription.



Mechanism that limits the lifespan of data in a computer or network. For example, if you change an API client secret, you must specify a time-to-live value for the old client secret. If you specify a TTL of 2 hours, that means the old secret remains valid for 2 hours. When those 2 hours are up, you will no longer be able to authenticate using the old client secret. Often shortened to TTL.

Token policy

In Hosted Login, token policies are primarily used to specify how long access and refresh tokens can be used before they expire. By default, access tokens are good for 1 hour and refresh tokens are good for 90 days. Token policies are also used to specify the scopes that can be returned following an authorization request.

Token signature

Encrypted value added to a Hosted Login identity token that combines the token header, payload, and private JSON web key. This value then serves as validation that the signed token really was issued by the organization claiming to have issued it: if you can decrypt the token signature using the issuer's public key that suggest that the token is legitimate.

Token-based authentication

Authentication process in which authorization is based on permissions (scopes) granted to an access bearer token. Users obtain this bearer token not by presenting their own credentials (e.g., username and password) to the token endpoint, but by using the client ID and client secret belonging to a configuration client.

Traditional login

Process of logging on to a website by using a username and password created specifically for that site.

Transactional emails

Emails automatically generated and sent by Akamai in response to user activities. For example, if a user changes his or her email address Akamai automatically sends an email asking the user to verify the new address.


Array of dictionaries that contain the values for all translatable text that appear in the flow, with each dictionary representing a locale.

Translations must be updated any time fields are added or removed from the flow, and any time an element name (such as a field name) is changed.

Trusted device

Provides a way for a user to bypass two-factor authentication as long as the user is running a trusted device. In Hosted Login, a trusted device is comprised of:

  • A user.
  • A web browser.
  • A hardware device (e.g., a computer or a cell phone).

Note that users are required to specify whether or not a device is trusted: there is no way for an administrator to trust (or "untrust") a user's device.

Two-factor authentication

Hosted Login v2's implementation of multi-factor authentication. As a general rule, a user logging on to a website or app where two-factor authentication is enabled must first enter their email address and password (which function together as the first factor). If authentication succeeds, a one-time access code is sent to the user by using either email or text messaging. The user must then present that code (the second factor) before they can be fully logged on and authorized.



Schema attributes that can be made available in local storage. userData is typically used to enhance/personalize the user experience; that's because this data is readily available in local storage and can be retrieved without having to make an API call to the user profile database.

In an Identity Cloud flow, the userData attribute defines the data available in local storage.



Charts and graphs (as well as tables, text displays, and maps) used to render data in Customer Insights.


Web application firewall

Examines web traffic to identify and filter out suspicious activity based on rule sets that you specify. A WAF, such as the Akamai WAF used in the Identity Cloud, can block such things as comment spam, cross-site scripting attacks, and SQL injections. Often shortened to WAF.

Webhook notification

Notification sent (in the form of a Security Event Token) to a listener endpoint anytime a subscribed-to event occurs on your website or app. For example, if you have subscribed to entityCreated events, a notification sent each time a new user account is creation (account creation triggers the entityCreated event).

Well-known endpoint

See Discovery document.


Client-side JavaScript loaded to the browser by using the load.js function. Taking its cue from the flow, the Widget renders predefined elements on a web page.