---
title: Glossary
description: Terminology and concepts used in the WorkOS documentation.
breadcrumb:
  title: Home
  url: /
originalPath: .tmp-workos-clone/packages/docs/content/glossary.mdx
---

<GlossaryMarker>A</GlossaryMarker>

## Access Token

An access token represents the successful authorization of your application to access a user’s profile. During the Single Sign-On authorization flow, you’ll receive an access token and profile in exchange for your authorization code.

## ACS URL

An Assertion Consumer Service URL (ACS URL) is an endpoint where an identity provider posts SAML responses.

## API Key

A unique identifier used to authenticate your API requests.

## Attribute Mapping

Attribute mapping allows IT administrators to customize the user claims that are sent to your application. WorkOS normalizes these claims, so you can depend on a reliable, expected set of user profile information.

## Authorization Code

An authorization code is a temporary code that you will exchange for an access token. During the Single Sign-On authorization flow, you’ll exchange your authorization code for an access token and profile.

## Authentication Challenge

An authentication challenge, also known as challenge-response authentication, is a set of protocols that helps validate actions and protect resources from unauthorized access.

## Authentication Factor

An authentication factor is a category of credential that is intended to verify, sometimes in combination with other factors, that an entity requesting access to some system is who, or what, they are declared to be.

## Authorization URL

An authorization URL is the location your user will be directed to for authentication.

<GlossaryMarker>B</GlossaryMarker>

## Bearer Token

A Bearer Token is a single security token that authenticates an API request under the HTTP Bearer authentication scheme. The client must send this token in the `Authorization` header when making requests to protected resources.

In the context of a Directory Sync integration, a Bearer Token is generated by WorkOS for SCIM providers such as Okta to authenticate endpoint requests.

<GlossaryMarker>C</GlossaryMarker>

## CIMD

Client ID Metadata Document (CIMD) is the mechanism through which an MCP client identifies itself to an authorization server. You can use WorkOS and AuthKit to implement authentication for an MCP server you develop. As part of that, you’ll enable CIMD in the WorkOS Dashboard under _Connect_ → _Configuration_.

## Client ID

The client ID is a public identifier for your application that maps to a specific WorkOS environment.

## Client Secret

The client secret is a value known only to your application and an OAuth identity provider. Currently, client secrets are used in OpenID Connect and Google/Microsoft/GitHub OAuth connections.

## Connection

A connection is a way for a group of users (typically in a single organization) to sign in to your application.

A directory connection is a way to retrieve a complete list of users and groups from an organization.

<GlossaryMarker>D</GlossaryMarker>

## Discovery Endpoint

An OIDC discovery endpoint is a URL that provides metadata about an OIDC provider, including the issuer URL, supported authentication and token endpoints, supported scopes, public keys for signature verification, and other configuration information.

The discovery endpoint is served at the path `/.well-known/openid-configuration` on the provider’s URL.

Clients can use this endpoint to dynamically discover and interact with an OIDC provider without requiring manual configuration.

## Directory Group

A directory group is a collection of users within an organization who have been provisioned with access to your application.

## Directory Provider

A directory provider is the source of truth for your enterprise client’s user and group lists.

## Directory User

A directory user is a person or entity within an organization who has been provisioned access to your application.

<GlossaryMarker>E</GlossaryMarker>

## Endpoint

An endpoint is a location where an API receives requests about a specific resource.

In the context of a Directory Sync integration, an endpoint is the standardized SCIM definition of two things: a `/Users` endpoint and a `/Groups` endpoint.

<GlossaryMarker>H</GlossaryMarker>

## HRIS

A Human Resources Information System (HRIS) is software designed to maintain, manage, and process detailed employee information and human resources-related policies.

<GlossaryMarker>I</GlossaryMarker>

## IdP

An Identity Provider (IdP) is the source of truth for your enterprise client’s user database and authentication. The term is sometimes used when describing the IdP-initiated flow, which is an authentication flow that starts from an identity provider like Okta instead of your application.

## IdP URI (Entity ID)

An Identity Provider URI (Entity ID) is a globally unique name for an identity provider that performs SAML authentication assertions. Sometimes referred to as Identity Provider Issuer (Okta, Entra ID).

## IdP SSO URL

An Identity Provider SSO URL (IdP SSO) is the URL your application’s users will be redirected to for authentication with an identity provider. Sometimes referred to as Identity Provider SAML 2.0 Endpoint (OneLogin).

## IdP Metadata

Identity Provider Metadata (IdP Metadata) is the URL or XML file containing all of the metadata relevant to a specific identity provider. It includes attributes used by a service provider to route SAML messages, which minimizes the possibility of a rogue identity provider orchestrating a man-in-the-middle attack.

<GlossaryMarker>J</GlossaryMarker>

## JIT User Provisioning

Just-in-time (JIT) user provisioning creates a user in an app when the user attempts to sign in for the first time. The account and respective role don’t exist until the user creates them – just-in-time.

## JWT

JSON Web Tokens (JWTs) are an open, industry-standard method for representing claims securely between two parties.

<GlossaryMarker>O</GlossaryMarker>

## Sign-out redirect

An allowlisted location a user is redirected to after they sign out via the Logout API.

## OAuth 2.0

OAuth 2.0 is an open standard for authorization. WorkOS supports OAuth 2.0, and our Single Sign-On API is modeled after concepts found in OAuth.

## OIDC

OpenID Connect (OIDC) is an open standard and identity layer built on top of the OAuth 2.0 framework.

<GlossaryMarker>R</GlossaryMarker>

## Redirect URI

A redirect URI is a required, allowlisted callback URL. The redirect URI indicates the location to return an authorized user to after an authorization code is granted and the authentication process is complete.

<GlossaryMarker>S</GlossaryMarker>

## SAML

Security Assertion Markup Language (SAML) is an open standard for authentication. Most of your enterprise clients will require SAML 2.0 authentication for their Single Sign-On.

## SCIM

System for Cross-domain Identity Management (SCIM) is an open standard for managing automated user and group provisioning. It’s a standard that many directory providers interface with.

## SP

Service Provider (SP) is SAML parlance for “your application”. The term is sometimes used when describing the SP-initiated flow, which is an authentication flow that starts from your application instead of an identity provider like Okta.

## SP Entity ID

A Service Provider (SP) Entity ID is a globally unique name for a service provider that performs SAML authentication requests, and is the intended audience for SAML responses. It is sometimes referred to as the Audience value.

## SP Metadata

Service Provider Metadata (SP Metadata) is an XML file containing all of the metadata relevant to a specific service provider. Identity providers will use SP metadata files to make onboarding your application easier.

<GlossaryMarker>T</GlossaryMarker>

## TOTP

Time-based One-time Password (TOTP) is a temporary code, generated by an algorithm that uses the current time as a source of uniqueness.

<GlossaryMarker>X</GlossaryMarker>

## X.509 Certificate

An X.509 Certificate is a public key certificate used to authenticate SAML assertions. Sometimes referred to as Token Signature (AD FS).
