Auth has more jargon than any other part of web development. This glossary is the shortest possible explanation of each term — enough to decide if you need it, and a link to a deeper post for each.
Cover the next three sections once and you’ll outpace 80% of posts you’ll read on the subject.
Protocols & specs
- OAuth 2.0 — authorization framework. One app acts on a user’s behalf without seeing their password.
- OIDC (OpenID Connect) — identity layer on top of OAuth 2.0. What you actually want for “sign in with Google.”
- SAML — XML-based SSO protocol from 2005. You’ll meet it when enterprise customers sign contracts.
- SCIM — auto-provisioning of users from an IdP into your app. Required for enterprise deals.
- PKCE — OAuth 2.0 extension against code interception. Required for all public clients in OAuth 2.1.
Tokens
- JWT — JSON Web Token. Signed, tamper-evident data envelope. Carries claims.
- JWKS — JSON Web Key Set. The endpoint where an IdP publishes its public keys for JWT verification.
- Access token — short-lived credential used to call an API on a user’s behalf.
- Refresh token — long-lived credential used to get new access tokens without re-auth.
- ID token — JWT with identity claims about the signed-in user. Used by the client, not the API.
- Bearer token — any token where “whoever presents it” is treated as authorized. Most common shape.
Claims inside tokens
- Claims — the key/value pairs inside a JWT’s payload.
- aud (audience) — who the token is intended for. Always validate.
- iss (issuer) — who issued the token. Always validate.
OAuth flow pieces
- Authorization code — short-lived, single-use value returned on OAuth callback. Exchanged for tokens.
- state parameter — random per-request value that defends the OAuth flow from CSRF.
- Scope — a string that declares what permissions an access token has.
Sign-in methods
- Magic link — short-lived, one-time URL sent via email that signs a user in.
- Passkey — cryptographic credential stored on the user’s device. Phishing-resistant, no passwords.
- MFA — multi-factor authentication. Two or more proofs of identity.
Sessions & access control
- Session — server-side record that a particular user is currently authenticated.
- RBAC / ABAC — role-based and attribute-based access control. Start with RBAC; add ABAC when roles break.
- Multi-tenancy — one app serves multiple customer organizations with strict isolation.
Web security basics (auth-adjacent)
- CSRF — an attacker tricks the user’s browser into making an authenticated request.
- XSS — attacker JavaScript runs inside your origin. The most dangerous web vulnerability.
Where this matters
Knowing the terms is half the battle. The other half is knowing when each one actually applies to your product. Most SaaS builders don’t need to implement PKCE, rotate JWKS, or parse SAML assertions themselves — LoginWith handles the whole protocol layer behind a two-tag SSO setup and an OIDC-compliant SDK.
Start with the quickstart. Come back to the glossary when a customer asks a question that needs a specific answer.