Glossary
This glossary defines key terms and concepts used throughout the Thunder documentation.
A
Access Token
A credential issued by the authorization server that an application uses to access protected resources on behalf of a user. Thunder issues access tokens as JSON Web Tokens (JWT).
Application
A registered entity in Thunder that represents a client application (such as a web app, mobile app, or backend service). Each application has a unique client ID, an associated authentication flow, and an optional registration flow.
Application Template
A predefined configuration blueprint for creating applications. Thunder provides four templates: spa (Browser App), server (Full-stack App), mobile (Mobile App), and m2m (Backend Service).
Authentication Flow
A flow that defines how users sign in to an application. Authentication flows use a node-based graph to orchestrate steps such as credential verification, social login, OTP validation, or passkey authentication. Each application references one authentication flow.
Authorization Code
A temporary code issued during the OAuth 2.0 authorization code grant. The application exchanges the authorization code for an access token at the token endpoint.
Authorization Endpoint
The OAuth 2.0 endpoint (/oauth2/authorize) where user authentication begins. The endpoint redirects the user to the sign-in experience and, upon successful authentication, returns an authorization code to the application.
B
Browser App
An application type for browser-based single-page applications built with frameworks such as React, Angular, or Vue. Browser apps are public clients: they cannot hold a client secret, so they use PKCE to protect the authorization code exchange.
C
Client Credentials
An OAuth 2.0 grant type for machine-to-machine communication. The application authenticates directly using its client ID and client secret, without user interaction.
Client ID
A unique identifier assigned to each registered application. The client ID identifies the application when making OAuth 2.0 requests to Thunder.
Client Secret
A confidential key assigned to server-side (confidential) applications. The client secret authenticates the application at the token endpoint.
F
Flow
A configurable sequence of steps that defines a user journey in Thunder. Flows use a node-based graph representation where each node represents an action or interaction. Thunder supports three flow types: Authentication, Registration, and User Onboarding.
Flow Handle
A human-readable identifier for a flow (for example, default-basic-flow). Applications and other resources reference flows by their handle.
Full-stack App
An application type for server-rendered web applications built with frameworks such as Express, Spring, or .NET. Full-stack apps are confidential clients that receive a client secret for server-side authentication.
G
Grant Type
The method an application uses to obtain an access token. Thunder supports the following grant types: authorization_code, client_credentials, refresh_token, and urn:ietf:params:oauth:grant-type:token-exchange.
Group
A named collection of users within an organization unit. Groups enable role-based access control and simplify permission management across multiple users.
I
ID Token
A JSON Web Token (JWT) issued by Thunder that contains claims about the authenticated user, such as name, email, and profile information. ID tokens follow the OpenID Connect specification.
Identity Provider
An external authentication service (such as Google or GitHub) that Thunder can integrate with for social login. Identity providers enable users to sign in using their existing accounts on third-party platforms.
Introspection Endpoint
The OAuth 2.0 endpoint (/oauth2/introspect) that validates an access token and returns information about the token, including its active status, scopes, and expiry.
J
JSON Web Key Set (JWKS)
A set of public keys published at the /oauth2/jwks endpoint. Applications and resource servers use JWKS to verify the signatures of tokens issued by Thunder.
JSON Web Token (JWT)
A compact, URL-safe token format used by Thunder for access tokens and ID tokens. Each JWT contains encoded claims and a digital signature for integrity verification.
M
MCP Server
The Model Context Protocol (MCP) server built into Thunder. The MCP server exposes Thunder management capabilities (such as application and flow management) to AI-powered development tools like VS Code Copilot.
Mobile App
An application type for native or cross-platform mobile applications built with Swift, Kotlin, React Native, or Flutter. Mobile apps are public clients that use deep links or universal links for redirect URIs and require PKCE.
M2M (Machine-to-Machine)
See Backend Service.
O
OAuth 2.0
An authorization framework that Thunder implements to enable secure, delegated access to resources. Thunder supports OAuth 2.0 endpoints including authorization, token, introspection, and JWKS.
One-Time Password (OTP)
A temporary code sent to a user's phone number via SMS for authentication or verification. Thunder supports SMS OTP as both an authentication and registration method.
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that Thunder implements. OIDC enables applications to verify user identity and retrieve basic profile information through ID tokens and the UserInfo endpoint.
Organization Unit
A logical grouping of users within Thunder. Each organization unit can have its own user types, policies, and configurations. Thunder includes two default organization units: Default and Customers.
P
Passkey
A passwordless authentication method based on the WebAuthn/FIDO2 standard. Passkeys use public-key cryptography and biometric verification (such as fingerprint or face recognition) to authenticate users without passwords.
PKCE (Proof Key for Code Exchange)
A security extension for the OAuth 2.0 authorization code flow that prevents authorization code interception attacks. Thunder requires PKCE for browser apps and mobile apps, and supports the S256 and plain code challenge methods.
Prompt Node
A flow node that displays an interactive UI to the user and collects input. Prompt nodes contain UI components such as text fields, buttons, and social login options.
Public Client
An application that cannot securely store a client secret, such as a browser-based or mobile application. Public clients use PKCE instead of a client secret to secure the authorization code exchange.
R
Redirect URI
The URL where Thunder redirects the user after authentication. Each application must register one or more authorized redirect URIs. For mobile apps, this can be a deep link or universal link.
Refresh Token
A long-lived token that an application uses to obtain new access tokens without requiring the user to sign in again. Thunder issues refresh tokens alongside access tokens when the refresh_token grant type is enabled for the application.
Registration Flow
A flow that defines how new users create accounts. Registration flows can include steps such as collecting user attributes, verifying email or phone number, and setting up credentials.
Role
A named set of permissions within an organization unit. Roles define what actions a user can perform. Thunder includes a default Administrator role with full system permissions.
S
Scope
A permission boundary that limits what an application can access. Thunder supports the following OIDC scopes: openid, profile, email, phone, and address. The system scope grants access to Thunder management APIs.
Social Login
An authentication method that allows users to sign in using their existing accounts on external identity providers such as Google or GitHub.
T
Task Execution Node
A flow node that performs a server-side operation such as credential validation, user provisioning, or OTP verification. Task execution nodes use onSuccess and onFailure references to determine the next step in the flow.
Theme
A design configuration that controls the visual appearance of the sign-in experience. Themes define colors, typography, and styling for the Thunder Gate UI.
Thunder Console
The administrative web interface for managing Thunder. Access the Thunder Console at https://localhost:8090/develop to manage applications, users, flows, and other resources.
Thunder Gate
The user-facing sign-in, registration, and recovery UI. Thunder Gate renders the authentication and registration experiences defined by the application's flows and theme.
Token Endpoint
The OAuth 2.0 endpoint (/oauth2/token) where applications exchange authorization codes for access tokens, refresh access tokens, or request tokens using client credentials.
Token Exchange
An OAuth 2.0 grant type (urn:ietf:params:oauth:grant-type:token-exchange) that allows exchanging one token for another. This enables advanced scenarios such as delegation and impersonation.
U
User
An entity in Thunder that represents a person or account. Each user belongs to an organization unit, has a user type, and has a set of attributes defined by the user type schema.
User Attributes
The profile data associated with a user, such as username, email, given_name, family_name, phone_number, and picture. The available attributes are determined by the user type schema.
User Onboarding Flow
A flow that defines post-registration steps for new users, such as completing a profile or accepting terms of service.
User Schema
A definition that specifies the attributes and validation rules for a user type. Each user schema is associated with an organization unit and determines whether self-registration is allowed.
User Type
A category of user defined by a user schema. Thunder includes two default user types: Customer (allows self-registration, belongs to the Customers organization unit) and Person (managed by administrators, belongs to the Default organization unit).
Backend Service
An application type for server-to-server communication without user interaction. Backend services use the client credentials grant type and authenticate with a client ID and client secret. Also referred to as M2M (machine-to-machine).