Requirements Notation

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this documentation are to be interpreted as described in RFC 2119.


The IAS documentation uses the following terms:

Access Token

Access tokens are Credentials used to access protected resources. Access tokens issued by IAS are JSON Web Tokens (JWTs) signed with the RS256 algorithm.


Piece of information asserted about an Entity.


An application making protected resource requests on behalf of a resource owner (such as a user).


Data presented as evidence of the right to use an identity or other resources.


Human participant.


Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity.

ID Token

JWT that contains Claims about an Authentication. It MAY contain other Claims.


Entity that issues a set of Claims.

JSON Web Token (JWT)

JSON Web Token (JWT) is a compact, URL-safe means of representing Claims to be transferred between two parties.

Refresh Token

Refresh tokens are Credentials used to obtain Access Tokens.

Resource Owner

An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an End-User.

Resource Server

A server hosting protected resources, usually in the form of an API. Capable of accepting and responding to protected resource requests using Access Tokens.

Last updated