Glossary of Terms

Key terminology used in the platform.

#

2FA
Acronym for two-factor authentication.

A

access token
1) See, OAuth access token.
2) Same as bearer access token.
Action Dashboard
In 2020.1.0 and later, the feature previously named Dashboard was renamed to Action Dashboard and modified.
The user's Action Dashboard is the first page the user sees after logging in. The Action Dashboard includes information relating to apps and APIs the user is associated with. An individual user's Action Dashboard is an aggregation of all the Forum entries from all the resources that the user is following. An individual user can modify the types of information that are displayed on his/her Action Dashboard, in the Profile > Preferences page. See also Action Dashboard entry.
Navigation: Dashboard > Action Dashboard.
Action Dashboard entry/item
An informational item that appears on a user's Action Dashboard. The entries on a specific user's Action Dashboard are Forum entries for resources the user is following. An entry on the Action Dashboard can be any of the following: Alert, API Access Request (Contract Request), Discussion, or Ticket.
additionalProperties property in Swagger
Per the Swagger specification, the Schema Object supports the JSON Schema additionalProperties property, with limitations. In the Akana API Platform, the HTTP Message Validation policy allows you to control support for the additionalProperties property via the Allow additional properties by default field. Support for additional properties is enabled by default, but you can disable it.
For more information, see Allow additional properties by default (Policy documentation).
admin (group)
In the context of an API Scope Group, an Admin is the top-level group member, and can perform any functions associated with the group. For more information, see What can a group Admin do?
Aggregate Policy
An Aggregate Policy is a collection of two or more policies included in one. The Aggregate Policy can be configured in two ways:
  • AND: messages must meet all the policies defined
  • OR: messages must meet at least one of the policies defined
For example, in the Community Manager developer portal, an Aggregate Policy might include the AtmosphereApplicationSecurityPolicy and the OAuth policy, with configuration of OR. The message to the API must meet the requirements of one of the policies.
The platform supports Aggregate Policies for Operational and Compliance policy types. Test Client supports the Operational Aggregate Policy. For more information, see Test Client security settings: Aggregate Policy.
Aggregation Pipeline (in MongoDB)
In the context of MongoDB, the aggregation pipeline is:
"a framework for data aggregation modeled on the concept of data processing pipelines. Documents enter a multi-stage pipeline that transforms the documents into aggregated results."
For more information, see Aggregation Pipeline on the MongoDB site.
Ajax
An abbreviation for Advanced JavaScript and XML—A term for a set of related web development techniques that can be used together to update parts of a webpage without reloading the entire page.
Akana API Gateway
See, gateway.
Akana API Platform
The Akana API Platform is a set of features, previously installed separately, that are now integrated and are installed as a single product. It is made up of three different components: Policy Manager, Community Manager, and Network Director. Each component plays a unique role. For instance, Policy Manager is a set of applications that provide runtime policy enforcement, management, security, service configuration, and runtime governance.
Akana Platform
The Akana Platform is the underlying set of files that supports the Akana API Platform. When installing the product, the Akana Platform installation comes first.
alert
A type of Action Dashboard item designed to inform app or API administrators about an issue such as an SLA (Service Level Agreement) violation.
allowlist
A list of terms that are allowed, when there is an active denylist in effect.
AMQP
Acronym for Advanced Message Queuing Protocol; an open-standard protocol for message orientation, queueing, and routing. In the same way as other protocols, such as SMTP, HTTP, and FTP, that have defined the behavior of the provider and client so that different implementations are interoperable, AMQP is a wire-level protocol; this means that the data is sent as a stream of octets.
anonymous access (to an API)
With anonymous API access, users do not need to log in, or set up an app, to try out an API.
Allowing anonymous access to an API endpoint in the Sandbox environment is useful if you would like to offer a preview of an API to developers without requiring users to create an app or sign up to the platform. For example, if you have a specific feature set you would like to expose as part of promoting your API, you can expose those operations in your API configuration, and allow anonymous access.
Developers can read the documentation and access the API without signing up and requesting access to the API. If a developer tries out the API and likes it, he/she can then sign up to the platform, create an app, and request API access.
Anonymous access is typically granted to API Sandbox endpoints, but it is generally not a standard practice to grant anonymous access to a Live endpoint.
Note: When Allow Anonymous Access is set to Yes for an API, viewing usage data for apps in the Overview, Charts, and Logs sections of APIs > My APIs > choose API > Analytics is not supported. This applies whether or not an approved API Access Request exists for an app. The Analytics section still shows API usage data.
anonymous user
A user who is browsing the platform without logging in. Anonymous users can see public content but cannot post to Boards, write comments or ratings, or create resources such as apps.
API
A key resource in the Akana API Platform. An API provides a business with a way of using the Internet to extend business capabilities to connect with new customers in new ways. In this context an API is a Web service exposed outside the enterprise, typically using RESTful design principles, and often with JSON content.
API access request
A specific type of Connection Request; a request, initiated by an app team member, to establish a contract between the app and an API. An API access request governs the relationship between an app and an API for the life of the connection. When an app team member requests a connection to an API on behalf of the app, the API administrator is notified of the pending request and can approve or deny the request.
API Administrator
One of the roles defined in the Akana API Platform is that of the API Admin. Each API must have at least one Admin, and can have more. The API Admin approves or rejects connection requests, moderates the API's Forum, views and manages alerts and trouble tickets, and manages documents, policies, and other information associated with the API. The API Admin can also view performance and usage data for the entire API, and can invite others to be Admins for the same API.
API Administrator and API Admin are the same role.
Note: If a Business Admin assigns a user the API Administrator role in the context of a business organization, in Organizations > Organization > Security (see What are the default roles for the API platform: API Administrator), that role has full rights to view, add, modify, or delete an API, but does not have permission to view or modify the API Admin group. Only when a user creates the API, or is invited to the API Admin group, does the user have full rights both to the API and to the API Admin group.
API description document
An API description document is a document written in one of the API description languages supported by the API platform (OAS 3.x, Swagger 2.0, RAML 0.8, WSDL, or WADL). In the Community Manager developer portal, you Scan add an API by uploading the API description document, and you can update an API by uploading a revised document. The platform takes the information in the API description document and uses it to present a visual display of the API in API Designer, as well as generating the API documentation.
API description language
One of the formal languages that provides a structured description of a RESTful web API. You can create an API using the API description document that describes that API. The platform supports the following API description languages: Swagger, RAML, WSDL, and WADL.
For supported versions, go to the System Requirements doc. Then, go to the API description document formats section.
API Forum
The API Forum allows any member to post discussions about a specific API, or create trouble tickets about issues associated with the operation of a particular API.
Navigation: APIs > API Name > Forum
API Gateway
The Akana API Gateway provides service integration and gateway services for APIs. It bundles Akana Policy Manager with one or more message handling intermediaries.
API Owner
Responsible for adding an API. In a scenario where a basic platform user cannot add APIs, a user who is assigned the role of API Owner can add APIs. The user who creates the API becomes the first API Admin.
API Scope Group
A group directly associated with a specific version of a specific API, public or private, and created by an API admin for that API.
An API scope group is uniquely related to an API. There are two types: Independently Managed, which can exist separately from the API, and Not Independently Managed, which is automatically deleted if the API is deleted.
Each member has a group member role, as a Member, Leader, or Admin. Each group can have multiple Admins, Leaders, and Members.
Note: In the past, we used the term Private API Group. However, since the licenses feature was implemented, API visibility is affected by multiple factors. For this reason, the term was changed to API Scope Group. We also used the term API Context Group.
app
An app (application) is a piece of software that delivers specific capabilities to its users. In the context of the Akana API Platform, an app is a piece of software that consumes one or more APIs.
Appendix F
In version 2019.1.14 and later, the platform supports enforcing Appendix F (Detached Content of the JWS specification (Provider role only), in the JOSE Policy v2 (Unencoded Payload Support) configuration.
app Forum
The app Forum allows development team members to create private discussions with other team members about their specific application development projects. Team members can also create trouble tickets about issues associated with application development.
Navigation: Apps > My Apps > choose app > Forum
App ID
When an app developer registers an app in the platform, it is assigned an App ID. The App ID is a unique identifier for your app within the platform. All API calls include the App ID.
app team member
One of the roles defined in the Akana API Platform is that of the app team member. Each app must have at least one team member and can have more. An app team member initiates contract requests, such as API access requests, moderates the app's Forum, and views and manages trouble tickets relating to the app. The app team member can also view performance and usage data for the app's API usage, and can invite others to be team members for the same app. All app team members have the same rights.
A record (in DNS entry)
A DNS entry for a website address includes an A record that maps the hostname or CNAME to the IP address of the DNS entry.
Artifact Resolution Service (ARS)
In SAML, a service that you must set up if you want to use the HTTP Artifact binding (supported for single sign-on SAML response messages). You can then use the service to retrieve the full message using the artifact. See, HTTP Artifact.
Assertion
See SAML assertion.
Assertion Consumer Service (ACS) endpoint
In SAML, the endpoint where the service provider will receive SAML assertions from the identity provider.
asset
A component, or resource, that can be created, used, reused, and acted upon. The API platform includes many asset types, including APIs, apps, services, schemas, policies, tenants, legal agreements, API access contracts, and others. The platform's use of this term is per the OMG Reusable Asset Specification (RAS) (http://www.omg.org/spec/RAS/2.2/PDF). The specification is a set of guidelines and recommendations about the structure, content, and descriptions of reusable software assets.
asymmetric encryption
A form of encryption where data is encrypted and decrypted with two separate keys, a public key and a private key. For more information, see public key infrastructure.
AtmosphereApplicationSecurityPolicy
A policy used to identify (authenticate) an app that is attempting to consume an API, to determine whether or not the app is authorized to access the API. This policy type supports multiple mechanisms for the app to present its identity. For more information, see Policy List: AtmosphereApplicationSecurityPolicy.
AtmoAuthToken
A tenant-specific cookie. This is the platform's authorization token. The token is returned in the Set-Cookie response header. This cookie indicates the level of access allowed. It is valid only for 30 minutes and must be renewed at that time. It also includes other information, such as the APIs, apps, and groups the user is a member of. When any of this information changes, the token must be renewed.
Because the AtmoAuthToken includes a lot of information about the user, in some cases, the token is long, and could potentially cause requests to fail if the server has a limitation on HTTP header length. For this reason, container configuration properties include authTokenMaxLength. When the AtmoAuthToken would be greater than the max length, the platform creates a mini auth token, and saves the full auth token in the database.
authorization endpoint
See, OAuth authorization endpoint.
Authorization Server URL
See, OAuth Authorization Server URL.
auto-connect feature
The platform's auto-connect feature allows an API Admin to set up the API so that when a new app is created on the platform, a contract with the API is created automatically. The API Admin specifies the details of the access granted with the auto-connect feature, such as whether access is to the Sandbox or Live implementation, or whether access is limited to specific operations or a specific transaction volume (via the Licenses feature, implemented with scope mapping).
avatar
Within the platform, an avatar is an image that can be associated with a resource such as an app, API, user, or group.

B

base path
In the context of an API, the base path is the part of the URL that is after the hostname and is the same for all operations in the API.
The base path always starts with a leading forward slash (/). If nothing is specified for the base path, it defaults to the leading forward slash. This is the host root.
For an example, see Base URL below.
Base URL
In the context of an API, the base URL is the combination of scheme, hostname, and base path on the root level of the API. For example, in the Swagger Petstore API, the full URL for the POST /pet operation, which adds a pet, is http://petstore.swagger.io/v2/pet. The base URL is http://petstore.swagger.io/v2. This is constructed from these three elements:
  • Scheme: HTTP
  • Host: petstore.swagger.io
  • Base path: /v2
Base URL (SAML)
In setting up the SAML identity provider in Policy Manager, the platform provides a specific URL to be used for instances where the Identity Provider, when encountering an error, returns the error response to the default Service Provider endpoint rather than just showing the error on the authentication page. PingFederate is an example of an Identity Provider that returns an error response in this way.
To construct the endpoint to be used for error responses, the platform needs to know the {protocol_scheme}://{host}:{port} of the container where the SAML Web SSO domain is initialized. This is the base URL.
Basic authentication (HTTP)
Basic authentication requires that users provide a valid user name and password to access content. All major browsers support this authentication method and it works across firewalls and proxy servers. The disadvantage of Basic authentication is that it transmits passwords across the network using weak encryption. You should use Basic authentication only when you know that the connection between the client and the server is secure.
BeanShell engine
A scripting language. The API platform supports BeanShell engine for creating reusable scripts, useful for automating processes.
bearer access token (access token)
An access token that uses the standard and contains all the information the resource server needs to confirm the user’s grant to the application. It has the following three-part structure, with period separators: Header.Payload.Signature. The platform's OAuth Provider domain can issue Bearer access tokens. An advantage of the Bearer access token is that the Resource Server can validate by itself without having to go back to the Authorization Server.
bearer assertion
Same as ID token (OpenID Connect).
bearer token
Used in OAuth, the bearer token is a security token with the property that any party in possession of the token (the bearer) can use it. The bearer token is sent as-is in the API request, in the Authorization header. The platform's OAuth Provider domain supports Referenced Bearer (a simple bearer token) and bearer access token.
binding
In the context of Policy Manager, a binding is a reference to an external framework (interface) that defines how the WSDL user will reach the implementation of services. This reference specifies the protocol and data format to be used in the transmitting message defined by the associated interface.
binding category group
In the context of Policy Manager, binding category groups allow you to categorize service relationships with a higher level of granularity, and contain a list of business categories that describe specific business aspects of the Organizations, Services, tModels, Schemas, Interfaces, or Bindings.
Board
See Forum. In versions of the platform before 8.3, Forums for resources were called Boards.
Board item
See Forum entry. In versions of the platform before 8.3, Forum entries were called Board items.
Bonita theme
The Bonita platform theme is similar to Simple Developer theme, but includes read-only access to API information, including API details, API documentation, and more.
For more explanation, and illustrations showing the differences, see Bonita Theme and Simple Developer Theme.
BPEL
BPEL is an abbreviation for Web Services Business Process Execution Language (WS-BPEL), an OASIS standard executable language which is a standard format for specifying actions within a business process, used by web services.
BPEL file
A file using the BPEL language. When the Site Admin or Business Admin creates an export file from the platform, such as an API export file, the export ZIP file (package file) includes BPEL files.
broadcast
Used in connection with configuration of the platform's search feature. Broadcast configuration is appropriate for scenarios where the client/server relationship is 1 to many. The scope is subnet. At startup, the node sends a message to all possible destinations. Compare unicast which sends the same data to a single network address and multicast which sends the data to all interested destinations.
Business Administrator
One of the roles defined in the Akana API Platform is that of the Business Administrator. A business can own one or more APIs and apps, and must have at least one Administrator. The Business Administrator automatically has administrator rights over all the APIs and apps owned by the business as well as all the users who are part of the business. For more information, see What roles can a Business Administrator perform?

C

CA SiteMinder
CA SiteMinder® is a popular commercial access management product. The platform supports use of CA SiteMinder for login or for OAuth support.
callback URL
Redirect URL. See, OAuth callback URL.
CAPTCHA
Acronym for Completely Automated Public Turing test to tell Computers and Humans Apart; a security feature that helps ensure that the entity performing actions such as login is a human, not a bot. For information on the platform's CAPTCHA support, see How do I configure CAPTCHA on the platform? (Site Admin help).
Depending on the platform's configuration settings, users might see a CAPTCHA test on the following pages:
  • New user signup page.
  • Forgot Password page.
category (model object)
A logical grouping of models, defined by the Site Admin (More > Admin > Settings > Model Categories).
When the Site Admin defines one or more model object categories, they are available to the Business Admin when creating models. Each model can be assigned to a category. This allows logical grouping of model objects, and also facilitates search in a scenario where there are many models defined for a business.
CDN
Acronym for content delivery network or content distribution network; a distributed system for serving content over the internet.
CER file
A digital identity certificate file, generated by an authorized Certificate Authority in response to a request (CSR).
When uploading app credentials in the Community Manager developer portal, the app developer can upload either a CER file or a CSR file.
certificate
The digital certificate, issued by a Certificate Authority, which includes information necessary to the successful implementation of security with a public and private key pair. The certificate proves the ownership of the public key, and because the Certificate Authority is a trusted entity, the certificate is trusted.
The digital certificate generally includes the following information:
  • The certificate holder's public key.
  • Information about the certificate holder.
  • Information about the certificate authority.
  • Information about the certificate: Issue date, expiration date, and serial number.
In the context of the Community Manager developer portal, a digital certificate can be issued by a commercial trusted Certificate Authority (CA), such as Symantec (VeriSign) or Comodo, or by the platform itself.
Certificate Authority (CA)
For scenarios where asymmetric encryption is used, a Certificate Authority (CA) issues certificates and guarantees the validity of the binding between the certificate owner and its public key. The CA is a trusted authority, and any certificate issued by the CA identifies the owner of the certificate. Therefore, the private key that corresponds to the public key in the certificate is deemed to be known only to the specific owner. By requesting the public key from the CA, rather than from the key owner, there is an assurance that the key is indeed the valid public key for the key owner, that the key pair has not been compromised or revoked, and that the key owner holds the private key needed to decrypt messages that you encrypt with the public key, which the CA sends to you.
The platform supports two Certificate Authority options for app developers. The Platform Tenant (Host) provides a simplified version of a Certificate Authority that can issue and renew X.509 certificates, or the app developer can import a certificate that was issued outside the platform.
Navigation: Apps > My Apps > choose app > Details > Security
challenge question
A question that the Business Admin chooses as part of a security feature. When signing up to the platform, the user must provide the answer to one or more security questions, if the platform is set up to require them. The user's answers are stored in the database, and the user must answer one or more security questions on demand to perform certain functions such as resetting a password or changing the user profile.
claim
In OpenID Connect a claim is a piece of information about an end-user, which is returned to the Relying Party by the OpenID Connect Identity Provider after both the end-user and the Relying Party have authenticated. The OpenID Connect specification defines some standard claims; additional claims can be added. Depending on the process flow that's supported by the Identity Provider and requested by the Relying Party, claims might be returned in the UserInfo Response from the UserInfo Endpoint, or in the ID Token from the Token Endpoint.
Examples of standard claims: given_name, family_name, email. For more information, refer to the Standard Claims section of the OpenID Connect specification.
client node (in Elasticsearch)
See, Elasticsearch client node.
client registration endpoint
In OpenID Connect, the provider's endpoint to which client registration requests should be sent. For example, if the platform is set up with an OAuth Provider that supports this endpoint, and an API is referencing that OAuth Provider (External OAuth Provider Domain setup), when an app connects to the API the app is automatically registered with the applicable provider. This occurs in the background by sending a message to the provider's client registration endpoint as specified in the domain setup. For more information, refer to OAuth 2.0 / OpenID Connect client registration endpoint (external page).
clock skew
The grace period an access token is allowed before effective timestamp and after expired timestamp, to accommodate the clock setting difference between the issuing machine and validating machine. An example of where this is used is in the Bearer Assertion OAuth grant settings. At runtime, if the difference is greater than the value allowed in the clock skew setting, validation of the assertion fails.
CloudHSM
A cloud-based hardware security module (HSM) on the AWS Cloud.
In version 2020.2.0 and later, the Akana API platform supports Amazon AWS CloudHSM.
For more information, see What Is AWS CloudHSM? (external link).
cluster
In the context of the platform, a cluster is a grouping of one or more API Gateways. The cluster does not represent a running process, but a group of intermediary processes working as one. Clustered instances must be on the same local network, behind a load balancer.
For more information, see What is a cluster?
CN
A security certificate includes a number of values including the Common Name (CN). The CN is the name of the server protected by the SSL certificate.
CNAME
A CNAME, or Canonical Name Record, specifies that a domain name is an alias for another domain. The CNAME record always points to another domain name, not directly to the underlying IP address for the domain.
The CNAME is used, in partnership with an A record, for supporting multiple services from a single IP address.
Used by the Site Admin in Site Settings.
code (user)
Any one of the four types of codes sent to users for different events: signup code, registration code, reset code, or invitation code.
Community Manager
The product name for the Community Manager developer portal, which is part of the Akana API Platform product. Community Manager is an API Portal that enables API producers to engage partners and developers and help them onboard, manage and test their apps. Community Manager unites API providers and app developers through a single common portal that can be easily branded and customized. Community Manager allows API providers to publish, document, promote, and support their APIs, and allows app developers to easily find, consume, and get support for the APIs that their apps use.
Connect provider
In OpenID Connect, the identity provider is called the Connect provider.
connection
A relationship between resources in the Akana API Platform—such as the API access relationship between an app and an API that it's using.
connection request
A workflow process that governs the relationship between two resources for the life of the connection. It is a request to establish a connection between resources; for example, an API access request or a follow request.
connector domain
In the context of the platform, a connector domain is an independent domain that provides authentication services; for example, Google®, Facebook®. Users can log in by authenticating with the connector domain rather than signing up as platform users.
container
An Akana container instance performs a specific web service management function in an API Gateway deployment. Instances have a unique Instance Name, Description, and Listener configuration relative to the deployment requirements.
The container mediates web service message exchanges between service consumers and service providers. It enforces policies, monitors and reports performance metrics and events, integrates services through virtualization, and provides auditing capabilities. It provides the runtime execution of the API Platform's capabilities.
context path
The context path for an API implementation is the last part of the base URL, after and including the slash (/); for example, in http://www.acmepaymentscorp.com/api, /api is the context path. This makes the endpoint unique to the API. By default, in the Akana platform, each implementation must have a unique path. If an API does not use a vanity hostname, you don't need to specify a context path; the platform creates a path that is already unique to the API implementation.
The context path could also be just a slash (generally called root).
The API settings in More > Admin >Settings > APIs include a setting that allows the Site Admin to disable the validation for a unique context path. If the setting is disabled, multiple APIs can have the same context path. These APIs must have unique URLs, or the results will not be as expected. For example, in some scenarios, all APIs hosted on the platform might have vanity hostnames, so validation for unique context path is not needed. For more information, see General API Settings (re the Site Admin setting) and What is the context path and how do I make sure I have the right context path for my API implementation? (Site Admin help).
contract
A specific type of connection that defines a consumption relationship between an app and an API. When an app admin (app team member) wants the app to be able to consume an API, he/she initiates a request for API access. The API access relationship is a contract, and is subject to an approval workflow. The contract is requested by the app team member and is approved or rejected by the API admin; it can then be cancelled or suspended by the API admin or cancelled by an app team member.
The contract governs access rights and QoS (Quality of Service) policies for all transactions between the app and the API. It also provides a convenient way of collecting and presenting metrics and usage data.
contract request
A request for a contract.
Available in version: 2019.1.35 and later.
A cookie attribute supported in the Community Manager developer portal security settings in version 2019.1.35 and later. For details, see The Domain Attribute (Section 5.2.3 of the HTTP State Management Mechanism specification, RFC6265).
Available in version: 2019.1.35 and later.
A cookie attribute supported in the Community Manager developer portal security settings in version 2019.1.35 and later. For details, see The SameSite Attribute (Section 5.3.7 of the HTTP State Management specification).
Coordinated Universal Time (UTC)
Coordinated Universal Time (UTC), also called Zulu time, is the primary time standard in general use. It essentially equates to Greenwich Mean Time (GMT), but is more scientifically precise. In the Akana API Platform API, time values are represented in the standard UTC date/time format YYYY-MM-DDTHH:MM:SSZ. Example: 2013-12-31T15:45:00-04:00Z. In the Community Manager developer portal user interface, in Analytics > Logs, date formats use the local browser time, adjusted to UTC.
CORS
Acronym for Cross-Origin Resource Sharing. CORS allows users to access resources from within the browser serving a web page, defining a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request (request from a different domain). If an API doesn't support CORS, and a request comes from another domain, the request could be refused as coming from a source which is not trusted.
The platform includes a policy, CORSAllowAll; if this policy is assigned to an API implementation, all cross-origin requests to the API implementation are allowed.
country code
Certain features of the platform support the standard two-letter or three-letter country codes, per ISO 3166-1: for example, dimension Type values in Envision datasets (see Dimension Type Values).
For more information on these standards, refer to https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 and https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3.
cross-site scripting (XSS)
Cross-site scripting (XSS) is a security vulnerability that allows attackers to add a client-side script into an input field on a web page, such as a review or comment field. Other users accessing the page can then unknowingly execute the malicious script.
(Version 2019.1.0 and later): The platform has some built-in cross-site scripting prevention; for example, by default, certain input fields, such as app, API, and group Name, Summary, and Description fields and forum discussions and tickets, check for scripting keywords and do not accept them. The Site Admin can configure additional cross-site scripting keywords on the Security Settings page (More > Admin > Settings > Security). See Keywords for cross-site scripting prevention.
See also: CSRF (cross-site request forgery).
The platform also offers a Cross-Site Scripting Detection policy. See, Using the Cross-Site Scripting Detection Policy.
CSR file
Acronym for Certificate Signing Request; a request for a digital identity certificate, generated and sent to a certificate authority.
When uploading app credentials, the app developer can upload either a CER file or a CSR file.
Because the platform supports CSR import, the app developer does not need to get a signed certificate from a CA. Instead, the developer can generate a CSR from the key pair that he/she created, and can import that directly.
When a CSR is imported, the platform uses its internal Certificate Authority to create the actual certificate, the CER file, from the request. Therefore, in order to support CER, the platform's own certificate authority must be configured.
See also: CER file.
CSRF (cross-site request forgery)
In a cross-site request forgery (CSRF) attack, a malicious user exploits the fact that an authorized user has already authenticated with another site and has the site's cookie in their browser cache. Malicious code from one browser tab can leverage the authentication already granted in another tab to execute actions unknown to the authorized user.
The platform includes a feature to help prevent CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
CSRF token
A platform token that is used only if the CSRF prevention feature is in effect. The CSRF token is sent when the user logs in, and can be used in making subsequent API calls to protect against CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
Csrf-Token cookie
A platform cookie that is used only if the CSRF prevention feature is in effect. The value of the Csrf-Token cookie is sent as a custom header value in request messages to protect against CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
CSV
Comma-separated value format, a data type for certain API input parameters. This format is commonly used for exporting tabular data. For example, in the Akana API Platform, the metric information is exported in CSV format.
Used in API documentation generated with Swagger 2.0: see http://swagger.io/specification/.
custom_en-us.json file
The Site Admin, in customizing the site, might implement a custom_en-us.json file with customization information in it. If this file exists, the platform implements the information in the file; if it doesn't exist, the platform uses the defaults. Specific customization tasks require specific entries in this file, which is uploaded to the /resources/theme/{theme_name}/locales folder for the applicable theme. For more information, see Site Page Customization.

D

Dashboard
In versions prior to 2020.1.0, the Action Dashboard was named Dashboard. See, Action Dashboard.
Dashboard entry/item
In versions prior to 2020.1.0, a Dashboard entry can be any of the following: Alert, API Access Request (Contract Request), Discussion, Group Membership Invitation, or Ticket.
In version 2020.1.0, the Dashboard was renamed to Action Dashboard. For information about Action Dashboard entries, see Action Dashboard entry/item.
data node (in Elasticsearch)
See, Elasticsearch data node.
data seeder
In database management, a data seeder provides an initial set of data to a database when the database is first installed or created.
In the Akana API Platform, if MongoDB is used, data is seeded to the MongoDB database as part of the platform installation process when a container is created.
debug mode
The API Admin or other authorized user can turn on debug mode for an API implementation. In debug mode, additional information about the API traffic is recorded, to assist in debugging issues with the API. For more information, see What is debug mode?
Default theme (deprecated in version 2020.1.0 and removed in version 2020.2.0)
When Hermosa Theme was introduced, the original code base of the developer platform was named Default Theme to help differentiate it from other themes. Like Hermosa Theme, Default Theme had the full feature set.
For more explanation, and illustrations showing the differences, see Default Theme (versions prior to 2020.2.0) and Hermosa Theme.
denylist
A list of characters or words that are not allowed in some scenario: for example, upload of content to the Community Manager developer portal or as a security measure applied via a Cross-Site Scripting policy on an API. See also allowlist.
description language
See, API Description Language.
deployment zone
If an API is hosted on the platform and using the proxy capability, the API owner can specify the deployment zones, such as a geographical area or a specific data center, that the endpoint will be proxied in. Deployment zones are set up by the Business Admin.
For more information about working with deployment zones for a specific API, see Managing Deployment Zones for an API Implementation. For information about setting up and managing deployment zone, see Managing Deployment Zones.
developer
A developer of an app that will consume an API.
DevOps theme
The DevOps user interface theme is designed for managing promotion requests between environments, to support Lifecycle Coordinator.
For more information, and an illustration, see DevOps Theme.
digest
See, hash.
digital certificate
See, certificate.
direct JWE Encryption (dir)
OAuth preferences can include direct JWE encryption using shared symmetric keys, indicated by a value of dir. For more information, see http://connect2id.com/blog/direct-jwe-encryption (external link).
discovery (OpenID Connect)
In OpenID Connect, "discovery" is the process of determining information about the OpenID Connect identity provider. The Relying Party sends a request to the Discovery Endpoint published by the provider. The request includes resource (end-user ID), host, and type of service requested.
discovery endpoint (OpenID Connect)
Same as Discovery URL (see below).
discovery URL (OpenID Connect)
A URL published by the OpenID Connect provider for a relying party to send requests. Path: {oauth-provider-url}/.well-known/openid-configuration. Also known as a well-known configuration URL.
The discovery URL represents the location of the identity provider's endpoint and other values that the relying party (application) will need to set up connectivity.
discussion
In the Akana API Platform, an authorized user can create a discussion topic about a resource (app or API) on the resource's Forum. A discussion is typically, but not necessarily, created by someone other than the owner or administrator of the resource. Discussion entries are not threaded; users comment on the original item rather than on the comments/replies to the original item. Users can mark or unmark the discussion itself and/or one or more discussion comments.
Each discussion has a title and one or more comments. The visibility of a discussion is controlled by the visibility of the resource it's associated with; for example, a discussion about a Private API can only be seen by administrators and members of an API Scope Group associated with that API.
distributed cache
The underlying infrastructure of the Community Platform developer portal (Network Director) can be configured so that cache services are shared and distributed across all nodes in the cluster.
For more information, see https://en.wikipedia.org/wiki/Distributed_cache (external link).
DL
Abbreviation for API Description Language.
duration (on analytics charts)
In the app and API analytics charts, the duration and interval controls work together to allow you to narrow down the dataset you're interested in.
The duration allows you to select the time period to be shown on the chart; for example, one week, one day, one hour.
The interval defines the subdivision of time shown on one increment of the chart; for example, 1 week, 5 sec.
Options adjust based on the selected Duration. For example, if Duration is 5 minutes, Interval is 5 sec. If Duration is 1 year, Interval is 1 week.
dynamic scope
The platform supports dynamic scopes, where an asterisk can be used as a wildcard in the scope name to indicate a variable value. Dynamic scopes facilitate granularity for OAuth grants; for example, a scope can be specific to an individual resource rather than a type of resource; a specific bank account, photo, or any other resource.
Dynamic scopes can contain only one wildcard (asterisk), which can be used at the beginning, middle, or end of the scope name.
For information about support of dynamic scopes with the PingFederate OAuth Provider, see Scopes and scope management (Ping Identity documentation). For general information about dynamic scopes, refer to the OAuth specification. Access token scope: https://tools.ietf.org/html/rfc6749#section-3.3 / https://tools.ietf.org/html/rfc6749#section-8.2.

E

ECDSA
Acronym for Elliptic Curve Digital Signature Algorithm. ECDSA is a variation of the Digital Signature Algorithm (DSA).
Elasticsearch
The search server used by the platform. Elasticsearch is based on Apache Lucene; it is Java-based and open source. It provides a distributed, full-text search engine, capable of supporting a multi-tenant environment. It uses HTTP and JSON. For more information, see Elasticsearch: Information for Site Admins.
Elasticsearch client node
(Information for Site Admins) In Elasticsearch, the client node is the node that makes the search or indexing request. All nodes can be client nodes.
Any container, even if it isn't configured to be a master eligible node or a data node, is at least a client node. If it is a data node, it does the local searches; if it isn't a data node, it is still a client node. As such, it sends a search request or index request to a remote data node and receives the results.
The client node makes the call to the platform's Search API, which in turn requests the search results from the data node.
Elasticsearch data node
(Information for Site Admins) In Elasticsearch, a data node is where the index data resides. Regardless of where the API platform feature is running, when an object is indexed, the data for that index is in the data node. When a user is searching, the data is accessed from the data node.
For the Site Admin, in configuring the Elasticsearch search feature, setting up a container as a data node indicates that the search index will be stored at that location.
Elasticsearch embedded mode
Initially, Elasticsearch embedded mode was offered as a short-term option to help customers to migrate from Compass to Elasticsearch. It was never the recommended option, and is no longer supported.
(Information for Site Admins) In Elasticsearch embedded mode, all you need to do is install the embedded feature in one or more containers. In this mode, there is no external software needed. Elasticsearch runs within each container it's installed in.
Elasticsearch master eligible node
(Information for Site Admins) A master eligible node is one that can become a master of the cluster. There is always a cluster, even if there is only one node, so a single node will always be master eligible.
Elasticsearch shard
The Elasticsearch search feature can be configured so that the search index is stored in multiple index partitions, called shards. "Elasticsearch distributes shards amongst all nodes in the cluster, and can move shards automatically from one node to another in the case of node failure, or the addition of new nodes."
For more information, refer to the Elasticsearch glossary of terms: https://www.elastic.co/guide/en/elasticsearch/reference/current/glossary.html#glossary-shard.
Elasticsearch standalone mode
(Information for Site Admins) With Elasticsearch standalone mode, your installation will need to include a standalone external Elasticsearch server. Just as with a relational database, you'll need to provide the software and hardware required.
If you choose to run Elasticsearch in standalone mode, like a database server, all containers running the Akana API Platform can use it. In this scenario, it's important to provide a cluster capability to help prevent outage.
Generally, in this scenario, all containers are working as client nodes. There is no master eligible node or data node within the product.
Entity ID
In SAML, a unique identifier for an entity. A SAML entity can be a Service Provider or an Identity Provider.
As a service provider, you define the Entity ID. When setting up your account with the Identity Provider you must specify the Entity ID, which must be unique within the IdP so that the IdP can identify your Service Provider.
The Entity ID is used as the value of the <Issuer> element inside the SAML protocol message. In an authentication request, the <Issuer> element contains the Entity ID of the Service Provider; in the SAML response, it has the Entity ID of the Identity Provider.
From the perspective of the Service Provider, the Entity ID is analogous to the client_id in OAuth.
enumeration (of users)
The term user enumeration, user enum, or simply enum refers to a security vulnerability that allows an unauthorized user to compile a list of valid user accounts that are authorized to log in to an application. For example, if an unauthorized user can try to sign up with an existing email address, and the application returns a message that an account already exists for that email address, the application is giving away information.
The platform includes enhanced security settings that can be activated to help prevent enumeration of users.
environment
A state defined by a workflow that corresponds to a software lifecycle stage (for example, Dev, Test, QA, Production).
An Environment has its own representation, or data model, for an API. and the assets that support that API. A customer may have several Environments in which the same API exists. Each Environment serves a different purpose such as development, testing, staging, or finally serving the business (production). Environments are typically chained together in an order of use, reflecting the development lifecycle. For example, development is before testing. An API is created first in the development Environment, and then in the test Environment. Changes to an API are made in the development Environment before being made in the test Environment.
environment data
The Promotion Package holds the data that needs to be promoted from the source environment to the target environment. This includes the environment data: the portion of the Source environment's data model that needs to be promoted. The environment data is in a format that the Promotion Coordinator does not need to understand. Only the environment systems need to understand the environment data and how to process it.
epoch time
Epoch time, also called Unix time, is defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time; Thursday, 1 January 1970. In some cases, the developer platform uses this value in response messages, expressed in milliseconds.
Example: 1 January 2020, 9:00:00 AM GMT, expressed in Epoch time, is 1577869200. In milliseconds it is: 1577869200000.
A tool for creating or converting epoch time values is available at https://www.epochconverter.com/.
ETL script
A script run by a database administrator to manage and process data (Extract, Transform, and Load to final destination).
export
A Site Admin or Business Admin can output all the information about one or more of certain resources, or an entire business, to an export file. The information can then be imported into another platform instance. Information is exported to a specially formulated ZIP file called a package file. Sometimes called Lifecycle Repository.
Full export is only available to a Site Admin or Business Admin. An API Admin can export an API.
extended properties
The Extended Properties feature is an add-on feature, available for use with the Akana API Platform, that allows you to set up and use configurable custom properties, along with workflows based on those properties.
For installation information and links to additional resources see, Installing the Extended Properties Feature.
extension grant type
In addition to the four standard grant types, the OAuth 2.0 specification defines Extension Grant Types. These are governed by the OAuth specification, which says:
"The client uses an extension grant type by specifying the grant type using an absolute URI (defined by the Authorization Server) as the value of the "grant_type" parameter of the token endpoint, and by adding any additional parameters necessary."
A Bearer Assertion is an extension grant type that is generally used when the app already has an Assertion that represents the resource owner. The app sends the Assertion to the Authorization Server's Token Endpoint to get an access token for later use.
In the context of various message boxes in the Community Manager developer portal that support user-generated content, for example in forums for apps, APIs, and tickets, the platform includes two security settings. One determines whether Markdown is supported for formatting content and uploading files, and another determines whether external links are supported in Markdown content. These are in the Site settings (More > Admin > Settings) for various resources that have forums.
The Site Admin might choose to restrict links to external sites for security reasons, by leaving external link support disabled, while allowing formatting and uploaded files by enabling the Markdown setting.

F

fanout (promotion feature)
The basic structure of an environment topology is linear; for example, from development to testing to production. However, in some cases a topology might include two or more environments at the same level. Perhaps there are two testing environments, for testing under different sets of criteria; or there might be three production environments, each at a different global location. For more information, see What is promotion fanout?
FAPI
Acronym for FAPI, the financial-grade API security standard. For more information, see Financial-grade API (FAPI).
favicon
A small icon, typically 16x16 pixels, associated with a website or a specific webpage.
Implementation varies, but typically the browser displays the favicon in the address bar, on the tab next to the page title, and next to the page's name in a list of bookmarks.
FedmemberID
Unique ID for a specific tenant, in a federation (multi-tenant) scenario; for example, acmepaymentscorp. The FedmemberID is the last part of most IDs in the Community Manager developer portal. Same as TenantID.
In the Community Manager developer portal user interface, one way to find out what the FedmemberID is for your installation is to go to your own profile page (from the menu at the top right, click Profile), and look at the URL. On the Profile Details page, the last part is user/{ID}.{fedmemberid}/profiledetails. For example: user/69e3ac04-a94b-48ae-988c-a490e4de07e1.acmepaymentscorp/profiledetails. In this example, acmepaymentscorp is the FedmemberID.
follow
The concept of following a resource on the platform is similar to the same concept in Twitter. When a user chooses to follow a resource, notifications relating to that resource are posted to the user's Action Dashboard to keep the user informed. There is also a separate list of resources that the user is following. For example, if there are many APIs on the platform, and the user is only interested in two or three, the user can choose to follow those specific APIs. They are displayed in a separate list, APIs you are following, making them easier to find. The same principle applies to all resources that can be followed: apps, APIs, and groups.
follow request
A specific type of Connection Request used to establish a follow relationship between a user and a resource that can be followed. Currently, only apps, APIs, and groups can be followed.
forum
In the Akana API Platform, every resource, such as an app or API, has a Forum that displays different item types, such as tickets and discussions, for the resource. Users with approved connections to the resource can post items to the resource's Forum according to privileges. For example, a member of a specific app team can post items to the Forum for that app. Users with approved connections also see relevant Forum entries in their Action Dashboard.
A Forum is a way of sharing information and content in the platform. Forum types include: Alerts, Contract Requests, Discussions, Group Membership Requests, Reviews, Tickets.
Forum types and Forum entry types are essentially identical. The difference is in implementation; the Forum is viewed by the Business Admin or Site Admin in More > Admin >Forum), and is an overall view of Forum entries from all boards on the platform.
Forum entry
An individual content contribution by a specific user, to one of the Forum types. A Forum entry can be an Alert, API Access Request (Contract Request), Discussion, Group Membership Invitation, or Ticket.
In versions of the platform before 8.3, Forum entries were called Board items.
forward proxy
In general, a forward proxy is a server that acts as an intermediary, generally between client requests and another server.
In the context of the API platform, if an API is using the platform as a proxy, calls from clients to the API are sent to the platform and, from there, redirected to the API live endpoint. The Community Manager developer portal includes a configuration setting (in More > Admin >Site) that allows the Site Admin to limit forward proxy activity to one or more specified hosts. See, How do I configure site settings?
Test Client uses a forward proxy approach to allow testing with APIs when the API has CORS restrictions. For more information, see Why does Test Client send an HTTP OPTIONS request before the call to the API endpoint?

G

gateway
An Akana API Gateway streamlines management, deployment, development, and operation of APIs, enhancing security and regulatory compliance through authentication, authorization, and audit capabilities. It provides central definition and management of security, routing, orchestration, mediation, auditing, threat protection, and other operational governance policies across multiple instances. The Gateway enables enterprises to standardize API and service delivery with high security, performance, and availability.
global traffic manager
A technology that facilitates global server load balancing. This is used in connection with API deployment zones to help provided features such as efficiency in processing (geographical, load balancing) and disaster recovery.
grant validity period
For an OAuth grant, the grant validity period is the time period an authorization grant will be valid for, expressed in days. This value is set by the Site Admin in the OAuth Provider domain, for each OAuth grant type.
GraphQL
A query language for APIs, that allows clients to be very specific about the information they are requesting. For more information, see What is GraphQL? For general information about GraphQL, see https://graphql.org/ (external link).
For information about support of GraphQL APIs in the Akana developer portal, see GraphQL Support in the Developer Portal.
group
1) The term "group" is used in many instances to refer to any of the following types of groups in the Akana API Platform: app teams, API Scope Groups, API Administrator groups, Site Administrator groups, or independent groups.
2) "Group" is sometimes used specifically to mean an API Scope Group.
group membership request
An invitation to a specific user, whether a platform user or not, to join a specific platform group.
GTM
Acronym for Global Traffic Manager.

H

hash
In general, a hash function converts a set of data of varying/arbitrary size to a set of data of fixed size. The result of the hash function is called a hash, digest, or hash value.
In the context of the Community Manager developer portal, when you hash a value with an encryption algorithm, such as SHA-1 (Secure Hashing Algorithm 1), the hash function returns a 160-bit string. This is the message digest.
header (Community Manager developer portal)
The Community Manager developer portal header contains the logo, the top menu items, and the link to the user profile.
Hermosa theme
The Hermosa platform theme includes features such as an expanding/collapsing sidebar to offer more space for the visual display of the Community Manager developer portal. This theme supports full functionality of the Community Manager developer portal, including Administrator tasks.
For more explanation, and illustrations showing the differences, see Default Theme (versions prior to 2020.2.0) and Hermosa Theme.
HMAC
Acronym for hash-based message authentication code. The HMAC hashing algorithm uses a secret cryptographic key (symmetric key) to create a hash for message security. HMAC is used to verify data integrity and message authenticity. It can be used with cryptographic hash algorithms such as MD5 or SHA-1. Because it uses a symmetric key rather than the public/private public key infrastructure (PKI) approach, it delegates responsibility for the key exchange to the sender/receiver.
hostname
In the context of an API, the hostname is the domain name or IP address for the API. The hostname might, or might not, include a port number. The hostname part of the URL does not include the scheme, which comes before, or the base URL, which comes after. Examples: acmepaymentscorp.com, api.example.com, example.com:8085.
For an example of the different parts of an API URL, see Base URL.
HSM
Acronym for hardware security module, a physical device for storing and managing digital keys. The platform supports HSM. In version 2020.2.0 and later it also supports Amazon AWS CloudHSM.
HTTP Artifact
One of the binding options supported by the SAML protocol. HTTP Artifact is useful in scenarios where the SAML requester and responder are using an HTTP user-agent and do not want to transmit the entire message, either for technical or security reasons. Instead, a SAML Artifact is sent, which is a unique ID for the full information. The IdP can then use the Artifact to retrieve the full information. The artifact issuer must maintain state while the artifact is pending.
HTTP Artifact sends the artifact as a query parameter.
The Akana API Platform currently supports this binding option for SAML responses, but not for SAML requests.
HTTP POST
One of the binding options supported by the SAML protocol.
HTTP POST sends the message content as a POST parameter, in the payload.
The Akana API Platform currently supports this binding option for SAML, for both requests and responses.
HTTP Redirect
One of the binding options supported by the SAML protocol.
When HTTP Redirect is used, the service provider redirects the user to the identity provider where the login happens, and the identity provider redirects the user back to the service provider. HTTP Redirect requires intervention by the User-Agent (the browser).
The Akana API Platform currently supports this binding option for SAML requests.

I

ID token (OpenID Connect) / bearer assertion
In the context of OpenID Connect, an ID token (also called a Bearer Assertion) is a compact, URL-safe means of representing claims to be sent from one party to another over the web. The claims in an ID token are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure. This enables the claims to be digitally signed and/or encrypted.
The OpenID Connect Provider can issue an ID token from either the Authorization Endpoint or the Token Endpoint. This is one of the two ways offered by the OpenID Connect specification for the app to learn information about the end user. The other is by publishing a UserInfo endpoint.
The JWT ID Token (id_token) includes the user's claims. JWT ID tokens are issued by the OpenID Connect provider, and are consumed by the client app.
identity
In computer security, an identity is a discrete object that contains information about the user. The identity object includes the name of the user being authenticated. The Identity object is a type of Principal object.
identity provider
An identity provider (sometimes abbreviated as IdP) is an entity responsible for verifying user identity and issuing identity information, usually in the form of a token. A common example is a website that allows users to log in using a Facebook or Google identity; in this scenario, Facebook and Google are identity providers. In OpenID Connect, the identity provider is called the Connect provider.
In terms of SAML, the identity provider verifies the identity of the user in response to a request by the Service Provider, and then responds with a SAML assertion.
IdP
In SAML, abbreviation for Identity Provider.
IdP domain
Abbreviation for identity provider domain.
implementation (of an API)
Different implementations of an API represent the different endpoints of the API in the same lifecycle stage. For example, it is common for an API to have Sandbox and Live implementations.
implementation pattern
The implementation pattern determines how the implementation is created, which also governs capabilities of the implementation. The platform supports the following options for implementation pattern:
  • Proxy: this is the default, appropriate for a simple scenario where the API implementation has a 1:1 relationship with a back-end physical service/API.
  • Orchestration: appropriate for a more complex API implementation that might include one or more services, processes, or additional steps.
  • Physical Service: appropriate if you want to set up an external API so that you can reference it in a script or process for an API that uses orchestration, but don't want to proxy the external API on the platform.
Note that if you change the pattern for an existing implementation, all data associated with the implementation is lost. For example, if an implementation has a pattern of Orchestration, with processes set up, and you change it to Proxy, the orchestration information is lost.
import
When information is exported from one instance of the platform to an export file (package file), it can then be imported to another instance of the platform.
Only a Site Admin or Business Admin has permission to perform functions relating to import.
independent group
A group that exists independently of any single app or API. Any authorized user can create an independent group, and becomes the first administrator. The administrator can then invite other members and can remove members and change a member's role. There are three roles; admin, leader, and member. All members can see resources the group is linked to. Admins have full rights over the group.
interval (on analytics charts)
In the app and API analytics charts, the duration and interval controls work together to allow you to narrow down the dataset you're interested in.
The duration allows you to select the time period to be shown on the chart; for example, one week, one day, one hour.
The interval defines the subdivision of time shown on one increment of the chart; for example, 1 week, 5 sec.
Options adjust based on the selected Duration. For example, if Duration is 5 minutes, Interval is 5 sec. If Duration is 1 year, Interval is 1 week.
invitation code
A unique code generated and sent to a specific user in an email if a platform member invites the user to a platform group, such as an app team, API Admin group, or independent group.
This is one of the several types of codes use to manage user signup and login. For information on the others, see code (user).
invitation status
A value that shows a group member's relationship with the group. When a new member is invited to a group, the member has an initial status of Pending. Depending on the user's response, the status can change to Accepted or Rejected. Other possible status values are: Cancelled, Removed, or Deleted.
IP address
Internet Protocol address; a unique numerical label assigned to a device that's connected to a computer network using the Internet Protocol. The device can be identified and reached by means of the IP address.
An IP address consists of two parts:
  1. The first part of the address is called the network number and identifies a network on the internet.
  2. The remainder of the address identifies an individual host on the network.
iss claim
In the context of the UK Open Banking standard supported by certain policies including the JOSE Profile-Driven Security policy, the iss claim is a string that identifies the Payment Services Provider (PSP). If the issuer is using a certificate, as is generally the case, it is the subject value of the signing certificate.
For more information, see the UK Open Banking 3.1 specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937656404/Read+Write+Data+API+Specification+-+v3.1#Read/WriteDataAPISpecification-v3.1-ProcessforSigningaPayload (Step 2).

J

JavaScript
A scripting language. The API platform supports JavaScript for creating reusable scripts, useful for automating processes.
JCE
Acronym for Java Cryptography Extension. JCE is a framework for implementing encryption, key generation, key agreement, and Message Authentication Code (MAC) algorithms. For more information, see Oracle JCE Provider.
JCE Provider
a piece of software that implements encryption algorithms.
Available in version 2020.2.13 or later: In the Akana Administration Console, you can specify a JCE provider, so that the JOSE Policy v2 will use the specified provider rather than the default. See, Specifying the JCE provider (2020.2.13 and later).
Jetty
A Java web server and Java servlet container, often used for machine to machine communications. Jetty is used in the underlying infrastructure of the Community Manager developer portal.
For more information, see http://www.eclipse.org/jetty/.
JEXL
A Java expression language, used by the platform's promotion feature. For more information, see http://commons.apache.org/proper/commons-jexl/.
JKS file
A Java key store file. The public key and certificate are stored in the same file. In the Community Manager developer portal, this format is supported for uploading the app keystore file in the Test Client tool.
JMS
Acronym for Java Message Service, a Java messaging standard that acts as a middleware. For more information, see Getting Started with Java Message Service (JMS).
The platform supports JMS binding for services.
JOSE
Acronym for JSON Object Signing and Encryption. The platform's JOSE policy is a security policy that can be attached to RESTful and messaging services, to secure any message content. This policy supports JSON signatures and/or encryption in the messages. It conforms to the JSON Web Signature (JWS) standard (https://tools.ietf.org/html/rfc7515) and the JSON Web Encryption (JWE) standard (https://tools.ietf.org/html/rfc7516).
JSON
An acronym for JavaScript Object Notation, JSON uses a subset of the JavaScript syntax to describe an object clearly and succinctly. One of the advantages of JSON over XML for API messages is that message content conveyed in the JSON format is much more concise than the same content conveyed in XML, consuming less bandwidth.
JSONPath
A data-serialization format that creates a uniform standard and syntax to define different parts of a JSON document. Using JSONPath, you can define expressions that you can use to identify a subset of the content in a JSON document. For example, some policies support JSONPath for identifying information, such as message content, that the policy can then act upon.
For more information, see Using JSONPath in Policies.
JSON Schema Draft 4
A standard for defining the structure of JSON data. For details see: https://tools.ietf.org/html/draft-zyp-json-schema-04. The JSON Schema Designer supports JSON Schema Draft 4. For more information, see JSON Schema Editor.
JSON Schema Editor
The JSON Schema Editor includes such features as:
  • Code completion
  • Syntax highlighting
  • Syntax and semantic validation when you save or switch between text and graphical view

It supports JSON Schema Draft 4. For more information, see JSON Schema Editor.

JSON Web Algorithms (JWA)
The JWA specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines the set of values that is valid for use with JWS, in the alg (algorithm) header parameter.
For full information, refer to the JWA specification: https://tools.ietf.org/html/rfc7518.
JSON Web Encryption (JWE)
A way of representing encrypted content using JSON. Can be combined with signing using JSON Web Signature (JWS).
For full information, refer to the JWE specification: https://tools.ietf.org/html/rfc7516.
JSON Web Key (JWK)
A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key (for example, an RSA key). See also: JSON Web Key Set below.
For full information, refer to the JWK specification: https://tools.ietf.org/html/rfc7517.
JSON Web Key Set
A JSON data structure that represents a set of JSON Web Keys.
The OAuth Provider publishes a JSON Web Key Set document, which includes one or more JSON web keys, used for signing the signature algorithm.
Per the OpenID Connect specification, http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys:
"Rotation of signing keys can be accomplished with the following approach. The signer publishes its keys in a JWK Set at its jwks_uri location and includes the kid of the signing key in the JOSE Header of each message to indicate to the verifier which key is to be used to validate the signature. Keys can be rolled over by periodically adding new keys to the JWK Set at the jwks_uri location. The signer can begin using a new key at its discretion and signals the change to the verifier using the kid value. The verifier knows to go back to the jwks_uri location to re-retrieve the keys when it sees an unfamiliar kid value. The JWK Set document at the jwks_uri SHOULD retain recently decommissioned signing keys for a reasonable period of time to facilitate a smooth transition."
For an example of a JWK Set document, see Get Public JWK Set, sample response. (OAuth API documentation for the platform).
JSON Web Key Set URL/URI
The URL at which the OAuth Provider provides their JSON Web Key Set document.
The signer publishes the JSON Web Key set at a URL (jwks_uri value). This URL gives a JSON data structure that represents the set of JSON Web Keys with various values needed to use the keys.
For more information see: OpenID Connect specification, http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys:
For an example of a JWK Set document, see Get Public JWK Set, sample response. (OAuth API documentation for the platform).
JSON Web Signature (JWS)
A standard for securing JSON content with a digital signature or MAC. The platform supports JWS; for example, with the JOSE Security Policy. For details of the JWS standard, refer to the specification: https://tools.ietf.org/html/rfc7515.
JSON Web Token (JWT)
A type of bearer token, where the information is structured as a JSON object in a predefined format. It is URL-safe, and is digitally signed with an RSA or HMAC (hashed message authentication code) key.
A JSON Web Token contain all the information the resource server needs to confirm the user's grant to the application, sent as-is in the API request header. One advantage of the JWT token is that the Resource Server can validate by itself, without having to go back to the Authorization Server. Another advantage is that there are flexible options for encryption; a higher or lower level of security can be used, depending on needs.
A JSON Web Token can be either JSON Web Signature (JWS) or a JWE.
For full information, refer to the JWT website: https://jwt.io/introduction/.
JWE
Acronym for JSON Web Encryption.
JWKS
See, JSON Web Key Set.
JWK Set (JWKS)
See, JSON Web Key Set.
JWK set URL
See, JSON Web Key Set URL.
JWS
See, JSON Web Signature (JWS).
JWS serialization
In the JOSE Security Policy, the platform supports two types of JWS serialization (see applicable sections in the JWS RFC: JWS Compact Serialization and JWS JSON Serialization.
JWK
See, JSON Web Key (JWK), JSON Web Key Set.
JWT
See, JSON Web Token.
JWT token
Same as JSON Web Token.
JWT access token
A type of JWT token. The JWT Access Token primarily includes the scope of the access token, though it might optionally also include the user's claims. JWT access tokens are issued by the OAuth provider, for consumption by the resource server.
JWT ID token
See, ID token (OpenID Connect) / bearer assertion.
Jython
A scripting language. The API platform supports Jython for creating reusable scripts, useful for automating processes.
Jython comes with Akana product installation. It is the default scripting language for the platform, used for all external scripts.

K

Kafka
Available in version: 2020.1.2 and later.
Apache Kafka is an open-source distributed platform for event streaming, distribution, and storage. In the Akana Platform, Kafka is optional. You can use your own external Kafka implementation to manage streaming and storage of data and analytics information in the platform.
For more information about Kafka, see https://kafka.apache.org/quickstart (external site).
Keystore Explorer
An open source utility for creating and managing public and private keystores and digital certificates. Keystore Explorer is used in the UK Open Banking use case (see Use Case: Open Banking). Downloadable from http://keystore-explorer.org/downloads.html.
kid (Key Identifier)
The kid (Key Identifier) of the signing and/or encryption key sent in the message header. This tells the verifier which key in the JSON Web Key Set to use to validate the JWS (signature).
For more information, see the UK Open Banking 3.1 specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937656404/Read+Write+Data+API+Specification+-+v3.1#Read/WriteDataAPISpecification-v3.1-ProcessforSigningaPayload (Step 2).

L

LDAP
Acronym for Lightweight Directory Access Protocol; an open, industry-standard protocol used by the platform to support single sign-on.
leader
In the context of an API Scope Group, a Leader has more capabilities than a group Member, but is not as senior as a group Admin. For more information, see What can a group Leader do?
legal agreement (API)
The platform allows the API Admin or Business Admin to upload one or more legal agreements associated with an API. When a legal agreement is active for an API, an app developer must accept the legal agreement in order to request a contract with the API (API access request).
For more information, see Legal Agreement Maintenance.
LESS
The custom.less style sheet in the Community Manager developer portal is implemented with LESS, a dynamic stylesheet language that extends the static CSS by adding a dynamic behavior in the CSS.
For more information, see What is less.js and what are the benefits?
license
A License is a tailored API access package designed by the Business Admin/API Admin and offered to the app developer. A license includes one or more license terms, each of which can include multiple scopes, giving access to specifically designated operations, and multiple quality of service (QoS) policies, and also one or more legal agreements applicable to the license.
For more information on the License feature, see Licenses: Feature Overview.
license term
A license term defines the access that is being offered in a license (scope) and the level of access (QoS policy). Each license term includes one or more scopes plus, optionally, the quality of service limits/policies to be applied to all scopes in the license term. Scopes apply to both visibility and access; policies apply only to access. To have any impact, a license term must include at least one scope.
LC
Acronym for Lifecycle Coordinator.
LaaS
Lifecycle as a Service (LaaS) is a set of products from Akana that exposes Lifecycle Manager asset configuration as a service/API. LaaS provides a way to integrate Lifecycle Manager functionality into Akana API Platform. Since Lifecycle Manager is more configurable, this facilitates the introduction of a more complex workflow, which can be used for purposes such as API governance.
LAAS includes two separate features:
label (for a ticket)
A label assigned to a ticket to indicate the ticket's priority rating.
latency
In the context of API transactions, latency is the amount of time it takes to process a message from source to destination. Latency is represented in the app/API analytics metrics. For an example, see API Analytics Overview dials.
Lifecycle Coordinator
Lifecycle Coordinator is a separate configurable component that coordinates promotion across multiple instances of API Platform tenants. It can be deployed standalone or can be co-located with a tenant (or multiple tenants in the SaaS environment). Lifecycle Coordinator governs the promotion process and the transfer of data between environments.
For more information, see Managing Lifecycle Coordinator.
Lifecycle Manager
Lifecycle Manager is a metadata repository and SDLC management product that enables enterprises to effectively collaborate between business, developers, and IT operations, resulting in rapid development and deployment cycles while increasing reliability, stability, and availability of their APIs and supporting assets.
Lifecycle Manager provides an intelligent inventory of assets and includes their relationships to each other, to the technical infrastructure, and to the company's business architecture. Through the use of Lifecycle Manager, organizations can accelerate reuse and SOA initiatives, as well as improve the governance over production and consumption of services and other reusable assets. Application developers, business analysts, and technical and business architects can search the repository for the company's SDAs, to identify those that best match business and technical requirements for application development and integration.
When integration with Lifecycle Manager is set up, the Community Manager developer portal supports custom properties for certain resources in the Community Manager developer portal (apps, APIs, and users).
Lifecycle Repository
Lifecycle Repository is another name for the Extended Properties add-on component, available for use with the Akana API Platform, that allows you to set up and use configurable properties, along with workflows based on those properties. Configurable properties are supported for the following resource types: API, App, and User.
For installation information and links to additional resources see, Installing the Extended Properties Feature.
lifecycle stage
A lifecycle stage of an API indicates the point it's at in its entire development process. For example, lifecycle stages might be Design, Development, Testing, Staging, and Production. Each API version has its own lifecycle within the lifecycle of the API. The end of each lifecycle is deprecation.
listener
In general, a listener is an object that executes some code when triggered by an event. A listener monitors events happening in the program and acts based on how it's programmed to act in certain events.
In the context of the API platform, a listener is the server process that listens for and accepts incoming connection requests from client applications. Each deployment zone is based on an API Gateway; one or more listeners are defined for the API Gateway. The deployment zone can use one or more of the listeners defined for the API Gateway.
Policy Manager supports the following listener types: HTTP, HTTPS, JMS, AMQP. The Community Manager developer portal supports HTTP and HTTPS.
local tenant
In the context of Lifecycle Coordinator, a Local tenant is a tenant that resides on the same API Platform instance as Lifecycle Coordinator, in contrast to a remote tenant.
locale (browser)
The locale is a browser setting that allows the user to define the language, date format, and other preferences that control how basic information is displayed; for example, UK versus US differences in date formats.

M

MAC
Acronym for Message Authentication Code; a code used in message authentication. The MAC code is generated with a specific type of algorithm called a MAC algorithm, which takes input of a secret key and a message, and generates a MAC. To decrypt the message, the receiver must have the secret key.
MAC token
Acronym for Message Authentication Code. Used in OAuth 2.0, the MAC token is a security code that is typed in by the user of a computer to access an account or a portal. The code is attached to the message or request sent by the user. The MAC token attached to the message must be recognized by the receiving system in order to grant the user access. MAC tokens are commonly used in electronic funds transfer (EFT) transactions to maintain information integrity.
manifest
The Promotion Package holds the data that needs to be promoted from the Source Environment to the Target Environment. This includes the manifest, which holds summary information about the environment data in a format that the Promotion Coordinator understands. There might be several formats of environment data artifacts, but there is only one manifest format. The manifest holds the identifiers of all the objects and their relationships to one another in the environment data.
MapReduce
In the context of MongoDB, MapReduce is a database operation that allows you to condense large amounts of data into more manageable and useful chunks. You can configure the size of the chunks in the Akana Administration Console configuration settings: see, Managing the Map/Reduce maxBatchSize Settings.
For general information on the MapReduce database operation, refer to the MongoDB documentation: Map-Reduce.
mark
Users can give positive feedback to items such as discussion topics and associated comments, reviews, and other resources such as tickets, using the Mark function. Choosing Mark provides positive feedback, in the same way as "Like" in Facebook®. The Mark value toggles on and off, so a user can mark or unmark a discussion comment. In the user interface, the mark icon is a thumbs-up, and the unmark icon is a closed fist.
Markdown
The Community Manager developer portal supports Markdown on certain fields, which allows you to add basic formatting such as heading styles, bulleted and numbered lists, and text styles such as bold and italics. For details, see Using Markdown.
managed user
A platform user who was added by the Site Admin, as distinct from a user who signed up by creating a profile using the self-signup process, which is called a registered user. Differentiating between users in terms of how they are added allows the implementation of custom workflows that grant different privileges to different types of users. For example, the Site Admin could implement a custom workflow so that a managed user cannot change the user profile but a registered user can.
master node (in Elasticsearch)
In Elasticsearch, the master nodes of the cluster manage the cluster, including such tasks as a) Keeping track of all containers that are part of the cluster, and updating as needed when nodes join or leave the cluster, b) Keeping track of which nodes are master eligible, and c) Keeping track of which shards are in which data node.
member
In the context of an API Scope Group, a group member has access to all information relating to the API and the group, including tickets and discussions. Members cannot invite additional members or change the status of other members. For more information, see What can a group Member do?
membership request (invitation)
An invitation to another individual, whether a registered user or not, to join an Akana API Platform group or team such as an app team. API Administrators can invite others to be API Administrators; app team members can invite others to the app team. A Site Administrator, Private API Administrator, or Independent Group member can also issue a membership request in the same way.
metadata (for an API Gateway)
The metadata file for an API Gateway includes information about the OSGi container designated as the gateway. It includes such information as the container key, container type, X.509 certificate, and information about the policies that are attached to the API Gateway, as well as its capabilities and configuration information.
The Gateway container is set up and configured as part of product installation and configuration. When setting up an API Gateway in the Community Manager developer portal, you must specify the container key to identify the underlying container; when setting up a gateway cluster, you must upload or reference the metadata file.
The URL for the metadata file for a container is: {protocol}://{hostname:optional port}/metadata/.
MGF1
A mask generation algorithm, based on a hash function, defined by RCF 2437 (10.2.1), the RSA Cryptography Specification Version 2.0.
mock service (API)
A mock service is a specific type of orchestration that constructs the response based on a set of sample request/responses. A mock service is at an operation level, nor a service level.
model object (API)
Model object is an informal term for a named grouping of discrete pieces of information. For example, in the Swagger Petstore example (http://petstore.swagger.io/), one model object is Pet, and contains pieces of information about a pet, such as name, unique ID, and tags.
POST and PUT operations often include model objects in the content being sent; GET operations often include model objects in the response being returned.
moderation
Depending on the platform's settings, some type of user-generated content, such as reviews, discussions, and comments, might be moderated. If moderation is turned on for a specific type of content, such as discussions, and a user adds that type of content, it has a Pending state until it's approved. Certain authorized users can approve content; for example, a discussion for an API might need to be approved by an API Admin or Business Admin. Once the new content is approved, it is visible to all users who have visibility of the resource (app, API, or group). For more information, see What is moderation and how does it work? (Administrator help).
MongoDB
The Akana Platform uses MongoDB, as an alternative to the traditional RDBMS, to help scale certain features such as OAuth, analytics, auditing, and Policy Manager alerts.
The platform uses MongoDB for managing analytics information in the Community Manager developer portal (Community Manager) as well as for the Envision product. In the Akana Platform, analytics data is marked for deletion on TTL index columns after they have been aggregated into rollups.
multicast
Used in connection with configuration of the platform's search feature. IP Multicast allows for one-to-many communication in a network, via IP. Multicast configuration is appropriate for scenarios where the client/server relationship is either 1 to many or many to many. The scope is defined horizon. At startup, the node sends a message to all interested destinations. Compare with unicast which sends the same data to a single network address and broadcast which sends the same data to all possible destinations.
My APIs
APIs > My APIs takes the user the user to a list of APIs that the current user has a relationship with. From here you can choose a specific API, click through, and perform functions relating to the API.
My Apps
Apps > My Apps takes the user to a list of apps that the current user has a relationship with. From here you can choose a specific app, click through, and perform functions relating to the app.
My Dashboard
The My Dashboard feature allows you to pick APIs that you're interested in watching, and add them to a visual API metrics summary display so that you can more easily monitor API activity.
For more information, see What is the My Dashboard feature?

N

Network Director
Part of the underlying infrastructure that supports the Community Manager developer portal, which is itself part of the Akana API Platform product.
NGINX
A web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. For more information, see https://www.nginx.com/.
nonce
A random string, uniquely generated for each request. A nonce is used to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. Over a secure channel, it is still an added security measure.

O

OAS 3.x
Open API Specification 3.0/Open API 3.0/OAS 3.0 is the next generation of Swagger 2.0. It was originally part of the Swagger framework, but became a separate project, OpenAPI, in January 2016. It is an open source, collaborative project managed by the Linux foundation. There are several key differences between Swagger 2.0 and OAS 3.0.
The OpenAPI 3.0 specification is hosted on GitHub: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md.
The OpenAPI 3.1 specification is hosted on GitHub: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md.
The Akana API Platform supports OAS 3.0, OAS 3.1, and Swagger 2.0.
OAuth
OAuth is an open standard security protocol for authorization that allows you to share private resources stored on one site with another site without having to share credentials. One advantage of OAuth is that it supports both authentication and authorization in such a way that an application does not need to give access to the user's credentials. For example, in the platform you can sign in using your Facebook credentials, or on the API Details page you can share an API to Facebook, Twitter, and LinkedIn. These elements of the platform are configured as private resources.
OAuth access token
In OAuth, an access token is essentially a pass, a credential that gives authorization to access the requested and approved resource or resources for as long as the access token remains valid. In some cases, access tokens can be renewed by means of a refresh token; in some cases, they cannot. For more information, refer to the OAuth 2.0 specification (external site).
For more information on access tokens, see What is an access token?
OAuth authorization code
With the OAuth 2.0 Authorization Code grant type, the resource owner (consumer; for example, the app user) is redirected to the Authorization Server and gives authorization for the app to access the resource. The Authorization Server then redirects the consumer back to the client app with an authorization code. The client app presents this authorization code, along with the app's authentication credentials, back to the Authorization Server, requesting an access token (and optionally a refresh token). The client then uses the access token to call the service on behalf of the resource owner. A refresh token can be used to extend the lifetime of this session.
OAuth authorization endpoint
The endpoint for the OAuth Authorization Server. This is the endpoint on the Authorization Server where the resource owner provides credentials, such as username and password, in and grants authorization to the client app to access the resources or a specified subset of the resources.
When setting up an OAuth domain, Site Admins must specify this value. Additionally, if an API is using a third-party OAuth provider rather than an OAuth domain set up on the platform, the API Admin must specify this value in the OAuth setup wizard. For more information, see What are the OAuth 2.0 endpoints and how do they work? and the OAuth 2.0 specification (external site).
For information about the OAuth authorization endpoint URL when an API is hosted on the platform, see What are the OAuth endpoints for the platform?
OAuth Authorization Server
In an OAuth implementation, the Authorization Server collects the resource owner's credentials, gets the resource owner's permission for the app to access the resources, and passes back the authorization token to the app so that the app can then access the resources.
OAuth Authorization Server URL
As part of setting up the OAuth domain, the Business Admin must specify the Authorization Server URL. This is the URL that the browser for the resource owner (app user) will be accessing for the OAuth grant. It is the URL at which the OAuth Provider accesses the requests, for both Authorization Endpoint and Token Endpoint.
The URL must be accessible to all the apps and end users that might use APIs that are referencing the OAuth domain. The Authorization Endpoint and Token Endpoint for OAuth 1.0a and OAuth 2.0 use different paths, according to the applicable OAuth specification. Firewalls and DNS servers must be set up for this URL so that end users and apps can access the URL.
Site Admin information: Because the platform can support multiple OAuth Providers, it is important that each OAuth Provider has a different Authorization Server URL (for both Authorization Endpoint and Token Endpoint).
As well as the Site Admin entering the authorization server URL in the domain setup, it is important that the network team makes the necessary changes to direct the requests to this URL to the containers where the Akana OAuth Provider feature is installed. This might include additional steps such as adding a DNS entry or configuring the load balancer if the URL is a virtual endpoint on F5.
For more information, see What are the OAuth endpoints for the platform?
OAuth authz
For information about the OAuth authorization endpoint URL when an API is hosted on the platform, see What are the OAuth endpoints for the platform?
OAuth callback URL
Redirect URL. The URL to which the API sends the response message with the token.
OAuth endpoints
See OAuth URLs for the platform.
OAuth grant provisioning UI
In the platform, the OAuth grant provisioning UI is the HTML page, used in Test Client, where the resource owner signs in and authorizes access, for the purposes of using Test Client.
The grant provisioning UI has the potential to include the logo for the application, pulled from the application information, and for the OAuth provider, as set up in the Branding tab in the OAuth Provider domain setup.
OAuth grant types
OAuth 2.0 supports four different grant types; each has a different process flow. Grant types are designated as 2-legged or 3-legged depending on the number of parties involved. The 2-legged grant types are Client Credentials and Resource Owner Password Credentials; the three-legged grant types are Authorization Code and Implicit.
For more information on OAuth grant types (for API admins) see What grant types does OAuth support? and How does OAuth 2-Legged and 3-Legged Authorization work?
OAuth grant types: 2-legged
The number of legs used to describe an OAuth request refers to the number of parties involved; 2-legged or 3-legged. When the client is also the resource owner, it is a 2-legged flow. OAuth 2.0 includes the following 2-legged grant types; Client Credentials and Resource Owner Password Credentials.
OAuth grant types: 3-legged
The number of legs used to describe an OAuth request refers to the number of parties involved. The most common process flow includes three parties; a client, a server, and a resource owner. This is a 3-legged flow. OAuth 2.0 includes the following 3-legged grant types; Authorization Code and Implicit.
OAuth grant types: Authorization Code
A 3-legged OAuth 2.0 grant type: An authorization code is returned to the client through a browser redirect after the resource owner gives consent to the OAuth Authorization Server. The client then exchanges the authorization code for an access token. Resource owner credentials are never exposed to the client app.
OAuth grant types: Client Credentials
A 2-legged OAuth 2.0 grant type: The client presents its own credentials to the OAuth Authorization Server in order to obtain an access token. This access token is either associated with the client's own resources, rather than a specific resource owner, or is associated with a resource owner for whom the client is otherwise authorized to act.
OAuth grant types: Implicit
A 3-legged OAuth 2.0 grant type: An access token is returned to the client through a browser redirect in response to the resource owner authorization request. This grant type is suitable for clients that do not support keeping client credentials confidential (for use in authenticating with the OAuth Authentication Server) such as client applications implemented in a browser using a scripting language like JavaScript.
OAuth grant types: Resource Owner Password Credentials
A 2-legged OAuth 2.0 grant type: The client collects the resource owner's password and exchanges it at the OAuth Authorization Server for an access token, and often also a refresh token. This grant type is suitable in cases where the resource owner has a trust relationship with the client, such as its computer operation system or a highly privileged application, since the client must discard the password after using it to obtain the access token.
OAuth provider
The platform's OAuth provider fulfils various standard OAuth provider functions such as: collecting authorizations from end users to apps, issuing tokens to apps, and validating tokens received in API requests.
The platform's OAuth Provider domain relies on authentication being performed by an external Identity Provider. The OAuth process flow doesn't perform authentication, but relies on it. The platform's OAuth Provider can connect to various identity stores, such as LDAP and CA Site Minder. The portal also supports interfacing with a proprietary identity store.
OAuth refresh token
In OAuth 2.0, certain grant types support use of refresh tokens to facilitate longer access periods. This is useful in scenarios that extend over time, such as a regular monthly payment amount.
In OAuth 1.0a, once an access token is generated it is valid until revoked by the user. OAuth 2.0 introduces expiration of access tokens and adds a second type of token, a refresh token, that can be used in conjunction with the access token to allow users to give long-term permissions but yet maintain security. This process helps ensure that if a specific access token is compromised, a new one can be generated from the refresh token, which can be stored in the database on the server.
The access token grants immediate access but only for a limited time. The access token comes with two additional values: expires_in, which indicates the life of the access token, and refresh_token which can be used to get a new access token when the current token expires. Additional user approval is not needed, but the expiration and renewal add security to the process. When (or before) the access token expires, the refresh token can be used to generate a new access token.
For more information, see What is a Refresh Token?
OAuth resource server
The server where the resources are stored. The resource server accepts requests and responds to approved requests using access tokens.
OAuth token endpoint
In OAuth 2.0, the token endpoint is the endpoint on the Authorization Server where the client app sends the authorization code, client ID, and client secret and receives in exchange an access token which allows the app to access the approved resources. For more information, see What are the OAuth 2.0 endpoints and how do they work? and the OAuth 2.0 specification (external site).
For information about the OAuth token endpoint URL when an API is hosted on the platform, see What are the OAuth endpoints for the platform?
The token endpoint first authenticates the client application. It then allows the client application to send the code received from the authorization endpoint; in exchange, it generates an access token and sends it to the client application.
Users connect to the authorization endpoint; apps connect to the token endpoint.
OAuth URLs for the platform
The platform has specific OAuth URLs used when APIs are hosted on the platform. For details, see What are the OAuth endpoints for the platform?
OBIE
Acronym for the Open Banking Implementation Entity, the entity that publishes the UK Open Banking specifications. See https://www.openbanking.org.uk/about-us/glossary/.
OpenAPI specification
As of January 2016, the Swagger specification has been donated to the Open API Initiative. It is now known as the OpenAPI Specification.
Open Banking specification
See, UK Open Banking specification.
OpenID
An open standard for authenticating users, now deprecated in favor of OpenID Connect.
OpenID Connect
An identity layer on top of the OAuth 2.0 protocol that allows the client to verify the identity of an end-user based on authentication by an Authorization Server. OpenID Connect was released in February 2014 and is gaining popularity. For example, Google has moved from OpenID to OpenID Connect for products such as the Google+ API, used by the platform's Google login domain. For more information, see Welcome to OpenID Connect (external site).
Specification: https://openid.net/specs/openid-connect-core-1_0.html.
OpenID Connect provider
The platform's OAuth Provider domain can also function as an OpenID Connect Provider. In this scenario, the platform manages OAuth grants, token validation, and all other activities associated with the OAuth provider role. It supports issuing JWT tokens from the Authorization Endpoint or Token Endpoint. It supports the UserInfo Endpoint, and supports the Well-Known Configuration endpoint for metadata. Both digital signatures and encryption are supported for JWT tokens.
orchestration (API)
An orchestration creates a service that is implemented with a process, rather than being simply a proxy of another service. The orchestration process itself might (but does not necessarily) invoke multiple APIs, and might aggregate responses or take other actions to process a request. A mock service is a type of orchestration. An orchestration is at an operation level, not a service level.
organization
In the context of the Akana API Platform, an organization can represent any of several different types of organizational entities, such as a company, department, project, or partner.
OSGi container
In general, an OSGi (Open Services Gateway initiative) container is an individual piece of a modular system used to install and configure software components in a very flexible and configurable arrangement. This supports such activities as installing or uninstalling, starting, stopping, or updating one or more containers without stopping the entire system.
In the context of the API Platform, specific features are installed in specific OSGi containers. For example, the API Platform might be installed in one OSGi container, the underlying infrastructure in another container, and the Network Director, the component that actually manages the traffic, in another.
overloaded operation (API)
An overloaded operation is one that has two or more implementations that have the same basic URL but with different arguments or, commonly, different media types. Often, there might be two operations that share the same path and HTTP verb but have different media types for Consumes (request media type) and Produces (response media type) elements.
For example, the platform API itself has a small number of overloaded operations that return essentially the same information, but in two different formats depending on the media types used. In these examples, if the response media type is application/json or application/xml, the response is in the form of an RSS channel, and with the same path and HTTP verb, if the media type is application/vnd.soa.v81+json or application/vnd.soa.v81+xml, the response is in the form of a model object.

P

P12 file
P12 is a file format that includes the entire keystore; the information that relates to both the private key and the public key. A P12 file is protected with a password.
In Test Client, for testing an API with certain security policies, you can upload a P12 file to provide the security information Test Client needs to authenticate. See Upload Keystore (Test Client documentation).
package file
The ZIP file that is created as a result of using the export function. The package file can be imported into another instance of the platform by a Site Admin or API Admin.
partial API visibility
API visibility for the app developer is restricted to a subset of the API; only certain portions of the API documentation/operations can be seen by the app developer.
password reset code
See, reset code.
PEM
Acronym for Privacy-Enhanced Electronic Mail, a secure file format for storing and sending secure information such as cryptographic keys and certificates.
physical service
A physical service is an API service external to the platform which is not hosted on the platform, but which is set up so that platform APIs can reference it. A platform API that's set up to use orchestration can reference a physical service in a process or script as part of the orchestration.
For more information, see What is a physical service?
PingFederate
A federated identity management system based on the SAML protocol. PingFederate® supports SSO, SLO, and other federated identity standards. It can also be used as an OAuth 2.0 provider.
The platform supports PingFederate provider as a domain type (set up by the Business Admin). For more information, see PingFederate Domain.
pipes (data format)
A data format that uses the pipe character (|) as a separator between values. Pipe separators are sometimes used for tabular data exchange.
PKCE
Acronym for Proof Key for Code Exchange by OAuth Public Clients; pronounced pixie. A security extension to OAuth 2.0, intended for public clients on mobile devices. Designed to help prevent malicious interception of the OAuth authorization code.
For more information, refer to What is PKCE? (this documentation) or to the specification: https://tools.ietf.org/html/rfc7636 (external link).
PKCS12
A file format used for keystores. The private key and X.509 certificate are stored in the same PKCS12 file. In the Community Manager developer portal, this format is supported for uploading the app keystore file in the Test Client tool. The file extension can be p12 or pfx.
PKI
Acronym for public key infrastructure.
policy
A policy is a set of one or more predefined rules that can be applied to API traffic. For example, a policy might look for malicious content, mask sensitive information, log transactions, or monitor traffic volume. The platform includes some predefined policies and many policies that an authorized administrator can configure for different purposes. Usually, multiple policies can be applied to one API.
Note: For general information about all policies, see About Policies (Policy Manager help).
Policy Manager
Akana Policy Manager is the core product that provides the underlying infrastructure for the platform. Message handling intermediaries integrate with Policy Manager which attaches policies and provides a policy decision point as well as the policy administration point.
The Policy Manager console is the user interface for the Akana API Gateway.
POX
Acronym for Plain Old XML. The platform supports POX binding for services.
Postman
A free external Web client application used for testing APIs. See https://www.getpostman.com/postman.
principal
In terms of the security applied to APIs, a principal is an entity that's expected to be already authenticated, or trusted without authentication being necessary, that can be referenced for further action. For example, in the context of a specific API implementation, in the Identities page, the API admin can specify which elements in the incoming message should be used as principals.
The two most common Identity Principal objects are:
  • Consumer: Represents the consuming application.
  • End User: Represents the user of the consuming application.
Private API
Private APIs are visible to members who have been invited to join an API Scope Group. Once a member has accepted a Private API invitation, the Private API is displayed with a unique icon.
private header
A private header is any header other than the registered headers defined by the specification; see Private Header Parameter Names section of RFC 7515.
Test Client supports private headers.
private key JWT
An authentication mechanism used to get the OAuth access token. It is more secure than using the Client ID and Secret to get the access token. When Private Key JWT is used, the client generates a JWT that is signed using the client's private key, and sends that in the request for the access token The OAuth authorization server validates the signature of the JWT to verify that it was signed by the client who is the owner of the private key, and then the OAuth authorization server issues the token.
The Akana OAuth/OIDC Provider domain supports Private Key JWT.
For examples, see https://accounts.google.com/.well-known/openid-configuration (jwks_uri in the payload) and https://www.googleapis.com/oauth2/v3/certs which has the public keys.
process
In the context of the API Platform, a process is an ordered group of activities that can be performed by an API Gateway that supports the virtualization capability. For more information, see What is a process?
Process Editor
The Process Editor is a graphical user interface (GUI) that allows you to create API orchestration processes in a visual editor. These processes are defined using the Business Process Execution Language (BPEL) standard, and the tool offers an extensible palette of activities and transformations that can be combined to create complex workflows.
production environment
In versions of the API platform prior to 8.1, an API could have endpoints in the Sandbox environment or the Production environment. In versions 8.1 and later, terminology has changed. An API can have two implementations, Sandbox and Live. By default, when a user adds an API, the platform automatically creates the Live implementation.
profile
In the context of the Akana API Platform user interface, the user profile page allows you to edit your user details (firstname, lastname, username, and avatar) and settings (email, password, and notifications settings).
promotion (from one environment to another)
Promotion is the process of propagating changes made in one Environment to another. The Promotion process is automated for efficiency and to help prevent mistakes that could occur in a manual process. Promotion is managed via the Promotion Coordinator.
Promotion requires installation and configuration of the Lifecycle Coordinator feature. For more information, see Using Custom Metadata in the Community Manager developer portal (Site Admin doc) and What is the promotion feature? (API Admin doc).
Promotion Coordinator
A Promotion Coordinator is a separate component that controls the promotion process and transfer of data between environments. There is a single Promotion Coordinator for all Environments.
promotion package
The Promotion Package holds the data that needs to be promoted from the Source Environment to the Target Environment. The package contains two different artifacts: the environment data and the manifest.
promotion profile
In the context of Lifecycle Coordinator, the promotion profile is a part of the topology file representing the transition to the next (target) environment. The topology file includes a promotionProfiles element, and within this element, one or more promotion profiles are defined. In an example of three environments, Development, Test, and Production, there are two promotion profiles; one defines the transition from Development to Test and the other defines the transition from Test to Production.
For more information, see Promotion Profiles (Promotion User's Guide). For examples, see Lifecycle Coordinator Promotion: Sample Topologies.
provisioning (installation/upgrade task)
As part of the installation or upgrade process, there is a post-install/post-upgrade task called Provisioning.
Provisioning Initializes resources associated with the feature set you're installing or upgrading. The provisioning task must be run on each container.
proxy API
When an API Admin or Business Admin sets up an API on the Akana API Platform and chooses to use the Proxy feature, all traffic to the API endpoints is channeled via the platform. This offers significant benefits, including the ability to apply policies and monitor traffic at the proxy.
When an API uses a proxy, the platform receives the API traffic and directs it to the target (actual) endpoint, which is not exposed to API users.
When an API uses the platform as a proxy, the platform receives the API traffic and directs it to the target (actual) endpoint, which is not exposed to API users.
PSP (UK Open Banking)
In the context of the UK Open Banking standard supported by certain policies including the JOSE Profile-Driven Security policy, PSP is an acronym for Payment Services Provider. From the UK Open Banking glossary:
"A Payment Services Provider is an entity which carries out regulated payment services..."
Public Key infrastructure (PKI)
PKI is the entire set of standards, roles, and protocols that defines and supports the use of a public and private key pair—asymmetric encryption—for secure messaging in electronic systems. The infrastructure includes the entity that issues keys and authenticates key holders—the Certificate Authority. It includes the set of processes and protocols by which public and private keys are used to securely exchange data.
Public Key Integration
The Public Key Integration section of Apps > My Apps > choose app > Security allows you to use Public Key Infrastructure (PKI) for secure message signing. When you initially create your app, a shared secret is generated by default. If you would like to override the shared secret, you can upload a Certificate Signing Request (CSR). The Certificate Authority associated with the platform will generate a public/private key pair using the uploaded CSR.
Navigation: Apps > My Apps > choose app > Security

Q

QName
A unique identifier used for certain elements and attributes (Qualified Name). The Community Manager developer portal API uses QNames to identify elements such as API bindings and interfaces. Policy Manager also uses QNames.
QNames are used to create a mapping between a URI and a namespace prefix. The QName includes the object's unique name within the namespace, plus the namespace itself.
QoS (quality of service) policy
A QoS policy defines the level of service being offered to an app that is accessing an API; for example, the number of transactions per minute that are allowed for the app. In the platform, QoS policies are tied to license terms.

R

RabbitMQ
An open-source message broker software that implements the Advanced Message Queuing Protocol (AMQP). The underlying infrastructure can be configured to use AMQP.
RAML
Acronym for RESTful API Modeling Language. RAML is a language based on YAML, and is used for describing RESTful APIs.
The API Platform supports RAML 0.8.
rating
The API platform allows users to rate certain resources, such as apps, APIs, and groups, clicking from 1 (lowest rating) to 5 stars (highest rating).
realm
A URL pattern for which an authentication request is valid. In OpenID Connect, a realm is designed to give the end user an indication of the scope of the authentication request. The identity provider must present the realm when requesting the end-user's approval for an authentication request. The identity provider uses the realm to identify the relying party.
recipe (automation)
In the context of Akana API Platform installation or upgrade, an automation recipe is a JSON document that describes the features, bundles, configurations, and tasks that should be performed on a container. Recipes are interpreted by a script that is shipped with the platform project and can be used to create an instance from scratch or to modify an existing one.
By using recipes, complex configurations can be automated without having to resort to custom scripting. Container customizations can also be captured in recipes to facilitate repeatable deployment of non-standard configurations or features.
For more information about automation recipes, see Automation Reference Guide.
redirection endpoint (redirection URI)
The Client Redirection URI is the client's URI to which the authorization server sends the user-agent back once the user has granted (or denied) access to the resources.
In general, a redirection endpoint or URL is a URL that an application provides to another app, when directing the user to the second app to perform some function and then return the user once the function is complete. For example:
  1. Login: If the user is logging in with Google, the platform directs the user to Google and provides a redirect URL. When Google has authenticated the user, Google redirects the user back to the platform using the redirection URL.
  2. OAuth. Facebook example: if an app is requesting access to one or more of the user's Facebook resources, such as the Calendar, the app directs the user to a Facebook authorization page, and provides a redirect URL. Facebook authenticates the user, collects the user's permission for the app to access the resources, and then uses the redirect URL to return the user to the app. In this example, Facebook is the identity provider and also the OAuth Provider.
  3. Platform OAuth Provider: as part of registering with the OAuth Provider, the app developer must register the app's redirection URI on the App OAuth Details page. When the app is requesting access to resources on behalf of the end-user, the end-user is directed to the authorization page and then, after authenticating and authorizing, is seamlessly sent back to the redirection endpoint. The app can then, having access to the user's resources, provide the requested functionality to the user.
redirection URI
Same as redirection endpoint.
refresh token
See OAuth refresh token.
registered user
A platform user who signed up by creating a profile using the self-signup process, as distinct from a user who was added by the Site Admin, which is called a managed user. Differentiating between users in terms of how they are added allows the implementation of custom workflows that grant different privileges to different types of users. For example, the Site Admin could implement a custom workflow so that a managed user cannot change the user profile but a registered user can.
registration code
A unique code generated and sent to a specific user in an email if the Site Admin adds the user (currently supported only via the API). The code is only valid for the account it is generated for, and expires after a pre-set period.
This is one of the several types of codes use to manage user signup and login. For information on the others, see code (user).
regular expression
A regular expression is a sequence of characters, following specific predefined rules, that define a search pattern that can be used for matching. The platform supports regular expressions in many contexts, such as policy definitions or API parameter definitions.
For general information, see https://en.wikipedia.org/wiki/Regular_expression.
relying party
In OpenID Connect, the app that is providing a service to the end-user is called the relying party. The relying party trusts the identity provider (Connect provider) to authenticate the user. In the context of the Akana API Platform, when OpenID Connect is used for login, the platform is the relying party and the Site Admin sets up the OpenID Connect identity provider in Domains setup.
remote tenant
In the context of Lifecycle Coordinator, a remote tenant is a tenant that resides on a different API Platform instance than Lifecycle Coordinator, in which case communication between Lifecycle Coordinator and the tenant is via REST; in contrast to a local tenant.
Repository Client
A standalone, Eclipse-based IDE, installed as a separate installation package available within the Lifecycle Manager installation ZIP file. Repository Client is a standalone application that you can install locally, that allows you to connect to the Lifecycle Manager library. Lifecycle Manager installation is not required. Repository Client offers a graphical user interface that is easier to work with than raw XML configuration files.
Repository Client is often used as part of the Extensible Properties feature, Lifecycle Repository. For more information, and examples, see What is the Repository Client?
Also often used with the Promotion feature, Lifecycle Coordinator. For more information, see Lifecycle Coordinator Promotion Guide.
reset code
A unique code generated and sent to a specific user as a result of a password reset request. The code is only valid for the account that requested it, and expires after two days by default. Expiration time is configurable by the Site Admin.
This is one of the several types of codes use to manage user signup and login. For information on the others, see code (user).
reset.css
In Web-based applications and web pages that use CSS styling, a stylesheet called reset.css is often used to reset the styles of core HTML elements, such as headings and lists, to a consistent baseline. Custom styles are then applied as a next step.
The reason this is important is that there are inconsistencies in the way that different browsers interpret basic styles. Resetting to a consistent baseline, and building from there, helps ensure a consistent user experience across different browsers.
The platform uses reset.css as part of its style implementation.
resource
In the Akana API Platform, a Resource is an item, such as an App or API, which has its own Forum and set of activities.
restricted API access
Restricted access for an app means that the app's access to the API is restricted to a subset of the API, as defined by scope mapping, or to a specified, agreed-upon quota as defined by a QoS policy. Compare: unrestricted API access.
Resource server
See OAuth resource server.
review
Users can write reviews for any apps, APIs, or groups that they have access to. In the Community Manager developer portal, reviews are created from the Details page for the resource. Each review includes a subject line and a comment.
Other users can comment on the review, and can mark reviews that they like.
Depending on the platform configuration, reviews might be moderated. If so, the review must be approved by an Administrator before it is published.
A review is actually a Forum entry even though, in the user interface, reviews are not displayed on the Forum for the resource, but instead are displayed on the Details page.
In terms of using the API, all operations that work for Forum entries work for reviews also.
role
The specific functions that a platform user can perform are governed by platform roles, which are assigned to the user by the Administrator. For example, one user might have a role that allows adding and editing of APIs, whereas another might have a different role that only allows viewing.
For more information, see How do roles work?
role (platform group)
Within an independent group, each group member has a role, either as Member, Admin, or Leader. An Admin can invite or remove other team members and designate roles.
Within an API Scope Group, each group member has a role, either as Member, Leader, or Admin. The API Admin cam invite team members and designate roles.
Other roles on the platform include App Team Member, Site Admin, API Admin/API Administrator (same role), and Site User. For more information about roles, see What are the default roles for the API platform?
root organization
In the context of the Community Manager developer portal, the root organization is the default organization that's created when the Community Manager developer portal instance (tenant) is created. The name generally matches the Community Manager developer portal itself; for example, if the Community Manager developer portal name is acmepaymentscorp, the root organization shows up in the Organizations list as Tenant - acmepaymentscorp. Even before any organizations are added to the Community Manager developer portal, the root organization appears on the Organizations list.
RSA
A popular and secure public key cryptography algorithm.
RSA Adaptive Authentication for eCommerce
The RSA Adaptive Authentication for eCommerce (RSA-AAEC) standard provides different layers of security for financial transactions.
For more information, see https://www.rsa.com/content/dam/en/solution-brief/rsa-adaptive-authentication-for-ecommerce.pdf (external link).
In version 2022.1.0 and later, the Akana API Platform supports the following versions of the RSA-AAEC standard in the JOSE Profile-Driven Security Policy: 3.0, 3.1, 3.2.
RSA-AAEC
Abbreviation for the RSA Adaptive Authentication for eCommerce standard.
Runtime Configuration
The Repository Client product allows you to specify predefined implementation details for an API, based on values that users provide for custom properties added in the Community Manager developer portal.
when you create an API in the Community Manager developer portal, it inherits default out-of-the-box settings. For example, anonymous access is enabled, a Live implementation is created, the context path is a unique URL based on the Community Manager developer portal URL, and there are no policies attached to the API.
By using the Repository Client product in conjunction with the Community Manager developer portal, you can collect values from the user at runtime and customize the API that's created for the user, based on those values. For example, you could set up a scenario where a custom property asks whether the API is sensitive or not, and if yes, the Community Manager developer portal creates the API with a default setting of Private.
The Runtime Configuration file is the JSON file that the Repository Client product uses to share this information with the Community Manager developer portal.

S

SaaS
Acronym for Software as a Service.
The Akana SaaS solution offers a highly secure, high available infrastructure to support enterprise-grade API management.
SAML
Acronym for Security Assertion Markup Language. SAML is an identity federation standard that enables single sign-on. It is an XML-based standard for exchanging authentication and authorization data between a service provider (providing a service to the user) and an identity provider (providing user identity verification for the service provider).
One usage, in the context of the platform, is by OpenID Connect where it is used to provide single sign-on. The platform acts as the relying party.
Specifications:
SAML Artifact
In SAML, a unique ID used by the service provider (SP) and identity provider (IdP) to reference a specific user session or transaction. The SP can use the Artifact to query the IdP for information about the user.
SAML assertion
A SAML assertion is an XML document returned by the Identity Provider to the Service Provider after authentication of the user. The assertion has a very specific structure, as defined by the SAML standard. A SAML assertion has a <Subject> element which contains information about the user. It might have conditions and attributes associated with the information being conveyed. It is digitally signed and asserts that the user has been authenticated.
Note: the above definition applies to an authentication assertion, which applies in the context of the platform's support of SAML. There are other types of SAML assertions.
SAML Web SSO
Single sign-on over the Web using the SAML protocol.
sandbox endpoint URL
A unique gateway URL (service endpoint) that provides access to an APIs sandbox environment. The Sandbox Endpoint URL becomes available after requesting access to an API using the Request API Access Wizard.
schema
In the context of adding or modifying an API, the platform supports defining a custom schema for request or response model object definitions (JSON format only).
Schema Definition Language (GraphQL)
A document, in a precise specified format and following specified guidelines, that defines the GraphQL schema for a GraphQL API.
Schema Form Editor
The Schema Form Editor is an editor for editing OAS 3.x schema. It includes features such as syntax and semantic validation and coding hints.
scheme
In the full URL for an API, the scheme is the transfer protocol; most commonly HTTP or HTTPS.
For an example of the different parts of an API URL, see Base URL.
scope (with licenses)
A subset of a license. A scope is the bridge between the top level of the hierarchy, which is a license, and the bottom level, an operation. At the business level, the Business Admin defines the scope with a name and basic attributes. Then, at the API level, the API Admin assigns specific operations to one or more scopes for the API. These operations are included in any license that the scope is assigned to.
scope (OAuth)
In the context of OAuth, a scope is a permission setting that limits access to the resource; for example, an app consumer grants permission to view an account balance so that the app can then summarize multiple account balances for the consumer. By granting a specific scope, the consumer (the app's user) is not granting full access to the resource, but only partial access. For example, there could be a scope to view/retrieve data about the resource and a different scope to modify the resource.
In the platform, a scope value for an API version defines a subset of resources to which permission can be independently granted.
Defining scopes for an API allows the API administrator to control the granularity of API access granted to an app. When scopes are defined, app owners can request access to specific resources they want to access, and API owners can grant access to specific resources they want to share.
The OAuth Provider can also specify which scopes are required and optional in messages. The API Admin chooses the provider and then specifies which optional scopes apply to the API, and the level of granularity (to specific operations, multiple operations, or all operations).
scope, dynamic
See, dynamic scope.
scope group
An API scope group is uniquely related to an API. There are two types: Independently Managed, which can exist separately from the API, and Not Independently Managed, which are automatically deleted if the API is deleted. Same as API Scope Group.
scope mapping
If your API is using the Licenses feature, scope mapping is the key to defining which portions of your API will be available for which licenses. The scopes and licenses themselves are defined by the Business Admin, but at the API level you determine which operations are assigned to which scopes. This in turn determines which licenses will be available to app developers requesting access to your API.
script
In the context of the API Platform, a script is a reusable sequence of commands that can be used to automate the execution of tasks associated with managing the platform and its resources.
You can build scripts for automating common tasks relating to your APIs. You can build a library of reusable scripts, which you can then import into a process.
For more information, see What is a script?
SDL
Acronym for a GraphQL schema definition language.
The platform includes search functionality on certain specific pages and on platform-wide content. For example, a user can search on the apps list or APIs list for a specific app or API; the Site Admin can search for a specific user in the Users List. Search is available on many other areas of the user interface. Some examples: Forum posts, tickets, and alerts; help documentation (question mark at top right; then, Browse Docs).
Search results are limited to those resources the user performing the search has permission to see. For example, a user who does not have access to a specific private API will not see it on the list.
security challenge question
See, challenge question.
security domain
An application or collection of applications that all share, and trust, common security. The same security mechanism is used for all within the security domain, for authentication, authorization, and/or session management. A user who is authorized on one part of the security domain is considered authorized for other parts.
In a tenant/partner scenario, all tenants share the same security domain and are considered to be trusted. So, for example, app owners on one tenant have access to API information on another tenant seamlessly and without any additional security authorization.
Security Event Token
In the context of UK Open Banking, a Security Event Token is a JSON data structure that describes statements of fact from the perspective of an issuer about a subject. Each statement of fact represents an event relating to the subject; for example, a token was issued or revoken on behalf of the subject. Each SET becomes an individually signed JSON web signature (JWS).
For more information, see https://datatracker.ietf.org/doc/html/rfc8417 (Security Event Token specification).
security token service
An open standard core component for single sign-on using web services. It includes a framework for claims-based identity management; for example, via SAML or JSON Web Token (JWT).
serialization
Many of the policies that the API Admin can attach to APIs in the Community Manager developer portal include a Serialization configuration property, with the option to choose Compact (dot-separated, consumes less bandwidth) or JSON (key-value pairs, more human-readable). For more information, refer to the applicable sections in the JWS RFC: JWS Compact Serialization and JWS JSON Serialization. See also JWS serialization.
Server Name Indication (SNI)
An abbreviation for Server Name Indication, SNI is an extension of the TLS protocol that allows a single server to connect multiple SSL certificates to one IP address. When the client attempts to connect to the server, the client indicates the hostname it is attempting to connect to. The server sends the applicable digital certificate, which the browser then verifies; upon verification, the connection goes ahead.
The API platform's support of SNI at the API/service level means that multiple certificates can be used for one HTTPS endpoint. This means that each API can use its own certificate for its own clients. The deployment zone must support HTTPS; the API implementation must have the Use Implementation's Key/Certificate for SSL option checked in the HTTPS tab for the deployment, and there must be a certificate in place for the implementation. For details, see How do I set up my API to support SNI? (API Admin help).
The API platform also supports SNI at the tenant level; the Site Admin can upload a certificate for the specific theme. For details, see How do I manage security for a Community Manager developer portal theme? (Site Admin help).
For general information on SNI, see https://en.m.wikipedia.org/wiki/Server_Name_Indication.
Service Provider
In terms of SAML, the Service Provider (SP) offers a service to the user and allows the user to sign in by using SAML. When the user attempts to sign in, the SP sends a SAML authentication request to the Identity Provider (IdP). The IdP validates the request, authenticates the user, and creates a SAML assertion that represents the user's identity and, in some cases, sends additional information about the user in the form of associated attributes. The SAML assertion is digitally signed and encrypted and then sent back to the service provider that initiated the request.
Identity federation software at the SP receives the assertion, verified the authenticity, decrypts, and shares the information with the application.
SHA
Acronym for Secure Hash Algorithm; a family of cryptographic hash functions including SHA-0, SHA-1, SHA-2 (see SHA-256), and SHA-3.
SHA-1
SHA-1 (Secure Hashing Algorithm 1) is a cryptographic hash function, broadly used and trusted.
When you hash a value with SHA-1, the hash function returns a 160-bit string. This is the message digest. The value is hashed and sent with the message; at the receipt point, the value is hashed again, and the two hash values are compared. When the two hash values match, it is a secure, reliable indication that the message hasn't changed; the message at the receipt point is an accurate duplication of the message at the send point.
SHA-256
Part of the SHA-2 family of algorithms developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to succeed SHA-1. Each is named according to the number of bits in the output; so, whereas SHA-1 has 160 bits in the hash output, SHA-256 has 256.
shard (in Elasticsearch)
See Elasticsearch shard.
Shared Secret
A shared secret is a value generated for an app developer within the secure environment of the platform. The shared secret is known only to the app developer and the platform, and is used for authentication in secure send/receive communications.
The shared secret is 64 bytes.
Navigation: Apps > My Apps > choose app > Details > Security
signature/MAC algorithm
Refers to a JSON Web Signature (JWS) algorithm or a MAC algorithm.
For information about the signature/MAC algorithms supported by the platform, see What signature algorithms are supported by the platform's Akana OAuth/OIDC Provider?
signup code
A unique code generated and sent to a specific user in an email when the user signs up for the platform. The code is only valid for the account that requested it, and expires after seven days.
This is one of the several types of codes use to manage user signup and login. For information on the others, see code (user).
Simple Developer theme
Simple Developer theme, also called Simple Dev, is an additional customizable code base, with a separate URL, that you can choose as an additional installation option. Simple Dev includes a streamlined user interface, providing a simplified user experience for app developers.
The API admin, Site Admin, and Business Admin capabilities available in Hermosa Theme are excluded from Simple Dev theme for the sake of simplicity. One installation can have multiple themes, with multiple customizations of each, sharing the same database. Each theme has a different URL.
Simple Dev theme offers an easily customizable look and feel, and is easily extensible.
For an illustration, see Simple Developer Theme.
site administrator
An individual who has responsibility for keeping the site running smoothly. The Site Admin has access to additional parts of the user interface for configuration and monitoring purposes. There can be more than one site administrator. For more information, see What functions are available to the Site Administrator in the platform?
SNI
See, Server Name Indication (SNI).
soapUI
A free (or paid) application used for testing APIs. See https://www.soapui.org/.
SP
In SAML, abbreviation for Service Provider.
sprite
A two-dimensional image that was used by the Community Manager developer portal CSS, used only in Default theme (deprecated in version 2020.1.0 and removed in version 2020.2.0), to control the colors in platform default icons and images. Although the icons and images could not themselves be changed, the colors could be changed, as part of UI customization, by changing the colors of the sprite files. Hermosa Theme uses a different approach to custom icons, Font Awesome (see http://fontawesome.io; external link).
SSL
A cryptographic protocol used to add security to messages by encryption. SSL uses X.509 certificates and asymmetric security. The session key is used to encrypt the messages. SSL offers encryption and identification.
SSO
Abbreviation for single sign-on, a feature allowing a user to sign in once for more than one system rather than signing in separately to each system.
If an app offers single sign-on, this means that the app, acting as a Service Provider (providing services to an end user) uses an Identity Provider, an entity that provides authentication and possibly authorization services, to verify the identity of an end user logging on to the app. The user signs in to the Service Provider, and the Service Provider either implicitly or explicitly requests authentication from the Identity Provider. Once authentication is received, the Service Provider delivers the requested service to the end user.
SSRF
Acronym for server-side request forgery. Like CSRF, an SSRF attack is a malicious attack on a server, attempting to access or manipulate data in an unauthorized manner.
CSRF uses a web client such as a browser; SSRF uses an insecure server as a proxy.
The platform has built-in security features to prevent SSRF. For example, when uploading an API description document, the document can only be uploaded if the server is a trusted server. For more information, see How do I add an API using an API description document? (API Admin help) and Limit forward proxy feature to allow only these hosts (Site Admin help).
SSV
Space-separated value format, a data type for certain API input parameters. This format is commonly used for exporting tabular data. Used in API documentation generated with Swagger 2.0: see http://swagger.io/specification/.
STS
Acronym for security token service.
style (for parameters in Swagger)
Parameter style values are defined by the Swagger specification, and vary according to the type of parameter (for example, path or query). Examples: simple, spaceDelimited, pipeDelimited, matrix, label, form. For more information, refer to the Swagger documentation re parameter serialization; see https://swagger.io/docs/specification/serialization/.
subdomain
A subdomain is a subset of a main domain, with a separate IP address. For example, if you own the domain www.example.com you could break it down into these subdomains: www.example.com, apiportal.example.com, docs.example.com.
Swagger
Swagger is a specification and framework implementation for dynamically generating API documentation for RESTful web services. It is the precursor to Open API Specification 3.0 (OAS 3.0).
The Akana API Platform supports OAS 3.x and Swagger 2.0.
Swagger 1.2
An earlier version of Swagger. Swagger 2.0 and OAS 3.0 are descendants.
The Akana API Platform supports OAS 3.x and Swagger 2.0.
Swagger 2.0
Swagger 2.0 is a specification and framework implementation for dynamically generating API documentation for RESTful web services. The platform includes an implementation of Swagger that works in conjunction with the Add a New API Wizard. For more information, see What is Swagger and how does it work?
The Swagger 2.0 specification is hosted on GitHub: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md.
The Akana API Platform supports OAS 3.x and Swagger 2.0
Note: The Akana API Platform supports uploading a Swagger 2.0 or OAS 3.0 document in a format other than JSON, such as YAML. However, the platform converts it to JSON. You cannot download a Swagger or OAS 3.0 document in YAML.
symmetric encryption
A form of encryption where data is encrypted and decrypted with one key, often called a Shared Secret. The encrypter and decrypter both have the same key. This is a less secure form of encryption than asymmetric encryption, where there are two keys, a public key and a private key.
symmetric key
The private key used for encrypting and decrypting data in a scenario where symmetric encryption is used. The symmetric key is often called a Shared Secret.

T

tag
A tag is essentially a keyword or key phrase that's added to a piece of content, or information associated with a resource, to assist in search results. Several different types of resources can have tags assigned to them; for example, apps, APIs, groups, and tickets. Multiple tags are separated by commas.
For example, if an app is a movie general knowledge game, the app owner might assign tags of movie, game, general knowledge; or an API owner can add a category or product line to the metadata for certain APIs so those APIs will come up in search results for that term.
tan header (UK Open Banking)
Per the UK Open Banking specification, the tan header field: "must be a string that consists of a domain name that is registered to and identifies the Trust Anchor that hosts the public counter-part of the key used for signing."
For UK Open Banking, the value must be openbanking.org.uk.
When Open Banking support is enabled in the policy, if a tan header field exists in the JWS header, the JOSE Security Policy v2 validates the header value and also validates that it is present in the crit claim list.
For more information, see the UK Open Banking 3.1 specification: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937656404/Read+Write+Data+API+Specification+-+v3.1#Read/WriteDataAPISpecification-v3.1-ProcessforSigningaPayload (Step 2).
target API
When defining an API on the platform, if an API is using the platform as a proxy, the Target API defines the destination ("next-hop") endpoint for the API.
target host
When defining a domain in the platform, it is possible to define a virtual host address for each login domain. This is the target host. Example: {role}/{company}.com.
target endpoint
When an API is hosted on the platform, the API Admin defines a proxy endpoint, which is shared with apps. Traffic to the proxy endpoint is managed by the platform, which directs the requests to the actual API endpoint—the target endpoint—and directs the responses from the target endpoint back to the requestor (the client app). The target endpoint is not exposed to users, and the platform acts as a gateway to the target endpoint, applying security policies, Quality of Service policies, and any other rules, as per the API definition on the platform.
template (Lifecycle Manager)
The Community Manager developer portal offers an optional extension for Lifecycle Manager (LM) users to support LM templates. Called capture templates in LM terminology, these templates define additional pieces of information to be collected from users about platform resources, such as apps and APIs, over and above the platform defaults. For example, by default, adding an app requires a name, description, version number, and version description. An LM capture template could define additional required or optional properties, such as keywords or type of app. Types of information collected can include different data types such as text, integer, or Boolean; single or multiple values; optional or required user input. The specifics are determined by the Capture Template design in LM. The template can also include user assistance (tooltips) for the various fields.
To implement LM capture templates to collect additional information from users, several steps are needed. The implementation must include Lifecycle Manager, using the same database as the Community Manager developer portal; one or more LM capture templates must be in place; and the applicable site setting (in More > Admin >Site > Extended Properties and Workflow) must be enabled.
tenant
When you log in to an instance of the Community Manager developer portal, you are logging in to a specific tenant. In the context of the Community Manager developer portal, each tenant has its own URL and its own set of apps, APIs, businesses, and groups. Configuration settings in the Community Manager developer portal apply to the current tenant. The tenant is a distinct Community Manager developer portal and community that has a logical separation from any other communities that might be hosted in the same product instance. A tenant might be a customer that is hosted within a shared system, such as the Akana SaaS platform, but has separation from other customers/ tenants.
The Tenant is managed by the Site Administrator. Each tenant generally has its own look and feel.
See also: local tenant, remote tenant.
tenantid
Unique ID for a specific tenant on the platform.
Test Client
The platform includes an API testing interface, called Test Client, that acts as an easy-to-use test client for any API that is fully integrated, with an API definition in the platform. This test tool allows developers to thoroughly test all capabilities of the API. It can be used for prototyping, testing, and troubleshooting apps against an API. It includes OAuth support for retrieving the OAuth token in order to process the message.
For more information, see Trying Out APIs in Test Client (for app developers), API Testing with Test Client (for API Admins), or Test Client (for Site Admins).
theme
One instance of the portal. More than one theme can be defined during the installation process and can then be customized for different purposes or audiences. Each theme has a separate URL.
The platform includes several out-of-the-box standard themes: Default theme (deprecated in version 2020.1.0 and removed in version 2020.2.0), Simple Dev, Hermosa, Bonita (valid in version: 2020.1.0 and later), and DevOps (used by the Lifecycle Coordinator product). Themes can be extended, which means you can have more than one version, independently customizable.
For overview and illustrations, see Platform user interface "theme". For more information, see What is a platform theme?
Note: Simple Dev theme is deprecated in version 2020.2.0, and will be removed in a future release.
third-party account (email)
The platform supports login through a third-party identity provider, such as logging in with a Google, SAML, or LDAP account.
third-party provider (TPP)
In the context of the UK Open Banking specification, a third-party provider is is an authorised online service provider that adheres to the UK Open Banking specification to provide financial services to the consumer. The third-party provided generally requires some access to the consumer's banking information in order to provide the service. The UK Open Banking standard allows the third-party provider (TPP) to request access consents in order to provide a service to the consumer.
thread pool
The thread pool is used to manage the thread configuration for the estimated volume of transactions that will be processed through the production site. Each request requires one thread. If the thread pool is configured with a maximum thread pool size of 256, the container will support 256 concurrent requests. If more concurrent requests are required in a container, the thread pool configuration for the specific listener can be increased.
In the context of the Community Manager developer portal, thread pool settings are configured for the listener by the Business Admin ( More > Admin >API Gateways > choose API Gateway > Inbound Listeners section, Edit button > choose listener > Edit).
Note: The thread pool is dynamically adjusted between the minimum and maximum values. The minimum thread pool setting signals the server to allocate at least that many threads in reserve for application requests. That number is increased up to the maximum specified thread pool size.
ticket
A type of forum entry, representing a trouble ticket created to raise an issue with a resource (app or API) or a connection. Tickets are typically created by a consumer of an API. Any member of the community can comment on a ticket, but it can only be marked as Resolved by the original creator or by an administrator of the target resource. For example, if Joe writes a ticket about an issue with the SkyBlue API, only Joe or the SkyBlue API Admin can mark the ticket as Resolved.
Tickets are also included in the Action Dashboard.
time to first byte (TTFB)
The TTFB for an API request is the amount of time that it takes from when the request is received from the client app to the first byte of data returned from the API Gateway to the client app.
In the context of the Community Manager developer portal, TTFB metric breakdowns are shown in the API Logs page. For more information, see Viewing the time to first byte (TTFB) metrics.
token
An access object sent to the requestor (client app) after authentication is complete and authorization has been granted. The token enables the client app to request access to the end-user's resources. OAuth, OpenID Connect, and SAML use tokens. There are different types of tokens, as defined in the applicable specification; for example, OAuth access tokens, bearer tokens (also called bearer access tokens), client tokens (not currently supported), and ID tokens (used by OpenID Connect).
token endpoint (OAuth)
See OAuth token endpoint.
trust store
The trust store is the platform's secure repository for Trusted CA Certificates.
For more information, see https://fpki.idmanagement.gov/truststores/ (external link).
Trusted Certificate Authority
A Trusted Certificate Authority (CA) is a third-party identity that is qualified with a specified level of trust. Trusted CA Certificates are used when an identity is being validated as the entity it claims to be. Certificates imported into the Platform Tenant (Host) must be issued by a Trusted Authority. Trusted CA Certificates must be configured prior to importing X.509 certificates for applications running on the platform.
Navigation: Apps > My Apps > choose app > Details > Security
TSV
Tab-separated value format, a data type for certain API input parameters. TSV format is used for tabular data exchange.
TTFB
See, time to first byte (TTFB).
TTL
In the context of MongoDB, TTL is Time to Live, a value that determines how long data is stored. TTL is managed by TTL indexes. From the MongoDB documentation (https://docs.mongodb.com/manual/core/index-ttl/):
"TTL indexes are special single-field indexes that MongoDB can use to automatically remove documents from a collection after a certain amount of time or at a specific clock time. Data expiration is useful for certain types of information like machine generated event data, logs, and session information that only need to persist in a database for a finite amount of time."
two-factor authentication
An enhanced security feature for additional authentication of users logging in. The first factor, something the user knows, is satisfied by the user entering credentials, such as username and password, to authenticate. A second factor can be something the user has, such as a passcode. The platform has an optional feature to support two-factor authentication, commonly called 2FA. If this feature is enabled, after verifying credentials the user is sent a code, usually by email, and is directed to a platform page for entering the code.

U

UDDI
Acronym for Universal Description, Discovery, and Integration. UDDI is an XML-based protocol, sponsored by OASIS, that includes an international registry that allows businesses to publish service listings and discover each other, and to define how the services or software applications interact over the Internet.
The platform assigns unique UDDI keys to resources and references the UDDI keys in various operations.
UK Open Banking specification
The UK Open Banking initiative is designed to help customers securely share their banking information with one or more third-party providers, in a flexible and secure manner that puts the customer in control, without having to share banking credentials.
Specification (version 3.1.2): https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805207/Read+Write+Data+API+Specification+-+v3.1.2.
The Open Banking specification includes a set of rules and guidelines controlling the interaction between third-party providers and banks, to define a channel for the flow of banking data through secure open APIs. The specification includes rules and guidelines covering such things as message security, message format, message headers, and error messaging. For more information about Open Banking, see https://www.openbanking.org.uk/.
For information about the platform's support of Open Banking, see JOSE Security Policy v2 support of the Open Banking specification.
For a glossary of terms relating to Open Banking, see https://www.openbanking.org.uk/about-us/glossary.
unicast
Used in connection with configuration of the platform's search feature. Unicast configuration is appropriate for scenarios where the client/server relationship is 1 to 1 and the scope is the whole network. At startup, the node sends a message to a single network address. This is appropriate for a single client scenario or a cluster scenario. Compare broadcast which sends the same data to all possible destinations and multicast which sends the data to all interested destinations.
unmark
To unmark a discussion, ticket, or other resource means to remove a mark previously placed on the resource. In the user interface, the mark icon is a thumbs-up, and the unmark icon is a closed fist.
unrestricted API access
Unrestricted API access for an app means that the contract is not limited to a specific license. The app has full access to all operations of the API. Compare: restricted API access.
URI
A URI is a string of characters used to identify a name or resource. The term URI encompasses both URLs, URNs, and other ways to indicate a resource. A URL is a type of URI that identifies a resource by specifying its location in the context of a protocol such as HTTP.
For more information, see https://www.w3.org/TR/uri-clarification/.
URL
A URL (Universal Resource Locator, a Web address) identifies a resource by specifying its location in the context of a particular access protocol; for example, HTTP or HTTPS.
A URL is a type of Uniform Resource Identifier (URI).
URN
A Uniform Resource Name (URN) is a type of Uniform Resource Identifier (URI) that uses the urn scheme.
A URN is not a locator, and is not necessarily associated with a specific protocol or access method. It is expected to be unique. An example of a URN naming system is the urn:isbn namespace, used for International Standard Book Numbers.
user
A person with a registered login ID to the Akana API Platform. All users must complete the registration process so that the system can gather required information about them before granting access. Each user can choose to define a new username/password combination that will be managed within the Akana API Platform, or can leverage the integration of the Akana API Platform with external security providers such as Facebook® for authentication. By completing the signup process, each individual is assigned the role of User; users can then assume other roles, such as API Administrator or App team member (depending on platform settings).
UserInfo Endpoint (OpenID Connect)
One of the two ways offered by the OpenID Connect specification for the app to learn information about the end user. The OpenID Connect Provider can publish a UserInfo endpoint, which is a protected resource that returns claims about the authenticated end-user.
The client sends a request to the UserInfo Endpoint using an access token. The UserInfo Endpoint returns the user info to the client app.
The OpenID Connect Provider can issue an ID Token (token) from either the Authorization Endpoint or the Token Endpoint.
UTC
See Coordinated Universal Time (UTC).

V

vanity hostname
A vanity hostname is generally memorable, easy to understand, and clearly identifiable. An API might have an actual hostname that has more complexity, but maps to a vanity hostname that's easy for customers to remember. Customers can use the vanity hostname and do not even need to be aware that it isn't the actual API processing endpoint. The vanity hostname cannot include the underscore character.
version
Each app or API on the platform much have at least one version, and can have multiple versions. When a user creates an app or API on the platform, the first version is created automatically; when using the API, it's important to complete both actions. If there is only one app or API version, deleting that version also deletes the app or API.
vertical ellipsis menu
In the Hermosa theme, the vertical ellipsis (Advanced Options, sometimes called a kebab menu) indicates additional options.
VIP
Acronym for a virtual IP address.
Visa Token Service
A security standard from Visa. The Visa Token Service (VTS) standard replaces sensitive account information, such as the account number, with a token.
For more information, see https://developer.visa.com/capabilities/vts (external link).
The Akana API Platform supports the VTS standard in the JOSE Profile-Driven Security Policy.
visibility
A setting that controls the types of users who can see a resource, such as an app, API, group, license, or scope, and any associated items such as discussions and tickets.
There are three possible values. The first two are applicable to all resources that have visibility settings; the third is applicable only to apps, APIs, and groups.
  1. Public: anyone can see the resource, even anonymous users.
  2. Private: the resource is restricted to those who have been specifically invited to have visibility of the resource, usually by joining a private group that has visibility of the resource.
  3. Registered Users: the resource is visible to all users who have logged in, but is not visible to anonymous users.
VTS
Acronym for the Visa Token Service standard.

W

WADL
Acronym for Web Application Description Language, an XML-based description language for RESTful Web APIs. WADL is one of the API description languages supported by the API Platform.
Note: The platform supports WADL for upload to create an API, but the platform then converts the WADL to JSON to create the API. It does not support download of an API description in WADL format.
well-known configuration URL (OpenID Connect)
In the OpenID Connect protocol, the Well-Known Configuration URL is a specific URL published by the OpenID Connect provider. The platform can use this URL to retrieve other values it needs such as Authorization Server URL, Token Endpoint URL, UserInfo Endpoint URL, and security parameters used for tokens.
Note: If the well-known configuration URL uses the HTTPS protocol, the issuer certificate of the server must be trusted by the platform. Also, the issuer certificate of the server must be part of the cacerts file on the Akana API Platform container JRE.
workflow
Workflow defines the sequence of steps that are followed in a business process, including such related data as conditions (for example, a ticket must be resolved before it can be closed), state (for example, a ticket can have states of Open, Resolved, and Closed), or role (for example, a certain step can only be completed by an Administrator).
Defining the workflow for a business process gives you control over the process and allows you to monitor and customize as needed to streamline the business process.
The platform includes default out-of-the-box workflows for certain resources, such as API contracts, and allows you to customize the workflow for several key resources.
workflow action
Certain types of activities on the platform must be done in a specific sequence. These are often managed by workflows. Each workflow action changes the state of the resource. Some examples of workflow actions are: requesting or approving an API contract, sending a group membership invitation, or changing the status of a ticket.
WSDL
Acronym for Web Services Description Language; the WSDL (pronounced wizdel) is an XML file that includes the definition for the service, including all operations, model objects, and so forth.
In the context of the Community Manager developer portal, you can create a SOAP-based API by uploading the WSDL file that includes the definition of the API. See How do I add an API using an API description document?

X

X5C parameter
The X5C (X.509 Certificate Chain) parameter is defined as part of the JSON Web Key (JWK) spec. This parameter contains a chain of one or more certificates. The certificate chain is represented as a JSON array of certificate value strings.
The platform supports this parameter via the JOSE Security Policy v2.
X-Csrf-Token_fedmemberID header
A custom header used by the platform to protect against CSRF attacks. For details, see What is the CSRF prevention feature? (Site Admin help).
For information about the FedmemberID, see FedmemberID.
XSRF
XSRF is an alternative term for CSRF.

Y

YAML
A data format. YAML 1.2 is a superset of JSON. YAML is not really a markup language since it is data-oriented rather than focusing on document markup. Whitespace indentation, rather than brackets, are used to denote structure. RAML, one of the API description document types supported by the API Platform, is based on YAML.

Z

zulu time
See, Coordinated Universal Time (UTC).