Glossary of Terms

Key terminology used in the platform.

API Platform Version: 8.2
2FA
Acronym for two-factor authentication.
access token
1) See OAuth access token.
2) Same as bearer access token.
Ajax
An abbreviation for Asynchronous JavaScript and XML; a term for a set of related web development techniques that can be used together to update parts of a webpage without reloading the entire page.
Akana API Gateway
See gateway.
Akana API Platform
The Akana API Platform is a set of features, previously installed separately, that are now integrated and are installed as a single product. The Akana API Platform includes Policy Manager and Community Manager as well as some other features.
Akana Platform
The Akana Platform is the underlying set of files that supports the Akana API Platform. When installing the product, the Akana Platform installation comes first.
alert
A type of Dashboard item designed to inform app or API administrators about an issue such as an SLA (Service Level Agreement) violation.
AMQP
Acronym for Advanced Message Queuing Protocol, an open-standard protocol for message orientation, queueing, and routing. Like other protocols such as SMTP, HTTP, and FTP, which define the behavior of provider and client so that different implementations are interoperable, AMQP is a wire-level protocol: the data is sent as a stream of octets.
anonymous access (to an API)
With anonymous API access, users do not need to log in, or set up an app, to try out an API.
Allowing anonymous access to an API endpoint in the Sandbox environment is useful if you would like to offer a preview of an API to developers without requiring users to create an app or sign up to the platform. For example, if you have a specific feature set you would like to expose as part of promoting your API, you can expose those operations in your API configuration, and allow anonymous access.
Developers can read the documentation and access the API without signing up and requesting access to the API. If a developer tries out the API and likes it, he/she can then sign up to the platform, create an app, and request API access.
Anonymous access is typically granted to API Sandbox endpoints, but it is generally not a standard practice to grant anonymous access to a Live endpoint.
Note: When Allow Anonymous Access is set to Yes for an API, viewing usage data for apps in the Overview, Charts, and Logs sections of My APIs > Analytics is not supported. This applies whether or not an approved API Access Request exists for an app. The My APIs > Analytics section will still show API usage data.
anonymous user
A user who is browsing the platform without logging in. Anonymous users can see public content but cannot post to Boards, write comments or ratings, or create resources such as apps.
API
A key resource in the Akana API Platform. An API provides a business with a way of using the Internet to extend business capabilities to connect with new customers in new ways. In this context an API is a Web service exposed outside the enterprise, typically using RESTful design principles, and often with JSON content.
API access request
A specific type of Connection Request; a request, initiated by an app team member, to establish a contract between the app and an API. An API access request governs the relationship between an app and an API for the life of the connection. When an app team member requests a connection to an API on behalf of the app, the API administrator is notified of the pending request and can approve or deny the request.
API Administrator
One of the roles defined in the Akana API Platform is that of the API Admin. Each API must have at least one Admin, and can have more. The API Admin approves or rejects connection requests, moderates the API's Forum, views and manages alerts and trouble tickets, and manages documents, policies, and other information associated with the API. The API Admin can also view performance and usage data for the entire API, and can invite others to be Admins for the same API.
API Forum
The API Forum allows any member to post discussions pertaining to a specific API, or create trouble tickets pertaining to issues associated with the operation of a particular API.
Navigation: APIs > API Name > Forum
API Context Group
A group directly associated with a specific version of a specific API, public or private, and created by an API admin for that API. Each member has a group member role, either as member or leader. Each group can have multiple leaders as well as members. An API Context Group is uniquely related to its API version and does not exist independently of it. If the API version is deleted, any API Context Groups associated with that version are also deleted, whereas independent platform groups associated with the API are not.
Note: In the past, we used the term Private API group. However, since the licenses feature was implemented, API visibility is affected by multiple factors; for this reason, the term was changed to API Context Group. We also used the term scope group.
API Gateway
The Akana API Gateway provides service integration and gateway services for APIs. It bundles Akana Policy Manager with one or more message handling intermediaries.
API Scope Group
A group directly associated with a specific version of a specific API, public or private, and created by an API admin for that API.
API Owner
The API Owner role is the role responsible for the API; similar to the API Admin role.
An API Admin can edit or delete any API for which he/she is an Admin; an API Owner can edit or delete an API only if he/she created the API.
app
An app (application) is a piece of software that delivers specific capabilities to its users. In the context of the Akana API Platform, an app is a piece of software that consumes one or more APIs.
app Forum
The app Forum allows development team members to create private discussions with other team members pertaining to their specific application development projects. Team members can also create trouble tickets pertaining to issues associated with application development.
Navigation: My Apps > App > Forum
App ID
When an app developer registers an app in the platform, it is assigned an App ID. The App ID is a unique identifier for your app within the platform. All API calls include the App ID.
app team member
One of the roles defined in the Akana API Platform is that of the app team member. Each app must have at least one team member and can have more. An app team member initiates contract requests, such as API access requests, moderates the app's Forum, and views and manages trouble tickets relating to the app. The app team member can also view performance and usage data for the app's API usage, and can invite others to be team members for the same app. All app team members have the same rights.
A record (in DNS entry)
A DNS entry for a website address includes an A record that maps the hostname (or the hostname that a CNAME points to) to the IP address of the DNS entry.
Artifact Resolution Service (ARS)
In SAML, a service that you must set up if you want to use the HTTP Artifact binding (supported for single sign-on SAML response messages). You can then use the service to retrieve the full message using the artifact. See HTTP Artifact.
Assertion
See SAML assertion.
Assertion Consumer Service (ACS) endpoint
In SAML, the endpoint where the service provider will receive SAML assertions from the identity provider.
asset
A component, or resource, that can be created, used, reused, and acted upon. The API platform includes many asset types, including APIs, apps, services, schemas, policies, tenants, legal agreements, API access contracts, and others. The platform's use of this term is per the OMG Reusable Asset Specification (RAS) (http://www.omg.org/spec/RAS/2.2/PDF). The specification is a set of guidelines and recommendations about the structure, content, and descriptions of reusable software assets.
AtmosphereApplicationSecurityPolicy
A policy used to identify (authenticate) an app that is attempting to consume an API, to determine whether or not the app is authorized to access the API. This policy type supports multiple mechanisms for the app to present its identity. For more information, see Policy List: AtmosphereApplicationSecurityPolicy.
AtmoAuthToken
A tenant-specific cookie. This is the platform's authorization token. The token is returned in the Set-Cookie response header. This cookie indicates the level of access allowed. It is valid only for 30 minutes and must be renewed at that time. It also includes other information, such as the APIs, apps, and groups the user is a member of. When any of this information changes, the token must be renewed.
Because the AtmoAuthToken includes a lot of information about the user, in some cases, the token is long, and could potentially cause requests to fail if the server has a limitation on HTTP header length. For this reason, container configuration properties include authTokenMaxLength. When the AtmoAuthToken would be greater than the max length, the platform creates a mini auth token, and saves the full auth token in the database.
authorization endpoint
See OAuth authorization endpoint.
Authorization Server URL
See OAuth Authorization Server URL.
auto-connect feature
The platform's auto-connect feature allows an API Admin to set up the API so that when a new app is created on the platform, a contract with the API is created automatically. The API Admin specifies the details of the access granted with the auto-connect feature, such as whether access is to the Sandbox or Live implementation, or whether access is limited to specific operations or a specific transaction volume (via the Licenses feature, implemented with scope mapping).
Base URL
In setting up the SAML identity provider in Policy Manager, the platform provides a specific URL to be used for instances where the Identity Provider, when encountering an error, returns the error response to the default Service Provider endpoint rather than just showing the error on the authentication page. PingFederate is an example of an Identity Provider that returns an error response in this way.
To construct the endpoint to be used for error responses, the platform needs to know the {protocol_scheme}://{host}:{port} of the container where the SAML Web SSO domain is initialized. This is the base URL.
Basic authentication (HTTP)
Basic authentication requires that users provide a valid user name and password to access content. All major browsers support this authentication method and it works across firewalls and proxy servers. The disadvantage of Basic authentication is that it transmits the password across the network only base64-encoded, not encrypted. You should use Basic authentication only when you know that the connection between the client and the server is secure (for example, TLS).
Beanshell engine
A scripting language. The API platform supports Beanshell engine for creating reusable scripts, useful for automating processes.
bearer access token (access token)
An access token that follows the JWT standard and contains all the information the resource server needs to confirm the user's grant to the application. It has the following three-part structure, with period separators: Header.Payload.Signature. The platform's OAuth Provider domain can issue Bearer access tokens. An advantage of the Bearer access token is that the Resource Server can validate it by itself, without having to go back to the Authorization Server.
bearer assertion
Same as ID token (OpenID Connect).
bearer token
Used in OAuth, the bearer token is a security token with the property that any party in possession of the token (the bearer) can use it. The bearer token is sent as-is in the API request, in the Authorization header. The platform's OAuth Provider domain supports Referenced Bearer (a simple bearer token) and bearer access token.
Board
See Forum. In versions of the platform before 8.3, Forums for resources were called Boards.
Board item
See Forum entry. In versions of the platform before 8.3, Forum entries were called Board items.
bpel file
A bpel file is a Business Process Execution Language file. BPEL is short for Web Services Business Process Execution Language (WS-BPEL), an OASIS standard executable language that defines a standard format for specifying the actions within a business process, used by web services. When the Site Admin or Business Admin creates an export file from the platform, such as an API export file, the export ZIP file (package file) includes BPEL files.
broadcast
Used in connection with configuration of the platform's search feature. Broadcast configuration is appropriate for scenarios where the client/server relationship is 1 to many. The scope is subnet. At startup, the node sends a message to all possible destinations. Compare unicast which sends the same data to a single network address and multicast which sends the data to all interested destinations.
Business Administrator
One of the roles defined in the Akana API Platform is that of the Business Administrator. A business can own one or more APIs and apps, and must have at least one Administrator. The Business Administrator automatically has administrator rights over all the APIs and apps owned by the business as well as all the users who are part of the business. For more information, see What roles can a Business Administrator perform?
CA SiteMinder
CA SiteMinder® is a popular commercial access management product. The platform supports use of CA SiteMinder for login or for OAuth support.
callback URL
Redirect URL. See OAuth callback URL.
CDN
Acronym for content delivery network or content distribution network; a distributed system for serving content over the internet.
CER file
A message generated by a certificate authority in response to a request for a digital identity certificate.
When uploading app credentials, the app developer can upload either a CER file or a CSR file.
See also: CSR file.
Certificate Authority
For scenarios where asymmetric encryption is used, a Certificate Authority (CA) issues certificates and guarantees the validity of the binding between the certificate owner and its public key. The CA is a trusted authority, and any certificate issued by the CA identifies the owner of the certificate; therefore, the private key that corresponds to the public key in the certificate is deemed to be known only to that owner. By obtaining the public key from the CA rather than from the key owner, you have assurance that the key is indeed the valid public key for the key owner, that the key pair has not been compromised or revoked, and that the key owner holds the private key needed to decrypt messages you encrypt with the public key the CA sent you.
The platform supports two Certificate Authority options for app developers. The Platform Tenant (Host) provides a simplified version of a Certificate Authority that can issue and renew X.509 certificates, or the app developer can import a certificate that was issued outside the platform.
Navigation: My Apps > App > Details > Security
challenge question
A question that the Business Admin chooses as part of a security feature. When signing up to the platform, the user must provide the answer to one or more security questions, if the platform is set up to require them. The user's answers are stored in the database, and the user must answer one or more security questions on demand to perform certain functions such as resetting a password or changing the user profile.
claim
In OpenID Connect a claim is a piece of information about an end-user, which is returned to the Relying Party by the OpenID Connect Identity Provider after both the end-user and the Relying Party have authenticated. The OpenID Connect specification defines some standard claims; additional claims can be added. Depending on the process flow that's supported by the Identity Provider and requested by the Relying Party, claims might be returned in the UserInfo Response from the UserInfo Endpoint, or in the ID Token from the Token Endpoint.
Examples of standard claims: given_name, family_name, email. For more information, refer to the Standard Claims section of the OpenID Connect specification.
client node (in Elasticsearch)
See Elasticsearch client node.
client registration endpoint
In OpenID Connect, the provider's endpoint to which client registration requests should be sent. For example, if the platform is set up with an OAuth Provider that supports this endpoint, and an API is referencing that OAuth Provider (External OAuth Provider Domain setup), when an app connects to the API the app is automatically registered with the applicable provider. This occurs in the background by sending a message to the provider's client registration endpoint as specified in the domain setup. For more information, refer to OAuth 2.0 / OpenID Connect client registration endpoint (external page).
clock skew
The grace period allowed before an access token's effective (not-before) timestamp and after its expiry timestamp, to accommodate the difference in clock settings between the issuing machine and the validating machine. One place this is used is in the Bearer Assertion OAuth grant settings: at runtime, if the clock difference is greater than the value allowed by the clock skew setting, validation of the assertion fails.
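The following is an added illustration of how a validating machine applies a clock skew setting to an assertion's validity window; it is not the platform's own validation code. Timestamps are Unix epoch seconds as in JWT nbf/exp claims, and the function names and the 90-second clock offset in the scenario are constructed for the example.

```python
"""Validity-window check with a clock-skew grace period.

Added example, not platform code. The validator accepts a token whose
not-before (nbf) and expiry (exp) timestamps, widened by the configured
clock skew on both sides, contain the validator's current time.
"""


def check_window(nbf: int, exp: int, now: int, skew_seconds: int):
    """Accept the token if `now` lies within [nbf - skew, exp + skew].

    Returns (accepted, reason). A negative skew is a configuration error;
    an exp that is not after nbf is rejected as malformed before any clock
    arithmetic is done, so a bad token cannot be rescued by a large skew.
    """
    if skew_seconds < 0:
        raise ValueError("clock skew must be >= 0 seconds")
    if exp <= nbf:
        return False, "malformed: exp must be after nbf"
    if now < nbf - skew_seconds:
        # The validator's clock is behind the issuer's by more than the grace period.
        return False, "not yet valid"
    if now > exp + skew_seconds:
        # The token expired more than the grace period ago.
        return False, "expired"
    return True, "ok"


def validator_view(issuer_now: int, lifetime: int, validator_offset: int, skew_seconds: int):
    """Issue an assertion on the issuer's clock, then validate it on a machine
    whose clock differs by validator_offset seconds (negative = behind)."""
    nbf, exp = issuer_now, issuer_now + lifetime
    return check_window(nbf, exp, issuer_now + validator_offset, skew_seconds)


if __name__ == "__main__":
    # Constructed scenario: the issuer's clock is 90 s ahead of the validator's,
    # so a freshly issued 5-minute assertion is rejected unless skew >= 90 s.
    for skew in (0, 60, 120):
        print(f"skew={skew:3d}s ->", validator_view(1_700_000_000, 300, -90, skew))
```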
cluster
In the context of the platform, a cluster is a grouping of one or more API Gateways. The cluster does not represent a running process, but a group of intermediary processes working as one. Clustered instances must be on the same local network, behind a load balancer.
For more information, see What is a cluster?
CNAME
A CNAME, or Canonical Name Record, specifies that a domain name is an alias for another domain. The CNAME record always points to another domain name, not directly to the underlying IP address for the domain.
The CNAME is used, in partnership with an A record, for supporting multiple services from a single IP address.
Used by the Site Admin in Site Settings.
code (user)
Any one of the four types of codes sent to users for different events: signup code, registration code, reset code, or invitation code.
Connect provider
In OpenID Connect, the identity provider is called the Connect provider.
connection
A relationship between resources in the Akana API Platform—such as the API access relationship between an app and an API that it's using.
connection request
A workflow process that governs the relationship between two resources for the life of the connection. It is a request to establish a connection between resources; for example, an API access request or a follow request.
connector domain
In the context of the platform, a connector domain is an independent domain that provides authentication services; for example, Google®, Facebook®. Users can log in by authenticating with the connector domain rather than signing up as platform users.
container
An Akana container instance performs a specific web service management function in an API Gateway deployment. Instances have a unique Instance Name, Description, and Listener configuration relative to the deployment requirements.
The container mediates web service message exchanges between service consumers and service providers. It enforces policies, monitors and reports performance metrics and events, integrates services through virtualization, and provides auditing capabilities. It provides the runtime execution of the API Platform's capabilities.
context path
The context path for an API implementation is the last part of the base URL, after a slash (/); for example, in http://www.acmepaymentscorp.com/api, /api is the context path. This makes the endpoint unique to the API. In the Akana platform, each implementation must have a unique path. If an API does not use a vanity hostname, a context path is not needed; the platform creates a path that is already unique to the API implementation.
contract
A specific type of connection that defines a consumption relationship between an app and an API. When an app admin (app team member) wants the app to be able to consume an API, he/she initiates a request for API access. The API access relationship is a contract, and is subject to an approval workflow. The contract is requested by the app team member and is approved or rejected by the API admin; it can then be cancelled or suspended by the API admin or cancelled by an app team member.
The contract governs access rights and QoS (Quality of Service) policies for all transactions between the app and the API. It also provides a convenient way of collecting and presenting metrics and usage data.
contract request
A request for a contract.
CORS
Acronym for Cross-Origin Resource Sharing. CORS allows a web page served from one origin to request resources from another origin, defining a way in which the browser and the server interact to determine whether or not to allow the cross-origin request.
The platform includes a policy, CORSAllowAll; if this policy is selected as part of an API definition, all cross-origin requests to the API are allowed.
CSR file
Acronym for Certificate Signing Request; a message sent to a certificate authority to request a digital identity certificate.
When uploading app credentials, the app developer can upload either a CER file or a CSR file.
Because the platform supports CSR import, the app developer does not need to get a signed certificate from a CA. Instead, the developer can generate a CSR from the key pair that he/she created, and can import that directly.
When a CSR is imported, the platform uses its internal Certificate Authority to create the CER from the request. Therefore, in order to support CSR import, the platform's own certificate authority must be configured.
See also: CER file.
CSRF attack
In a cross-site request forgery (CSRF) attack, a malicious user exploits the fact that an authorized user has already authenticated with another site and has that site's cookie in their browser. Malicious code from one browser tab can leverage the authentication already granted in another tab to execute actions without the authorized user's knowledge.
The platform includes a feature to help prevent CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
CSRF token
A platform token that is used only if the CSRF prevention feature is in effect. The CSRF token is sent when the user logs in, and can be used in making subsequent API calls to protect against CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
Csrf-Token cookie
A platform cookie that is used only if the CSRF prevention feature is in effect. The value of the Csrf-Token cookie is sent as a custom header value in request messages to protect against CSRF attacks. For more information, see What is the CSRF prevention feature? (Site Admin help).
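The CSRF token and Csrf-Token cookie entries above describe a double-submit check: the cookie value set at login must be echoed in a custom request header. The following is an added illustration of that check, not the platform's own code; the header name X-Csrf-Token, the function names, and the sample requests are assumptions constructed for the example.

```python
"""Double-submit CSRF check. Added example, not platform code.

A forged cross-site request carries the Csrf-Token cookie (the browser
attaches it automatically) but cannot read it to copy it into a header,
so a missing or mismatched header is what distinguishes a forgery from a
legitimate call made by the site's own front-end code.
"""
import hmac
import secrets

COOKIE_NAME = "Csrf-Token"
HEADER_NAME = "X-Csrf-Token"   # assumed name of the custom header
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods need no token


def issue_csrf_token() -> str:
    """Called at login: a fresh, unguessable value to set in the Csrf-Token cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, cookies: dict, headers: dict):
    """Return (allowed, reason) for one request, given its cookie and header maps."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    cookie_val = cookies.get(COOKIE_NAME)
    # HTTP header names are case-insensitive, so match them that way.
    header_val = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    if not cookie_val:
        return False, "missing Csrf-Token cookie"
    if not header_val:
        return False, f"missing {HEADER_NAME} header"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(cookie_val.encode(), header_val.encode()):
        return False, "cookie/header token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    # Constructed requests: the site's own code echoes the cookie in the header;
    # a forged request from another origin carries only the cookie.
    print("legitimate:", csrf_check("POST", {COOKIE_NAME: token}, {HEADER_NAME: token}))
    print("forged:    ", csrf_check("POST", {COOKIE_NAME: token}, {}))
```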
CSV
Comma-separated value format, a data type for certain API input parameters. This format is commonly used for exporting tabular data. For example, in the Akana API Platform, the metric information is exported in CSV format.
Used in API documentation generated with Swagger 2.0: see http://swagger.io/specification/.
custom_en-us.json file
The Site Admin, in customizing the site, might implement a custom_en-us.json file with customization information in it. If this file exists, the platform implements the information in the file; if it doesn't exist, the platform uses the defaults. Specific customization tasks require specific entries in this file, which is uploaded to the /resources/theme/{theme_name}/locales folder for the applicable theme. For more information, see Site Page Customization.
Dashboard
The user's Dashboard, also called home page or feed, is the first page the user sees after logging in. The Dashboard includes information relating to apps and APIs the user is associated with. An individual user's Dashboard is an aggregation of all the Forum entries from all the resources that the user is following. An individual user can modify the types of information that are displayed on his/her Dashboard. See also Dashboard entry.
Navigation: Dashboard tab.
Dashboard entry/item
An informational item that appears on a user's Dashboard. The entries on a specific user's Dashboard are Forum entries for resources the user is following. A Dashboard entry can be any of the following: Alert, API Access Request (Contract Request), Discussion, Group Membership Invitation, or Ticket.
data node (in Elasticsearch)
See Elasticsearch data node.
debug mode
The API Admin or other authorized user can turn on debug mode for an API implementation. In debug mode, additional information about the API traffic is recorded, to assist in debugging issues with the API. For more information, see What is debug mode?
Default theme
The original code base of the developer platform is named Default Theme to differentiate it from other themes (Simple Dev theme, Hermosa theme). Default Theme and Hermosa Theme both have the full feature set, including Site Admin and Business Admin capabilities; Simple Dev is a streamlined interface for developers. Default Theme is the original design; Hermosa Theme is an updated design.
For more explanation, and illustrations showing the differences, see Default Theme and Hermosa Theme.
deployment zone
If an API is hosted on the platform and using the proxy capability, the API owner can specify the deployment zones, such as a geographical area or a specific data center, that the endpoint will be proxied in.
For more information about working with deployment zones for a specific API, see Managing Deployment Zones for an API.
Dev Console
The Developer Console (Dev Console) is a web-based REST client that was provided as part of the developer portal user interface for API testing in earlier versions of the platform. It has now been replaced by the Test Client tool, which provides many additional features and options.
developer
A developer of an app that will consume an API.
direct JWE Encryption (dir)
OAuth preferences can include direct JWE encryption using shared symmetric keys, indicated by a value of dir. For more information, see http://connect2id.com/blog/direct-jwe-encryption (external link).
discovery (OpenID Connect)
In OpenID Connect, "discovery" is the process of determining information about the OpenID Connect identity provider. The Relying Party sends a request to the Discovery Endpoint published by the provider. The request includes resource (end-user ID), host, and type of service requested.
discovery endpoint (OpenID Connect)
Same as Discovery URL (see below).
discovery URL (OpenID Connect)
A URL published by the OpenID Connect provider for a relying party to send requests. Path: {oauth-provider-url}/.well-known/openid-configuration. Also known as a well-known configuration URL.
The discovery URL represents the location of the identity provider's endpoint and other values that the relying party (application) will need to set up connectivity.
discussion
In the Akana API Platform, an authorized user can create a discussion topic about a resource (app or API) on the resource's Forum. A discussion is typically, but not necessarily, created by someone other than the owner or administrator of the resource. Discussion entries are not threaded; users comment on the original item rather than on the comments/replies to the original item. Users can, however, mark or unmark the discussion itself and/or one or more discussion comments.
Each discussion has a title and one or more comments. The visibility of a discussion is controlled by the visibility of the resource it's associated with; for example, a discussion about a Limited (Private) API can only be seen by administrators and API Context Group members associated with that API.
DL
API Descriptor Language. Abbreviation used in the developer portal user interface and underlying API for API descriptor language document.
duration (on analytics charts)
In the app and API analytics charts, the duration and interval controls work together to allow you to narrow down the dataset you're interested in.
The duration allows you to select the time period to be shown on the chart; for example, one week, one day, one hour.
The interval defines the subdivision of time shown on one increment of the chart; for example, 1 week, 5 sec.
Options adjust based on the selected Duration. For example, if Duration is 5 minutes, Interval is 5 sec. If Duration is 1 year, Interval is 1 week.
ECDSA
Acronym for Elliptic Curve Digital Signature Algorithm. ECDSA is a variation of the Digital Signature Algorithm (DSA).
Elasticsearch
The search server used by the platform. Elasticsearch is based on Apache Lucene; it is Java-based and open source. It provides a distributed, full-text search engine, capable of supporting a multi-tenant environment. It uses HTTP and JSON. For more information, see Elasticsearch: Information for Site Admins.
Elasticsearch client node
(Information for Site Admins) In Elasticsearch, the client node is the node that makes the search or indexing request. All nodes can be client nodes.
Any container, even if it isn't configured to be a master eligible node or a data node, is at least a client node. If it is a data node, it does the local searches; if it isn't a data node, it is still a client node. As such, it sends a search request or index request to a remote data node and receives the results.
The client node makes the call to the platform's Search API, which in turn requests the search results from the data node.
Elasticsearch data node
(Information for Site Admins) In Elasticsearch, a data node is where the index data resides. Regardless of where the API platform feature is running, when an object is indexed, the data for that index is in the data node. When a user is searching, the data is accessed from the data node.
For the Site Admin, in configuring the Elasticsearch search feature, setting up a container as a data node indicates that the search index will be stored at that location.
Elasticsearch embedded mode
(Information for Site Admins) In Elasticsearch embedded mode, all you need to do is install the embedded feature in one or more containers. In this mode, there is no external software needed. Elasticsearch runs within each container it's installed in.
Choose this option if you don't have a standalone Elasticsearch server.
Elasticsearch master eligible node
(Information for Site Admins) A master eligible node is one that can become a master of the cluster. There is always a cluster, even if there is only one node, so a single node will always be master eligible.
Elasticsearch shard
The Elasticsearch search feature can be configured so that the search index is stored in multiple index partitions, called shards. "Elasticsearch distributes shards amongst all nodes in the cluster, and can move shards automatically from one node to another in the case of node failure, or the addition of new nodes."
For more information, refer to the Elasticsearch glossary of terms: https://www.elastic.co/guide/en/elasticsearch/reference/current/glossary.html#glossary-shard.
Elasticsearch standalone mode
(Information for Site Admins) With Elasticsearch standalone mode, your installation will need to include a standalone external Elasticsearch server. Just as with a relational database, you'll need to provide the software and hardware required.
If you choose to run Elasticsearch in standalone mode, like a database server, all containers running the Akana API Platform can use it. In this scenario, it's important to provide a cluster capability to help prevent outage.
Generally, in this scenario, all containers are working as client nodes. There is no master eligible node or data node within the product.
Entity ID
In SAML, a unique identifier for an entity. A SAML entity can be a Service Provider or an Identity Provider.
As a service provider, you define the Entity ID. When setting up your account with the Identity Provider you must specify the Entity ID, which must be unique within the IdP so that the IdP can identify your Service Provider.
The Entity ID is used as the value of the <Issuer> element inside the SAML protocol message. In an authentication request, the <Issuer> element contains the Entity ID of the Service Provider; in the SAML response, it has the Entity ID of the Identity Provider.
From the perspective of the Service Provider, the Entity ID is analogous to the client_id in OAuth.
enumeration (of users)
The term user enumeration, user enum, or simply enum refers to a security vulnerability that allows an unauthorized user to compile a list of valid user accounts that are authorized to log in to an application. For example, if an unauthorized user can try to sign up with an existing email address, and the application returns a message that an account already exists for that email address, the application is giving away information.
The platform includes enhanced security settings that can be activated to help prevent enumeration of users.
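The leak described above, shown as an added example (not the platform's own code): a sign-up and a login handler that answer differently for registered and unregistered addresses, beside hardened versions that answer identically. The account store, salt and messages are constructed for the example.

```python
"""Added example, not the platform's code: handlers that reveal whether an
account exists, beside versions that answer the same way either way.
All accounts, salts and messages here are constructed for the example."""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# One shared salt for brevity; real code uses a random salt per user.
_SALT = secrets.token_bytes(16)
# Constructed in-memory store: e-mail -> (salt, PBKDF2 hash of the password).
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}
# Dummy hash so login does the same amount of work for unknown accounts.
_DUMMY_HASH = _hash_password("placeholder", _SALT)
# The out-of-band channel: (recipient, mail type) the system would send.
OUTBOX = []


def signup_leaky(email: str) -> dict:
    """Vulnerable: the reply differs for registered and unregistered addresses."""
    if email in USERS:
        return {"status": 409, "message": "An account already exists for this email address."}
    OUTBOX.append((email, "confirm-new-account"))
    return {"status": 200, "message": "Check your inbox to confirm your account."}


def signup_uniform(email: str) -> dict:
    """Hardened: identical status and message either way; the difference is
    only visible to whoever controls the mailbox."""
    if email in USERS:
        OUTBOX.append((email, "you-already-have-an-account"))
    else:
        OUTBOX.append((email, "confirm-new-account"))
    return {"status": 200, "message": "If this address is eligible, an email has been sent to it."}


def login_leaky(email: str, password: str) -> dict:
    """Vulnerable: distinct errors, and no hashing at all for unknown users,
    so both the message and the response time tell the two cases apart."""
    if email not in USERS:
        return {"status": 404, "message": "No such user."}
    salt, stored = USERS[email]
    if _hash_password(password, salt) != stored:
        return {"status": 401, "message": "Wrong password."}
    return {"status": 200, "message": "Welcome."}


def login_uniform(email: str, password: str) -> dict:
    """Hardened: one generic failure message, and the password is always
    hashed and compared in constant time, even when the account is unknown."""
    salt, stored = USERS.get(email, (_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and email in USERS:
        return {"status": 200, "message": "Welcome."}
    return {"status": 401, "message": "Invalid email address or password."}


def leaks_existence(handler, known: str, unknown: str, *args) -> bool:
    """True when the handler answers a known and an unknown account differently."""
    return handler(known, *args) != handler(unknown, *args)
```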
environment
A state defined by a workflow that corresponds to a software lifecycle stage (for example, Dev, Test, QA, Production).
An Environment has its own representation, or data model, for an API and the assets that support that API. A customer may have several Environments in which the same API exists. Each Environment serves a different purpose such as development, testing, staging, or finally serving the business (production). Environments are typically chained together in an order of use, reflecting the development lifecycle. For example, development is before testing. An API is created first in the development Environment, and then in the test Environment. Changes to an API are made in the development Environment before being made in the test Environment.
environment data
The Promotion Package holds the data that needs to be promoted from the source environment to the target environment. This includes the environment data: the portion of the Source environment's data model that needs to be promoted. The environment data is in a format that the Promotion Coordinator does not need to understand. Only the environment systems need to understand the environment data and how to process it.
epoch time
Epoch time, also called Unix time, is defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time, Thursday, 1 January 1970. In some cases, the developer platform uses this value in response messages, expressed in milliseconds.
export
A Site Admin or Business Admin can output all the information about one or more of certain resources, or an entire business, to an export file. The information can then be imported into another platform instance. Information is exported to a specially formulated ZIP file called a package file.
Full export is only available to a Site Admin or Business Admin. An API Admin can export an API.
extension grant type
In addition to the four standard grant types, the OAuth 2.0 specification defines Extension Grant Types. These are governed by the OAuth specification, which says:
"The client uses an extension grant type by specifying the grant type using an absolute URI (defined by the Authorization Server) as the value of the "grant_type" parameter of the token endpoint, and by adding any additional parameters necessary."
A Bearer Assertion is an extension grant type that is generally used when the app already has an Assertion that represents the resource owner. The app sends the Assertion to the Authorization Server's Token Endpoint to get an access token for later use.
favicon
A small icon, typically 16x16 pixels, associated with a website or a specific webpage.
Implementation varies, but typically the browser displays the favicon in the address bar, on the tab next to the page title, and next to the page's name in a list of bookmarks.
follow
The concept of following a resource on the platform is similar to the same concept in Twitter. When a user chooses to follow a resource, notifications relating to that resource are posted to the user's Dashboard to keep the user informed. There is also a separate list of resources that the user is following. For example, if there are many APIs on the platform, and the user is only interested in two or three, the user can choose to follow those specific APIs. They are displayed in a separate list, APIs you are following, making them easier to find. The same principle applies to all resources that can be followed: apps, APIs, and groups.
follow request
A specific type of Connection Request used to establish a follow relationship between a user and a resource that can be followed. Currently, only apps, APIs, and groups can be followed.
forum
In the Akana API Platform, every resource, such as an app or API, has a Forum that displays all feed entries for the resource. Users with approved connections to the resource can post items to the resource's Forum according to privileges. For example, a member of a specific app team can post items to the Forum for that app. Users with approved connections also see relevant Forum entries in their personal home Feed.
A Forum is a way of sharing information and content in the platform. Forum types include: Alerts, Contract Requests, Discussions, Group Membership Requests, Reviews, Tickets.
Forum types and Forum entry types are essentially identical. The difference is in implementation; the Forum is viewed by the Business Admin or Site Admin in Forum view (Administration > Forum), and is an overall view of Forum entries from all boards on the platform.
Forum entry
An individual content contribution by a specific user, to one of the Forum types. A Forum entry can be an Alert, API Access Request (Contract Request), Discussion, Group Membership Invitation, or Ticket.
In versions of the platform before 8.3, Forum entries were called Board items.
forward proxy
In general, a forward proxy is a server that acts as an intermediary between client requests and another server.
In the context of the API platform, if an API is using the platform as a proxy, calls from clients to the API are sent to the platform and, from there, redirected to the API live endpoint. The developer portal includes a configuration setting (Administration > Site) that allows the Site Admin to limit forward proxy activity to one or more specified hosts. See How do I configure site settings?
gateway
An Akana API Gateway streamlines management, deployment, development, and operation of APIs, enhancing security and regulatory compliance through authentication, authorization, and audit capabilities. It provides central definition and management of security, routing, orchestration, mediation, auditing, threat protection, and other operational governance policies across multiple instances. The Gateway enables enterprises to standardize API and service delivery with high security, performance, and availability.
global traffic manager
A technology that facilitates global server load balancing. This is used in connection with API deployment zones to help provide features such as efficiency in processing (geographical, load balancing) and disaster recovery.
grant validity period
For an OAuth grant, the grant validity period is the time period an authorization grant will be valid for, expressed in days. This value is set by the Site Admin in the OAuth Provider domain, for each OAuth grant type.
group
1) The term "group" is used in many instances to refer to any of the following types of groups in the Akana API Platform: app teams, API Context Groups, API Administrator groups, Site Administrator groups, or independent groups.
2) "Group" is sometimes used specifically to mean an API Context Group.
group membership request
An invitation to a specific user, whether a platform user or not, to join a specific platform group.
GTM
Acronym for Global Traffic Manager.
Hermosa theme
The Hermosa platform theme includes features such as an expanding/collapsing sidebar to offer more space for the visual display of the developer portal. This theme supports full functionality of the developer portal, including Administrator tasks.
For more explanation, and illustrations showing the differences, see Default Theme and Hermosa Theme.
HMAC
The HMAC (hash-based message authentication code) algorithm uses a symmetric key together with a cryptographic hash function to produce a keyed hash that protects message integrity and authenticity. HMAC can be used with cryptographic hash algorithms such as MD5 or SHA-1.
HTTP Artifact
One of the binding options supported by the SAML protocol. HTTP Artifact is useful in scenarios where the SAML requester and responder are using an HTTP user-agent and do not want to transmit the entire message, either for technical or security reasons. Instead, a SAML Artifact is sent, which is a unique ID for the full information. The IdP can then use the Artifact to retrieve the full information. The artifact issuer must maintain state while the artifact is pending.
HTTP Artifact sends the artifact as a query parameter.
The Akana API Platform currently supports this binding option for SAML responses, but not for SAML requests.
HTTP POST
One of the binding options supported by the SAML protocol.
HTTP POST sends the message content as a POST parameter, in the payload.
The Akana API Platform currently supports this binding option for SAML, for both requests and responses.
HTTP Redirect
One of the binding options supported by the SAML protocol.
When HTTP Redirect is used, the service provider redirects the user to the identity provider where the login happens, and the identity provider redirects the user back to the service provider. HTTP Redirect requires intervention by the User-Agent (the browser).
The Akana API Platform currently supports this binding option for SAML requests.
identity provider
An identity provider (sometimes abbreviated as IdP) is an entity responsible for verifying user identity and issuing identity information, usually in the form of a token. A common example is a website that allows users to log in using a Facebook or Google identity; in this scenario, Facebook and Google are identity providers. In OpenID Connect, the identity provider is called the Connect provider.
In terms of SAML, the identity provider verifies the identity of the user in response to a request by the Service Provider, and then responds with a SAML assertion.
IdP
In SAML, abbreviation for Identity Provider.
IdP domain
Abbreviation for identity provider domain.
implementation (of an API)
Different implementations of an API represent the different endpoints of the API in the same lifecycle stage. For example, it is common for an API to have Sandbox and Live implementations.
implementation pattern
The implementation pattern determines how the implementation is created, which also governs capabilities of the implementation. The platform supports the following options for implementation pattern:
  • Proxy: appropriate for a simple scenario where the API implementation has a 1:1 relationship with a back-end physical service/API.
  • Orchestration: appropriate for a more complex API implementation that might include one or more services, processes, or additional steps.
Note that if you change the pattern for an existing implementation, all data associated with the implementation is lost. For example, if an implementation has a pattern of Orchestration, with processes set up, and you change it to Proxy, the orchestration information is lost.
import
When information is exported from one instance of the platform to an export file (package file), it can be imported to another instance of the platform.
Only a Site Admin or Business Admin has permission to perform functions relating to import.
independent group
A group that exists independently of any single app or API. Any authorized user can create an independent group, and becomes the first administrator. The administrator can then invite other members and can remove members and change a member's role. There are three roles: admin, leader, and member. All members can see resources the group is linked to. Admins have full rights over the group.
interval (on analytics charts)
In the app and API analytics charts, the duration and interval controls work together to allow you to narrow down the dataset you're interested in.
The duration allows you to select the time period to be shown on the chart; for example, one week, one day, one hour.
The interval defines the subdivision of time shown on one increment of the chart; for example, 1 week, 5 sec.
Options adjust based on the selected Duration. For example, if Duration is 5 minutes, Interval is 5 sec. If Duration is 1 year, Interval is 1 week.
invitation code
A unique code generated and sent to a specific user in an email if a platform member invites the user to a platform group, such as an app team, API Admin group, or independent group.
This is one of the several types of codes used to manage user signup and login. For information on the others, see code (user).
invitation status
A value that shows a group member's relationship with the group. When a new member is invited to a group, the member has an initial status of Pending. Depending on the user's response, the status can change to Accepted or Rejected. Other possible status values are: Cancelled, Removed, or Deleted.
JavaScript
A scripting language. The API platform supports JavaScript for creating reusable scripts, useful for automating processes.
JEXL
A Java expression language, used by the platform's promotion feature. For more information, see http://commons.apache.org/proper/commons-jexl/.
JOSE
Acronym for JSON Object Signing and Encryption. The platform's JOSE policy is a security policy that can be attached to RESTful and messaging services, to secure any message content. This policy supports JSON signatures and/or encryption in the messages. It conforms to the JSON Web Signature (JWS) standard (https://tools.ietf.org/html/rfc7515) and the JSON Web Encryption (JWE) standard (https://tools.ietf.org/html/rfc7516).
JSON
An acronym for JavaScript Object Notation, JSON uses a subset of the JavaScript syntax to describe an object clearly and succinctly. One of the advantages of JSON over XML for API messages is that message content conveyed in the JSON format is much more concise than the same content conveyed in XML, consuming less bandwidth.
JSON Web Key (JWK)
A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key (for example, an RSA key). For full information, refer to the JWK specification: https://tools.ietf.org/html/rfc7517.
JSON Web Key Set
A JSON data structure that represents a set of JSON Web Keys.
JSON Web Token
A type of bearer token, where the information is structured as a JSON object in a predefined format. It is URL-safe, and is digitally signed with an RSA or HMAC (hash-based message authentication code) key.
A JSON Web Token contains all the information the resource server needs to confirm the user's grant to the application, sent as-is in the API request header. One advantage of the JWT token is that the Resource Server can validate it by itself, without having to go back to the Authorization Server. Another advantage is that there are flexible options for encryption; a higher or lower level of security can be used, depending on needs.
For more information on JWT, see https://jwt.io/introduction/ (external link).
JWK
See JSON Web Key (JWK).
JWT
See JSON Web Token.
JWT token
Same as JSON Web Token.
JWT access token
A type of JWT token. The JWT Access Token primarily includes the scope of the access token, though it might optionally also include the user's claims. JWT access tokens are issued by the OAuth provider, for consumption by the resource server.
JWT ID token
See ID token (OpenID Connect) / bearer assertion.
Jython
A scripting language. The API platform supports Jython for creating reusable scripts, useful for automating processes.
ID token (OpenID Connect) / bearer assertion
In the context of OpenID Connect, an ID token (also called a Bearer Assertion) is a compact, URL-safe means of representing claims to be sent from one party to another over the web. The claims in an ID token are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure. This enables the claims to be digitally signed and/or encrypted.
The OpenID Connect Provider can issue an ID token from either the Authorization Endpoint or the Token Endpoint. This is one of the two ways offered by the OpenID Connect specification for the app to learn information about the end user. The other is by publishing a UserInfo endpoint.
The JWT ID Token (id_token) includes the user's claims. JWT ID tokens are issued by the OpenID Connect provider, and are consumed by the client app.
LDAP
Acronym for Lightweight Directory Access Protocol; an open, industry-standard protocol used by the platform to support single sign-on.
leader
In the context of an API Context Group, a leader is a senior group member. A leader can invite additional members to the group and can change another member's status, from member to leader or vice versa.
legal agreement (API)
The platform allows the API Admin or Business Admin to upload one or more legal agreements associated with an API. When a legal agreement is active for an API, an app developer must accept the legal agreement in order to request a contract with the API.
The platform supports the following file formats for legal agreements associated with an API: HTML (htm or html extension) or text (txt extension).
license
A License is a tailored API access package designed by the Business Admin/API Admin and offered to the app developer. A license includes one or more license terms, each of which can include multiple scopes, giving access to specifically designated operations, and multiple quality of service (QoS) policies, and also one or more legal agreements applicable to the license.
For more information on the License feature, see Licenses: Feature Overview.
license term
A license term defines the access that is being offered in a license (scope) and the level of access (QoS policy). Each license term includes one or more scopes plus, optionally, the quality of service limits/policies to be applied to all scopes in the license term. Scopes apply to both visibility and access; policies apply only to access. To have any impact, a license term must include at least one scope.
Lifecycle Manager
Lifecycle Manager is a metadata repository and SDLC management product that enables enterprises to effectively collaborate between business, developers, and IT operations, resulting in rapid development and deployment cycles while increasing reliability, stability, and availability of their APIs and supporting assets.
Lifecycle Manager provides an intelligent inventory of assets and includes their relationships to each other, to the technical infrastructure, and to the company's business architecture. Through the use of Lifecycle Manager, organizations can accelerate reuse and SOA initiatives, as well as improve the governance over production and consumption of services and other reusable assets. Application developers, business analysts, and technical and business architects can search the repository for the company's SDAs, to identify those that best match business and technical requirements for application development and integration.
When integration with Lifecycle Manager is set up, the developer portal supports custom properties for certain resources in the developer portal (apps, APIs, and users).
lifecycle stage
A lifecycle stage of an API indicates the point it's at in its entire development process. For example, lifecycle stages might be Design, Development, Testing, Staging, and Production. Each API version has its own lifecycle within the lifecycle of the API. The end of each lifecycle is deprecation.
listener
In general, a listener is an object that executes some code when triggered by an event. A listener monitors events happening in the program and acts based on how it's programmed to act in certain events.
In the context of the API platform, a listener is the server process that listens for and accepts incoming connection requests from client applications.
Policy Manager supports the following listener types: HTTP, HTTPS, JMS, AMQP. The developer portal supports HTTP and HTTPS.
MAC
Acronym for Message Authentication Code; a code used in message authentication. The MAC is generated with a specific type of algorithm called a MAC algorithm, which takes a secret key and a message as input and generates a MAC. To verify the message, the receiver must have the same secret key.
MAC token
Acronym for Message Authentication Code. Used in OAuth 2.0, the MAC token is a security code that is typed in by the user of a computer to access an account or a portal. The code is attached to the message or request sent by the user. The MAC token attached to the message must be recognized by the receiving system in order to grant the user access. MAC tokens are commonly used in electronic funds transfer (EFT) transactions to maintain information integrity.
manifest
The Promotion Package holds the data that needs to be promoted from the Source Environment to the Target Environment. This includes the manifest, which holds summary information about the environment data in a format that the Promotion Coordinator understands. There might be several formats of environment data artifacts, but there is only one manifest format. The manifest holds the identifiers of all the objects and their relationships to one another in the environment data.
mark
Users can give positive feedback to items such as discussion topics and associated comments, reviews, and other resources such as tickets, using the Mark function. Choosing Mark provides positive feedback, in the same way as "Like" in Facebook®. The Mark value toggles on and off, so a user can mark or unmark a discussion comment. In the user interface, the mark icon is a thumbs-up, and the unmark icon is a closed fist.
Markdown
The developer portal supports Markdown on certain fields, which allows you to add basic formatting such as heading styles, bulleted and numbered lists, and text styles such as bold and italics. For details, see Using Markdown.
managed user
A platform user who was added by the Site Admin, as distinct from a user who signed up by creating a profile using the self-signup process, which is called a registered user. Differentiating between users in terms of how they are added allows the implementation of custom workflows that grant different privileges to different types of users. For example, the Site Admin could implement a custom workflow so that a managed user cannot change the user profile but a registered user can.
master node (in Elasticsearch)
In Elasticsearch, the master nodes of the cluster manage the cluster, including such tasks as a) Keeping track of all containers that are part of the cluster, and updating as needed when nodes join or leave the cluster, b) Keeping track of which nodes are master eligible, and c) Keeping track of which shards are in which data node. For more information, see In Elasticsearch, what is a master eligible node?
member
In the context of an API Context Group, a group member has access to all information relating to the Private API and the group, including tickets and discussions. Members cannot invite additional members or change the status of other members. A member can be promoted to leader status by the API Admin or by another leader.
membership request (invitation)
An invitation to another individual, whether a registered user or not, to join an Akana API Platform group or team such as an app team. API Administrators can invite others to be API Administrators; app team members can invite others to the app team. A Site Administrator, Private API Administrator, or Independent Group member can also issue a membership request in the same way.
metadata (for an API Gateway)
The metadata file for an API Gateway includes information about the OSGi container designated as the gateway. It includes such information as the container key, container type, X.509 certificate, and information about the policies that are attached to the API Gateway, as well as its capabilities and configuration information.
The Gateway container is set up and configured as part of product installation and configuration. When setting up an API Gateway in the developer portal, you must specify the container key to identify the underlying container; when setting up a gateway cluster, you must upload or reference the metadata file.
The URL for the metadata file for a container is: {protocol}://{hostname:optional port}/metadata/.
MGF1
A mask generation algorithm, based on a hash function, defined by RFC 2437 (10.2.1), the RSA Cryptography Specification Version 2.0.
mock service (API)
A mock service is a specific type of orchestration that constructs the response based on a set of sample request/responses. A mock service is at an operation level, not a service level.
model object (API)
Model object is an informal term for a named grouping of discrete pieces of information. For example, in the Swagger Petstore example (http://petstore.swagger.io/), one model object is Pet, and contains pieces of information about a pet, such as name, unique ID, and tags.
moderation
Depending on the platform's settings, some type of user-generated content, such as reviews, discussions, and comments, might be moderated. If moderation is turned on for a specific type of content, such as discussions, and a user adds that type of content, it has a Pending state until it's approved. Certain authorized users can approve content; for example, a discussion for an API might need to be approved by an API Admin or Business Admin. Once the new content is approved, it is visible to all users who have visibility of the resource (app, API, or group). For more information, see What is moderation and how does it work? (Administrator help).
multicast
Used in connection with configuration of the platform's search feature. IP Multicast allows for one-to-many communication in a network, via IP. Multicast configuration is appropriate for scenarios where the client/server relationship is either 1 to many or many to many. The scope is a defined horizon. At startup, the node sends a message to all interested destinations. Compare with unicast, which sends the same data to a single network address, and broadcast, which sends the same data to all possible destinations.
My APIs
The My APIs quick filter provides a list of APIs that a member who is an API Provider has added. Each API includes functional and usage documentation, and download files.
Navigation: My APIs quick filter
My Apps
The My Apps quick filter is a dashboard that displays all the apps defined by a member. The dashboard is used to manage your app workflow from setup to live.
Navigation: My Apps quick filter
nonce
A random string, uniquely generated for each request. A nonce is used to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. Over a secure channel, it is still an added security measure.
OAuth
OAuth is an open standard security protocol for authorization that allows you to share private resources stored on one site with another site without having to share credentials. One advantage of OAuth is that it supports both authentication and authorization in such a way that an application does not need to give access to the user's credentials. For example, in the platform you can sign in using your Facebook credentials, or on the API Details page you can share an API to Facebook, Twitter, and LinkedIn. These elements of the platform are configured as private resources.
OAuth access token
In OAuth, an access token is essentially a pass, a credential that gives authorization to access the requested and approved resource or resources for as long as the access token remains valid. In some cases, access tokens can be renewed by means of a refresh token; in some cases, they cannot. For more information, refer to the OAuth 2.0 specification (external site).
For more information on access tokens, see What is an access token?
OAuth authorization code
With the OAuth 2.0 Authorization Code grant type, the resource owner (consumer; for example, the app user) is redirected to the Authorization Server and gives authorization for the app to access the resource. The Authorization Server then redirects the consumer back to the client app with an authorization code. The client app presents this authorization code, along with the app's authentication credentials, back to the Authorization Server, requesting an access token (and optionally a refresh token). The client then uses the access token to call the service on behalf of the resource owner. A refresh token can be used to extend the lifetime of this session.
OAuth authorization endpoint
The endpoint for the OAuth Authorization Server. This is the endpoint on the Authorization Server where the resource owner provides credentials, such as username and password, and grants authorization to the client app to access the resources or a specified subset of the resources.
When setting up an OAuth domain, Site Admins must specify this value. Additionally, if an API is using a third-party OAuth provider rather than an OAuth domain set up on the platform, the API Admin must specify this value in the OAuth setup wizard. For more information, see What are the OAuth 2.0 endpoints and how do they work? and the OAuth 2.0 specification (external site).
For information about the OAuth authorization endpoint URL when an API is hosted on the platform, see What is the OAuth Authorization Server URL for the platform?
OAuth Authorization Server
In an OAuth implementation, the Authorization Server collects the resource owner's credentials, gets the resource owner's permission for the app to access the resources, and passes back the authorization token to the app so that the app can then access the resources.
OAuth Authorization Server URL
As part of setting up the OAuth domain, the Business Admin must specify the Authorization Server URL. This is the URL that the browser for the resource owner (app user) will be accessing for the OAuth grant. It is the URL at which the OAuth Provider receives requests for both the Authorization Endpoint and the Token Endpoint.
The URL must be accessible to all the apps and end users that might use APIs that are referencing the OAuth domain. The Authorization Endpoint and Token Endpoint for OAuth 1.0a and OAuth 2.0 will use different paths according to the specific OAuth version. Firewalls and DNS servers must be set up for this URL so that end users and apps can access the URL.
For more information, see What is the OAuth Authorization Server URL for the platform?
OAuth authz
For information about the OAuth authorization endpoint URL when an API is hosted on the platform, see What is the OAuth Authorization Server URL for the platform?
OAuth callback URL
Redirect URL. The URL to which the API sends the response message with the token.
OAuth endpoints
See OAuth URLs for the platform.
OAuth grant provisioning UI
In the platform, the OAuth grant provisioning UI is the HTML page, used in Test Client, where the resource owner signs in and authorizes access, for the purposes of using Test Client.
The grant provisioning UI has the potential to include the logo for the application, pulled from the application information, and for the OAuth provider, as set up in the Branding tab in the OAuth Provider domain setup.
OAuth grant types
OAuth 2.0 supports four different grant types; each has a different process flow. Grant types are designated as 2-legged or 3-legged depending on the number of parties involved. The 2-legged grant types are Client Credentials and Resource Owner Password Credentials; the 3-legged grant types are Authorization Code and Implicit.
For more information on OAuth grant types (for API admins) see What grant types does OAuth support? and How does OAuth 2-Legged and 3-Legged Authorization work?
OAuth grant types: 2-legged
The number of legs used to describe an OAuth request refers to the number of parties involved: 2-legged or 3-legged. When the client is also the resource owner, it is a 2-legged flow. OAuth 2.0 includes the following 2-legged grant types: Client Credentials and Resource Owner Password Credentials.
OAuth grant types: 3-legged
The number of legs used to describe an OAuth request refers to the number of parties involved. The most common process flow includes three parties: a client, a server, and a resource owner. This is a 3-legged flow. OAuth 2.0 includes the following 3-legged grant types: Authorization Code and Implicit.
OAuth grant types: Authorization Code
A 3-legged OAuth 2.0 grant type: An authorization code is returned to the client through a browser redirect after the resource owner gives consent to the OAuth Authorization Server. The client then exchanges the authorization code for an access token. Resource owner credentials are never exposed to the client app.
OAuth grant types: Client Credentials
A 2-legged OAuth 2.0 grant type: The client presents its own credentials to the OAuth Authorization Server in order to obtain an access token. This access token is either associated with the client's own resources, rather than a specific resource owner, or is associated with a resource owner for whom the client is otherwise authorized to act.
OAuth grant types: Implicit
A 3-legged OAuth 2.0 grant type: An access token is returned to the client through a browser redirect in response to the resource owner authorization request. This grant type is suitable for clients that cannot keep client credentials confidential (for use in authenticating with the OAuth Authorization Server), such as client applications implemented in a browser using a scripting language like JavaScript.
OAuth grant types: Resource Owner Password Credentials
A 2-legged OAuth 2.0 grant type: The client collects the resource owner's password and exchanges it at the OAuth Authorization Server for an access token, and often also a refresh token. This grant type is suitable in cases where the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application, since the client must discard the password after using it to obtain the access token.
OAuth refresh token
In OAuth 2.0, certain grant types support the use of refresh tokens to facilitate longer access periods. This is useful in scenarios that extend over time, such as a recurring monthly payment.
In OAuth 1.0a, once an access token is generated it is valid until revoked by the user. OAuth 2.0 introduces expiration of access tokens and adds a second type of token, a refresh token, that can be used in conjunction with the access token to allow users to grant long-term permissions while still maintaining security. This process helps ensure that if a specific access token is compromised, a new one can be generated from the refresh token, which can be stored in the database on the server.
The access token grants immediate access but only for a limited time. The access token comes with two additional values: expires_in, which indicates the life of the access token, and refresh_token which can be used to get a new access token when the current token expires. Additional user approval is not needed, but the expiration and renewal add security to the process. When (or before) the access token expires, the refresh token can be used to generate a new access token.
For more information, see What is a Refresh Token?
OAuth resource server
The server where the resources are stored. The resource server accepts requests and responds to approved requests using access tokens.
OAuth token endpoint
In OAuth 2.0, the token endpoint is the endpoint on the Authorization Server where the client app sends the authorization code, client ID, and client secret and receives in exchange an access token which allows the app to access the approved resources. For more information, see What are the OAuth 2.0 endpoints and how do they work? and the OAuth 2.0 specification (external site).
For information about the OAuth token endpoint URL when an API is hosted on the platform, see What is the OAuth Authorization Server URL for the platform?
The token endpoint first authenticates the client application. It then allows the client application to send the code received from the authorization endpoint; in exchange, it generates an access token and sends it to the client application.
Users connect to the authorization endpoint; apps connect to the token endpoint.
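The grant types, refresh token and token endpoint entries above describe one flow from several angles. The following is an added example, not the platform's code, of a toy OAuth 2.0 Authorization Server that ties them together: the authorization endpoint (reached by the resource owner's browser) issues a single-use authorization code after consent; the token endpoint (reached only by the client app) authenticates the client, exchanges the code for an access token with expires_in plus a refresh token, and rotates the refresh token on each renewal; a small introspection method stands in for the resource server's token check. Client ids, secrets, redirect URLs and lifetimes are constructed values, and the browser redirect is simulated by returning the code directly.

```python
"""Toy OAuth 2.0 Authorization Server: Authorization Code grant, token endpoint,
access-token expiry and refresh-token rotation. Added illustration only."""
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME = 60        # seconds an authorization code stays valid (constructed)
ACCESS_LIFETIME = 3600    # expires_in returned with each access token (constructed)


class AuthorizationServer:
    def __init__(self):
        self._clients = {}   # client_id -> (sha256(secret) hex, registered redirect_uri)
        self._codes = {}     # code -> (client_id, redirect_uri, scope, user, expiry)
        self._access = {}    # access_token -> (client_id, user, scope, expiry)
        self._refresh = {}   # refresh_token -> (client_id, user, scope)

    def register_client(self, client_id, client_secret, redirect_uri):
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        self._clients[client_id] = (digest, redirect_uri)

    # Authorization endpoint: called once the user has signed in and answered the consent prompt.
    def authorize(self, client_id, redirect_uri, scope, user, consent):
        if client_id not in self._clients or self._clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not consent:
            return {"error": "access_denied"}
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, scope, user, time.time() + CODE_LIFETIME)
        # A real server answers with a 302 to redirect_uri?code=...; here we hand the code back.
        return {"redirect_to": redirect_uri, "code": code}

    def _authenticate_client(self, client_id, client_secret):
        if client_id not in self._clients:
            return False
        expected, _ = self._clients[client_id]
        got = hashlib.sha256(client_secret.encode()).hexdigest()
        return hmac.compare_digest(expected, got)   # constant-time comparison

    def _issue_tokens(self, client_id, user, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (client_id, user, scope, time.time() + ACCESS_LIFETIME)
        self._refresh[refresh] = (client_id, user, scope)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_LIFETIME, "refresh_token": refresh, "scope": scope}

    # Token endpoint: only the client app calls this, and it must authenticate first.
    def token(self, grant_type, client_id, client_secret, **params):
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            entry = self._codes.pop(params.get("code"), None)   # pop: a code is single use
            if entry is None:
                return {"error": "invalid_grant"}
            code_client, code_redirect, scope, user, expiry = entry
            if (code_client != client_id or code_redirect != params.get("redirect_uri")
                    or time.time() > expiry):
                return {"error": "invalid_grant"}
            return self._issue_tokens(client_id, user, scope)
        if grant_type == "refresh_token":
            entry = self._refresh.pop(params.get("refresh_token"), None)  # pop: rotate on use
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            _, user, scope = entry
            return self._issue_tokens(client_id, user, scope)
        return {"error": "unsupported_grant_type"}

    # Resource-server side: is this bearer token still good, and for whom?
    def introspect(self, access_token):
        entry = self._access.get(access_token)
        if entry is None or time.time() > entry[3]:
            return {"active": False}
        return {"active": True, "client_id": entry[0], "username": entry[1], "scope": entry[2]}


def demo():
    """Run the 3-legged flow end to end with constructed client data."""
    srv = AuthorizationServer()
    srv.register_client("app123", "s3cret", "https://app.example/cb")
    step1 = srv.authorize("app123", "https://app.example/cb", "read", "alice", consent=True)
    tok = srv.token("authorization_code", "app123", "s3cret",
                    code=step1["code"], redirect_uri="https://app.example/cb")
    replay = srv.token("authorization_code", "app123", "s3cret",      # same code again
                       code=step1["code"], redirect_uri="https://app.example/cb")
    renewed = srv.token("refresh_token", "app123", "s3cret", refresh_token=tok["refresh_token"])
    return srv, tok, replay, renewed


if __name__ == "__main__":
    print(demo()[1:])
```

The two pop() calls are the security-relevant lines: replaying an authorization code, or reusing a refresh token after it has been exchanged, yields invalid_grant, which is also the signal a detection rule would look for in token-endpoint logs.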
OAuth URLs for the platform
The platform has specific OAuth URLs used when APIs are hosted on the platform. For details, see What is the OAuth Authorization Server URL for the platform?
OpenAPI Specification
As of January 2016, the Swagger specification has been donated to the Open API Initiative. It is now known as the OpenAPI Specification.
OpenID
An open standard for authenticating users, now deprecated in favor of OpenID Connect.
OpenID Connect
An identity layer on top of the OAuth 2.0 protocol that allows the client to verify the identity of an end-user based on authentication by an Authorization Server. OpenID Connect was released in February 2014 and is gaining popularity. For example, Google has moved from OpenID to OpenID Connect for products such as the Google+ API, used by the platform's Google login domain. For more information, see Welcome to OpenID Connect (external site).
orchestration (API)
An orchestration creates a service that is implemented with a process, rather than being simply a proxy of another service. The orchestration process itself might invoke multiple APIs (but does not necessarily) and might aggregate responses or take other actions to process a request. A mock service is a type of orchestration. An orchestration is defined at the operation level, not the service level.
organization
In the context of the Akana API Platform, an organization can represent any of several different types of organizational entities, such as a company, department, project, or partner.
OSGi container
In general, an OSGi (Open Services Gateway initiative) container is an individual piece of a modular system used to install and configure software components in a very flexible and configurable arrangement. This supports such activities as installing or uninstalling, starting, stopping, or updating one or more containers without stopping the entire system.
In the context of the API Platform, specific features are installed in specific OSGi containers. For example, the API Platform might be installed in one OSGi container, the underlying infrastructure in another container, and the Network Director, the component that actually manages the traffic, in another.
overloaded operation (API)
An overloaded operation is one that has two or more implementations that have the same basic URL but with different arguments or, commonly, different media types. Often, there might be two operations that share the same path and HTTP verb but have different media types for Consumes (request media type) and Produces (response media type) elements.
For example, the platform API itself has a small number of overloaded operations that return essentially the same information, but in two different formats depending on the media types used. In these examples, if the response media type is application/json or application/xml, the response is in the form of an RSS channel, and with the same path and HTTP verb, if the media type is application/vnd.soa.v81+json or application/vnd.soa.v81+xml, the response is in the form of a model object.
package file
The ZIP file that is created as a result of using the export function. The package file can be imported into another instance of the platform by a Site Admin or API Admin.
partial API visibility
API visibility for the app developer is restricted to a subset of the API; only certain portions of the API documentation/operations can be seen by the app developer.
password reset code
See reset code.
PingFederate
A federated identity management system based on the SAML protocol. PingFederate® supports SSO, SLO, and other federated identity standards. It can also be used as an OAuth 2.0 provider.
The platform supports PingFederate provider as a domain type (set up by the Site Admin).
pipes (data format)
A data format that uses the pipe character (|) as a separator between values. Pipe separators are sometimes used for tabular data exchange.
PKCS12
A file format used for keystores. The private key and certificate can be stored in the same PKCS12 file. In the platform, this format is used for uploading the app keystore file in the Test Client tool. The file extension can be p12 or pfx.
Policy Manager
Akana Policy Manager is the core product that provides the underlying infrastructure for the platform. Message handling intermediaries integrate with Policy Manager which attaches policies and provides a policy decision point as well as the policy administration point.
The Policy Manager console is the user interface for the Akana API Gateway.
Private API
Private APIs are visible to members who have been invited to join an API Context Group. Once a member has accepted a Private API invitation, the Private API is displayed with a unique icon.
process
In the context of the API Platform, a process is an ordered group of activities that can be performed by an API Gateway that supports the virtualization capability. For more information, see What is a process?
production environment
In versions of the API platform prior to 8.1, an API could have endpoints in the Sandbox environment or the Production environment. In versions 8.1 and later, terminology has changed. An API can have two implementations, Sandbox and Live. By default, when a user adds an API, the platform automatically creates the Live implementation.
profile
In the context of the Akana API Platform user interface, the user profile page allows you to edit your user details (firstname, lastname, username, and avatar) and settings (email, password, and notifications settings).
promotion (from one environment to another)
Promotion is the process of propagating changes made in one Environment to another. The Promotion process is automated for efficiency and to help prevent mistakes that could occur in a manual process. Promotion is managed via the Promotion Coordinator.
Promotion requires installation and configuration of the Lifecycle Coordinator feature. For more information, see Using Custom Metadata on the Developer Portal (Site Admin doc) and What is the promotion feature? (API Admin doc).
Promotion Coordinator
A Promotion Coordinator is a separate component that controls the promotion process and transfer of data between environments. There is a single Promotion Coordinator for all Environments.
promotion package
The Promotion Package holds the data that needs to be promoted from the Source Environment to the Target Environment. The package contains two different artifacts: the environment data and the manifest.
provisioning (installation/upgrade task)
As part of the installation or upgrade process, there is a post-install/post-upgrade task called Provisioning.
Provisioning initializes resources associated with the feature set you're installing or upgrading. The provisioning task must be run on each container.
proxy API
When an API Admin or Business Admin sets up an API on the Akana API Platform and chooses to use the Proxy feature, all traffic to the API endpoints is channeled via the platform. This offers significant benefits, including the ability to apply policies and monitor traffic at the proxy.
When an API uses the platform as a proxy, the platform receives the API traffic and directs it to the target (actual) endpoint, which is not exposed to API users.
Public Key Integration
The Public Key Integration section of My Apps > App Details > Security allows you to use Public Key Infrastructure (PKI) for secure message signing. When you initially create your app, a shared secret is generated by default. If you would like to override the shared secret, you can upload a Certificate Signing Request (CSR). The Certificate Authority associated with the platform will generate a public/private key pair using the uploaded CSR.
Navigation: My Apps > App > Details > Security
QName
A unique identifier used for certain elements and attributes (Qualified Name). The developer portal API uses QNames to identify elements such as API bindings and interfaces. Policy Manager also uses QNames.
QNames are used to create a mapping between a URI and a namespace prefix. The QName includes the object's unique name within the namespace, plus the namespace itself.
QoS (quality of service) policy
A QoS policy defines the level of service being offered to an app that is accessing an API; for example, the number of transactions per minute that are allowed for the app. In the platform, QoS policies are tied to license terms.
RAML
Acronym for RESTful API Modeling Language. RAML is a language based on YAML, and is used for describing RESTful APIs.
rating
The API platform allows users to rate certain resources, such as apps, APIs, and groups, by clicking from 1 star (lowest rating) to 5 stars (highest rating).
realm
A URL pattern for which an authentication request is valid. In OpenID Connect, a realm is designed to give the end user an indication of the scope of the authentication request. The identity provider must present the realm when requesting the end-user's approval for an authentication request. The identity provider uses the realm to identify the relying party.
redirection endpoint
In general, a redirection endpoint or URL is a URL that an application provides to another app, when directing the user to the second app to perform some function and then return the user once the function is complete. For example:
  • Login: If the user is logging in with Google, the platform directs the user to Google and provides a redirect URL. When Google has authenticated the user, Google redirects the user back to the platform using the redirect URL.
  • OAuth: if an app is requesting access to one or more of the user's Facebook resources, such as the Calendar, the app directs the user to a Facebook authorization page, and provides a redirect URL. Facebook authenticates the user, collects the user's permission for the app to access the resources, and then uses the redirect URL to return the user to the app.
refresh token
See OAuth refresh token.
registered user
A platform user who signed up by creating a profile using the self-signup process, as distinct from a user who was added by the Site Admin, which is called a managed user. Differentiating between users in terms of how they are added allows the implementation of custom workflows that grant different privileges to different types of users. For example, the Site Admin could implement a custom workflow so that a managed user cannot change the user profile but a registered user can.
registration code
A unique code generated and sent to a specific user in an email if the Site Admin adds the user (currently supported only via the API). The code is only valid for the account it is generated for, and expires after a pre-set period.
This is one of the several types of codes used to manage user signup and login. For information on the others, see code (user).
relying party
In OpenID Connect, the app that is providing a service to the end-user is called the relying party. The relying party trusts the identity provider (Connect provider) to authenticate the user. In the context of the Akana API Platform, when OpenID Connect is used for login, the platform is the relying party and the Site Admin sets up the OpenID Connect identity provider in Domains setup.
reset code
A unique code generated and sent to a specific user as a result of a password reset request. The code is only valid for the account that requested it, and expires after two days by default. Expiration time is configurable by the Site Admin.
This is one of the several types of codes used to manage user signup and login. For information on the others, see code (user).
reset.css
In Web-based applications and web pages that use CSS styling, a stylesheet called reset.css is often used to reset the styles of core HTML elements, such as headings and lists, to a consistent baseline. Custom styles are then applied as a next step.
The reason this is important is that there are inconsistencies in the way that different browsers interpret basic styles. Resetting to a consistent baseline, and building from there, helps ensure a consistent user experience across different browsers.
The platform uses reset.css as part of its style implementation.
resource
In the Akana API Platform, a Resource is an item, such as an App or API, which has its own Forum and set of activities.
restricted API access
Restricted access for an app means that the app's access to the API is restricted to a subset of the API, as defined by scope mapping, or to a specified, agreed-upon quota as defined by a QoS policy. Compare: unrestricted API access.
Resource server
See OAuth resource server.
review
Users can write reviews for any apps, APIs, or groups that they have access to. In the developer portal, reviews are created from the Details page for the resource. Each review includes a subject line and a comment.
Other users can comment on the review, and can mark reviews that they like.
Depending on the platform configuration, reviews might be moderated. If so, the review must be approved by an Administrator before it is published.
A review is actually a Forum entry even though, in the user interface, reviews are not displayed on the Forum for the resource, but instead are displayed on the Details page.
In terms of using the API, all operations that work for Forum entries work for reviews also.
role
The specific functions that a platform user can perform are governed by platform roles, which are assigned to the user by the Administrator. For example, one user might have a role that allows adding and editing of APIs, whereas another might have a different role that only allows viewing.
For more information, see How do roles work?
role (platform group)
Within an API Context Group, each group member has a role, either as Member or Leader. The Private API Admin can invite team members and designate roles.
Within an independent group, each group member has a role, either as Member, Admin, or Leader. An Admin can invite or remove other team members and designate roles.
Other roles on the platform include App Team Member, Site Administrator, API Administrator, and Site User. An additional role, API Owner, is defined in the underlying infrastructure.
RSA
A popular and secure public key cryptography algorithm.
SaaS
Acronym for Software as a Service.
The Akana SaaS solution offers a highly secure, highly available infrastructure to support enterprise-grade API management.
SAML
Acronym for Security Assertion Markup Language. SAML is an identity federation standard that enables single sign-on. It is an XML-based standard for exchanging authentication and authorization data between a service provider (providing a service to the user) and an identity provider (providing user identity verification for the service provider).
One usage, in the context of the platform, is by OpenID Connect where it is used to provide single sign-on. The platform acts as the relying party.
SAML Artifact
In SAML, a unique ID used by the service provider (SP) and identity provider (IdP) to reference a specific user session or transaction. The SP can use the Artifact to query the IdP for information about the user.
SAML assertion
A SAML assertion is an XML document returned by the Identity Provider to the Service Provider after authentication of the user. The assertion has a very specific structure, as defined by the SAML standard. A SAML assertion has a <Subject> element which contains information about the user. It might have conditions and attributes associated with the information being conveyed. It is digitally signed and asserts that the user has been authenticated.
Note: the above definition applies to an authentication assertion, which applies in the context of the platform's support of SAML. There are other types of SAML assertions.
SAML Web SSO
Single sign-on over the Web using the SAML protocol.
sandbox endpoint URL
A unique gateway URL (service endpoint) that provides access to an API's sandbox environment. The Sandbox Endpoint URL becomes available after requesting access to an API using the Request API Access Wizard.
Navigation: Add APIs in My Apps > API Management, or Request API Access in My Apps.
schema
In the context of adding or modifying an API, the platform supports defining a custom schema for request or response model object definitions (JSON format only).
scope
A subset of a license. A scope is the bridge between the top level of the hierarchy, which is a license, and the bottom level, an operation. At the business level, the Business Admin defines the scope with a name and basic attributes. Then, at the API level, the API Admin assigns specific operations to one or more scopes for the API. These operations are included in any license that the scope is assigned to.
scope group
An API scope group is uniquely related to an API and does not exist independently of the API. If an API is deleted, any API Context Groups associated with that API are also deleted, whereas independent platform groups associated with the API are not. Same as API Context Group.
scope mapping
If your API is using the Licenses feature, scope mapping is the key to defining which portions of your API will be available for which licenses. The scopes and licenses themselves are defined by the Business Admin, but at the API level you determine which operations are assigned to which scopes. This in turn determines which licenses will be available to app developers requesting access to your API.
search
The platform includes search functionality on certain specific pages and on platform-wide content. For example, a user can search on the apps list or APIs list for a specific app or API; the Site Admin can search for a specific user in the Users List. Search is available on many other areas of the user interface. Some examples: Forum posts, tickets, and alerts; help documentation (question mark at top right; then, Browse Docs).
Search results are limited to those resources the user performing the search has permission to see. For example, a user who does not have access to a specific private API will not see it on the list.
security challenge question
See challenge question.
security domain
An application or collection of applications that all share, and trust, common security. The same security mechanism is used for all within the security domain, for authentication, authorization, and/or session management. A user who is authorized on one part of the security domain is considered authorized for other parts.
In a tenant/partner scenario, all tenants share the same security domain and are considered to be trusted. So, for example, app owners on one tenant have access to API information on another tenant seamlessly and without any additional security authorization.
Server Name Indication (SNI)
An abbreviation for Server Name Indication, SNI is an extension of the TLS protocol that allows a single server to connect multiple SSL certificates to one IP address. When the client attempts to connect to the server, the client indicates the hostname it is attempting to connect to. The server sends the applicable digital certificate, which the browser then verifies; upon verification, the connection goes ahead.
The API platform's support of SNI means that multiple certificates can be used for one HTTPS endpoint. This means that each API can use its own certificate for its own clients. The deployment zone must support HTTPS; the API implementation must have the Use Implementation's Key/Certificate for SSL option checked in the HTTPS tab for the deployment, and there must be a certificate in place for the implementation.
For general information on SNI, see https://en.m.wikipedia.org/wiki/Server_Name_Indication.
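The SNI entry says the client "indicates the hostname it is attempting to connect to"; concretely, the hostname travels in clear text in the server_name extension of the TLS ClientHello, which is also why a gateway can pick the right per-API certificate before any encryption starts. The following is an added example, not part of the page or the platform, that builds a minimal ClientHello carrying an SNI extension (constructed test input) and then parses one defensively, using the RFC 6066 layout and refusing truncated or malformed records rather than over-reading. It is the kind of routine a front-end or a passive monitor uses to log which hostname each TLS connection asked for.

```python
"""Build and parse the SNI (server_name) extension of a TLS ClientHello.
Added illustration; the builder exists only to produce constructed test input."""
import os
import struct

SERVER_NAME_EXT = 0x0000   # RFC 6066 extension type "server_name"
HOST_NAME_TYPE = 0         # NameType host_name


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one cipher suite and an SNI extension."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    sni_body = struct.pack("!H", len(entry)) + entry              # ServerNameList
    ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + os.urandom(32)           # client_version, random
            + b"\x00"                                # session_id: empty
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # compression methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if no SNI is present.
    Raises ValueError on anything malformed instead of reading past the buffer."""
    pos = 0

    def need(n):                       # bounded read cursor
        nonlocal pos
        if pos + n > len(record):
            raise ValueError("truncated ClientHello")
        chunk = record[pos:pos + n]
        pos += n
        return chunk

    ctype, _version, rec_len = struct.unpack("!BHH", need(5))
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    if need(1)[0] != 0x01:
        raise ValueError("not a ClientHello")
    need(3)                            # handshake body length
    need(2 + 32)                       # client_version + random
    need(need(1)[0])                   # session_id
    need(struct.unpack("!H", need(2))[0])   # cipher_suites
    need(need(1)[0])                   # compression_methods
    if pos == len(record):
        return None                    # no extensions block at all
    end = pos + struct.unpack("!H", need(2))[0]
    while pos < end:
        etype, elen = struct.unpack("!HH", need(4))
        edata = need(elen)
        if etype == SERVER_NAME_EXT:
            return _parse_server_name(edata)
    return None


def _parse_server_name(data: bytes):
    if len(data) < 2:
        raise ValueError("bad server_name extension")
    list_len = struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos < 2 + list_len:
        if pos + 3 > len(data):
            raise ValueError("bad server_name list")
        ntype, nlen = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if len(name) != nlen:
            raise ValueError("bad host_name length")
        if ntype == HOST_NAME_TYPE:
            return name.decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("api.example.com")))   # constructed hostname
```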
Service Provider
In terms of SAML, the Service Provider (SP) offers a service to the user and allows the user to sign in by using SAML. When the user attempts to sign in, the SP sends a SAML authentication request to the Identity Provider (IdP). The IdP validates the request, authenticates the user, and creates a SAML assertion that represents the user's identity and, in some cases, sends additional information about the user in the form of associated attributes. The SAML assertion is digitally signed and encrypted and then sent back to the service provider that initiated the request.
Identity federation software at the SP receives the assertion, verifies its authenticity, decrypts it, and shares the information with the application.
SHA
Acronym for Secure Hash Algorithm; a family of cryptographic hash functions including SHA-0, SHA-1, SHA-2 (see SHA-256), and SHA-3.
SHA-1
SHA-1 is a cryptographic hash function, broadly used and trusted.
When you hash a value with SHA-1, the hash function returns a 160-bit string. This is the message digest. The value is hashed and sent with the message; at the receipt point, the value is hashed again, and the two hash values are compared. When the two hash values match, it is a secure, reliable indication that the message hasn't changed; the message at the receipt point is an accurate duplication of the message at the send point.
SHA-256
Part of the SHA-2 family of algorithms developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to succeed SHA-1. Each is named according to the number of bits in the output; so, whereas SHA-1 has 160 bits in the hash output, SHA-256 has 256.
shard (in Elasticsearch)
See Elasticsearch shard.
Shared Secret
A shared secret is a value generated for an app developer within the secure environment of the platform. The shared secret is known only to the app developer and the platform, and is used for authentication in secure send/receive communications.
Navigation: My Apps > App > Details > Security
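The SHA-1, SHA-256 and Shared Secret entries above fit together: a SHA digest sent with a message lets the receiver detect that the message changed, and a shared secret known only to the two parties turns that digest into an authentication check. The following is an added example, not the platform's code, that shows the 160-bit versus 256-bit digest sizes, the hash-and-compare integrity check described under SHA-1, and why a plain digest is not enough on its own: whoever can rewrite the message in transit can recompute an unkeyed digest, whereas a keyed HMAC built over the shared secret cannot be recomputed without that secret. The message bytes and the secret are constructed values.

```python
"""SHA digest sizes, digest-based integrity check, and HMAC with a shared secret.
Added illustration with constructed inputs."""
import hashlib
import hmac


def digest_bits(message: bytes, algorithm: str) -> int:
    """Size in bits of the message digest produced by the named SHA function."""
    return len(hashlib.new(algorithm, message).digest()) * 8


def send_with_digest(message: bytes, algorithm: str = "sha256"):
    """Sender side: ship the message together with its digest."""
    return message, hashlib.new(algorithm, message).digest()


def check_digest(message: bytes, received: bytes, algorithm: str = "sha256") -> bool:
    """Receiver side: hash again and compare (constant-time compare avoids timing leaks)."""
    return hmac.compare_digest(hashlib.new(algorithm, message).digest(), received)


def send_with_mac(message: bytes, shared_secret: bytes):
    """Sender side: ship the message with an HMAC-SHA256 tag keyed by the shared secret."""
    return message, hmac.new(shared_secret, message, "sha256").digest()


def check_mac(message: bytes, tag: bytes, shared_secret: bytes) -> bool:
    """Receiver side: only a holder of the shared secret can produce a matching tag."""
    return hmac.compare_digest(hmac.new(shared_secret, message, "sha256").digest(), tag)


def demo() -> dict:
    secret = b"constructed-shared-secret"          # constructed; never hard-code real secrets
    original = b"transfer 10 to account 42"        # constructed message
    altered = b"transfer 10 to account 99"         # same message after modification in transit

    msg, dig = send_with_digest(original, "sha1")
    # Accidental corruption: the digest no longer matches the received bytes.
    corrupted_detected = not check_digest(altered, dig, "sha1")
    # Deliberate substitution: a digest recomputed over the altered message still verifies,
    # because nothing in an unkeyed digest is tied to the sender.
    _, recomputed = send_with_digest(altered, "sha1")
    plain_digest_fooled = check_digest(altered, recomputed, "sha1")

    msg, tag = send_with_mac(original, secret)
    # Without the shared secret, a substitute tag cannot be produced.
    forged_tag = hmac.new(b"guess", altered, "sha256").digest()
    mac_rejects_forgery = not check_mac(altered, forged_tag, secret)
    mac_accepts_genuine = check_mac(msg, tag, secret)

    return {
        "sha1_bits": digest_bits(original, "sha1"),
        "sha256_bits": digest_bits(original, "sha256"),
        "corrupted_detected": corrupted_detected,
        "plain_digest_fooled": plain_digest_fooled,
        "mac_rejects_forgery": mac_rejects_forgery,
        "mac_accepts_genuine": mac_accepts_genuine,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading: the SHA-1 description above (hash, send, re-hash, compare) protects against transmission errors, and it is the shared secret in the HMAC that makes the same comparison an authentication check.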
signup code
A unique code generated and sent to a specific user in an email when the user signs up for the platform. The code is only valid for the account that requested it, and expires after seven days.
This is one of the several types of codes used to manage user signup and login. For information on the others, see code (user).
Simple Developer theme
Simple Developer theme, also called Simple Dev, is an additional customizable code base, with a separate URL, that you can choose as an additional installation option. Simple Dev includes a streamlined user interface, providing a simplified user experience for app developers.
The API admin, Site Admin, and Business Admin capabilities available in Default Theme/Hermosa Theme are excluded from Simple Dev theme for the sake of simplicity. One installation can have multiple themes, with multiple customizations of each, sharing the same database. Each theme has a different URL.
Simple Dev theme offers an easily customizable look and feel, and is easily extensible.
For an illustration, see Simple Developer Theme.
site administrator
An individual who has responsibility for keeping the site running smoothly. The Site Admin has access to additional parts of the user interface for configuration and monitoring purposes. There can be more than one site administrator. For more information, see What functions are available to the Site Administrator in the platform?
SNI
See Server Name Indication (SNI).
SP
In SAML, abbreviation for Service Provider.
sprite
A two-dimensional image used by the developer portal CSS, in Default Theme only, to control the colors in platform default icons and images. Although the icons and images cannot themselves be changed, the colors can be changed, as part of UI customization, by changing the colors of the sprite files. Hermosa Theme uses a different approach to custom icons, Font Awesome (see http://fontawesome.io; external link).
SSL
A cryptographic protocol used to add security to messages by encryption. SSL uses X.509 certificates and asymmetric cryptography to identify the server and to establish a session key; that session key is then used to encrypt the messages. SSL offers encryption and identification.
SSO
Abbreviation for single sign-on, a feature allowing a user to sign in once for more than one system rather than signing in separately to each system.
If an app offers single sign-on, this means that the app, acting as a Service Provider (providing services to an end user) uses an Identity Provider, an entity that provides authentication and possibly authorization services, to verify the identity of an end user logging on to the app. The user signs in to the Service Provider, and the Service Provider either implicitly or explicitly requests authentication from the Identity Provider. Once authentication is received, the Service Provider delivers the requested service to the end user.
SSV
Space-separated value format, a data type for certain API input parameters. This format is commonly used for exporting tabular data. Used in API documentation generated with Swagger 2.0: see http://swagger.io/specification/.
Swagger
Swagger (http://swagger.io) is a specification and framework implementation for dynamically generating API documentation for RESTful web services. The platform includes an implementation of Swagger that works in conjunction with the Add a New API Wizard. For more information, see What is Swagger and how does it work?
Note: As of January 2016, the Swagger specification has been donated to the Open API Initiative. It is now known as the OpenAPI Specification.
tag
A tag is essentially a keyword or key phrase that's added to a piece of content, or information associated with a resource, to assist in search results. Several different types of resources can have tags assigned to them; for example, apps, APIs, groups, and tickets. Multiple tags are separated by commas.
For example, if an app is a movie general knowledge game, the app owner might assign tags of movie, game, general knowledge; or an API owner can add a category or product line to the metadata for certain APIs so those APIs will come up in search results for that term.
target API
When defining an API on the platform, if an API is using the platform as a proxy, the Target API defines the destination ("next-hop") endpoint for the API.
target host
When defining a domain in the platform, it is possible to define a virtual host address for each login domain. This is the target host. Example: {role}/{company}.com.
template (Lifecycle Manager)
The developer portal offers an optional extension for Lifecycle Manager (LM) users to support LM templates. Called capture templates in LM terminology, these templates define additional pieces of information to be collected from users about platform resources, such as apps and APIs, over and above the platform defaults. For example, by default, adding an app requires a name, description, version number, and version description. An LM capture template could define additional required or optional properties, such as keywords or type of app. Types of information collected can include different data types such as text, integer, or Boolean; single or multiple values; optional or required user input. The specifics are determined by the Capture Template design in LM. The template can also include user assistance (tooltips) for the various fields.
To implement LM capture templates to collect additional information from users, several steps are needed. The implementation must include Lifecycle Manager, using the same database as the developer portal; one or more LM capture templates must be in place; and the applicable site setting (Administration > Site > Lifecycle Manager Integration) must be enabled.
tenant
The tenant is a distinct developer portal and community that is logically separated from any other communities that may be hosted in the same product instance.
The Tenant is managed by the Site Administrator.
Test Client
The platform includes an API testing interface, called Test Client, that acts as an easy-to-use test client for any API that is fully integrated with the platform, that is, any API that has an API definition in the platform. Developers can use it to exercise all capabilities of an API, and it is suited to prototyping, testing, and troubleshooting apps against an API. It includes OAuth support for obtaining the OAuth access token that a request needs before the message is sent.
For more information, see Trying Out APIs in Test Client (for app developers), API Testing with Test Client (for API Admins), or Test Client (for Site Admins).
theme
One instance of the portal. More than one theme can be defined during the installation process and can then be customized for different purposes or audiences. Each theme has a separate URL.
The platform includes three out-of-the-box themes; Default Theme, Simple Developer Theme, and Hermosa Theme. The first two can be cloned, which means you can have more than one version, independently customizable. Hermosa Theme cannot be cloned.
For overview and illustrations, see Platform user interface "theme". For more information, see What is a platform theme? (Site Admins only).
ticket
A type of feed entry, representing a trouble ticket created to raise an issue with a resource (app or API) or a connection. Tickets are typically created by a consumer of an API. Any member of the community can comment on a ticket, but it can only be marked as Resolved by the original creator or by an administrator of the target resource. For example, if Joe writes a ticket about an issue with the SkyBlue API, only Joe or the SkyBlue API Admin can mark the ticket as Resolved.
token
An access object sent to the requestor (client app) after authentication is complete and authorization has been granted. The token enables the client app to request access to the end-user's resources. OAuth, OpenID Connect, and SAML use tokens. There are different types of tokens, as defined in the applicable specification; for example, OAuth access tokens, bearer tokens (also called bearer access tokens), client tokens (not currently supported), and ID tokens (used by OpenID Connect).
token endpoint (OAuth)
See OAuth token endpoint.
Trusted Certificate Authority
A Trusted Certificate Authority (CA) is a third party that the platform is configured to trust, at a specified level, to vouch for the identities it certifies. Trusted CA certificates are used when an identity presented to the platform is validated as the entity it claims to be: a certificate is accepted only if it chains to a trusted CA. Certificates imported into the Platform Tenant (Host) must be issued by a Trusted Authority, so Trusted CA certificates must be configured before importing X.509 certificates for applications running on the platform.
Navigation: My Apps > App > Details > Security
TSV
Tab-separated value format, a data type for certain API input parameters. TSV format is used for tabular data exchange.
two-factor authentication
An enhanced security feature for additional authentication of users logging in. The first factor, something the user knows, is satisfied by the user entering credentials, such as username and password. The second factor is something the user has, such as a one-time passcode delivered to a device or mailbox that only the user should be able to read. The platform has an optional feature to support two-factor authentication, commonly called 2FA. If this feature is enabled, after the credentials are verified the user is sent a code, usually by email, and is directed to a platform page for entering the code. Note that a code delivered by email is only as strong as the protection on the user's mailbox: an attacker who can read the mailbox can complete the second factor.
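The issue-and-verify cycle described above, as an added example in Python that is not the platform's own code. The function names, the in-memory store, the five-minute code lifetime and the limit on wrong guesses are assumptions for the illustration; delivery is a callback so the sample runs offline, with an in-memory outbox standing in for the mail system.

```python
"""One-time code as a second factor: issue after the password check, verify on entry.

Added illustration, not the platform's code. The function names, the in-memory
store, the code lifetime and the attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300     # assumed lifetime: five minutes
MAX_ATTEMPTS = 5           # assumed limit on wrong guesses before the code is discarded

# username -> pending challenge. Only a salted hash of the code is kept, so a
# leaked store does not expose live codes.
_pending: dict = {}


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def issue_code(username: str, send: Callable[[str, str], None],
               now: Optional[float] = None) -> None:
    """Create a fresh code for a user whose first factor already verified.

    send(username, message) delivers the code, for example by email. Any
    previous unused code for the same user is replaced.
    """
    now = time.time() if now is None else now
    # secrets, not random: the code must be unpredictable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[username] = {
        "hash": _hash_code(code, salt),
        "salt": salt,
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send(username, f"Your verification code is {code}")


def verify_code(username: str, submitted: str,
                now: Optional[float] = None) -> str:
    """Check a submitted code; returns one of ok, wrong, expired, locked, none."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return "none"                      # nothing pending: never issued, or already used
    if now > entry["expires"]:
        del _pending[username]
        return "expired"
    # Constant-time comparison of equal-length digests.
    if hmac.compare_digest(_hash_code(submitted, entry["salt"]), entry["hash"]):
        del _pending[username]             # single use: a code never verifies twice
        return "ok"
    entry["attempts"] += 1
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]             # stops online guessing of a 6-digit code
        return "locked"
    return "wrong"


if __name__ == "__main__":
    outbox = []                            # constructed stand-in for the mail system
    issue_code("alice", lambda user, msg: outbox.append((user, msg)), now=1000.0)
    print("sent:", outbox[-1])
    code = outbox[-1][1].split()[-1]
    print(verify_code("alice", "abcdef", now=1001.0))   # wrong
    print(verify_code("alice", code, now=1001.0))       # ok
    print(verify_code("alice", code, now=1002.0))       # none: single use
```

The attempt limit matters as much as the randomness: a six-digit code has only a million values, so without a cap an attacker who has the password can simply guess the second factor.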
unicast
Used in connection with configuration of the platform's search feature. Unicast configuration is appropriate where the client/server relationship is one to one and the scope is the whole network: at startup, the node sends its message to a single, configured network address. This suits a single-client scenario or a cluster scenario. Compare broadcast, which sends the same data to all possible destinations, and multicast, which sends the data to all interested destinations.
unmark
To unmark a discussion, ticket, or other resource means to remove a mark previously placed on the resource. In the user interface, the mark icon is a thumbs-up, and the unmark icon is a closed fist.
unrestricted API access
Unrestricted API access for an app means that the contract is not limited to a specific license. The app has full access to all operations of the API. Compare: restricted API access.
user
A person with a registered login ID to the Akana API Platform. All users must complete the registration process so that the system can gather required information about them before granting access. Each user can choose to define a new username/password combination that will be managed within the Akana API Platform, or can leverage the integration of Akana API Platform with external security providers such as Facebook® for authentication. By completing the signup process, each individual is assigned the role of User; users can then assume other roles, such as API Administrator or App team member (depending on platform settings).
UserInfo Endpoint (OpenID Connect)
One of the two ways offered by the OpenID Connect specification for the app to learn information about the end user. The OpenID Connect Provider can publish a UserInfo endpoint, which is a protected resource that returns claims about the authenticated end-user.
The client sends a request to the UserInfo Endpoint using an access token. The UserInfo Endpoint returns the user info to the client app.
The OpenID Connect Provider can issue an ID Token (token) from either the Authorization Endpoint or the Token Endpoint.
vanity hostname
A vanity hostname is generally memorable, easy to understand, and clearly identifiable. An API might have an actual hostname that has more complexity, but maps to a vanity hostname that's easy for customers to remember. Customers can use the vanity hostname and do not even need to be aware that it isn't the actual API processing endpoint. The vanity hostname cannot include the underscore character.
version
Each app or API on the platform must have at least one version, and can have multiple versions. When a user creates an app or API in the user interface, the first version is created automatically; when creating an app or API through the platform API, both steps must be completed: create the app or API, then create its first version. If there is only one app or API version, deleting that version also deletes the app or API.
vertical ellipsis menu
In the Hermosa theme, the vertical ellipsis (Advanced Options, sometimes called a kebab menu) indicates additional options.
For more explanation and an illustration, see Hermosa Theme.
VIP
Acronym for a virtual IP address.
visibility
A setting that controls the types of users who can see a resource, such as an app, API, group, license, or scope, and any associated items such as discussions and tickets.
There are three possible values. The first two are applicable to all resources that have visibility settings; the third is applicable only to apps, APIs, and groups.
  1. Public: anyone can see the resource, even anonymous users.
  2. Private: the resource is restricted to those who have been specifically invited to have visibility of the resource, usually by joining a private group that has visibility of the resource.
  3. Registered Users: the resource is visible to all users who have logged in, but is not visible to anonymous users.
well-known configuration URL (OpenID Connect)
In the OpenID Connect protocol, the Well-Known Configuration URL is a specific URL published by the OpenID Connect provider. The platform can use this URL to retrieve other values it needs such as Authorization Server URL, Token Endpoint URL, UserInfo Endpoint URL, and security parameters used for tokens.
Note: If the well-known configuration URL uses HTTPS, the platform must trust the server's certificate chain: the certificate of the CA that issued the OpenID Connect provider's TLS certificate must be present in the cacerts truststore of the JRE used by the Akana API Platform container. Otherwise the TLS handshake fails and the configuration cannot be retrieved.
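The discovery and UserInfo steps described under "UserInfo Endpoint (OpenID Connect)" and "well-known configuration URL (OpenID Connect)" above, as an added Python example that is not the platform's code. It shows the two checks a client should make that the entries do not spell out: the issuer in the discovery document must equal the URL the well-known suffix was appended to, and a UserInfo response is usable only if its sub matches the ID Token's sub. The provider host login.example.test, the discovery document, the access token and the UserInfo response are constructed so the sample runs offline; it builds the UserInfo request but sends nothing.

```python
"""OpenID Connect discovery and UserInfo handling, with the checks a client should make.

Added illustration, not the platform's own code. Everything under
login.example.test, the discovery document and the UserInfo response are
constructed for the example.
"""
import json

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
DISCOVERY_URL = "https://login.example.test" + WELL_KNOWN_SUFFIX

# Constructed stand-in for the document the provider serves at DISCOVERY_URL.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.example.test",
    "authorization_endpoint": "https://login.example.test/oauth/authorize",
    "token_endpoint": "https://login.example.test/oauth/token",
    "userinfo_endpoint": "https://login.example.test/oauth/userinfo",
    "jwks_uri": "https://login.example.test/oauth/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed stand-in for a UserInfo response and the matching ID Token subject.
USERINFO_RESPONSE = json.dumps({"sub": "248289761001", "name": "Jane Doe",
                                "email": "jane@example.test", "email_verified": True})
ID_TOKEN_SUB = "248289761001"

# userinfo_endpoint is only recommended by the spec; requiring it is an assumption here.
REQUIRED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_discovery(url: str, body: str) -> dict:
    """Parse the discovery document fetched from url and validate it.

    The issuer in the document must be exactly the URL the suffix was appended
    to (OpenID Connect Discovery 1.0, section 4.3). A document naming another
    issuer is a misconfiguration or an attempt to redirect the client.
    """
    if not url.startswith("https://") or not url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("discovery URL must be https and end with " + WELL_KNOWN_SUFFIX)
    doc = json.loads(body)
    expected_issuer = url[: -len(WELL_KNOWN_SUFFIX)]
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in REQUIRED:
        endpoint = doc.get(key, "")
        if not isinstance(endpoint, str) or not endpoint.startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return doc


def userinfo_request(doc: dict, access_token: str) -> dict:
    """Describe the UserInfo call: GET the endpoint with the access token as Bearer."""
    return {
        "method": "GET",
        "url": doc["userinfo_endpoint"],
        "headers": {"Authorization": "Bearer " + access_token,
                    "Accept": "application/json"},
    }


def check_userinfo(body: str, id_token_sub: str) -> dict:
    """Accept a UserInfo response only if its sub matches the ID Token's sub.

    OpenID Connect Core 1.0, section 5.3.2: if they differ the client must not
    use the response, because the claims may belong to a different user.
    """
    claims = json.loads(body)
    if claims.get("sub") != id_token_sub:
        raise ValueError("UserInfo sub does not match ID Token sub")
    return claims


if __name__ == "__main__":
    cfg = load_discovery(DISCOVERY_URL, DISCOVERY_DOC)
    req = userinfo_request(cfg, "constructed-access-token")
    print(req["method"], req["url"], req["headers"]["Authorization"])
    print(check_userinfo(USERINFO_RESPONSE, ID_TOKEN_SUB)["name"])
```

The HTTPS requirement in load_discovery is the code-level counterpart of the trust-store note above: the endpoints learned from discovery are only as trustworthy as the TLS connection the document arrived over.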
workflow
Workflow defines the sequence of steps that are followed in a business process, including such related data as conditions (for example, a ticket must be resolved before it can be closed), state (for example, a ticket can have states of Open, Resolved, and Closed), or role (for example, a certain step can only be completed by an Administrator).
Defining the workflow for a business process gives you control over the process and allows you to monitor and customize as needed to streamline the business process.
The platform includes default out-of-the-box workflows for certain resources, such as API contracts, and allows you to customize the workflow for several key resources.
workflow action
Certain types of activities on the platform must be done in a specific sequence. These are often managed by workflows. Each workflow action changes the state of the resource. Some examples of workflow actions are: requesting or approving an API contract, sending a group membership invitation, or changing the status of a ticket.
WSDL
Acronym for Web Services Description Language; the WSDL (pronounced wizdel) is an XML file that includes the definition for the service, including all operations, model objects, and so forth.
In the context of the developer portal, you can create a SOAP-based API by uploading the WSDL file that includes the definition of the API. See How do I add an API using an API description document?
X-Csrf-Token_fedmemberID header
A custom header used by the platform to protect against CSRF attacks. For details, see What is the CSRF prevention feature? (Site Admin help).
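How a custom-header CSRF defense of this kind works, as an added Python example that is not the platform's implementation. A cross-site page can make the browser send the victim's cookies, but it cannot attach a custom request header without a CORS preflight that the origin refuses, so a state-changing request without the header did not come from the application's own client code; binding the header value to the session additionally defeats a forged value. The header name x-csrf-token, the session layout and the request shape are assumptions; the platform's own header and its naming are described in the Site Admin help referenced above.

```python
"""Custom-header CSRF check for state-changing requests.

Added illustration, not the platform's implementation. The header name, the
session dict and the request representation are assumptions for the example.
"""
import hmac
import secrets

CSRF_HEADER = "x-csrf-token"                          # assumed name; matched case-insensitively
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # read-only by contract, so no token needed


def new_session() -> dict:
    """Create a logged-in session carrying an unguessable per-session CSRF token."""
    return {"user": "alice", "csrf": secrets.token_urlsafe(32)}


def csrf_ok(session, method: str, headers: dict) -> bool:
    """Allow a request if it is read-only, or carries the session's token in the custom header."""
    if method.upper() in SAFE_METHODS:
        return True
    if session is None:
        return False                                   # no session, nothing to bind to
    presented = next((v for k, v in headers.items() if k.lower() == CSRF_HEADER), None)
    if presented is None:
        return False                                   # forged cross-site form posts land here
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(presented.encode("utf-8"), session["csrf"].encode("utf-8"))


def handle(session, method: str, headers: dict) -> int:
    """Return the HTTP status a filter would produce: 403 on a failed check, else 200."""
    return 200 if csrf_ok(session, method, headers) else 403


if __name__ == "__main__":
    s = new_session()
    print(handle(s, "GET", {}))                               # 200: read-only
    print(handle(s, "POST", {}))                              # 403: cross-site form post
    print(handle(s, "POST", {"X-Csrf-Token": s["csrf"]}))     # 200: app's own JavaScript
    print(handle(s, "POST", {"X-Csrf-Token": "guessed"}))     # 403: wrong value
```

The check must run on every state-changing method, including PUT, PATCH and DELETE, and the application must never implement state changes behind GET, or the SAFE_METHODS shortcut becomes the bypass.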
YAML
A data format. YAML 1.2 is a superset of JSON. YAML is not really a markup language, since it is data-oriented rather than focused on document markup. Whitespace indentation, rather than brackets, is used to denote structure. RAML, one of the API description document types supported by the API Platform, is based on YAML.
