Authentication is full of abbreviations. We explain the most important terms in a clear and practical way.
OAuth 2.1: The current industry standard for delegated authorization. Think of it like a hotel key card: it opens certain rooms (scopes), but it does not by itself prove who is holding it. Version 2.1 consolidates the best practices that grew up around OAuth 2.0: it removes the insecure legacy grants (the implicit grant and the resource owner password credentials grant), requires PKCE for the authorization code flow, and forbids passing bearer tokens in URL query strings.
OIDC (OpenID Connect): An identity layer on top of OAuth 2.0. Where OAuth says "you may enter", OIDC says "you are this user". It adds the id_token, a signed JWT carrying claims about the user and the authentication event (iss, sub, aud, exp, iat, nonce). The id_token is meant for the client application that requested it; it is not an access token and should not be sent to resource APIs. Tuurio acts as a standards-compliant OIDC provider.
PKCE (Proof Key for Code Exchange, pronounced "pixie"): A mechanism that stops an intercepted authorization code from being redeemed by anyone other than the app that requested it. The app generates a random secret (the code_verifier), hashes it with SHA-256 and sends only the hash (the code_challenge, with code_challenge_method=S256) along with the authorization request. At the token exchange the app must present the original secret; the server hashes it and compares it with the stored challenge. Mandatory for mobile apps and SPAs, and required by OAuth 2.1 for every client using the authorization code flow, confidential clients included.
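The exchange described above, as an added example in Python (not code from this page or from Tuurio). The AuthorizationServer class is a hypothetical in-memory stand-in for the /authorize and /token endpoints; the verifier and challenge helpers follow RFC 7636 exactly, and demo() plays through a legitimate redemption, a replayed code and an intercepted code.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client: a fresh high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory model of the /authorize and /token endpoints."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Refuse 'plain': an interceptor who sees the challenge could replay it as the verifier.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """True if the code is valid and the verifier hashes to the stored challenge."""
        # Codes are single-use: removed on the first redemption attempt, matching or not.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
            return False
        return hmac.compare_digest(make_challenge(code_verifier), challenge)


def demo() -> dict:
    """Run three scenarios and report which redemptions the server accepted."""
    srv = AuthorizationServer()

    # 1. Legitimate client: holds the verifier, receives the code, redeems it.
    verifier = make_verifier()
    code = srv.authorize(make_challenge(verifier))
    legit = srv.token(code, verifier)

    # 2. Replay: presenting the same code a second time fails.
    replay = srv.token(code, verifier)

    # 3. Interception: the attacker captured the redirect (the code) but never saw the verifier.
    verifier2 = make_verifier()
    code2 = srv.authorize(make_challenge(verifier2))
    intercepted = srv.token(code2, make_verifier())  # attacker's guess

    return {"legit": legit, "replay": replay, "intercepted": intercepted}
```

The comparison uses hmac.compare_digest rather than == so the check runs in constant time, and the code is consumed on the first attempt whether or not the verifier matched, which closes the window for a second guess.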
MFA (multi-factor authentication): Proof from at least two independent categories, typically something you know (a password) plus something you have (a phone running an authenticator app, or a hardware security key). Tuurio supports TOTP authenticator apps and WebAuthn. Note the difference in strength: a TOTP code can still be phished and relayed in real time, whereas a WebAuthn credential is bound to the site's origin and is therefore phishing-resistant.
JWT (JSON Web Token): A compact, URL-safe format for transmitting claims. A JWT has three base64url-encoded parts: header, payload and signature. Tuurio signs its tokens cryptographically, so your backend can verify authenticity by checking the signature instead of querying a database. Signed does not mean encrypted: the payload is readable by anyone who holds the token, so keep secrets out of it. When verifying, pin the algorithm you expect rather than trusting the token's own header (an "alg": "none" header must be rejected), and check iss, aud and exp as well as the signature.
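An added example, written for this page and not taken from Tuurio, that issues an OIDC-style id_token (the claims named in the OIDC entry above) and verifies it the way a backend should: fixed algorithm, constant-time signature check, then iss, aud and exp. It uses HS256 only so that it runs on the Python standard library; a provider would normally use an asymmetric algorithm such as RS256 or ES256 with a published public key, and an HS256 verifier must be the only party besides the issuer holding the key. The issuer URL, client id and key are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload.signature, HMAC-SHA256 over 'header.payload'."""
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verifier side: return the claims only if signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm. The header is attacker-controlled until the signature is checked,
    # so 'alg': 'none' or a swapped algorithm is rejected, never honoured.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("expired or missing exp")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Issue an id_token and probe the verifier with tampered variants."""
    key = b"demo-shared-secret-never-use-in-production"   # constructed key
    issuer, client_id = "https://issuer.example", "my-app"  # hypothetical values
    claims = {"iss": issuer, "sub": "user-123", "aud": client_id,
              "iat": int(now), "exp": int(now) + 300, "nonce": "n-0S6_WzA2Mj"}
    token = sign_jwt(claims, key)

    def outcome(tok: str, **kw) -> str:
        try:
            return verify_jwt(tok, key, issuer, client_id, **kw)["sub"]
        except InvalidToken as e:
            return f"rejected: {e}"

    h64, p64, s64 = token.split(".")
    tampered = f"{h64}.{_json_b64({**claims, 'sub': 'admin'})}.{s64}"   # payload edited, old signature kept
    alg_none = f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{p64}."      # unsigned token
    return {
        "valid": outcome(token, now=now),
        "tampered_payload": outcome(tampered, now=now),
        "alg_none": outcome(alg_none, now=now),
        "expired": outcome(token, now=now + 600),
        "wrong_audience": outcome(sign_jwt({**claims, "aud": "other-app"}, key), now=now),
    }
```

The order of checks matters: nothing in the payload is trusted until the signature has been verified with an algorithm the verifier chose, which is what defeats both the "alg": "none" trick and algorithm-confusion attacks.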
Refresh token: A long-lived credential your app can use to obtain new access tokens without making the user log in again. Because it outlives the access token, it must be stored securely, and it can be revoked by an admin or by the user if it is compromised. For public clients OAuth 2.1 additionally requires refresh tokens to be either sender-constrained or rotated on every use, so that a stolen token is detected when it is replayed.
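Refresh token rotation with reuse detection, as an added example (not Tuurio's implementation). RefreshTokenStore is a hypothetical in-memory store: each login starts a token "family", every rotation marks the presented token as used and issues a successor in the same family, and a used token showing up a second time means two parties hold it, so the whole family is revoked. demo() walks through a theft: the attacker replays the old token after the client has already rotated it.

```python
import secrets
import time


class InvalidRefreshToken(Exception):
    pass


class RefreshTokenStore:
    """Hypothetical in-memory store implementing rotation plus reuse detection."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._tokens = {}              # token -> record
        self._revoked_families = set()

    def issue(self, user: str, family: str = None, now: float = None) -> str:
        """Mint a token; a new family is started when none is given (fresh login)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": user,
            "family": family or secrets.token_urlsafe(16),
            "expires": now + self.ttl,
            "used": False,
        }
        return token

    def rotate(self, token: str, now: float = None) -> tuple:
        """Exchange a refresh token for (new_refresh_token, user); raise on any problem."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            raise InvalidRefreshToken("unknown token")
        if rec["family"] in self._revoked_families:
            raise InvalidRefreshToken("family revoked")
        if now >= rec["expires"]:
            raise InvalidRefreshToken("expired")
        if rec["used"]:
            # Reuse detected: the legitimate client and a thief both presented this token.
            # We cannot tell which request is which, so the entire family is killed.
            self._revoked_families.add(rec["family"])
            raise InvalidRefreshToken("reuse detected, family revoked")
        rec["used"] = True
        return self.issue(rec["user"], rec["family"], now), rec["user"]

    def revoke_family(self, token: str) -> None:
        """Admin- or user-initiated revocation: kill every token from the same login."""
        rec = self._tokens.get(token)
        if rec is not None:
            self._revoked_families.add(rec["family"])


def demo() -> dict:
    """Theft scenario: the attacker copied the client's first refresh token."""
    store = RefreshTokenStore()
    t0 = 1_700_000_000.0                            # constructed timestamp
    stolen = store.issue("alice", now=t0)           # attacker copies this token
    fresh, _ = store.rotate(stolen, now=t0 + 60)    # client rotates normally
    results = {}
    try:                                            # attacker replays the old token
        store.rotate(stolen, now=t0 + 120)
        results["replay"] = "accepted"
    except InvalidRefreshToken as e:
        results["replay"] = str(e)
    try:                                            # client's current token is dead too
        store.rotate(fresh, now=t0 + 180)
        results["after_replay"] = "accepted"
    except InvalidRefreshToken as e:
        results["after_replay"] = str(e)
    return results
```

The price of reuse detection is that the legitimate client is logged out as well; that is intentional, since at the moment of detection the server cannot distinguish the thief from the victim.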
Passkeys: The end of passwords. A passkey is a WebAuthn credential: a public/private key pair whose private key stays on the user's device (or in a synced authenticator) and is unlocked with device biometrics (Face ID, Touch ID, Windows Hello) or a local PIN. Logging in means signing a server challenge with that key, so no shared secret exists that a server breach or a phishing page could capture, and the credential is bound to the site's origin. Tuurio supports passkeys out of the box.