| Term | Definition |
|---|---|
| Access rules | Email-based rules that decide whether a user may sign in. Deny lists are checked before allow lists. |
| Access token | A token returned by an OAuth provider after Authwall exchanges an authorization code. Authwall uses it to fetch provider user information during the OAuth callback. |
| Account | The Authwall user record that owns sessions, profile data, password hash, and linked identities. |
| Account removal | The flow that deletes a user's account, sessions, identities, and pending tokens while preserving auth events with user_id cleared. |
| Allow list | A configured set of email addresses or domains that are allowed to sign in. When an allow list exists, unlisted email identities are denied. |
| Auth event | An audit record for authentication activity such as sign-in, sign-out, password change, identity linking, session revocation, or account removal. |
| Authorization code | A short-lived, single-use OAuth value returned to Authwall's callback URL after the provider approves the sign-in attempt. Authwall exchanges it for provider tokens. |
| Authorization code flow | The OAuth redirect flow used by Authwall providers: redirect to the provider, receive a code at the callback URL, exchange the code, fetch user info, then create or update the Authwall session. |
| Authwall | The authentication proxy that sits in front of an upstream application, handles sign-in, and forwards authenticated requests. |
| CSRF token | A per-session token required for state-changing Authwall form/API actions so another site cannot submit those actions through the user's browser. |
| Callback URL | The Authwall route where an OAuth provider sends the browser after approval, for example /auth/google/callback. Also called the redirect URL or redirect URI. |
| Client ID | The public OAuth application identifier issued by a provider and configured in Authwall with variables such as AUTHWALL_GOOGLE_CLIENT_ID. |
| Client secret | The private OAuth application secret issued by a provider and configured in Authwall with variables such as AUTHWALL_GOOGLE_CLIENT_SECRET. |
| Confidential client | A server-side OAuth client that can keep a client secret private. Authwall behaves as a confidential client because token exchange happens on the server. |
| Deny list | A configured set of email addresses or domains that are blocked from sign-in even if another rule would otherwise allow them. |
| Direct upstream mode | Upstream mode in which Authwall rewrites the request origin to the upstream application's own address before forwarding, so the request reaches the application as if it had been made directly to it. Contrast with proxy upstream mode. |
| Email change | The flow that lets a signed-in user request and confirm a new email identity when a mailer is configured. |
| Email confirmation | The flow that confirms the user controls an email address before marking that email identity as verified. |
| Email identity | A user identity of type email. Verified email identities can be used for email/password sign-in and access-rule checks. |
| Grant type | An OAuth exchange pattern. Authwall currently uses the authorization code grant for provider sign-in. |
| Identity | A sign-in handle linked to an account, such as a username, verified email, Google account, GitHub account, Microsoft account, Facebook account, X account, or Discord account. |
| Magic code | A one-time code emailed to a user for passwordless sign-in. |
| Magic link | A one-time emailed link that signs in the user without a password. |
| Mailer | The configured email delivery provider used for magic links, password reset, email confirmation, email change, and security notifications. |
| Normalized identity value | The canonical value used for uniqueness and lookup, such as a lowercased email address or a provider account id. |
| OAuth connect | The authenticated flow that links a new OAuth provider identity to the current Authwall account. |
| OAuth disconnect | The authenticated flow that removes an OAuth provider identity from the current account when it is not the last remaining sign-in method. |
| OAuth login | The flow that signs a user in through an external provider and creates an Authwall account when no linked provider identity exists yet. |
| OAuth provider | An external identity provider supported by Authwall, such as Google, GitHub, Microsoft, Facebook, X, or Discord. |
| OAuth state | A random value stored in the session and sent through the OAuth redirect so that the callback can reject cross-site or stale responses. Authwall also uses it to distinguish login from connect intent. |
| Open registration | The default mode where a new account can be created by anyone who completes an enabled sign-in or sign-up flow and passes access rules. |
| PKCE | Proof Key for Code Exchange (RFC 7636). Authwall stores a verifier in the session, sends the derived challenge to the provider, and presents the verifier during token exchange. |
| Password flow | Username/password or email/password sign-in and sign-up, controlled by Authwall flow settings and password policy. |
| Password reset | The email-based flow that lets a user set a new password using a time-limited reset token. |
| Profile | The authenticated Authwall page and API surface for account details, identities, email changes, password changes, and account removal. |
| Protected request | Any non-Authwall, non-public-path request that requires a signed-in session before Authwall proxies it to the upstream application. |
| Proxy upstream mode | Upstream mode in which Authwall forwards proxy headers such as X-Forwarded-* to the upstream application. |
| Public URL | The externally visible base URL for Authwall. It is used for redirects, generated links, and secure-cookie defaults. |
| Public client | An OAuth client that cannot keep a client secret private, such as browser-only or mobile code. Authwall's server-side OAuth flows are not public-client flows. |
| Public path | A configured upstream path that Authwall may proxy without requiring a signed-in session. |
| Redirect URI | OAuth name for the registered callback URL. In Authwall configuration this is called the provider redirect URL. |
| Redirect URL | The exact OAuth callback URL registered with the provider and configured in Authwall, such as AUTHWALL_GOOGLE_REDIRECT_URL. |
| Refresh token | A provider token that can request new access tokens without another browser approval step. Authwall does not depend on refresh tokens for normal sign-in. |
| Root secret | The secret configured with AUTHWALL_SECRET or generated in data/secret.key; Authwall derives the session secret from it via HKDF. CSRF tokens are random per-session values and are not derived from it. |
| Seed user | A bootstrap user created at startup from AUTHWALL_SEED. Useful for initial deployments or test environments. |
| Session | The server-side record and browser cookie that keep a user signed in. Sessions include user id, user uid, IP, user agent, expiration, and CSRF data. |
| Sign-in flow | One enabled way to authenticate, such as username/password, email/password, magic link, magic code, or an OAuth provider. |
| Upstream application | The protected application Authwall forwards allowed requests to. Its URL is configured with AUTHWALL_UPSTREAM_URL; AUTHWALL_UPSTREAM_MODE controls how requests are proxied to it. |
| Upstream headers | Headers that Authwall adds to or removes from upstream requests using AUTHWALL_SET_HEADERS and AUTHWALL_UNSET_HEADERS. |
| User UID | The stable public user identifier forwarded to the upstream application in X-Auth-User. |
| Verified email | An email address that Authwall or an OAuth provider has confirmed. OAuth access rules require a verified provider email when allow or deny rules are configured. |
| X-Auth-User | The request header Authwall sets on authenticated upstream requests. Its value is the signed-in user's uid. Incoming X-Auth-* headers are removed before proxying. |
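The access-rule entries above (access rules, allow list, deny list, verified email, normalized identity value) describe an evaluation order rather than show it. The following is an added example, not Authwall's own code, that implements that order: the deny list is consulted first, an allow list, when present, rejects every unlisted address, matching uses the normalized (lowercased) email, and rules only bind to a verified email. The rule syntax (`@domain` for a whole domain, otherwise a full address), the `AccessRules` class and the sample addresses are assumptions constructed for the example.

```python
"""Access-rule evaluation as an added example (not Authwall's code). Order
follows the glossary: deny list first, then allow list; a configured allow list
denies every unlisted address. Rule syntax ("@domain" for a whole domain,
otherwise a full address), the AccessRules class and the sample addresses are
assumptions."""
from dataclasses import dataclass, field
from typing import Optional


def normalize_email(email: str) -> str:
    """Canonical form used for matching and uniqueness: trimmed and lowercased."""
    return email.strip().lower()


def rule_matches(rule: str, email: str) -> bool:
    """A rule "@example.org" matches that domain exactly (no subdomains); any
    other rule must equal the full address. Both sides are compared normalized."""
    rule = normalize_email(rule)
    domain = email.rpartition("@")[2]
    if rule.startswith("@"):
        return domain == rule[1:]
    return email == rule


@dataclass
class AccessRules:
    deny: list[str] = field(default_factory=list)
    allow: list[str] = field(default_factory=list)

    def decide(self, email: Optional[str], verified: bool) -> tuple[bool, str]:
        """Return (allowed, reason). Once any rule is configured, an unverified or
        missing email is denied outright, because rules bind only to verified email."""
        if not self.deny and not self.allow:
            return True, "no rules configured"
        if not email or not verified:
            return False, "access rules require a verified email"
        addr = normalize_email(email)
        for rule in self.deny:  # deny wins even when an allow rule also matches
            if rule_matches(rule, addr):
                return False, f"denied by {rule}"
        if self.allow:
            for rule in self.allow:
                if rule_matches(rule, addr):
                    return True, f"allowed by {rule}"
            return False, "not on allow list"
        return True, "not on deny list"


if __name__ == "__main__":
    rules = AccessRules(deny=["@evil.test", "mallory@example.org"], allow=["@example.org"])
    for candidate in ["Alice@Example.org", "mallory@example.org", "bob@evil.test", "carol@other.test"]:
        print(candidate, rules.decide(candidate, verified=True))
```

Two details are worth keeping when adapting this: the domain rule compares the domain part exactly rather than with a string suffix, so `@example.org` cannot be satisfied by `alice@notexample.org` or by a subdomain, and the reason string is returned so the decision can be written to an auth event.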
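The OAuth state and PKCE entries describe what is stored before the redirect and what is checked at the callback. The block below is an added example, not Authwall's code, showing that bookkeeping on the proxy side: a random state and PKCE verifier are saved in the server-side session, the S256 challenge is sent to the provider, the login-or-connect intent is bound to the state, and the callback is accepted only if it carries the pending state, which is consumed so a replayed callback fails. The session layout, the intent encoding and the provider authorize endpoint are assumptions; the RFC 7636 test vector used in the check is from the standard.

```python
"""OAuth state and PKCE bookkeeping on the Authwall side, as an added example
(not Authwall's code). The session layout, the "login"/"connect" intent
encoding and the provider authorize endpoint are assumptions."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict[str, str]:
    """First value of each query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def begin_oauth(session: dict, intent: str, client_id: str, redirect_url: str,
                authorize_endpoint: str = "https://provider.example/oauth/authorize") -> str:
    """Record state, verifier and intent in the session; return the redirect URL.
    Binding the intent to the state lets the callback know whether to create a
    session (login) or link the identity to the current account (connect)."""
    if intent not in ("login", "connect"):
        raise ValueError("intent must be login or connect")
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
    session["oauth"] = {"state": state, "verifier": verifier, "intent": intent}
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_url,  # must equal the registered redirect URL exactly
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(query)}"


def handle_callback(session: dict, callback_url: str) -> tuple[str, str, str]:
    """Validate the provider callback and return (code, verifier, intent) for the
    server-side token exchange. The pending state is consumed first, so a
    replayed or duplicated callback fails even if its state was once valid."""
    pending = session.pop("oauth", None)
    if pending is None:
        raise PermissionError("no OAuth flow pending in this session")
    params = query_params(callback_url)
    if "error" in params:
        raise PermissionError(f"provider returned error: {params['error']}")
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise PermissionError("state mismatch: cross-site or stale callback")
    code = params.get("code", "")
    if not code:
        raise PermissionError("callback carried no authorization code")
    return code, pending["verifier"], pending["intent"]


if __name__ == "__main__":
    session = {}
    redirect = begin_oauth(session, "login", "client-123", "https://auth.example/auth/google/callback")
    print("redirect browser to:", redirect)
    # Constructed callback, as the provider would send it after approval.
    cb = "https://auth.example/auth/google/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=" + session["oauth"]["state"]
    print("callback accepted:", handle_callback(session, cb))
```

The token exchange itself (POSTing `code`, `code_verifier`, `client_id` and `client_secret` to the provider's token endpoint) happens on the server after `handle_callback` returns, which is what makes Authwall a confidential client.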
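The root secret entry states that the session secret is derived by HKDF while CSRF tokens are random. As an added example, not Authwall's code, the block below implements HKDF (RFC 5869, HMAC-SHA256, standard library only), derives a session signing key from a root secret, uses it to sign and verify a session cookie, and mints a CSRF token as a fresh random value. The salt and info labels, the cookie layout and the key length are assumptions; the HKDF check in the test uses RFC 5869's first test vector.

```python
"""Root secret to session secret via HKDF (RFC 5869, HMAC-SHA256, standard
library only), shown as an added example (not Authwall's code). The salt/info
labels, the cookie layout and the key length are assumptions."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hashname: str = "sha256") -> bytes:
    """HKDF-Extract then HKDF-Expand. An empty salt means HashLen zero bytes."""
    digest_size = hashlib.new(hashname).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length too large for HKDF")
    prk = hmac.new(salt or b"\x00" * digest_size, ikm, hashname).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashname).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_secret(root_secret: bytes) -> bytes:
    """Derive the cookie-signing key. The info label is an assumed fixed string;
    a different label would yield an independent key for another purpose."""
    return hkdf(root_secret, salt=b"", info=b"authwall session secret", length=32)


def sign_session_cookie(secret: bytes, session_id: str) -> str:
    """Cookie value = session id + "." + base64url(HMAC-SHA256(secret, session id))."""
    mac = hmac.new(secret, session_id.encode("utf-8"), "sha256").digest()
    return session_id + "." + base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def verify_session_cookie(secret: bytes, cookie: str) -> Optional[str]:
    """Return the session id if the MAC is valid, else None (constant-time compare)."""
    session_id, sep, _ = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = sign_session_cookie(secret, session_id)
    return session_id if hmac.compare_digest(expected.encode(), cookie.encode()) else None


def new_csrf_token() -> str:
    """Per-session CSRF tokens are random values, not derived from the root secret."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    key = session_secret(b"constructed-root-secret")  # constructed, not a real secret
    cookie = sign_session_cookie(key, "sess_01")
    print("cookie:", cookie)
    print("verifies as:", verify_session_cookie(key, cookie))
    print("csrf token:", new_csrf_token())
```

Rotating AUTHWALL_SECRET changes the derived key, so every existing session cookie stops verifying; the random CSRF token stored in the session record is unaffected by the rotation because it was never derived from the root secret.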
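The protected request, public path, upstream headers and X-Auth-User entries together describe how a request is rewritten before it is proxied. The block below is an added example, not Authwall's code, that applies those rules: a protected request without a session is refused, every incoming X-Auth-* header is dropped whatever its letter case so a client cannot impersonate a user, X-Auth-User is set to the session's uid, and the operator's unset and set lists are applied. The AUTHWALL_SET_HEADERS / AUTHWALL_UNSET_HEADERS syntax, the `/auth/` prefix for Authwall's own routes, the public-path matching rule and the sample headers are assumptions.

```python
"""Header handling for a protected request, as an added example (not Authwall's
code). The AUTHWALL_SET_HEADERS / AUTHWALL_UNSET_HEADERS syntax, the /auth/
route prefix and the public-path matching rule are assumptions."""
from typing import Optional

AUTHWALL_PREFIX = "/auth/"  # assumed location of Authwall's own routes


def needs_session(path: str, public_paths: list[str]) -> bool:
    """A request is protected unless it targets Authwall itself or a public path.
    Assumed matching: an entry ending in "/" is a prefix, anything else is exact."""
    if path.startswith(AUTHWALL_PREFIX):
        return False
    for public in public_paths:
        if public.endswith("/") and path.startswith(public):
            return False
        if path == public:
            return False
    return True


def parse_set_headers(spec: str) -> dict[str, str]:
    """Assumed syntax: "Name: value, Other-Name: value"."""
    out: dict[str, str] = {}
    for item in spec.split(","):
        name, sep, value = item.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out


def parse_unset_headers(spec: str) -> list[str]:
    """Assumed syntax: comma-separated header names."""
    return [name.strip() for name in spec.split(",") if name.strip()]


def upstream_headers(incoming: dict[str, str], session_uid: Optional[str],
                     set_headers: dict[str, str], unset_headers: list[str]) -> dict[str, str]:
    """Build the header set forwarded to the upstream for a protected request."""
    if not session_uid:
        raise PermissionError("protected request without a signed-in session")
    # Drop every client-supplied X-Auth-* header, whatever its letter case, so the
    # upstream can trust only the identity header Authwall sets below.
    headers = {k: v for k, v in incoming.items() if not k.lower().startswith("x-auth-")}
    headers["X-Auth-User"] = session_uid
    # Operator lists: unset first, then set, so a header can be replaced by naming
    # it in both (assumed order).
    for name in unset_headers:
        for key in [k for k in headers if k.lower() == name.lower()]:
            del headers[key]
    headers.update(set_headers)
    return headers


if __name__ == "__main__":
    # Constructed request: the client tries to smuggle its own X-Auth-* headers.
    request = {"Host": "app.internal", "X-Auth-User": "attacker", "x-auth-role": "admin",
               "X-Debug": "1", "Accept": "*/*"}
    print(upstream_headers(request, "usr_7f3a",
                           parse_set_headers("X-Proxied-By: authwall"),
                           parse_unset_headers("X-Debug")))
```

The stripping is by case-insensitive prefix rather than by exact name, which matters because HTTP header names are case-insensitive and most frameworks would otherwise expose `x-auth-user` and `X-Auth-User` as the same header to the upstream.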