Resilience documentation
Glossary
Definitions of the terms that appear throughout this documentation.
A reader navigating these docs encounters a small set of terms repeatedly. This page defines them in one place. Each entry is a working definition; the section it links to carries the full argument.
Application. A system that sends authentication requests to Authonomy and receives an authentication result. Applications terminate authentication against Authonomy; they do not observe which login method served the request.
Audit trail. The append-only durable record of every operation, state transition, configuration change, and routing decision at an Authonomy instance. Each instance writes its own audit trail to its own durable storage. Aggregation across instances is a deployment concern outside the resiliency surface. See Audit continuity.
Authoritative source. The customer’s designated primary identity provider, which holds authority for the identity population and its lifecycle. No replica ever displaces the authoritative source as the system of record for identity.
Canonical view. An Authonomy instance’s local representation of the identity population under its scope: users, groups, entitlements, and (by default) registered Authonomy-native credentials. The view is synced from the customer’s authoritative source within the drift window.
Credential store. The persistent home for credential material registered with Authonomy — WebAuthn public keys, TOTP seeds, password hashes, and administrative credentials — or for the keys used to protect that material. By default the store is the instance database; deployments with stronger key-custody requirements externalize it to a keystore (HSM, cloud KMS).
Database. The persistent state store for an Authonomy deployment: the canonical view, the audit trail, the operations queue, the session and state store, and (by default) credential material.
Drift window. The maximum permitted staleness of a replica relative to its source of authoritative state. It is a sync-lag bound, not an outage-duration bound: severance extends effective staleness by the severance duration, and staleness resumes converging to the window on reconnect. See Understand the drift window.
Failover. The router’s selection of a non-primary login method when the primary is unavailable. Method-level failover (an external provider becoming unreachable) and site-level failover (an instance at a site losing WAN to its providers) are the same mechanism applied at an instance whose set of reachable methods has narrowed. See Failover behavior.
Federation. The platform component that establishes and maintains the configuration at each external identity provider required for Authonomy to manage authentication against it.
Health monitor. The component that continuously evaluates the availability of every configured login method, combining synthetic probes, live-traffic observations, and upstream signal into a state classification of healthy, degraded, or unavailable. See Health monitoring.
Health state. One of healthy (route normally), degraded (route, but prefer an alternative where routing expresses preference), or unavailable (do not route). Transitions between states are gated by stabilization windows.
Just-in-time enrollment. The default mechanism by which floor credentials are registered with Authonomy: at first authentication through Authonomy via any external method, the instance prompts the user to register a floor factor before completing the authentication flow. See The native floor.
Login method. One of the options a routing rule selects for serving an authentication request: an external primary identity provider, an external secondary identity provider, or Authonomy’s native authentication. The router evaluates login methods against the health monitor’s state per request.
Native authentication. Authentication served by Authonomy against credentials Authonomy holds in its credential store: WebAuthn, TOTP, and password for users, plus administrative credentials where configured. It is the continuity floor in the routing ladder because it does not depend on any external identity provider.
Operations console. The operator-facing view onto current state, recent history, in-flight operations, and pending conflicts. The primary surface for manual action.
Operations framework. The persistent work system that runs every long-running or asynchronous operation: queue, worker pools, retry with backoff, idempotency via deduplication keys, per-record progress tracking.
Orphan reconciliation. A sync mode that detects replica records with no corresponding authoritative record and removes them. Exists to close gaps in the incremental sync path.
Replica. Any non-authoritative representation of authoritative state. The deployment database is a replica of the customer’s authoritative identity source. Replicas serve authentication against last-known state; they do not assert authoritative claims about the identity lifecycle.
Router. The health-aware decision-making component that selects a login method per request against an application’s priority-ordered routing configuration.
Routing configuration. The per-application ordered list of rules mapping request scope to login method. Held in Authonomy’s routing model, not at the providers; consulted at request time against the health monitor.
Scope (instance). The subset of the customer’s identity population represented in an instance’s canonical view. The scope and the enrollment policy for locally verifiable factors together determine which subjects can authenticate at the instance during a WAN severance.
Session and state store. The shared persistent store for stateful parts of authentication — refresh-token state, multi-step authentication flow state, shared operational state. Stateless bearer validation at the edge does not require the store.
Severance. An instance’s loss of connectivity to one or more of its upstream paths: external identity providers, the deployment database, or the keystore in externalized-keystore topologies. During severance from external providers, the instance serves authentication against whichever methods remain reachable.
Stabilization window. The interval applied between a raw health classification change and the corresponding state transition that the router consults. Prevents routing from oscillating on transient signals.
Sync engine. The component that keeps the deployment database in agreement with the customer’s authoritative identity source over time. Supports full, incremental, targeted, and orphan-reconciliation modes. See Reconciliation and drift.
Targeted sync. An operator-initiated sync for a specific user, attribute, or scope. Used when a change needs to reach the deployment database faster than the incremental cadence provides.