Glossary
Definitions of key terms and concepts in PDaaS.
A
Access Key
The public, non-secret identifier of an API key, sent in the Authorization header so the server knows which secret key to verify against. Format: sa_{org_slug}_{account_id}_{random}.
Access Token
Short-lived JWT (15-60 minutes) that users present to authenticate API requests. Carries claims about the user and their current context; the short lifetime bounds how long a leaked copy remains usable.
Account
A sub-division within an organization for logical separation (e.g., production, staging, dev, or teams, projects, customers).
Action
An operation that can be performed on a resource (e.g., accounts:Get, users:Create). Used in IAM policies.
RID (Resource ID)
Standardized format for uniquely identifying resources. Format: rid:pdaas:{resource-type}:{resource-id}.
Audit Trail
Immutable log of all actions performed in PDaaS, used for security monitoring, compliance, and debugging.
C
Condition
Contextual restriction on an IAM policy statement (e.g., source IP address, time of request, string matching on a request attribute) that must be satisfied for the statement to take effect. An unmet condition makes the statement inapplicable; it does not by itself deny the request.
Correlation ID
Unique identifier (x-correlation-id) assigned to each request for tracing and debugging across services.
E
Effect
The result of an IAM policy statement, either "Allow" or "Deny".
G
Group
A collection of users and/or service accounts that can have policies attached for permission management.
H
HMAC (Hash-based Message Authentication Code)
Symmetric message-authentication construction (HMAC-SHA256) used for service account authentication. The client computes a tag over the request with its secret key and the server recomputes it with the same key. Unlike a digital signature, a valid tag proves nothing to third parties, because anyone holding the key can produce one.
I
IAM (Identity and Access Management)
AWS-style authorization system using policies, groups, and conditions to control access to resources.
Inline Policy
A policy attached directly to a specific user or service account (not reusable).
J
JWT (JSON Web Token)
Signed token format (base64url-encoded header, payload, and signature) used for user authentication. Carries claims about the user's identity and permissions; the server must verify the signature before trusting any claim.
M
Managed Policy
A reusable policy that can be attached to multiple groups. Defined once, used many times.
MFA (Multi-Factor Authentication)
Additional security layer requiring a second form of authentication (TOTP or WebAuthn) beyond password.
N
Nonce
Unique per-request value (x-nonce header) bound into the HMAC computation so that a captured request cannot be replayed: the server rejects any nonce it has already seen. Must be unique per request.
O
Organization
Top-level tenant container in PDaaS. Has a unique 6-character slug and complete data isolation from other organizations.
Organization Service Account
Service account created by admins for shared automation (CI/CD, integrations). No quantity limit.
P
Personal Service Account
Service account owned by an individual user for personal API access. Maximum 2 active per user.
Policy
JSON document defining permissions using IAM syntax. Specifies who can do what on which resources.
R
Refresh Token
Long-lived token (7-30 days) used to obtain new access tokens without re-authentication.
Resource
An entity in PDaaS (organization, account, user, service account, group, policy) that can be operated on.
S
Secret Key
The secret half of an API key, used to compute the HMAC tag over each request. Displayed only once, at creation, and cannot be retrieved afterwards. It is never sent in a request; only the tag derived from it is.
Service Account
Non-human actor for programmatic API access. Uses HMAC authentication instead of passwords.
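The HMAC, Nonce, Secret Key and Service Account entries above describe one mechanism. The following is an added example of that mechanism in Python, not PDaaS's own code: the canonical-string layout, the PDAAS-HMAC-SHA256 Authorization scheme, the x-timestamp header and the skew and nonce-TTL values are assumptions made for illustration; only the x-nonce header and the sa_{org_slug}_{account_id}_{random} access-key shape come from the glossary.

```python
"""Added example: HMAC-SHA256 request signing and verification for a PDaaS-style
service account. Not PDaaS's own code. The canonical-string layout, the
Authorization scheme, the x-timestamp header and the skew/TTL values are
assumptions; only x-nonce and the access-key shape come from the glossary."""
import hashlib
import hmac
import secrets
import time

# Constructed credential: sa_{org_slug}_{account_id}_{random}; the secret is made up.
ACCESS_KEY = "sa_ab12cd_7_9f3k2m8q"
SECRET_KEY = "c2VjcmV0LWtleS1mb3ItZXhhbXBsZS1vbmx5"
SKEW_SECONDS = 300              # assumed: how stale a request may be
NONCE_TTL = 2 * SKEW_SECONDS    # nonces must be remembered for the whole accept window


def canonical_string(method, path, body, access_key, nonce, timestamp):
    """Assumed layout. Everything the server checks is bound into the MAC,
    so changing any field invalidates the tag."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, access_key, nonce, str(timestamp), body_hash])


def compute_mac(secret_key, canonical):
    return hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_request(method, path, body, access_key, secret_key, nonce=None, timestamp=None):
    """Client side. Only the MAC and the public access key travel; the secret never does."""
    nonce = nonce or secrets.token_hex(16)
    timestamp = int(time.time()) if timestamp is None else timestamp
    mac = compute_mac(secret_key, canonical_string(method, path, body, access_key, nonce, timestamp))
    return {
        "Authorization": f"PDAAS-HMAC-SHA256 AccessKey={access_key}, Signature={mac}",
        "x-nonce": nonce,
        "x-timestamp": str(timestamp),
    }


class Verifier:
    """Server side. Holds the same secrets (HMAC is symmetric) plus a replay cache."""

    def __init__(self, keys, now=time.time):
        self.keys = keys    # access key -> secret key
        self.seen = {}      # nonce -> time after which it may be forgotten
        self.now = now      # injectable clock, so tests are deterministic

    @staticmethod
    def _parse_auth(header):
        scheme, _, params = header.partition(" ")
        if scheme != "PDAAS-HMAC-SHA256":
            return None
        fields = {}
        for part in params.split(","):
            name, sep, value = part.strip().partition("=")
            if sep:
                fields[name] = value
        return fields.get("AccessKey"), fields.get("Signature")

    def verify(self, method, path, body, headers):
        parsed = self._parse_auth(headers.get("Authorization", ""))
        if not parsed or None in parsed:
            return False, "malformed Authorization header"
        access_key, presented = parsed
        secret = self.keys.get(access_key)
        if secret is None:
            return False, "unknown access key"
        try:
            nonce, ts = headers["x-nonce"], int(headers["x-timestamp"])
        except (KeyError, ValueError):
            return False, "missing nonce or timestamp"
        now = self.now()
        if abs(now - ts) > SKEW_SECONDS:
            return False, "timestamp outside allowed skew"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # drop expired nonces
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = compute_mac(secret, canonical_string(method, path, body, access_key, nonce, ts))
        if not hmac.compare_digest(expected, presented):   # constant-time comparison
            return False, "bad signature"
        self.seen[nonce] = now + NONCE_TTL   # record only after the MAC checks out
        return True, "ok"
```

Two details matter in practice: the nonce is recorded only after the tag verifies, so an attacker cannot burn nonces for a legitimate client by sending garbage, and the nonce cache must outlive the timestamp skew window, otherwise a captured request becomes replayable again as soon as the nonce is forgotten.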
Slug
A unique 6-character identifier for an organization. Format: [0-9a-z]{6}. Used in API keys and subdomains.
Soft Delete
Deletion method that marks resources as deleted (deleted_at timestamp) but preserves data for audit and recovery.
Statement
A block within an IAM policy that specifies Effect, Action, Resource, and optional Conditions.
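The Action, Condition, Effect, Policy and Statement entries describe how a request is matched against policy statements. The following is an added example of an evaluator for that model, written for this glossary and not PDaaS's authorization engine. The AWS-style semantics it assumes (default deny, an explicit Deny overriding any Allow, "*" as the only wildcard), the StringEquals and IpAddress operators, and the SourceIp context key are illustrative choices; the accounts:Get / users:Create actions and the rid:pdaas:... resource format come from the glossary.

```python
"""Added example: a minimal evaluator for PDaaS-style IAM policies. Not PDaaS's
engine. Assumed AWS-style semantics: default deny, an explicit Deny overrides
any Allow, "*" is the only wildcard in Action and Resource, and the
StringEquals / IpAddress condition operators and the SourceIp context key are
illustrative names."""
import ipaddress
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """Match with "*" as the only wildcard; everything else is literal."""
    for pattern in _as_list(patterns):
        regex = "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"
        if re.match(regex, value):
            return True
    return False


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; a missing or malformed context value fails it."""
    for operator, clauses in (condition or {}).items():
        for key, expected in clauses.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "IpAddress":
                try:
                    ip = ipaddress.ip_address(actual)
                except ValueError:
                    return False
                if not any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, ctx=None):
    """Returns "Allow", "ExplicitDeny" or "ImplicitDeny"; keeping the two denies
    distinct is what makes an audit trail entry explain itself."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt["Effect"] not in ("Allow", "Deny"):
                raise ValueError(f"bad Effect: {stmt['Effect']!r}")
            if not (_glob_match(stmt["Action"], action) and _glob_match(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition"), ctx):
                continue   # unmet condition: the statement simply does not apply
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # deny wins no matter what else matches
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed managed policy using the glossary's action and RID formats.
CONSTRUCTED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "accounts:Get", "Resource": "rid:pdaas:account:*"},
        {"Effect": "Allow", "Action": "users:Create", "Resource": "rid:pdaas:user:*",
         "Condition": {"IpAddress": {"SourceIp": ["10.0.0.0/8"]}}},
        {"Effect": "Deny", "Action": "users:*", "Resource": "rid:pdaas:user:admin-*"},
    ]
}
```

The third statement shows why evaluation must not stop at the first Allow: creating rid:pdaas:user:admin-root from 10.1.2.3 satisfies the second statement, but the Deny still has to be found and must win.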
T
TOTP (Time-based One-Time Password)
MFA method generating 6-digit codes that change every 30 seconds. Compatible with Google Authenticator, Authy, etc.
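The MFA and TOTP entries describe codes that change every 30 seconds. The following is an added example, not PDaaS's MFA code, of how such a code is derived and checked using only the Python standard library. The defaults (HMAC-SHA-1, 6 digits, 30-second step) are what Google Authenticator and Authy use; the one-step drift window and the last-accepted-counter check are design choices made here, not documented PDaaS behaviour. The reference secret and the expected codes are the published RFC 6238 test vectors.

```python
"""Added example: TOTP (RFC 6238) generation and verification with the standard
library. Not PDaaS's MFA code. SHA-1 / 6 digits / 30 s match common
authenticator apps; the drift window and replay check are design choices."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); its test vectors are public.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """The counter is the number of whole time steps since the Unix epoch,
    which is why a code stays the same for a whole 30-second step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, last_counter=-1, step=30, digits=6, window=1):
    """Returns the accepted counter, or None.

    Accepts `window` steps either side of now to tolerate clock drift, compares
    in constant time, and refuses any counter <= last_counter so a code that
    was already used (or shoulder-surfed) is not accepted again inside its
    validity window. Callers persist the returned counter as the user's new
    last_counter."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    at = int(time.time()) if at is None else at
    current = at // step
    for offset in range(-window, window + 1):
        candidate = current + offset
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(encoded):
    """Authenticator apps are enrolled with the secret in base32 (otpauth:// URIs)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
```

The drift window is a security trade-off: each extra step accepted roughly doubles an online guesser's chance per attempt, so pair it with rate limiting, and the last-counter check is what stops the same six digits from being accepted twice.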
U
User
Human actor who authenticates with email/password. Can belong to multiple accounts and have different permissions per account.
W
WebAuthn
MFA standard supporting platform biometrics and hardware security keys (YubiKey, etc.). Stronger than TOTP because the authenticator signs a server challenge bound to the site origin, so the second factor cannot be phished or relayed to another site the way a typed code can.