High-Level Overview

The following sections describe relationships between key terms and concepts in Anon’s platform:

Anon Concepts

  • Your Organization has Members.
  • A Member may call Anon’s endpoints with their session_tokens.
  • A UserPool organizes a group of end users and may be associated with multiple webapp SdkClients.
  • A webapp SdkClient may be used to distinguish different clients that interact with the same UserPool.

Generating JWTs

  • Your identity provider generates a public/private key pair, represented as a JSON Web Key (JWK).
  • Your identity provider generates a JSON Web Token (JWT) and signs it with the private key. Anon refers to this token as an appUserIdToken.
  • An appUserId is your user’s id, which is encoded in the "sub" field of the appUserIdToken.

How Anon validates your JWTs

  • A JSON Web Key Set (JWKS) represents a set of (one or more) JWKs.
  • Your public JWKS URL exposes the public key(s).
  • A UserPool points to a JWKS.
  • A webapp SdkClient points to a UserPool.
  • Anon uses your JWKS to validate your JWTs (specifically user id tokens).
  • Anon uses the appUserIdTokens to discriminate between users.

Organization

An Organization represents your company in Anon’s system.

Member

A Member is someone from your company who can use your Organization. There are two types:

  • Admin Member: Can create new UserPools, SdkClient instances, and add other members.
  • Read-only Member: Can only view resources, without the ability to create or modify them.

Session Token

A session_token is an ory token (ory_*) that authenticates your Member to Anon, allowing access to Anon’s endpoints, such as creating a UserPool or an SdkClient. To generate new session_tokens, log in as a Member.

API Key

An ApiKey is an ory token (ory_*) used to authenticate your backend services to Anon, allowing your backend to call Anon’s API endpoints. An ApiKey is generated via your service SdkClient (service account).

UserPool

A UserPool represents a group of end users. It points to a JWKS used to validate your users’ credentials. Specifically, it tracks your OAuth provider’s JSON Web Key Set (JWKS), which is a set of JSON Web Keys (JWKs) used to verify JSON Web Tokens (JWTs) issued by an Authorization Server.

A UserPool could be:

  • Anon-provided: In older credential-generating processes, Anon provides a 1Password file containing a JWKS, including its private key. To generate additional JWTs for it, use this script.
  • Anon-hosted: The endpoint /org/userPool allows generating an Anon-hosted UserPool. To generate additional JWTs for it, use the endpoint /appUserIdToken.
  • Self-provided: For security best practices, create a UserPool by using the JWKS from your own identity provider.

SDK Client

An SdkClient allows your applications and services to authenticate with Anon.

There are two types of SdkClient:

  • A webapp SdkClient (has an associated UserPool) is for your frontend apps, providing info for Anon’s Link SDK to save user sessions. We use the SdkClient’s clientId to identify the UserPool that the end-user belongs to.
  • A service SdkClient (has an associated ApiKey) allows your backend apps to authenticate to Anon’s API endpoints.

App User ID Token

An appUserIdToken is a JWT used by your end-user to access your own webapp, as well as Anon.

When a user logs into your app, your identity provider generates an appUserIdToken for them. This can be used for Anon as well — so just by logging into your app, your end-user also gets logged into Anon.

App User ID

An appUserId is the sub field of your end-user’s JWT (appUserIdToken), which can be inspected using https://jwt.io.

It is the same id your internal system uses for the end user, often a UUID or ObjectId.