App User

An end user whose identity may be created or managed by the Team Member.

Authorization Server

A server that verifies that a user has permission to access a protected resource. The authorization server authenticates the Resource Owner and issues access tokens to apps.

Client or Client Application

Software that runs in a browser or on a device. A client app may request access to a protected resource.


Express

The short name for ForgeRock Identity Cloud Express.

Express Console

Graphical interface used by Team Members to manage their ecosystem. For example, Team Members can use the Express console to set up users, tenants, apps, and more.


ForgeRock as a Service.

Native App

An application installed on a device, such as a mobile phone; a native app is distinct from a web app that runs in a browser.

OAuth 2.0

OAuth 2.0 is a delegation protocol for conveying authorization decisions across a network of web-enabled applications and APIs.

OpenID Connect (OIDC)

OpenID Connect is an authentication layer on top of the OAuth 2.0 protocol. Clients can use OIDC to verify the identity of an end user, as well as get basic profile information about that user.

Resource Owner

An entity, typically a user, who can grant access to a protected resource. The protected resource could be personally identifiable information (PII), for example.

Resource Server

A host for protected resources using OAuth 2.0. A Resource Server responds to requests from clients that present access tokens.


SAML

SAML (Security Assertion Markup Language) is not supported by Express.


Scope

A scope is a set of (OAuth 2.0) rights to a protected resource. Client apps can use access tokens to request scopes. Authorization Servers can allow or deny such requests. For more information, see the following page: Scopes.

Service App

Also known as a machine-to-machine (M2M) app, which typically does not require human interaction.

Redirect URL

After an app authenticates a user, the app forwards the user to the specified URL.

Sign-Out Redirect URL

When a user signs out of an app, the app forwards the user to the specified URL.

Single-Page App (SPA)

An app that runs entirely in the browser. Also known as a browser-based app.

Team Member

A ForgeRock administration console user.


Tenant

A single, isolated instance of the admin console. A Tenant contains apps, users, devices, and rules.

Tenant Name

The domain associated with your deployment of Express. You’ll see it in the URL associated with your admin console: https://ui-{tenantName} By default, emails sent from Express include a "from" address of [email protected]{tenantName}.com.


Token

An object that enables the secure exchange of information between servers. Express uses JSON Web Tokens (JWT), specifically access tokens, ID tokens, and refresh tokens.

User Profile

User information and metadata.

User Agent

The agent used by the Resource Owner to interact with the Client, such as a browser or a native application.

Web App

A traditional application that runs mostly on the server.
