Digital Toolkit


The glossary contains terms that are commonly used throughout the documentation.

Access token

This represents and enables authorized access to data provided by an OAuth 2.0-based API.

Must be kept confidential.

When an Access Token becomes invalid or expires, a new Access Token can be obtained via a Refresh Token.


Account

An account refers to one of a user’s banking accounts (including types such as Checking, Savings, and Loans).


API

This acronym stands for application programming interface.


Cards

Within the context of plugins: These are UI summary views that are displayed using a card-like visual metaphor on the dashboard for Banno’s built-in features as well as plugins.

Within the context of APIs: These refer to credit cards or debit cards.

Confidential client

Confidential clients are OAuth clients that can keep their API credentials secret (e.g. secure servers).


Banking software that provides basic functionality (including general ledger, transactions, and transfers) for financial institutions.


Dashboard

This is the primary UI that a user typically sees when they use Banno Online & Mobile.

The dashboard displays a set of UI summary cards, which includes Banno’s built-in features as well as plugins.

Financial institution

A bank or credit union.

Identity token

This represents authenticated identity information about a user in an OpenID Connect-based API.


JSON

This acronym refers to JavaScript Object Notation, the data-interchange format used in the API.


OAuth 2.0

The OAuth 2.0 industry standard allows users to delegate scoped access to third parties who wish to act on the user’s behalf.

OpenID Connect (OIDC)

The OpenID Connect (OIDC) industry standard is an identity layer built on top of OAuth 2.0 that provides authenticated information about the user to third party apps.

PKCE (Proof Key for Code Exchange)

PKCE (pronounced ‘pixie’) is an extension that adds security to the OAuth 2.0 authorization code flow.


Plugins

These are web apps that can be configured to display as cards in a user’s dashboard in Banno Online & Mobile.

An optional primary action button can be used to take users to a full-screen web view of your application.

Plugins are sometimes referred to informally in the developer community as “card/cards” or “tile/tiles”, but the correct terms are “plugin/plugins”.

Public client

Public clients are OAuth clients that are incapable of keeping their API credentials secret, such as mobile apps or single-page applications (SPA).

Refresh token

A credential used to obtain a new access token per this RFC.


REST

Acronym for Representational State Transfer, the software architectural style used by the API.


See plugins.

Last updated Tue Jul 18 2023