10Duke Enterprise release 3 documentation is no longer being updated


This is a list of terms and abbreviations used in 10Duke Enterprise documentation.


Access token

A token that allows a client application to call 10Duke APIs in a secure manner.

After successful authentication using OpenID Connect/OAuth, 10Duke Enterprise returns an access token (a random character string). The client application includes this token in later API requests to inform 10Duke Enterprise that the application is authorized to access the API.

Activation code

Activation codes are a mechanism that allows you to distribute licenses that your customers can redeem later.

Based on the provisioning and activation code configuration you set up in 10Duke Enterprise, licenses are automatically created and granted when customers use the activation codes you have generated for them.

Aggregated licensed item

An aggregated licensed item is contained in another licensed item as a “child” item. A common use case for aggregated licensed items is to define a list of product features that the license consumer has access to.

When a license consumer accesses a resource defined by an aggregated license item, they consume the license of the “parent” item (the aggregating licensed item).

Aggregating licensed item

An aggregating licensed item contains other licensed items.

When licenses are granted, they apply to the “parent” aggregating licensed item. License consumers consume that license when accessing any of the “child” resources.


Authentication means the verification of a user’s identity. 10Duke Enterprise can authenticate users or rely on authentication by a trusted external identity provider.


Authorization means determining if access to protected resources has been granted.

10Duke Enterprise provides a licensing solution for controlling access to your application and role-based access control for restricting user access to administration tools and APIs.

Interaction with 10Duke APIs uses OAuth for authorizing access to the APIs.

Built-in role

Built-in roles are predefined default system roles that 10Duke Enterprise automatically grants to users.

For example, every user is by default granted the “Viewer” role that provides very limited access. A user who has successfully logged in is granted the “Authenticated User” role, which grants more permissions.

Client application

A client application is any system integrated to 10Duke Enterprise that interacts with the 10Duke APIs.

Your application that the end user uses through a license is a client application. It can be, for example, a desktop, mobile, or web application, or a physical device (a machine or PC).

Other examples of client applications are possible administration user interfaces and CRMs integrated with 10Duke Enterprise.

Client role

Client roles can be used to control end user access in the client applications.

In many cases, the license controls what the end user can and cannot do in the client applications. If needed, you can also use 10Duke Enterprise for role-based access control in your client applications. You can manage both licenses and role-based access centrally in 10Duke Enterprise, and let your client application ask for all authorization decisions from 10Duke Enterprise.


Your customers can be companies or individual consumers, depending on whether you’re selling your software on the B2B or B2C market (or both).

Device client

A device client is a machine or PC on which your licensed software application is running. The device client is the one consuming a license instead of the end user who is using the software.

From the 10Duke Enterprise point of view, a device client is an OAuth client application that is governed by a specific organization and that authenticates itself for authorized API access.

Device client group

Device client groups are used for giving device clients access to organization licenses in entitlements.

When organizations authorize their device clients to consume the organization’s licenses, they do this by granting access per device client group, not per individual device client.

End user

An end user is someone who has access to your software application through a license.

In identity-based licensing, they’re a registered user who has been granted access to the license. In device-based licensing, they can be any person who has access to the device where your software is running, and the device client is the one that has been granted access to the license.

Depending on who you’re selling licenses to, end users can be users of your software at a customer company who has purchased licenses from you (for example, the company’s employees or contractors), or they can be your direct consumer customers.


An entitlement is a collection of licenses granted to an organization or a consumer user. The latter is called a personal entitlement.

An organization’s entitlement defines which groups of users and device clients are authorized to consume the licenses in that entitlement.

Feature flag

In 10Duke Enterprise, the term used for this is “aggregated licensed item”. Aggregated licensed items can be used to define a list of product features that the license consumer has access to.

Federated identity

In identity federation, user identities are linked across multiple systems.

Licensee organizations may have their own identity provider that they want to use as the single source of truth for their user identity data. 10Duke Enterprise can rely on an external identity provider to authenticate end users, for example, by using OpenID Connect or SAML for single sign-on.

Floating license

A floating license uses a license model where a limited number of licenses to your application are shared among a larger number of users or device clients.

For example, an organization might have purchased a 20-seat floating license, and they have 30 employees who consume the seats from a “central pool” when they need access to your application.

ID token

A JWT token that contains the details of an authenticated end user.

When an end user has been successfully authenticated using OpenID Connect, 10Duke Enterprise returns an ID token to the client application containing the end user’s details. When using an external identity provider for user authentication, 10Duke Enterprise can also rely on ID tokens granted by the external identity provider.

Identity provider

An identity provider provides user identity and authentication services.

In identity-based licensing scenarios, 10Duke Enterprise needs to know the end user who is consuming licenses. To authenticate end users, 10Duke Enterprise can act as the identity provider itself or rely on authentication by a trusted external identity provider.

Identity proxy

An identity proxy is a service used as an identity provider that actually provides a connection to another identity provider.

When an external identity provider is used, client applications can still connect to 10Duke Enterprise for authenticating users. 10Duke relays the authentication to the external identity provider, in practice working as an identity proxy.

Internal role

Internal roles are used to grant permissions in the scope of the whole system. You typically use internal roles for your own system administrator users.


Invitations are used for inviting new users and device clients to the system and for inviting existing users and device clients to user groups or device client groups to authorize access to licenses. User invitations can also assign roles to users.

The invitation recipient can accept or decline the invitation for themselves or for the device client, depending on the type of invitation.

Invitation token

An invitation token that authorizes access to an invitation for the invitation recipient.

10Duke Enterprise generates the invitation token (a random character string), and the token must be provided to the recipient (usually as part of the URL to the welcome page) and be kept intact until the invitation has been accepted or declined. An invitation can have multiple tokens associated with it.


A license describes a contract between the licensor (you) and a licensee (a customer who has purchased your software). Your licensed software connects to 10Duke Enterprise for authorizing access to the software.

You grant licenses to customers using product packages. In practice, they get a separate license for each licensed item in a product package.

You can apply different types of license credit when granting licenses, for example, grant seats or use time.

License consumption

End users and device clients consume licenses when they access a resource (such as your software application or a feature in it) that is protected by a license. Licenses can be consumed in online or offline mode.

License consumer

A license consumer can be either a user who is consuming an organization license or a personal license, or a device client that is consuming an organization license.

License credit

License credit refers to the type and quantity of consumption that a license allows.

A license can specify credit in the form of seats (which limits the number of users or device clients consuming the license), use count (which limits the total number of times the license can be consumed), and use time (which limits the total consumption time).

License lease

A license lease is a time-limited authorization to consume a licensed resource, conveyed to the client application in a license token.

The lease provides information on the licensed item that the user or device client is authorized to consume, the license they’re consuming, and the validity time of the lease.

10Duke Enterprise creates the license lease when the user or device client starts consuming a license, and returns a license token that describes the lease. When the lease is about to expire, the client application can request to extend the lease.

License management

License management means the configuring, granting, assigning, reconciling, revoking, and terminating of licenses.

In addition to the licensor carrying out these tasks, licensees have access to a limited set of tasks in the 10Duke OrgAdmin tool, their primary need being license assignment.

License model

A license model defines how the licenses associated with the model can be managed by licensees and consumed by users and device clients. It reflects the business terms on which you as a vendor are granting a license to your customer.

You associate your licensed items with a license model through a product package.

License seat

A license seat allows license consumption to one user or device client at a time for the duration of the license lease. When granting a license, you define how many seats are available.

Seats can be floating or named depending on the license model, and organizations can make seat reservations for their users and device clients.

License server

A license server is an application that a software vendor uses to manage the licenses they issue to their customers.

In a traditional solution, a license server may be deployed on premise at the customer’s site. In more modern solutions, the license server is typically located in the cloud. 10Duke Enterprise is a cloud-based licensing solution.

License token

A secure JWT token that 10Duke Enterprise sends to the client application when a user or device client starts consuming a license. The license token describes the license lease, and the client application uses the token to enforce the license terms.

Licensed item

A resource you want to license, such as your software application, or a feature or a collection of features in the application.


A customer that has purchased a license from you. A licensee can be a company or a consumer customer.


Licensing refers to the whole set of tools and interactions where a licensor issues licenses and licensees purchase and administer them.


This is you, the software vendor: the company that grants licenses to licensees.

Multi-factor authentication

Multi-factor authentication (MFA) requires a user to provide two or more authentication factors to access a system.

In 10Duke Enterprise user authentication, two-factor authentication (2FA) can be used with a device or an application (such as Google Authenticator) that can generate time-based one-time passwords (TOTP).

Named seat license

A named seat license uses a license model where each seat is reserved for a named user or device client. The seat can only be consumed by that user or device client, and they must have a seat reservation to be able to consume the license.

Offline consumption

In offline consumption, the client application used by the end user goes offline, typically for a longer period of time. As the client application won’t be able to refresh the license token frequently to extend the license lease, it checks out the license for the longer period of time allowed for offline consumption.

Online consumption

In online consumption, the client application used by the end user stays online and refreshes the license token frequently to extend the license lease.


An organization represents a customer company in the system when you’re selling your products on the B2B market.

Organization role

An organization role grants permissions to access resources within a certain licensee organization. You typically use organization roles to control organization administrator access to OrgAdmin.


A permission to access or manage a protected resource in the system, for example, to create license models or to view organization licenses.

You grant permissions to users through roles.

Perpetual license

With a perpetual license, the customer has made a one-time purchase to acquire the software.

Licenses granted on a perpetual basis are valid indefinitely (the license doesn’t specify an end date).

Product key

See “Activation code”.

Product package

A product package bundles together different licensed items into one sellable package, and associates a license model to those items.

A product package typically corresponds to what your customer understands to have purchased from you.


In 10Duke Enterprise, provisioning can refer to the provisioning of licenses or users.

License provisioning refers to the creating and initializing of licenses for use.

User provisioning refers to the creation of users, either in advance (for example, by email invitation or through the APIs) or on demand (for example, by using SSO or JWT bearer authorization based on data from a trusted external provider).


A role defines a set of permissions that can be granted to a user. The types of roles available are: built-in role, internal role, organization role, client role.

Role-based access control

In role-based access control (RBAC), roles and permissions are used to restrict user access. A typical 10Duke Enterprise configuration has multiple types of user roles, each granting different permissions in the system.

Seat reservation

A seat reservation means that a license seat has been assigned to a specific user or device client, and can only be consumed by that user or device client.

With named seat licenses, seat reservations are mandatory, and the license model may restrict seat reassignment from one user or device client to another.

With floating licenses, seat reservations can be made if needed, and this removes those seats from the floating license pool.

Single sign-on

Single sign-on (SSO) allows a user to log in to multiple systems with a single identity and credentials.

In the context of 10Duke Enterprise, this usually means web SSO using either OIDC or SAML protocol to allow multiple client applications to use the same user identity.


With a subscription-based license, the customer pays, for example, a monthly or annual fee to use the software instead of making a one-time purchase.

Licenses granted on a subscription basis specify a start and end date, and the license is intended to be periodically renewed.

Two-factor authentication

2FA; multi-factor authentication that requires two authentication factors, such as a password and a one-time password sent to a mobile device.


In 10Duke Enterprise, a registered user can be an administrator user who uses the 10Duke SysAdmin or 10Duke OrgAdmin tool, an end user who uses your licensed software application, or both.

A user’s access rights depend on their user roles and permissions and the licenses granted to them.

For example, a licensee organization’s user may act as the administrator for the organization, but they may also be an end user who uses the licensed software that the organization has purchased.

User group

User groups are used for giving end users access to organization licenses in entitlements. User groups typically reflect the end users’ relationship to an organization, for example, an organization can have an “employees” group and an “external license consumers” group.

When organizations authorize their end users to consume the organization’s licenses, they do this by granting access per user group, not per individual user.



Two-factor authentication


AWS Certificate Manager


Assertion Consumer Service


Application programming interface


Amazon Web Services


Customer relationship management


Domain Keys Identified Mail


Domain Name System


Enterprise resource planning


Federated identity management


General Data Protection Regulation


Hash-based message authentication code


Internet of Things


Java Runtime Environment


JSON Web Token ID


JSON Web Signature


JSON Web Token


Multi-factor authentication


OpenID Connect


One-time password


Privacy Enhanced Mail


Proof Key for Code Exchange


Proof of concept


Role-based access control


Representational state transfer


Software as a Service


Security Assertion Markup Language


Software development kit


Service-level agreement


Single logout


Simple Mail Transfer Protocol


Single-page application


Sender Policy Framework


Single sign-on


Time-based one-time password


Uniform Resource Identifier


Uniform Resource Locator


Universal unique identifier


Virtual machine