Glossary
Plain-language definitions for the kit-specific nouns and web concepts these docs lean on.
Short definitions for the SyntaxKit-specific terms and web concepts these docs lean on. Grouped by topic and cross-linked to the page that owns each one. Use Cmd-F or the jump cards below. Missing something? Email the support address on the License page and we'll add it.
Auth & sessions
Better Auth, passkeys, 2FA, and the cookies behind a session.
Organizations
Active org, personal org, and the multi-tenant guards.
Data & API
Prisma adapters, migrations, oRPC, packages, and uploads.
Frontend & i18n
Styling helpers, server vs client components, and locale routing.
Billing & webhooks
Stripe modes, signing secrets, and idempotent event handling.
Security & abuse
CORS, CSP, CSRF, rate limits, and captcha.
Email & observability
Transactional mail, deliverability, analytics, and logs.
Build & deployment
Env timing, capabilities, the setup doctor, and the monorepo.
Auth & Sessions
| Term | Definition |
|---|---|
| Better Auth | The self-hosted auth library behind packages/auth: sessions, OAuth, 2FA, passkeys, and the multi-tenant org model (via plugins). No per-MAU pricing. Authentication. |
| Passkey | Phishing-resistant sign-in using device-bound key pairs (Touch ID, Windows Hello, hardware keys). Built on WebAuthn via Better Auth's passkey plugin. Passkeys. |
| Platform admin | A User.role = "admin" (distinct from per-org roles) that gates /dashboard/admin and the admin oRPC namespace. Bootstrap with pnpm admin:bootstrap --email <email>. Platform Admin Role. |
| SameSite cookie | A cookie attribute (Strict / Lax / None) controlling cross-site sends. The kit uses sameSite=lax for session cookies to blunt CSRF without breaking inbound links. |
| Session cookie | The httpOnly, sameSite=lax cookie Better Auth sets after sign-in. Encrypted with BETTER_AUTH_SECRET; carries the user id and activeOrganizationId. How Sessions Work. |
| Two-Factor Auth | A second sign-in factor: TOTP codes from an authenticator app plus single-use backup codes, wired via Better Auth's twoFactor plugin. Two-Factor Auth. |
Organizations
| Term | Definition |
|---|---|
| Active organization | The org the current session is acting on. The session carries activeOrganizationId; the withActiveOrganization middleware puts context.organization on every signed-in oRPC call. The Active Organization. |
| Last-owner protection | A guard that blocks removing or demoting an org's only remaining owner, using a FOR UPDATE row lock to avoid races. Guards That Keep Things Sane. |
| Personal organization | An org auto-created for each user on sign-up (isPersonalOrganization: true), so single-user accounts feel native. Structurally identical to a team org. Organizations. |
Data & API
| Term | Definition |
|---|---|
| Composite project | A TypeScript project (tsc -b) that emits declaration files for other packages. Used by packages/shared and packages/api so their types are shared across the workspace. |
| Driver adapter | A pluggable Prisma layer for a specific Postgres protocol. The kit picks @prisma/adapter-neon for *.neon.tech hosts and @prisma/adapter-pg everywhere else. Database. |
| Migration vs seed | A migration is a versioned schema change (prisma migrate dev); a seed loads starter data (prisma db seed). Seeds ship in three modes: bootstrap, demo, test. Database. |
| oRPC | The OpenAPI-native typed RPC framework behind packages/api: end-to-end TypeScript plus a generated spec at /api-reference. API. |
| Pre-signed URL | A short-lived S3 URL letting the browser PUT bytes straight to a bucket key, bypassing serverless body-size limits. How An Upload Flows. |
| Subpath export | A package.json exports entry exposing one file under a sub-path (e.g. @syntaxkit/analytics/client), so consumers pull only the client or server half. Package Map. |
Frontend & i18n
| Term | Definition |
|---|---|
cn helper | clsx plus tailwind-merge, from @syntaxkit/ui/lib/utils. Caller-side className wins over the cva default, ending Tailwind specificity wars. Base Components. |
cva | class-variance-authority: turns Tailwind class strings into typed component variants. Every shadcn-style primitive uses it. Base Components. |
| Locale routing | Two i18n strategies in parallel: marketing routes are URL-prefixed (/en/..., /de/...); the dashboard reads a NEXT_LOCALE cookie at render time. Internationalization. |
next-intl | The i18n library powering both locale strategies (URL-prefix marketing, cookie-driven dashboard). Internationalization. |
| OKLCH | A perceptually uniform color space (oklch(L C H)) used for every color token in packages/ui. Pick colors at oklch.com. Brand Tokens. |
| Server action | A Next.js "use server" function called from the client. Used sparingly (e.g. the setLocale action). Multi-instance deploys need a shared NEXT_SERVER_ACTIONS_ENCRYPTION_KEY. Operational Secrets. |
| Server component vs client component | App Router primitives: server components render server-side and ship no JS; client components ("use client") ship interactive code. Calling The API From React. |
| shadcn/ui | A pattern (and CLI) for copying React primitives into your own repo instead of installing them. The kit's packages/ui is yours to edit. Customization. |
Billing & Webhooks
| Term | Definition |
|---|---|
| Best-effort side effect | An email or analytics dispatch wrapped so its failure doesn't fail the webhook; the OutboundEffect claim is released so the next Stripe retry tries again. Best-Effort Side Effects. |
| Live mode vs test mode | Stripe's two environments: test (sk_test_*) for fake cards, live (sk_live_*) for real charges. Signing secrets and price ids differ between them. Pricing And Stripe Live Mode. |
| OutboundEffect | A Postgres table keyed by (kind, key) that records each email/analytics dispatch, so retries can't double-send. Two-Layer Idempotency. |
| Stale processing recovery | Recovers Stripe events whose handler crashed mid-run: after 5 minutes (STALE_PROCESSING_WINDOW_MS), the next retry may re-claim and re-run it. Stale Processing Recovery. |
| Stripe webhook signing secret | The secret Stripe signs payloads with; the kit verifies every event via stripe.webhooks.constructEvent. The production secret differs from the Stripe-CLI one. Endpoint And Signature Verification. |
| StripeWebhookEvent | A Postgres table keyed by eventId ensuring each Stripe event is processed exactly once. One half of two-layer idempotency. Two-Layer Idempotency. |
| Two-layer idempotency | The webhook dedupe story: StripeWebhookEvent.eventId blocks duplicate event ids; OutboundEffect.(kind, key) blocks duplicate business actions. Two-Layer Idempotency. |
Security & Abuse
| Term | Definition |
|---|---|
| CORS | Cross-Origin Resource Sharing: HTTP headers deciding whether a browser may call your API from another origin. proxy.ts scopes it to NEXT_PUBLIC_APP_URL. Edge: Headers, CSP, CORS. |
| CSP | Content Security Policy: an allow-list header limiting which origins can load scripts, styles, fonts, etc. Set strict via Nosecone plus a curated allow-list. Edge: Headers, CSP, CORS. |
| CSRF | Cross-Site Request Forgery: tricking a user's browser into an authenticated request to your site. Mitigated by httpOnly, sameSite=lax session cookies set explicitly in packages/auth/src/server.ts. |
| Rate limit | A sliding-window counter capping requests over time (e.g. 5 per 10s). Backed by Upstash Redis on auth, contact, and other public surfaces. Abuse Protection (Upstash). |
| Turnstile | Cloudflare's captcha alternative to reCAPTCHA, used for auth flows (Better Auth's captcha plugin) and the public contact form. Authentication: Sessions And Captcha. |
Email & Observability
| Term | Definition |
|---|---|
| OpenTelemetry | The observability standard the kit uses for structured logs, exporting OTLP records to PostHog Logs. Structured Logging. |
| PostHog | One vendor for all telemetry: product and web analytics, session replay, error tracking, and structured logs. Analytics and Monitoring. |
| Reverse proxy | A Next.js rewrite routing /ingest/* to PostHog, defeating ad-blockers (same-origin) and simplifying CSP. The Reverse Proxy. |
| Source map upload | A build step (withPostHogConfig) that uploads JS source maps to PostHog so stack traces de-minify. Needs POSTHOG_API_KEY and POSTHOG_PROJECT_ID. Source Maps. |
| SPF, DKIM, DMARC | Three DNS records that prove your domain may send email; without them, Gmail and Outlook deliverability drops sharply. Email Sender Configuration. |
| Transactional email | Email triggered by a specific user action (verification, receipt) rather than bulk marketing. Delivered via Plunk, templated with React Email. Email. |
Build & Deployment
| Term | Definition |
|---|---|
| Build-time vs runtime env | Every NEXT_PUBLIC_* var is inlined into the JS bundle at build time, so changing one needs a rebuild; server secrets are read at runtime. Build-Time vs Runtime Env. |
| Capability | A boolean for whether a feature's env-var group is fully configured (isBillingEnabled, etc., from packages/shared/src/setup.ts). Drives graceful degradation everywhere. Environment Variables. |
dotenvx | The .env-loading CLI behind the kit's test, integration, E2E, and webserver scripts. Loads files by priority; --overload overrides host env. Commands And Scripts. |
| Setup Doctor | The pnpm setup:doctor script: validates the env file, lists which integrations are configured, and confirms the database is reachable. Run after a fresh clone. Commands And Scripts. |
| Standalone output | A Next.js build option (output: "standalone") producing a self-contained Node server with only the deps actually used. Both apps use it to keep Docker images small. Deployment. |
| Turborepo | The monorepo task runner: caches lint, check-types, build, test and orders tasks so ^db:generate runs before any build. The Build Pipeline. |