
Glossary

Definitions for every term used across QuickZTNA docs. Alphabetical. One-line where possible; longer when nuance matters.

A

ABAC (Attribute-Based Access Control)

Authorization model where access is granted based on attributes of the user, device, resource, and environment (tags, posture, time, country) rather than fixed roles. Used in QuickZTNA ACLs.

ACL (Access Control List)

Rules that decide whether a connection between two peers is allowed. Evaluated by acl-evaluate.

Agent

The ztna binary running on each device. Handles WireGuard tunnel setup, posture reporting, heartbeat, and commands from the control plane.

Auth key

A reusable or one-time token (tskey-auth-<random>) that lets a new device register itself without going through interactive login. Used by MDMs and automation.

B

Broadcast

WebSocket message fan-out to all clients subscribed to a channel within an org. Rate-limited to 10/min/client.

C

CASB (Cloud Access Security Broker)

Discovers and controls unsanctioned SaaS app usage. Gated to Workforce plan.

Caddy

The reverse proxy + auto-TLS server that fronts everything on login.quickztna.com.

CIDR

A range of IP addresses, e.g. 100.64.0.0/10 (the tailnet address space).

Control plane

The authenticated API and dashboard that manages identities, policies, and device inventory. Separate from the data plane.

Cron

Periodic background jobs. Handles retention, trial expiry, anomaly scans, etc.

D

Data plane

The WireGuard peer-to-peer mesh that carries actual user traffic. Server never sees this traffic.

DEM (Digital Experience Monitoring)

Per-device network health (latency, packet loss, jitter) plus a health score. Gated to Workforce plan.

DERP (Designated Encrypted Relay for Packets)

WebSocket-based relay for peers that can't reach each other directly (symmetric NAT, CGNAT). 4 regions: BLR, NYC, LON, SFO.

DLP (Data Loss Prevention)

Scans agent-captured text for sensitive patterns (credit cards, SSNs, API keys). Reports events, can block. Gated to Workforce plan.

E

Envelope

The { success, data, error } response shape used by every API endpoint.

Ephemeral key

An auth key that registers a single machine, after which the machine disappears from the tailnet when it goes offline. Used for CI/CD runners.

F

FIPS 203

NIST standard for ML-KEM (post-quantum key encapsulation). What QuickZTNA uses for quantum-safe tunnels.

H

Hono

Node.js web framework. Backend HTTP layer.

HKDF (HMAC-based Key Derivation Function)

Algorithm used to derive the hybrid PSK from combined X25519 + ML-KEM shared secrets.

J

JIT access (Just-In-Time)

Time-bounded, approved access grants for sensitive resources. Request → approve → auto-revoke when the window expires.

JWT (JSON Web Token)

Signed token proving identity. QuickZTNA uses ES256 (ECDSA P-256). Issuer quickztna, audience quickztna-api.

K

KEK / DEK

Key Encryption Key (master, in env) / Data Encryption Key (per-org, encrypted by KEK). Envelope encryption.

M

MagicDNS

Every machine reachable by name at <hostname>.<org>.zt.net. Resolved via the agent's built-in DNS stub.

ML-KEM-768

Module-Lattice-Based Key-Encapsulation Mechanism, 768-bit security. FIPS 203. The post-quantum half of the hybrid key exchange.

N

Node key

The permanent credential an agent uses after first registration. Different from the auth key (which is one-time/reusable for registration).

O

OAuth

Auth flow for GitHub and Google login. SSO is OIDC/SAML (separate).

Org / Tenant

A customer account. Every resource is scoped to an org_id. One user can belong to multiple orgs.

P

PBKDF2

Password hashing algorithm. QuickZTNA uses SHA-256 with 100K iterations.

PQC (Post-Quantum Cryptography)

Cryptographic primitives believed to resist quantum computers. QuickZTNA uses ML-KEM-768 for key exchange.

PSK (Pre-Shared Key)

Extra shared secret injected into WireGuard. QuickZTNA derives the PSK from the hybrid key exchange for quantum safety.

Posture

Device health signals: OS version, disk encryption, firewall on, antivirus running. Policies can require posture before granting access.

R

Razorpay

Current payment processor. India-first; international support via Razorpay International. Stripe on roadmap.

Refresh token

Long-lived (30d) token used to obtain new access tokens. Stored in __Host-refresh_token HttpOnly cookie.

S

SCIM (System for Cross-domain Identity Management)

Industry standard for automated user provisioning from identity providers (Okta, Azure AD). Gated to Business+.

Session recording

Captures admin sessions (remote shell, SSH jump) for audit playback. Gated to Business+.

Subnet route

A CIDR advertised by one machine so other peers can reach resources behind it (e.g., a home LAN or cloud VPC).

Superadmin

Platform operator (not an org role). Hardcoded email. Has /api/platform-admin access. Does not bypass plan gates.

T

Tailnet

The private encrypted mesh of all machines in one org. Addressed in 100.64.0.0/10 by default.

Tags

Arbitrary labels on machines (tag:laptop, tag:prod). ACLs frequently reference tags instead of hostnames.

TLS 1.3

Minimum TLS version for DERP. Enables the X25519Kyber768 hybrid KEM at the transport layer.

TOTP (Time-Based One-Time Password)

RFC 6238 6-digit code for MFA. QuickZTNA caches used codes for 90s to prevent replay.

V

Valkey

Open-source Redis fork. Used for session KV, rate limits, WebSocket pub/sub.

W

WireGuard

The modern VPN protocol that carries QuickZTNA tunnels. Kernel on Linux, userspace (wireguard-go) elsewhere.

Workforce plan

Highest paid tier. Unlocks workforce analytics, DLP, CASB, anomaly detection, remote desktop, DEM.

X

X25519

Elliptic curve Diffie-Hellman, the classical half of the hybrid key exchange. Combined with ML-KEM-768 for quantum safety.

Z

ZTNA (Zero Trust Network Access)

Security model where every connection is verified against identity and policy regardless of network location. The "Z" in QuickZTNA.