Glossary

Plain-language definitions for the kit-specific nouns and web concepts these docs lean on.

Short definitions for the SyntaxKit-specific terms and web concepts these docs lean on. Grouped by topic and cross-linked to the page that owns each one. Use Cmd-F or the jump cards below. Missing something? Email the support address on the License page and we'll add it.

Auth & sessions

Better Auth, passkeys, 2FA, and the cookies behind a session.

Organizations

Active org, personal org, and the multi-tenant guards.

Data & API

Prisma adapters, migrations, oRPC, packages, and uploads.

Frontend & i18n

Styling helpers, server vs client components, and locale routing.

Billing & webhooks

Stripe modes, signing secrets, and idempotent event handling.

Security & abuse

CORS, CSP, CSRF, rate limits, and captcha.

Email & observability

Transactional mail, deliverability, analytics, and logs.

Build & deployment

Env timing, capabilities, the setup doctor, and the monorepo.

Auth & Sessions

Term	Definition
Better Auth	The self-hosted auth library behind `packages/auth`: sessions, OAuth, 2FA, passkeys, and the multi-tenant org model (via plugins). No per-MAU pricing. Authentication.
Passkey	Phishing-resistant sign-in using device-bound key pairs (Touch ID, Windows Hello, hardware keys). Built on WebAuthn via Better Auth's `passkey` plugin. Passkeys.
Platform admin	A `User.role = "admin"` (distinct from per-org roles) that gates `/dashboard/admin` and the `admin` oRPC namespace. Bootstrap with `pnpm admin:bootstrap --email <email>`. Platform Admin Role.
SameSite cookie	A cookie attribute (`Strict` / `Lax` / `None`) controlling cross-site sends. The kit uses `sameSite=lax` for session cookies to blunt CSRF without breaking inbound links.
Session cookie	The `httpOnly`, `sameSite=lax` cookie Better Auth sets after sign-in. Encrypted with `BETTER_AUTH_SECRET`; carries the user id and `activeOrganizationId`. How Sessions Work.
Two-Factor Auth	A second sign-in factor: TOTP codes from an authenticator app plus single-use backup codes, wired via Better Auth's `twoFactor` plugin. Two-Factor Auth.

Organizations

Term	Definition
Active organization	The org the current session is acting on. The session carries `activeOrganizationId`; the `withActiveOrganization` middleware puts `context.organization` on every signed-in oRPC call. The Active Organization.
Last-owner protection	A guard that blocks removing or demoting an org's only remaining owner, using a `FOR UPDATE` row lock to avoid races. Guards That Keep Things Sane.
Personal organization	An org auto-created for each user on sign-up (`isPersonalOrganization: true`), so single-user accounts feel native. Structurally identical to a team org. Organizations.

Data & API

Term	Definition
Composite project	A TypeScript project (`tsc -b`) that emits declaration files for other packages. Used by `packages/shared` and `packages/api` so their types are shared across the workspace.
Driver adapter	A pluggable Prisma layer for a specific Postgres protocol. The kit picks `@prisma/adapter-neon` for `*.neon.tech` hosts and `@prisma/adapter-pg` everywhere else. Database.
Migration vs seed	A migration is a versioned schema change (`prisma migrate dev`); a seed loads starter data (`prisma db seed`). Seeds ship in three modes: `bootstrap`, `demo`, `test`. Database.
oRPC	The OpenAPI-native typed RPC framework behind `packages/api`: end-to-end TypeScript plus a generated spec at `/api-reference`. API.
Pre-signed URL	A short-lived S3 URL letting the browser PUT bytes straight to a bucket key, bypassing serverless body-size limits. How An Upload Flows.
Subpath export	A `package.json` `exports` entry exposing one file under a sub-path (e.g. `@syntaxkit/analytics/client`), so consumers pull only the client or server half. Package Map.

Frontend & i18n

Term	Definition
`cn` helper	`clsx` plus `tailwind-merge`, from `@syntaxkit/ui/lib/utils`. Caller-side `className` wins over the cva default, ending Tailwind specificity wars. Base Components.
`cva`	`class-variance-authority`: turns Tailwind class strings into typed component variants. Every shadcn-style primitive uses it. Base Components.
Locale routing	Two i18n strategies in parallel: marketing routes are URL-prefixed (`/en/...`, `/de/...`); the dashboard reads a `NEXT_LOCALE` cookie at render time. Internationalization.
`next-intl`	The i18n library powering both locale strategies (URL-prefix marketing, cookie-driven dashboard). Internationalization.
OKLCH	A perceptually uniform color space (`oklch(L C H)`) used for every color token in `packages/ui`. Pick colors at oklch.com. Brand Tokens.
Server action	A Next.js `"use server"` function called from the client. Used sparingly (e.g. the `setLocale` action). Multi-instance deploys need a shared `NEXT_SERVER_ACTIONS_ENCRYPTION_KEY`. Operational Secrets.
Server component vs client component	App Router primitives: server components render server-side and ship no JS; client components (`"use client"`) ship interactive code. Calling The API From React.
shadcn/ui	A pattern (and CLI) for copying React primitives into your own repo instead of installing them. The kit's `packages/ui` is yours to edit. Customization.

Billing & Webhooks

Term	Definition
Best-effort side effect	An email or analytics dispatch wrapped so its failure doesn't fail the webhook; the `OutboundEffect` claim is released so the next Stripe retry tries again. Best-Effort Side Effects.
Live mode vs test mode	Stripe's two environments: test (`sk_test_`) for fake cards, live (`sk_live_`) for real charges. Signing secrets and price ids differ between them. Pricing And Stripe Live Mode.
OutboundEffect	A Postgres table keyed by `(kind, key)` that records each email/analytics dispatch, so retries can't double-send. Two-Layer Idempotency.
Stale processing recovery	Recovers Stripe events whose handler crashed mid-run: after 5 minutes (`STALE_PROCESSING_WINDOW_MS`), the next retry may re-claim and re-run it. Stale Processing Recovery.
Stripe webhook signing secret	The secret Stripe signs payloads with; the kit verifies every event via `stripe.webhooks.constructEvent`. The production secret differs from the Stripe-CLI one. Endpoint And Signature Verification.
StripeWebhookEvent	A Postgres table keyed by `eventId` ensuring each Stripe event is processed exactly once. One half of two-layer idempotency. Two-Layer Idempotency.
Two-layer idempotency	The webhook dedupe story: `StripeWebhookEvent.eventId` blocks duplicate event ids; `OutboundEffect.(kind, key)` blocks duplicate business actions. Two-Layer Idempotency.

Security & Abuse

Term	Definition
CORS	Cross-Origin Resource Sharing: HTTP headers deciding whether a browser may call your API from another origin. `proxy.ts` scopes it to `NEXT_PUBLIC_APP_URL`. Edge: Headers, CSP, CORS.
CSP	Content Security Policy: an allow-list header limiting which origins can load scripts, styles, fonts, etc. Set strict via Nosecone plus a curated allow-list. Edge: Headers, CSP, CORS.
CSRF	Cross-Site Request Forgery: tricking a user's browser into an authenticated request to your site. Mitigated by `httpOnly`, `sameSite=lax` session cookies set explicitly in `packages/auth/src/server.ts`.
Rate limit	A sliding-window counter capping requests over time (e.g. 5 per 10s). Backed by Upstash Redis on auth, contact, and other public surfaces. Abuse Protection (Upstash).
Turnstile	Cloudflare's captcha alternative to reCAPTCHA, used for auth flows (Better Auth's captcha plugin) and the public contact form. Authentication: Sessions And Captcha.

Email & Observability

Term	Definition
OpenTelemetry	The observability standard the kit uses for structured logs, exporting OTLP records to PostHog Logs. Structured Logging.
PostHog	One vendor for all telemetry: product and web analytics, session replay, error tracking, and structured logs. Analytics and Monitoring.
Reverse proxy	A Next.js rewrite routing `/ingest/*` to PostHog, defeating ad-blockers (same-origin) and simplifying CSP. The Reverse Proxy.
Source map upload	A build step (`withPostHogConfig`) that uploads JS source maps to PostHog so stack traces de-minify. Needs `POSTHOG_API_KEY` and `POSTHOG_PROJECT_ID`. Source Maps.
SPF, DKIM, DMARC	Three DNS records that prove your domain may send email; without them, Gmail and Outlook deliverability drops sharply. Email Sender Configuration.
Transactional email	Email triggered by a specific user action (verification, receipt) rather than bulk marketing. Delivered via Plunk, templated with React Email. Email.

Build & Deployment

Term	Definition
Build-time vs runtime env	Every `NEXT_PUBLIC_*` var is inlined into the JS bundle at build time, so changing one needs a rebuild; server secrets are read at runtime. Build-Time vs Runtime Env.
Capability	A boolean for whether a feature's env-var group is fully configured (`isBillingEnabled`, etc., from `packages/shared/src/setup.ts`). Drives graceful degradation everywhere. Environment Variables.
`dotenvx`	The `.env`-loading CLI behind the kit's test, integration, E2E, and webserver scripts. Loads files by priority; `--overload` overrides host env. Commands And Scripts.
Setup Doctor	The `pnpm setup:doctor` script: validates the env file, lists which integrations are configured, and confirms the database is reachable. Run after a fresh clone. Commands And Scripts.
Standalone output	A Next.js build option (`output: "standalone"`) producing a self-contained Node server with only the deps actually used. Both apps use it to keep Docker images small. Deployment.
Turborepo	The monorepo task runner: caches `lint`, `check-types`, `build`, `test` and orders tasks so `^db:generate` runs before any build. The Build Pipeline.