Kyndex

Glossary

Definitions for Literal-specific security, cryptography, API, and workflow terms.

Definitions for Literal-specific terms used across the documentation. For broader context, follow the link in each entry.

Literal Concepts

Grant

An encrypted access package created by a document holder for a specific recipient. A grant wraps the document’s encryption key for that recipient and binds the access to an expiration time.

See Grants & Sharing.

Entity

An organization in Literal: a company, institution, or verifier that manages member access, organization metadata, and organization-scoped search under one cryptographic boundary.

See Entities & Memberships.

Entity Membership

A member’s authorized association with an entity. Membership records use opaque tokens and encrypted member identifiers rather than plaintext relationship fields.

See Entities & Memberships.

Entity Delivery

A direct push of encrypted document access from an entity admin to a specific organization member. The recipient still accepts or denies the delivery.

See Entity Deliveries.

Document Holder

The party who uploaded a document and controls how it is shared. Document holders create grants, accept or deny claims, and revoke access.

Verifier

A party that checks a verification seal for a document. Verifiers are often organizations performing KYC or compliance review.

See Verifying Document Seals.

Organization Scope

The organization-scoped context for document access, search, and key material. A user can operate in personal scope and one or more organization scopes simultaneously.

See Entities & Memberships.

Verification Seal

An encrypted, signed artifact produced by the secure enclave during document processing. The seal lets a verifier check authenticity, integrity, and specificity for a processed document.

See Document Lifecycle.

Privacy And Routing

Blind Index

A one-way token generated from a plaintext value and scoped key material. Literal stores and compares blind indexes for search, but does not receive the plaintext value that produced the token.

See Encrypted Search.
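How a scoped blind index behaves in practice, as an added example that is not Literal's code: the HMAC-SHA256 derivation, the scope labels, the normalization rules and the sample values are assumptions made for illustration.

```python
"""Blind index: one-way search token from plaintext plus scoped key material.
Added example, not Literal's code: the HMAC-SHA256 derivation, scope labels
and normalization rules are assumptions made for illustration."""
import hashlib
import hmac
import unicodedata


def scoped_index_key(root_key: bytes, scope: str) -> bytes:
    """Per-scope index key (personal or one organization scope) derived from
    client-held root key material; it never leaves the client."""
    return hmac.new(root_key, b"blind-index|" + scope.encode(), hashlib.sha256).digest()


def normalize(value: str) -> bytes:
    """Canonicalize so case and whitespace variants yield the same token."""
    return unicodedata.normalize("NFKC", value).strip().casefold().encode()


def blind_index(index_key: bytes, value: str) -> str:
    """Token the server stores and compares. Without index_key it cannot be
    recomputed, and the plaintext that produced it is never sent."""
    return hmac.new(index_key, normalize(value), hashlib.sha256).hexdigest()


class IndexStore:
    """Stand-in for the application server: holds tokens, never plaintext."""

    def __init__(self) -> None:
        self._rows = {}

    def put(self, token: str, document_token: str) -> None:
        self._rows.setdefault(token, []).append(document_token)

    def lookup(self, token: str) -> list:
        return list(self._rows.get(token, []))


def demo() -> dict:
    root = b"\x11" * 32                      # constructed client root key
    personal = scoped_index_key(root, "personal")
    acme = scoped_index_key(root, "org:acme-bank")
    store = IndexStore()
    store.put(blind_index(personal, "Alice Smith"), "doctoken-personal-1")
    store.put(blind_index(acme, "Alice Smith"), "doctoken-acme-1")
    return {
        "personal_hit": store.lookup(blind_index(personal, "  alice smith")),
        "org_hit": store.lookup(blind_index(acme, "ALICE SMITH")),
        # same plaintext in two scopes gives unlinkable tokens
        "cross_scope_linkable": blind_index(personal, "Alice Smith") == blind_index(acme, "Alice Smith"),
    }
```

The server side can only answer equality queries on tokens it already holds; an attacker reading the table without the scoped key gets neither the plaintext nor a link between the personal and organization rows.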

Blind Routing

The pattern of storing sensitive relationships as opaque cryptographic tokens instead of plaintext foreign keys. Literal can compare tokens for authorized lookups, but a database read does not reveal document ownership, grant relationships, or membership rosters.

See Blind Routing.

View Tag

A short, ambiguous marker attached to a grant. Recipients query view tags to discover possible grants; a tag query intentionally returns multiple unrelated grants alongside the genuine one.

See Grants & Sharing.

Document Token

A blind token derived client-side that identifies a document without exposing a plaintext document identifier to the application server.

See Blind Routing.

Owner Token

A blind token that identifies a document’s owner for authorized lookups without revealing the owner’s plaintext identity.

See Blind Routing.

Grant Claim Token

A per-grant token derived from the recipient’s key material. Each claim token is unique to its grant, so separate claims cannot be linked back to a single plaintext recipient identifier.

See Grants & Sharing.

Sealed Member Identifier

An encrypted member identifier stored on a membership record and bound to a specific entity. Replaying a sealed identifier from one entity into another fails by construction.

See Entities & Memberships.

Keys And Cryptography

User Master Key (UMK)

The root of a document holder’s personal key hierarchy, derived from the user’s password on the client device. The User Master Key never reaches Literal.

See Key Hierarchy.

Data Encryption Key (DEK)

A per-document symmetric key generated by the client at upload time. The DEK encrypts document content and metadata and is wrapped separately for each authorized access path.

See Key Hierarchy.

Entity Master Key (EMK)

The root of an organization’s key hierarchy, generated and unwrapped only inside the secure enclave.

See Key Hierarchy.

Platform Key

A hardware-protected key used by the attested enclave path for platform wrapping operations and verification artifacts. The private key is not exposed to application code or server operators.

See Platform Public Key and Key Hierarchy.

Key Wrapping

Encrypting one key with another so the wrapped key can be stored or transmitted safely. Document keys are wrapped along multiple authorized access paths (personal, organization, platform, grant).

See Key Hierarchy.

Delivery Keypair

A per-membership keypair used for entity deliveries. Delivery encryption keys let admins encrypt document access for a specific member; delivery signing keys support proof-of-possession during acceptance.

See Entity Deliveries.

Hybrid Cryptography

Combining established classical algorithms with post-quantum algorithms in the same operation, so the system does not depend on a single cryptographic family.

See Key Hierarchy.

OPAQUE

A password-authenticated key exchange that lets a client prove knowledge of a password without sending it to the server. Literal uses OPAQUE for registration and login.

See Authentication.

OPRF

An Oblivious Pseudorandom Function. The client blinds an input, the server evaluates the OPRF without learning the input, and the client unblinds the result locally. Used in Literal for the login bucket and for refresh-token derivation during browser session binding.

See Deriving The Login Bucket.
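The blind, evaluate, unblind round trip described above, as an added example that is not Literal's code: a Diffie-Hellman-style OPRF over a constructed toy group (integers modulo the Mersenne prime 2**521 - 1) so it runs on the standard library alone. A real deployment uses a standardized prime-order group as specified in RFC 9497; the server key and input values here are constructed.

```python
"""Toy Diffie-Hellman-style OPRF: blind, evaluate, unblind.

Added example, not Literal's code. The group is a constructed stand-in
(integers modulo the Mersenne prime 2**521 - 1) so it runs with the
standard library only; production OPRFs use a standardized prime-order
group such as those in RFC 9497.
"""
import hashlib
import math
import secrets

P = 2**521 - 1      # toy prime modulus (constructed parameter)
ORDER = P - 1       # exponents live modulo the group order
ELEM_BYTES = 66     # enough bytes to encode any element below P


def hash_to_group(value: bytes) -> int:
    """Map the client's input (e.g. a login identifier) to an element in [2, P-1]."""
    digest = hashlib.sha512(b"oprf-input|" + value).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def client_blind(value: bytes) -> tuple:
    """Client: choose a random r invertible mod ORDER and send H(x)^r."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(value), r, P)


def server_evaluate(blinded: int, server_key: int) -> int:
    """Server: apply its secret key k. It sees H(x)^r, never x."""
    return pow(blinded, server_key, P)


def client_unblind(evaluated: int, r: int) -> bytes:
    """Client: remove r, leaving H(x)^k, then hash it into the output key."""
    element = pow(evaluated, pow(r, -1, ORDER), P)
    return hashlib.sha256(element.to_bytes(ELEM_BYTES, "big")).digest()


def direct_evaluation(value: bytes, server_key: int) -> bytes:
    """Reference value: computable only by someone holding both x and k."""
    element = pow(hash_to_group(value), server_key, P)
    return hashlib.sha256(element.to_bytes(ELEM_BYTES, "big")).digest()


def oprf_round_trip(value: bytes, server_key: int) -> bytes:
    """Full exchange; the server never receives `value` in the clear."""
    r, blinded = client_blind(value)
    return client_unblind(server_evaluate(blinded, server_key), r)
```

Because the full multiplicative group here is not of prime order, the blinded value can leak subgroup membership of H(x); the example shows the protocol flow, not a production parameter set.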

Sessions And Access

Pending Session

A short-lived session state created by browser login. A pending access token can only call refresh evaluation and session bind. It expires within 60 seconds.

See Session Lifecycle.

Locked Session

A session that has authenticated but lacks the client-derived tokens required to access document, search, or membership operations. Returned by recovery and by refresh calls that omit owner_token and user_member_token.

See Session Lifecycle.

Unlocked Session

A session with both owner_token and user_member_token present, allowing document, search, and membership operations.

See Session Lifecycle.

Access Token

A short-lived bearer token used to authenticate API requests. Access tokens expire after 15 minutes.

See Session Lifecycle.

Refresh Token

A longer-lived token used to mint new access tokens. Refresh tokens are single-use and rotate on each refresh.

See Session Lifecycle.

Revocation Token

A client-derived token that authorizes invalidating every active session for the account.

See Session Lifecycle.

Infrastructure Boundaries

Application Server

The general request-handling layer. The application server can route requests and store ciphertext, wrapped keys, and opaque tokens, but it does not receive document plaintext or plaintext relationship fields.

See Zero-Knowledge Model.

Database And Storage Layer

The persistent layer that holds encrypted blobs, blind index tokens, and wrapped keys. Plaintext relationship columns for sensitive associations have been removed.

See Zero-Knowledge Model.

Secure Enclave

A hardware-isolated execution environment used for operations that require temporary access to decrypted content, such as text extraction, verification, and entity-scoped index generation.

See Zero-Knowledge Model.

Attestation

A cryptographic check the enclave must pass before the key management service releases keys. Attestation verifies that the enclave is running approved code in a genuine isolated environment.

See Zero-Knowledge Model.

Zero-Knowledge Boundary

The architectural line between zones that may hold plaintext (the client device and the attested secure enclave) and zones that handle only ciphertext, wrapped keys, and opaque tokens (the application server and database).

See Zero-Knowledge Model.
