App Key

App Keys consist of a public-private key pair specific to a Virgil application. The private key is held by your backend and used to sign unique JWTs for each user, and the public key is stored in the Virgil Cloud to verify the signature of the JWTs to allow those users to perform operations on Virgil Cloud.

App Token

App Tokens are long-lived access tokens used on the backend to authenticate on the Virgil Cloud. The token name is shown below and the token string is shown only once at the time of creation and then safely stored by the Virgil Application developer.


The process of verifying user's access for performing necessary operations at Virgil Cloud. When user interacts with Virgil Cloud, they have to be provided with a unique token that tells Virgil who they are and what they're allowed to do. Authentication request contains your application credentials, account credentials and user's identity.


User might have several devices: a desktop client, some web browsers, an Android device, an iPhone, etc. They broadly relate to a real device in the physical world, but user might have several browsers on a physical device, or several client applications on a mobile device, each of which would be its own device.

Devices are used primarily to manage the keys used for end-to-end encryption (each device gets its own copy of the decryption keys), but they also help users manage their access - for instance, by revoking access to particular devices.

When a user first uses a client, it registers itself as a new device. The longevity of devices might depend on the type of client. A web client will probably drop all of its state on logout, and create a new device every time you log in, to ensure that cryptography keys are not leaked to a new user. In a mobile client, it might be acceptable to reuse the device if a login session expires, provided the user is the same.

Virgil Application

Virgil Application is a basis for enabling, configuring, and using all the Virgil Cloud services including managing APIs, billing, and managing permissions for Virgil Cloud resources.

All applications consist of the following:

  • App ID, which is a unique identifier for the application
  • A collection of App Keys that are used to generate Access Tokens
  • One mutable display name
  • The lifecycle state of the application; for example, ACTIVE or DELETE_REQUESTED
  • A collection of labels that can be used for filtering applications
  • The time when the project was created.

Virgil Card

In the Virgil Cloud, a Card, also known as a Virgil Card, is a digitally structure used to prove the ownership of a public key. The Card consists of a specially formatted block of data that contains the User of the holder (which may be either a user or IoT device) and the holder's public key, as well as a list of digital signatures of an authorities for authentication. The authority attests that the sender's Identity is the one associated with the public key in the Card structure.

Find out about Virgil Cards structure here.

Virgil Card ID

A unique identifier of a user's Virgil Card.

Each Virgil Card is created by passing the content snapshot, which contains all data related to the Virgil Card, and is represented as a JSON. This JSON representation is used to calculate the Virgil Card's Fingerprint. If you convert the Fingerprint to its hexadecimal representation, it will return the Virgil Card's ID.

The Virgil Card ID representation:


Virgil Cloud

Virgil Cloud is a SPaaS (Security Platform as a Service) that consists of a set of Virgil Security services, such as Virgil Cards Service, Virgil PFS Service, Virgil Keyknox Service, Virgil Pythia Service. Virgil Cloud has all the necessary functionality to help users to create and manage their Virgil Cards, encrypt and decrypt their data and much more.


PHE record

PHE record (password record, Pure Record) is a unique data that is associated with a specific user’s password (1 password = 1 record). Each password record contains a user's password record version, your application & PHE service random salts, two values obtained during the execution of the PHE protocol and user's PHE encryption key.


Virgil Cloud KMS (Key Management System) is a secure alternative to traditional wrapping-based KMS that forms the backbone of key management in large-scale data storage deployments. The Virgil Cloud KMS system provides updatable encryption capability that allows a KMS service client to seamlessly update all its encrypted data to be decryptable only by the new key.