Concepts

Table of Contents

  1. Servers
  2. Sessions
  3. Users
  4. Accounts

Servers

The nextAuth Server (NS) allows you to set up multiple (virtual) servers running on a single NS. All virtual servers are separated and do not share any data (e.g., sessions, users, accounts), except that they run on the same NS and database. A server is identified by a random Server ID and is associated with a public/private keypair for server authentication. These are all automatically generated when creating a server through the API.

Every server can be configured separately with a different name, logo, and second factor settings.

nextAuth server

Sessions

Whenever the mobile app authenticates, it does so with respect to a specific session. A Session Identifier, called Nonce in the API documentation, is an opaque string which can be arbitrarily chosen by the user of the API. We recommend using at least 128 random bytes and encoding these in hexadecimal or base64.

Based on the session identifier, one can check through the API whether a mobile app is authenticated for that specific session and, if so, which user (and account of the user) is logged in.

Internally, neither the servers nor the nextAuth Mobile SDK use the session identifiers directly; both use derived identifiers.
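The recommendation above, as an added example that is not part of the nextAuth documentation or SDK: minting a session identifier from the operating system's CSPRNG and checking that an identifier decodes to at least the recommended 128 bytes before it is used. The function names and the MIN_NONCE_BYTES constant are assumptions made for this sketch; no nextAuth API call is shown.

```python
import base64
import binascii
import re
import secrets

MIN_NONCE_BYTES = 128  # minimum length recommended in the Sessions section
_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")  # strict: no whitespace, even length


def new_session_nonce(encoding="hex", nbytes=MIN_NONCE_BYTES):
    """Mint a session identifier from the OS CSPRNG (hypothetical helper)."""
    if nbytes < MIN_NONCE_BYTES:
        raise ValueError("nonce shorter than the recommended minimum")
    raw = secrets.token_bytes(nbytes)
    if encoding == "hex":
        return raw.hex()
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError("encoding must be 'hex' or 'base64'")


def decoded_nonce_length(nonce):
    """Bytes the nonce decodes to, or None if it is neither hex nor base64.

    Hex is tried first: a string that is valid in both alphabets decodes to
    fewer bytes as hex, so the length is never overestimated.
    """
    if _HEX.fullmatch(nonce):
        return len(bytes.fromhex(nonce))
    try:
        return len(base64.b64decode(nonce, validate=True))
    except (binascii.Error, ValueError):
        return None


def is_acceptable_nonce(nonce):
    """True only if the nonce carries at least MIN_NONCE_BYTES of encoded data."""
    length = decoded_nonce_length(nonce)
    return length is not None and length >= MIN_NONCE_BYTES


if __name__ == "__main__":
    fresh = new_session_nonce()
    print(len(fresh), is_acceptable_nonce(fresh))
    # Constructed bad inputs: too short, and a guessable non-encoded label.
    print(is_acceptable_nonce("deadbeef"), is_acceptable_nonce("user-42"))
```

The length check only confirms size and encoding; it cannot tell whether the bytes were random, so identifiers should always come from a generator like the one above rather than from counters, timestamps or user data.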

Users

A User maps the account (the public keys used to authenticate) to a unique userid for your backend system. This userid can be any string and is determined by the user of the API. A user can have multiple accounts (app instances, devices) linked to it, so users can link several of their devices, e.g., a smartphone and a tablet.

Optionally, you can also define attributes for users, e.g., first name, last name, email, group membership… This way, your business applications can also learn specific attributes of the user that is currently logged in.

Accounts

An Account is an account inside a mobile app for a specific user at a specific server. Each account has its own public/private key pairs (these are not shared, even with other accounts of the same user). Within the same app, there might be multiple accounts, corresponding to different users, potentially on different servers. On the server side, there might be multiple accounts which correspond to the same mobile device.

nextAuth mobile SDK