
2 Common Terminology

Common Terminology is a list of terms, definitions, and classifications that apply across the entire GovStack specification ecosystem. Terms are capitalized when used in a formal or defined sense (for example, Building Block or Microservice). The same terms may also appear in lowercase without changing their meaning (for example, Microservice = microservice).

It is required that Building Block specifications do not overwrite and re-define any of the terminology listed here and use this terminology whenever it applies.

Building Block specifications may define their own terminology, applicable only within their specific scope. However, if a Building Block introduces terms that are relevant across multiple Building Blocks or GovStack in general, those terms should be defined in this common terminology document instead.

2.1 GovStack or digital government specific terminology

This is a list of terms that are either unique to GovStack or have been updated enough to be considered relevant in the GovStack context.

Adaptor

An optional component that maps an existing API to the GovStack specification by transforming URLs, payloads and data formats such as XML to JSON.

Autonomous (Building Block)

A component (or a building block) that can run independently, often consisting of multiple modules or microservices. An expected quality criterion for building blocks.

Building Block (BB)

Based on TOGAF: Building Block is "A package of functionality defined to meet business needs across an organization". A reusable software component that provides a basic digital service at scale. These components can be combined across multiple use cases, are interoperable and can evolve over time.

Building Block Emulator

A lightweight implementation used in a sandbox or demonstration environment to simulate the behaviour of a building block.

Building Block Specification

Technical specification for a GovStack building block.

Building Block Software

A software solution, distributed as open source code or as a deployable container, that is developed in compliance with the GovStack Specification.

Digital Public Good (DPG)

Openly available digital solutions that meet certain standards for openness, privacy and do‑no‑harm, intended to be used by governments and other organizations as shared public resources.

Digital Public Infrastructure (DPI)

In the GovStack context this term refers to shared digital systems and services used to deliver “best-of-breed digital government services” across sectors. A key goal is to build digital government services and Digital Public Infrastructure that improve efficiency and transparency, particularly in low‑resource settings.

Digital Service System (DPI)

A single-purpose digital system providing a government service, consisting of one or multiple Building Blocks. A technical system that supports and automates routines of a Service. It typically includes a service-specific application frontend and backend plus integrations with GovStack Building Blocks and external systems.

GDPR

Privacy requirements that grant individuals rights such as data deletion and require organizations to protect personal data.

GovStack

GovStack is a collaborative initiative that provides a reference architecture for digital government systems. It promotes a “whole‑of‑government” approach and offers a methodology for leveraging reusable technology components (“building blocks”) so that governments can create interoperable digital platforms to address high‑priority use cases.

Information Mediator (Building Block)

Component that securely connects applications across the internet and is essentially a data exchange platform used to connect building blocks when services are not co‑located.

Organisation

Entity (usually a government ministry or agency) that maintains applications or services for consumption by others.

Organisational Subsystem

A single-purpose system providing a digital government service, consisting of one or multiple applications, Building Blocks, microservices or other components.

Policy as Code

The practice of encoding policies and rules in machine‑readable formats so that they can be automatically enforced and audited.

Registration

The process of issuing any approval/license/certificate by a public entity as a result of a request/application/declaration made by a user of the public service. The result of a “registration” is usually a number and/or a document (called a certificate, license, permit, authorization, registration, clearance, approval, etc.).

Service

A value-delivering offering provided by an Organisation to Users or other organisations. A Service is defined by the outcome it provides, eligibility and obligations, policies and SLAs and the end-to-end process required to deliver it. A Service may be delivered through multiple channels (digital and non-digital) and is supported by one or more Digital Service Systems.

Standard for Public Code

A set of guidelines that encourage clear documentation, reusable code, open standards, version control and welcoming contributions.

Workflow (Building Block)

A component that manages complex transactions involving multiple building blocks, including retries and rollbacks.

2.2 General IT terminology used in GovStack

These are general IT terms that are used within GovStack, some with explanations taking into account the GovStack context.

Ansible

An open source automation tool used for configuration management, application deployment and orchestration of IT infrastructure.

API (Application Programming Interface)

Interface through which Building Blocks expose REST services defined using OpenAPI.

API Gateway

A single entry point through which clients and applications access the services of GovStack building blocks.

Authentication

This is the technical process of establishing that the credentials (e.g. username, password, biometric) provided by a party (user, system or other) are valid and that the party can be granted basic access to system resources with default access rights. Note that authorization must also be applied before a party can access protected resources.

Authorization

This is the technical process of establishing whether or not an authenticated party has rights to access a given protected resource. Access rights can typically be granted or revoked administratively on a read-only and/or read-write and/or execute basis through an administrative provisioning process. Permissions or rights defined for a party typically manifest in an access token that is granted at the time of authentication for the party. Hence the processes of authentication and authorization are intrinsically related.

Asynchronous Design / Publish‑Subscribe

A design approach where building blocks communicate using asynchronous messages, often through a publish/subscribe pattern, to accommodate low‑bandwidth or intermittent connections.

Central Operator

An organization responsible for operating the GovStack ecosystem, onboarding members and managing policies.

Certificate Authority & Time‑Stamping Authority

Entities that issue and revoke security certificates and provide secure time stamps on messages and logs.

Cloud‑Native

The ability of applications to be easily deployed and recovered, run as independent instances and support automated scaling and high availability.

Container

A lightweight, standalone package that includes everything needed to run software, such as code and dependencies, allowing building blocks to be deployed independently.

CI (Continuous Integration)

A development practice where code changes are automatically built and tested as soon as they are committed to a shared repository.

Cross‑Functional Requirements

Overarching requirements that apply to every GovStack project, covering development, deployment, architecture, quality, security and data considerations.

Cryptographic Algorithms

The algorithms used to protect data. Only modern, industry‑accepted algorithms should be used.

CSV

A simple tabular data format where each line represents a record and fields within a record are separated by commas, commonly used for spreadsheets and data export.

Docker / OCI Containers

Tools that package and orchestrate software and its dependencies in lightweight containers. Dockerfile is a text file with instructions for building a Docker container image, specifying the base image, dependencies and commands to run.

Domain Driven Design (DDD)

Approaches that organize software into small, domain‑focused services or modules, encouraging loosely coupled interactions.

EOL (End of Life)

The point at which a language, framework or dependency is no longer supported. Components used in GovStack should not be near their end of life.

GraphQL

A query language and runtime for APIs that allows clients to request only the data they need in a single request, serving as an alternative to REST.

HTML5 & CSS3

Web standards for structuring and styling user interfaces. User interfaces should comply with these standards.

HTTPS & TLS 1.3 (Transport Security)

The use of HTTPS with modern TLS protocols, such as TLS 1.3, to secure communication between clients and servers.

Idempotent APIs

APIs where repeated calls with the same parameters produce the same result. GET and PUT methods should be idempotent, whereas POST and DELETE methods are not.

Identity Provider / Authorization Server / Resource Server

Roles in an authentication system: the identity provider authenticates users and issues tokens, the authorization server handles token management, and the resource server hosts protected resources.

IEEE Spectrum Programming Language Rankings

Annual rankings published by IEEE Spectrum that evaluate programming languages using factors such as job postings, open source activity and academic research.

Iframe

An HTML element that embeds one web page within another, used in GovStack for secure UI handoff between applications.

ISO8601 / UTC Timestamps

A standard for representing dates and times in a consistent and unambiguous format, using Coordinated Universal Time.

I/O Sanitization

The practice of validating and cleaning all inputs and outputs to prevent injection attacks or data corruption.

JSON

A lightweight text‑based format for structuring data, often used to transmit information between web services and applications.

JWT (JSON Web Token) / Token‑Based Authentication

A method of authentication where applications exchange signed tokens that contain the claims needed to verify identity or authorization.

Key Rotation Policy

A plan for regularly changing security keys to minimize the risk of compromise.

Kubernetes and Docker

Container orchestration tools used to deploy and manage multiple containers that compose a building block or set of blocks. Docker is a platform that packages an application and its dependencies into a lightweight container that runs consistently across environments.

Logging

The process of recording system events and errors to support troubleshooting and auditing. Logs may be written to standard output or sent to a log management system.

Microservice

A fine‑grained, loosely coupled and autonomous service within an application.

Pubsub (Publish/Subscribe)

A messaging pattern where senders (publishers) emit messages to a topic and receivers (subscribers) receive messages by subscribing to that topic, enabling asynchronous communication.

OAuth 2.0

An authorization framework that enables users to grant applications access to resources without sharing credentials.

OCI (Open Container Initiative)

An industry consortium that defines open standards for container formats and runtimes, ensuring portability across platforms.

OCSP (Online Certificate Status Protocol)

An Internet protocol used to check the validity of digital certificates in real time, allowing systems to determine if a certificate has been revoked.

OpenAPI

A standardized format for defining and documenting APIs, commonly used in version 3.x to describe GovStack service APIs.

OpenID Connect & Single Sign‑On

An authentication protocol that allows a user to log in once and access multiple applications, using tokens from an identity provider.

QR Code

A two‑dimensional barcode that must conform to the ISO/IEC 18004:2015 standard.

REST (API)

An architectural style that uses standard HTTP methods and resource identifiers for APIs. A type of API that follows guidelines that cover safe API design practices such as keeping personal data out of URLs, supporting caching, identifying resources via URIs and creating self‑describing messages.

Secure Proxy

An intermediary that manages authentication and authorization for embedded UI interactions, allowing the called application to focus on its core functionality.

Semantic Versioning (major.minor.patch)

A three‑part versioning scheme where a major version indicates breaking changes, a minor version adds new capabilities while remaining backward compatible, and a patch version corrects errors without changing behaviour.

Service Application Frontend/Backend

A domain‑dependent digital component consisting of a user interface for data entry and a backend that handles business logic, local data access and calls to building blocks.

Service Registry

A registry where building blocks register the services they provide and discover services offered by others.

SMTP (Simple Mail Transfer Protocol)

A standard protocol used for sending email messages between mail servers and from clients to servers.

Soft Delete

A database practice of marking records as deleted without physically removing them, unless a hard deletion is required by law.

Stateless

A system or API functionality criterion where each request contains all necessary information to complete the call, enabling independent handling and easier scaling.

TIOBE Index

A ranking of programming languages based on popularity and community activity, often used to gauge industry adoption.

Transaction/Trace/Correlation ID

An identifier included with each request and response that allows tracing a transaction across multiple services.

Unicode

A standard encoding for text characters that supports multiple languages and scripts.

Unique Identifier

A number assigned to each requirement that is never reused, even if the requirement becomes obsolete.

User

Individual accessing a specific application or set of services.

Version Control

The use of tools like Git to track changes in source code, with database schema changes managed via migration scripts.

WCAG 2.1 AA (Accessibility)

The requirement that applications meet the Web Content Accessibility Guidelines 2.1 at level AA, ensuring content is accessible to users with disabilities.

Webhooks

A mechanism for callbacks between building blocks, where a system sends a request to a predefined URL when an event occurs.

XML

A markup language that uses tags to structure data hierarchically, suitable for document and data interchange across different systems.
