The following are a list of terms used within this document.
Generally, this is a password. However, a user can authenticate him/herself in a variety of ways. Updating the user's authentication token thus corresponds to refreshing the object they use to authenticate themself with the system. The word password is avoided to keep open the possibility that the authentication involves a retinal scan or other non-textual mode of challenge/response.
Having successfully authenticated the user, PAM is able to establish certain characteristics/attributes of the user. These are termed credentials. Examples of which are group memberships to perform privileged tasks with, and tickets in the form of environment variables etc. . Some user-credentials, such as the user's UID and GID (plus default group memberships) are not deemed to be PAM-credentials. It is the responsibility of the application to grant these directly.