Skip to content
Scalekit Docs
Talk to an Engineer Dashboard

Initiate user login

Create authorization URLs and redirect users to Scalekit's hosted login page

Login initiation begins your authentication flow. You redirect users to Scalekit’s hosted login page by creating an authorization URL with appropriate parameters.When users visit this URL, Scalekit’s authorization server validates the request, displays the login interface, and handles authentication through your configured connection methods (SSO, social providers, Magic Link or Email OTP

Authorization URL format
<SCALEKIT_ENVIRONMENT_URL>/oauth/authorize?
  response_type=code& # always `code` for authorization code flow
  client_id=<SCALEKIT_CLIENT_ID>& # Dashboard > Developers > Settings > API Credentials
  redirect_uri=<CALLBACK_URL>& # Dashboard > Authentication > Redirect URLs > Allowed Callback URLs
  scope=openid+profile+email+offline_access& # Permissions requested. Include `offline_access` for refresh tokens
  state=<RANDOM_STATE> # prevent CSRF attacks

The authorization request includes several parameters that control authentication behavior:

  • Required parameters ensure Scalekit can identify your application and return the user securely
  • Optional parameters enable organization routing and pre-populate fields
  • Security parameters prevent unauthorized access attempts

Query parameters

Section titled “Query parameters”

Understand each parameter and how it controls the authorization flow:

ParameterRequiredDescription
response_typeYesSet to code for authorization code flow. Indicates the expected response type.
client_idYesYour application’s public identifier from the dashboard. Scalekit uses this to identify and validate your application.
redirect_uriYesYour application’s callback URL where Scalekit returns the authorization code. Must be registered in your dashboard settings.
scopeYesSpace-separated list of permissions. Always include openid profile email. Add offline_access to request refresh tokens for extended sessions.
stateRecommendedRandom string generated by your application. Scalekit returns this unchanged. Use it to prevent CSRF attacks and maintain request state.
promptRecommendedValue to control the authentication flow.
Use login to force re-authentication.
Use create to trigger sign up page
select_account to select an account if they have multiple accounts
organization_idOptionalRoute user to specific organization’s configured authentication method.
connection_idOptionalSkip organization selection and direct user to specific SSO connection.
login_hintOptionalPre-populate the email field with a hint. Useful for domain-based routing when combined with organization_id.

Set up login flow

Section titled “Set up login flow”

  1. Add state parameter recommended

    Section titled “Add state parameter ”

    Always generate a cryptographically secure random string for the state parameter and store it temporarily (session, local storage, cache, etc).

    This can be used to validate that the state value returned in the callback matches the original value you sent. This prevents CSRF (Cross-Site Request Forgery) attacks where an attacker tricks users into approving unauthorized authentication requests.

    Generate and store state
    // Generate secure random state
    const state = require('crypto').randomBytes(32).toString('hex');
    // Store it temporarily (session, local storage, cache, etc)
    sessionStorage.oauthState = state;

  2. Redirect to the authorization URL

    Section titled “Redirect to the authorization URL”

    Use the Scalekit SDK to generate the authorization URL. It doesn’t make any network requests; it simply returns the URL as a string. Your app can redirect the user to this URL.

    Express.js
    4 collapsed lines
    import { Scalekit } from '@scalekit-sdk/node';
    

    const scalekit = new Scalekit(/* your credentials */);
    

    // Basic authorization URL for general login
    const redirectUri = 'https://yourapp.com/auth/callback';
    const options = {
      scopes: ['openid', 'profile', 'email', 'offline_access'],
      state: sessionStorage.oauthState,
    };
    

    const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options);
    

    // Redirect user to Scalekit's hosted login page
    res.redirect(authorizationUrl);

After the user authenticates:

  1. Scalekit generates an authorization code
  2. Makes a callback to your registered allowed callback URL
  3. Your backend exchanges the code for tokens by making a server-to-server request

This approach keeps sensitive operations server-side and protects your application’s credentials.

Let’s take a look at how to complete the login in the next step.