Customize login flows

When you implement login, you generate an authorization URL that redirects users to a Scalekit-hosted login page. You can customize the user’s journey by passing different parameters when creating this URL.

This guide covers common scenarios like routing users to their organization’s identity provider or prompting for re-authentication.

Routing precedence

Scalekit applies connection selection in this order: connection_id → organizationId → loginHint (domain extraction). Prefer the highest confidence signal you have.

1. Route users to a specific organization

   For multi-tenant applications, you can route users directly to their organization’s authentication method using organizationId. This is useful when you already know the user’s organization.

   Node.js

   Express.js

   const orgId = getOrganizationFromRequest(req)
   const redirectUri = 'https://your-app.com/auth/callback'
   const options = {
     scopes: ['openid', 'profile', 'email', 'offline_access'],
     organizationId: orgId,
   }
   const url = scalekit.getAuthorizationUrl(redirectUri, options)
   return res.redirect(url)

   Python

   Flask

   from scalekit import AuthorizationUrlOptions
   
   org_id = get_org_from_request(request)
   redirect_uri = 'https://your-app.com/auth/callback'
   options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'], organization_id=org_id)
   url = scalekit_client.get_authorization_url(redirect_uri, options)
   return redirect(url)

   Go

   Gin

   orgID := getOrgFromRequest(c)
   redirectUri := "https://your-app.com/auth/callback"
   options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}, OrganizationId: orgID}
   url, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
   c.Redirect(http.StatusFound, url.String())

   Java

   Spring

   String orgId = getOrgFromRequest(request);
   String redirectUri = "https://your-app.com/auth/callback";
   AuthorizationUrlOptions options = new AuthorizationUrlOptions();
   options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
   options.setOrganizationId(orgId);
   URL url = scalekitClient.authentication().getAuthorizationUrl(redirectUri, options);
   return new RedirectView(url.toString());

2. Route users based on email domain

   If you don’t know the organization beforehand, you can use loginHint to let Scalekit determine the correct authentication method from the user’s email domain. This is common for enterprise logins where the email domain is associated with a specific SSO connection. The domain must be registered to the organization either manually from the Scalekit Dashboard or through the admin portal when onboarding an enterprise customer.

   Node.js

   Express.js

   const redirectUri = 'https://your-app.com/auth/callback'
   const options = { scopes: ['openid', 'profile', 'email', 'offline_access'], loginHint: userEmail }
   const url = scalekit.getAuthorizationUrl(redirectUri, options)
   return res.redirect(url)

   Python

   Flask

   redirect_uri = 'https://your-app.com/auth/callback'
   options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'], login_hint=user_email)
   url = scalekit_client.get_authorization_url(redirect_uri, options)
   return redirect(url)

   Go

   Gin

   redirectUri := "https://your-app.com/auth/callback"
   options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}, LoginHint: userEmail}
   url, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
   c.Redirect(http.StatusFound, url.String())

   Java

   Spring

   String redirectUri = "https://your-app.com/auth/callback";
   AuthorizationUrlOptions options = new AuthorizationUrlOptions();
   options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
   options.setLoginHint(userEmail);
   URL url = scalekitClient.authentication().getAuthorizationUrl(redirectUri, options);
   return new RedirectView(url.toString());

3. Route users to a specific SSO connection

   When you know the exact enterprise connection a user should use, you can pass its connectionId for the highest routing precision. This bypasses any other routing logic.

   Node.js

   Express.js

   const redirectUri = 'https://your-app.com/auth/callback'
   const options = { scopes: ['openid', 'profile', 'email', 'offline_access'], connectionId: 'conn_123...' }
   const url = scalekit.getAuthorizationUrl(redirectUri, options)
   return res.redirect(url)

   Python

   Flask

   redirect_uri = 'https://your-app.com/auth/callback'
   options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'], connection_id='conn_123...')
   url = scalekit_client.get_authorization_url(redirect_uri, options)
   return redirect(url)

   Go

   Gin

   redirectUri := "https://your-app.com/auth/callback"
   options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}, ConnectionId: "conn_123..."}
   url, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
   c.Redirect(http.StatusFound, url.String())

   Java

   Spring

   String redirectUri = "https://your-app.com/auth/callback";
   AuthorizationUrlOptions options = new AuthorizationUrlOptions();
   options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
   options.setConnectionId("conn_123...");
   URL url = scalekitClient.authentication().getAuthorizationUrl(redirectUri, options);
   return new RedirectView(url.toString());

4. Force users to re-authenticate

   You can require users to authenticate again, even if they have an active session, by setting prompt: 'login'. This is useful for high-security actions that require recent authentication.

   Node.js

   Express.js

   const redirectUri = 'https://your-app.com/auth/callback'
   const options = { scopes: ['openid', 'profile', 'email', 'offline_access'], prompt: 'login' }
   return res.redirect(scalekit.getAuthorizationUrl(redirectUri, options))

   Python

   Flask

   redirect_uri = 'https://your-app.com/auth/callback'
   options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'], prompt='login')
   return redirect(scalekit_client.get_authorization_url(redirect_uri, options))

   Go

   Gin

   redirectUri := "https://your-app.com/auth/callback"
   options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}, Prompt: "login"}
   url, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
   c.Redirect(http.StatusFound, url.String())

   Java

   Spring

   String redirectUri = "https://your-app.com/auth/callback";
   AuthorizationUrlOptions options = new AuthorizationUrlOptions();
   options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
   options.setPrompt("login");
   return new RedirectView(scalekitClient.authentication().getAuthorizationUrl(redirectUri, options).toString());

5. Let users choose an account or organization

   To show the organization or account chooser, set prompt: 'select_account'. This is helpful when a user is part of multiple organizations and needs to select which one to sign into.

   Node.js

   Express.js

   const redirectUri = 'https://your-app.com/auth/callback'
   const options = { scopes: ['openid', 'profile', 'email', 'offline_access'], prompt: 'select_account' }
   return res.redirect(scalekit.getAuthorizationUrl(redirectUri, options))

   Python

   Flask

   redirect_uri = 'https://your-app.com/auth/callback'
   options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'], prompt='select_account')
   return redirect(scalekit_client.get_authorization_url(redirect_uri, options))

   Go

   Gin

   redirectUri := "https://your-app.com/auth/callback"
   options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}, Prompt: "select_account"}
   url, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
   c.Redirect(http.StatusFound, url.String())

   Java

   Spring

   String redirectUri = "https://your-app.com/auth/callback";
   AuthorizationUrlOptions options = new AuthorizationUrlOptions();
   options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
   options.setPrompt("select_account");
   return new RedirectView(scalekitClient.authentication().getAuthorizationUrl(redirectUri, options).toString());

6. Send users directly to signup

   To send users directly to the signup form instead of the login page, use prompt: 'create'.

   Node.js

   Express.js

   const redirectUri = 'https://your-app.com/auth/callback'
   const options = { scopes: ['openid', 'profile', 'email', 'offline_access'], prompt: 'create' }
   return res.redirect(scalekit.getAuthorizationUrl(redirectUri, options))

   Python

   Flask

   redirect_uri = 'https://your-app.com/auth/callback'
   options = AuthorizationUrlOptions(scopes=['openid','profile','email','offline_access'], prompt='create')
   return redirect(scalekit_client.get_authorization_url(redirect_uri, options))

   Go

   Gin

   redirectUri := "https://your-app.com/auth/callback"
   options := scalekitClient.AuthorizationUrlOptions{Scopes: []string{"openid","profile","email","offline_access"}, Prompt: "create"}
   url, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
   c.Redirect(http.StatusFound, url.String())

   Java

   Spring

   String redirectUri = "https://your-app.com/auth/callback";
   AuthorizationUrlOptions options = new AuthorizationUrlOptions();
   options.setScopes(Arrays.asList("openid","profile","email","offline_access"));
   options.setPrompt("create");
   return new RedirectView(scalekitClient.authentication().getAuthorizationUrl(redirectUri, options).toString());

Always send state

Include a cryptographically strong state parameter and validate it on callback to prevent CSRF and session fixation attacks. See our guide on CSRF protection for details.