Authorization URL to initiate SSO

Learn how to construct and implement authorization URLs in Scalekit to initiate secure Single Sign-on (SSO) flows with your identity provider.

The authorization endpoint is where your application redirects users to begin the authentication process. Scalekit powers this endpoint and handles redirecting users to the appropriate identity provider.

Example authorization URL
https://SCALEKIT_ENVIRONMENT_URL/oauth/authorize?
response_type=code&
client_id=skc_1234&
scope=openid%20profile&
redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback&
organization_id=org_1243412&
state=aHR0cHM6Ly95b3Vyc2Fhcy5jb20vZGVlcGxpbms%3D
| Parameter | Requirement | Description |
| --- | --- | --- |
| client_id | Required | Your unique client identifier from the API credentials page |
| nonce | Optional | Random value for replay protection |
| organization_id | Required* | Identifier for the organization initiating SSO |
| connection_id | Required* | Identifier for the specific SSO connection |
| domain | Required* | Domain portion of email addresses configured for an organization |
| provider | Required* | Social login provider name. Supported providers: google, microsoft, github, gitlab, linkedin, salesforce |
| response_type | Required | Must be set to code |
| redirect_uri | Required | URL where Scalekit sends the response. Must match an authorized redirect URI |
| scope | Required | Must be set to openid email profile |
| state | Optional | Opaque string for request-response correlation |
| login_hint | Optional | User's email address for prefilling the login form |

* You must provide one of organization_id, connection_id, domain, or provider.

If you identify the SSO connection using domain or login_hint, the domain must be registered to the organization. Register domains in Dashboard > Organizations > General, or let customers add them via the admin portal. See Onboard enterprise customers.

Use Scalekit SDKs to generate authorization URLs programmatically. This approach handles parameter encoding and validation automatically.

```javascript
import { ScalekitClient } from '@scalekit-sdk/node';

// Initialize the client with your environment URL and API credentials.
const scalekit = new ScalekitClient(
  'https://your-subdomain.scalekit.dev',
  '<SCALEKIT_CLIENT_ID>',
  '<SCALEKIT_CLIENT_SECRET>'
);

// Must match an authorized redirect URI (value taken from the generated URL below).
const redirectUri = 'https://yoursaas.com/callback';

// Connection parameters that identify which SSO connection to use.
const options = {
  loginHint: 'user@example.com',
  organizationId: 'org_123235245',
};

const authorizationURL = scalekit.getAuthorizationUrl(redirectUri, options);
// Example generated URL:
// https://your-subdomain.scalekit.dev/oauth/authorize?response_type=code&client_id=skc_1234&scope=openid%20profile&redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback&organization_id=org_123235245&login_hint=user%40example.com&state=abc123
```

When you provide multiple connection parameters, Scalekit follows a specific precedence order to determine which identity provider to use:

  1. provider (highest precedence): If present, Scalekit ignores all other connection parameters and directs users to the specified social login provider. For example, provider=google redirects users to Google’s login screen. See Social Login for more details.

  2. connection_id: Takes highest precedence among enterprise SSO parameters. Scalekit uses this specific connection if you provide a valid connection ID. If the connection ID is invalid, the authorization request fails.

  3. organization_id: Scalekit uses this parameter when no valid connection_id is provided. It selects the SSO connection configured for the specified organization.

  4. domain: Scalekit uses this parameter when neither connection_id nor organization_id is provided. It selects the SSO connection configured for the specified domain.

  5. login_hint (lowest precedence): Scalekit extracts the domain portion from the email address and uses the corresponding SSO connection mapped to that organization. The domain must be registered to the organization either manually from the Scalekit Dashboard or through the admin portal when onboarding an enterprise customer.
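
The precedence order above, modelled client-side as an added example (not Scalekit SDK code): `resolveSelector` and `buildAuthorizationUrl` are hypothetical helpers that report which connection parameter decides the identity provider and which ones are ignored for routing, so a request that mixes selectors is caught before the redirect. The sketch assumes login_hint counts as a selector because the precedence list names it; the sample values are constructed.

```javascript
// Connection selectors in the documented order, highest precedence first.
const SELECTOR_PRECEDENCE = [
  'provider', 'connection_id', 'organization_id', 'domain', 'login_hint',
];

// Report which selector the documented order picks and which are ignored for routing.
function resolveSelector(params) {
  const present = SELECTOR_PRECEDENCE.filter((name) => Boolean(params[name]));
  if (present.length === 0) {
    throw new Error('no connection selector present in the request');
  }
  return { effective: present[0], ignoredForRouting: present.slice(1) };
}

// Build the authorization URL by hand, rejecting requests the parameter table rules out.
function buildAuthorizationUrl(environmentUrl, params) {
  for (const name of ['client_id', 'redirect_uri']) {
    if (!params[name]) throw new Error(`missing required parameter: ${name}`);
  }
  const selection = resolveSelector(params);
  const url = new URL('/oauth/authorize', environmentUrl);
  url.searchParams.set('response_type', 'code');        // table: must be "code"
  url.searchParams.set('scope', 'openid email profile'); // table: required scope value
  for (const [name, value] of Object.entries(params)) {
    if (value) url.searchParams.set(name, value);        // percent-encoding handled by URL
  }
  return { url: url.toString(), ...selection };
}

// Constructed sample: login_hint is present, but organization_id decides the connection.
const sample = buildAuthorizationUrl('https://your-subdomain.scalekit.dev', {
  client_id: 'skc_1234',
  redirect_uri: 'https://yoursaas.com/callback',
  organization_id: 'org_123235245',
  login_hint: 'user@example.com',
});
console.log(sample.effective, sample.ignoredForRouting, sample.url);
```

A non-empty `ignoredForRouting` is worth logging or rejecting in code that assembles these parameters from more than one source, since the extra selectors have no effect on which identity provider is chosen.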