Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

scalekit-inc/implementing-fsa-logout

Name: implementing-fsa-logout
Author: scalekit-inc

plugins/full-stack-auth/skills/implement-logout/SKILL.md

npx skillsauth add scalekit-inc/claude-code-authstack implementing-fsa-logout

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Implementing logout (Scalekit FSA)

Goal

Implement a single /logout endpoint that:

Clears the application session layer (your cookies/tokens).
Invalidates the Scalekit session layer by redirecting the browser to Scalekit’s OIDC logout endpoint.
Returns the user to a safe, allowlisted post-logout redirect URL.

Key constraints (must follow)

The Scalekit logout call MUST be a browser redirect (top-level navigation), not a fetch/XHR from frontend and not a server-to-server API call.
The ID token (often idToken) MUST be read BEFORE clearing cookies, because it is used as id_token_hint.
The post_logout_redirect_uri MUST be allowlisted in Scalekit Dashboard (Post Logout URLs).

Inputs to collect from the user/project

Ask for (or infer from the codebase):

Tech stack: Express/Fastify/Next.js (Node), Flask/Django (Python), Gin/Fiber (Go), Spring Boot (Java), etc.
Where tokens are stored: cookie names (default examples: accessToken, refreshToken, idToken) and cookie attributes (Path, Domain, SameSite).
The post-logout landing URL (example: http://localhost:3000/login or your production login page).
Scalekit configuration: base URL / environment, and whether the project uses a Scalekit SDK helper like getLogoutUrl(...).

Recommended implementation (workflow)

Locate the current auth/session code:

Find where access/refresh/ID tokens are set.
Note cookie names, paths, domains, and SameSite settings (you must match these when clearing).

Add a GET /logout route:

Extract idToken (or equivalent) from cookies/session storage.
Compute postLogoutRedirectUri.
Build the Scalekit logout URL pointing at /oidc/logout, preferably using the Scalekit SDK helper if present.
Clear session cookies (access/refresh/id), preserving the correct Path/Domain so deletion actually works.
Redirect (302) the browser to the Scalekit logout URL.

Configure Scalekit Dashboard allowlist:

Verify and iterate:

In DevTools → Network, clicking logout should show a document navigation to Scalekit (not XHR/fetch).
Confirm the request includes the Scalekit session cookie automatically.
After redirecting back, logging in should not silently reuse the application cookies you intended to clear.

Reference behavior (pseudocode)

Read id_token_hint from cookie/session.
logoutUrl = scalekit.getLogoutUrl(id_token_hint, post_logout_redirect_uri)
Clear cookies (access/refresh/id).
302 -> logoutUrl

Implementation templates

Node.js (Express)

app.get('/logout', (req, res) => {
  const idTokenHint = req.cookies?.idToken; // read BEFORE clearing
  const postLogoutRedirectUri = process.env.POST_LOGOUT_REDIRECT_URI ?? 'http://localhost:3000/login';

  // Prefer SDK helper if available in your project
  const logoutUrl = scalekit.getLogoutUrl(idTokenHint, postLogoutRedirectUri);

  // Clear cookies (match Path/Domain/SameSite used when setting them)
  res.clearCookie('accessToken', { path: '/' });
  res.clearCookie('refreshToken', { path: '/' });
  res.clearCookie('idToken', { path: '/' });

  return res.redirect(logoutUrl);
});

Python (Flask)

from flask import request, redirect, make_response

@app.get("/logout")
def logout():
    id_token = request.cookies.get("idToken")  # read BEFORE clearing
    post_logout_redirect_uri = os.getenv("POST_LOGOUT_REDIRECT_URI", "http://localhost:3000/login")

    logout_url = scalekit_client.get_logout_url(
        id_token_hint=id_token,
        post_logout_redirect_uri=post_logout_redirect_uri
    )

    resp = make_response(redirect(logout_url))
    resp.set_cookie("accessToken", "", max_age=0, path="/")
    resp.set_cookie("refreshToken", "", max_age=0, path="/")
    resp.set_cookie("idToken", "", max_age=0, path="/")
    return resp

Go (Gin)

func LogoutHandler(c *gin.Context) {
  idToken, _ := c.Cookie("idToken") // read BEFORE clearing
  postLogoutRedirectURI := os.Getenv("POST_LOGOUT_REDIRECT_URI")
  if postLogoutRedirectURI == "" {
    postLogoutRedirectURI = "http://localhost:3000/login"
  }

  logoutURL, err := scalekit.GetLogoutUrl(scalekit.LogoutUrlOptions{
    IdTokenHint: idToken,
    PostLogoutRedirectUri: postLogoutRedirectURI,
  })
  if err != nil {
    c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
    return
  }

  // Clear cookies (match original attributes)
  c.SetCookie("accessToken", "", -1, "/", "", true, true)
  c.SetCookie("refreshToken", "", -1, "/", "", true, true)
  c.SetCookie("idToken", "", -1, "/", "", true, true)

  c.Redirect(http.StatusFound, logoutURL.String())
}

Java (Spring Boot)

@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
  String idToken = null;
  if (request.getCookies() != null) {
    for (Cookie c : request.getCookies()) {
      if ("idToken".equals(c.getName())) {
        idToken = c.getValue();
        break;
      }
    }
  }

  String postLogoutRedirectUri = System.getenv().getOrDefault(
    "POST_LOGOUT_REDIRECT_URI",
    "http://localhost:3000/login"
  );

  URL logoutUrl = scalekitClient.authentication().getLogoutUrl(
    idToken,
    postLogoutRedirectUri
  );

  // Clear cookies (ensure Path/Domain match your app cookies)
  Cookie access = new Cookie("accessToken", "");
  access.setMaxAge(0);
  access.setPath("/");
  access.setHttpOnly(true);
  access.setSecure(true);
  response.addCookie(access);

  Cookie refresh = new Cookie("refreshToken", "");
  refresh.setMaxAge(0);
  refresh.setPath("/");
  refresh.setHttpOnly(true);
  refresh.setSecure(true);
  response.addCookie(refresh);

  Cookie id = new Cookie("idToken", "");
  id.setMaxAge(0);
  id.setPath("/");
  id.setHttpOnly(true);
  id.setSecure(true);
  response.addCookie(id);

  response.sendRedirect(logoutUrl.toString());
}

Logout security checklist (copy/paste)

Extract ID token BEFORE clearing cookies.
Clear all application session cookies (access/refresh/id).
Redirect browser (302) to Scalekit /oidc/logout via the generated logout URL.
Ensure post_logout_redirect_uri is allowlisted in Scalekit dashboard.
Validate logout is a document navigation (not XHR/fetch) and cookies are actually removed.

Common failure modes (what to check)

“Logout doesn’t really log out”: cookie deletion mismatches Path/Domain/SameSite; clear cookies with the same attributes used when setting them.
“Login immediately succeeds after logout”: identity provider session may still be active; this is expected for SSO providers, but your app cookies should still be cleared.
“Scalekit logout doesn’t take effect”: logout was done via API call rather than browser redirect; use a redirect so the Scalekit session cookie is included automatically.
“Redirect rejected”: post_logout_redirect_uri is not allowlisted in Scalekit dashboard.

Output expectations when using this skill

When asked to implement logout in a real repo, the assistant should:

Identify the correct cookie names and where they are set.
Implement /logout with the correct sequence (read id token → build logout URL → clear cookies → redirect).
Provide a brief test plan and the exact dashboard value to allowlist for post-logout redirect.

scalekit-inc/implementing-fsa-logout

plugins/full-stack-auth/skills/implement-logout/SKILL.md

Implements a complete logout flow for Scalekit FSA integrations by clearing application session cookies and redirecting the browser to Scalekit’s /oidc/logout endpoint to invalidate the Scalekit session. Use when adding or fixing logout in Node.js, Python, Go, or Java web apps that use Scalekit OIDC.

development

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add scalekit-inc/claude-code-authstack implementing-fsa-logout

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:39 AM6.7s1 file scanned

SKILL.md

name:: implementing-fsa-logout
description:: Implements a complete logout flow for Scalekit FSA integrations by clearing application session cookies and redirecting the browser to Scalekit’s /oidc/logout endpoint to invalidate the Scalekit session. Use when adding or fixing logout in Node.js, Python, Go, or Java web apps that use Scalekit OIDC.

Implementing logout (Scalekit FSA)

Goal

Implement a single /logout endpoint that:

Clears the application session layer (your cookies/tokens).
Invalidates the Scalekit session layer by redirecting the browser to Scalekit’s OIDC logout endpoint.
Returns the user to a safe, allowlisted post-logout redirect URL.

Key constraints (must follow)

The Scalekit logout call MUST be a browser redirect (top-level navigation), not a fetch/XHR from frontend and not a server-to-server API call.
The ID token (often idToken) MUST be read BEFORE clearing cookies, because it is used as id_token_hint.
The post_logout_redirect_uri MUST be allowlisted in Scalekit Dashboard (Post Logout URLs).

Inputs to collect from the user/project

Ask for (or infer from the codebase):

Tech stack: Express/Fastify/Next.js (Node), Flask/Django (Python), Gin/Fiber (Go), Spring Boot (Java), etc.
Where tokens are stored: cookie names (default examples: accessToken, refreshToken, idToken) and cookie attributes (Path, Domain, SameSite).
The post-logout landing URL (example: http://localhost:3000/login or your production login page).
Scalekit configuration: base URL / environment, and whether the project uses a Scalekit SDK helper like getLogoutUrl(...).

Recommended implementation (workflow)

Locate the current auth/session code:

Find where access/refresh/ID tokens are set.
Note cookie names, paths, domains, and SameSite settings (you must match these when clearing).

Add a GET /logout route:

Extract idToken (or equivalent) from cookies/session storage.
Compute postLogoutRedirectUri.
Build the Scalekit logout URL pointing at /oidc/logout, preferably using the Scalekit SDK helper if present.
Clear session cookies (access/refresh/id), preserving the correct Path/Domain so deletion actually works.
Redirect (302) the browser to the Scalekit logout URL.

Configure Scalekit Dashboard allowlist:

Verify and iterate:

In DevTools → Network, clicking logout should show a document navigation to Scalekit (not XHR/fetch).
Confirm the request includes the Scalekit session cookie automatically.
After redirecting back, logging in should not silently reuse the application cookies you intended to clear.

Reference behavior (pseudocode)

Read id_token_hint from cookie/session.
logoutUrl = scalekit.getLogoutUrl(id_token_hint, post_logout_redirect_uri)
Clear cookies (access/refresh/id).
302 -> logoutUrl

Implementation templates

Node.js (Express)

app.get('/logout', (req, res) => {
  const idTokenHint = req.cookies?.idToken; // read BEFORE clearing
  const postLogoutRedirectUri = process.env.POST_LOGOUT_REDIRECT_URI ?? 'http://localhost:3000/login';

  // Prefer SDK helper if available in your project
  const logoutUrl = scalekit.getLogoutUrl(idTokenHint, postLogoutRedirectUri);

  // Clear cookies (match Path/Domain/SameSite used when setting them)
  res.clearCookie('accessToken', { path: '/' });
  res.clearCookie('refreshToken', { path: '/' });
  res.clearCookie('idToken', { path: '/' });

  return res.redirect(logoutUrl);
});

Python (Flask)

from flask import request, redirect, make_response

@app.get("/logout")
def logout():
    id_token = request.cookies.get("idToken")  # read BEFORE clearing
    post_logout_redirect_uri = os.getenv("POST_LOGOUT_REDIRECT_URI", "http://localhost:3000/login")

    logout_url = scalekit_client.get_logout_url(
        id_token_hint=id_token,
        post_logout_redirect_uri=post_logout_redirect_uri
    )

    resp = make_response(redirect(logout_url))
    resp.set_cookie("accessToken", "", max_age=0, path="/")
    resp.set_cookie("refreshToken", "", max_age=0, path="/")
    resp.set_cookie("idToken", "", max_age=0, path="/")
    return resp

Go (Gin)

func LogoutHandler(c *gin.Context) {
  idToken, _ := c.Cookie("idToken") // read BEFORE clearing
  postLogoutRedirectURI := os.Getenv("POST_LOGOUT_REDIRECT_URI")
  if postLogoutRedirectURI == "" {
    postLogoutRedirectURI = "http://localhost:3000/login"
  }

  logoutURL, err := scalekit.GetLogoutUrl(scalekit.LogoutUrlOptions{
    IdTokenHint: idToken,
    PostLogoutRedirectUri: postLogoutRedirectURI,
  })
  if err != nil {
    c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
    return
  }

  // Clear cookies (match original attributes)
  c.SetCookie("accessToken", "", -1, "/", "", true, true)
  c.SetCookie("refreshToken", "", -1, "/", "", true, true)
  c.SetCookie("idToken", "", -1, "/", "", true, true)

  c.Redirect(http.StatusFound, logoutURL.String())
}

Java (Spring Boot)

@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
  String idToken = null;
  if (request.getCookies() != null) {
    for (Cookie c : request.getCookies()) {
      if ("idToken".equals(c.getName())) {
        idToken = c.getValue();
        break;
      }
    }
  }

  String postLogoutRedirectUri = System.getenv().getOrDefault(
    "POST_LOGOUT_REDIRECT_URI",
    "http://localhost:3000/login"
  );

  URL logoutUrl = scalekitClient.authentication().getLogoutUrl(
    idToken,
    postLogoutRedirectUri
  );

  // Clear cookies (ensure Path/Domain match your app cookies)
  Cookie access = new Cookie("accessToken", "");
  access.setMaxAge(0);
  access.setPath("/");
  access.setHttpOnly(true);
  access.setSecure(true);
  response.addCookie(access);

  Cookie refresh = new Cookie("refreshToken", "");
  refresh.setMaxAge(0);
  refresh.setPath("/");
  refresh.setHttpOnly(true);
  refresh.setSecure(true);
  response.addCookie(refresh);

  Cookie id = new Cookie("idToken", "");
  id.setMaxAge(0);
  id.setPath("/");
  id.setHttpOnly(true);
  id.setSecure(true);
  response.addCookie(id);

  response.sendRedirect(logoutUrl.toString());
}

Logout security checklist (copy/paste)

Extract ID token BEFORE clearing cookies.
Clear all application session cookies (access/refresh/id).
Redirect browser (302) to Scalekit /oidc/logout via the generated logout URL.
Ensure post_logout_redirect_uri is allowlisted in Scalekit dashboard.
Validate logout is a document navigation (not XHR/fetch) and cookies are actually removed.

Common failure modes (what to check)

“Logout doesn’t really log out”: cookie deletion mismatches Path/Domain/SameSite; clear cookies with the same attributes used when setting them.
“Login immediately succeeds after logout”: identity provider session may still be active; this is expected for SSO providers, but your app cookies should still be cleared.
“Scalekit logout doesn’t take effect”: logout was done via API call rather than browser redirect; use a redirect so the Scalekit session cookie is included automatically.
“Redirect rejected”: post_logout_redirect_uri is not allowlisted in Scalekit dashboard.

Output expectations when using this skill

When asked to implement logout in a real repo, the assistant should:

Identify the correct cookie names and where they are set.
Implement /logout with the correct sequence (read id token → build logout URL → clear cookies → redirect).
Provide a brief test plan and the exact dashboard value to allowlist for post-logout redirect.

Related Skills

scalekit-inc/production-readiness-scalekit

development

VerifiedTrustedCommunity

Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.

SKILL.mdUpdated May 1, 2026

scalekit-inc/production-readiness-scalekit

scalekit-inc/modular-sso

data-ai

VerifiedTrustedCommunity

Implements complete SSO and authentication flows using Scalekit. Handles modular SSO, IdP-initiated login, user session management, and enterprise customer onboarding. Use when adding authentication, SSO, SAML, OIDC, or user login to applications.

SKILL.mdUpdated Apr 16, 2026

scalekit-inc/modular-sso

scalekit-inc/implementing-admin-portal

testing

VerifiedTrustedCommunity

Implements Scalekit's admin portal for customer self-serve SSO and SCIM configuration. Generates portal links server-side and embeds the portal as an iframe in the app's settings UI. Use when the user asks to add an admin portal, customer self-serve SSO setup, iframe embed for SSO config, shareable setup link, or let customers configure their own SSO or SCIM connection.

SKILL.mdUpdated Apr 16, 2026

scalekit-inc/implementing-admin-portal

scalekit-inc/production-readiness-scalekit

development

VerifiedTrustedCommunity

Walks through a structured production readiness checklist for Scalekit SCIM provisioning implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, or wants to verify their SCIM directory sync implementation is production-ready.

SKILL.mdUpdated Apr 16, 2026

scalekit-inc/production-readiness-scalekit

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/scalekit-inc/claude-code-authstack.git

# Copy into Claude Code skills folder (global)
cp -r claude-code-authstack/plugins/full-stack-auth/skills/implement-logout ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

scalekit-inc/claude-code-authstack

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT