Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

scalekit-inc/implementing-fsa-logout

Name: implementing-fsa-logout
Author: scalekit-inc

skills/implementing-fsa-logout/SKILL.md

npx skillsauth add scalekit-inc/skills implementing-fsa-logout

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Implementing logout (Scalekit FSA)

Goal

Implement a single /logout endpoint that:

Clears the application session layer (your cookies/tokens).
Invalidates the Scalekit session layer by redirecting the browser to Scalekit’s OIDC logout endpoint.
Returns the user to a safe, allowlisted post-logout redirect URL.

Key constraints (must follow)

The Scalekit logout call MUST be a browser redirect (top-level navigation), not a fetch/XHR from frontend and not a server-to-server API call.
The ID token (often idToken) MUST be read BEFORE clearing cookies, because it is used as id_token_hint.
The post_logout_redirect_uri MUST be allowlisted in Scalekit Dashboard (Post Logout URLs).

Inputs to collect from the user/project

Ask for (or infer from the codebase):

Tech stack: Express/Fastify/Next.js (Node), Flask/Django (Python), Gin/Fiber (Go), Spring Boot (Java), etc.
Where tokens are stored: cookie names (default examples: accessToken, refreshToken, idToken) and cookie attributes (Path, Domain, SameSite).
The post-logout landing URL (example: http://localhost:3000/login or your production login page).
Scalekit configuration: base URL / environment, and whether the project uses a Scalekit SDK helper like getLogoutUrl(...).

Recommended implementation (workflow)

Locate the current auth/session code:

Find where access/refresh/ID tokens are set.
Note cookie names, paths, domains, and SameSite settings (you must match these when clearing).

Add a GET /logout route:

Extract idToken (or equivalent) from cookies/session storage.
Compute postLogoutRedirectUri.
Build the Scalekit logout URL pointing at /oidc/logout, preferably using the Scalekit SDK helper if present.
Clear session cookies (access/refresh/id), preserving the correct Path/Domain so deletion actually works.
Redirect (302) the browser to the Scalekit logout URL.

Configure Scalekit Dashboard allowlist:

Verify and iterate:

In DevTools → Network, clicking logout should show a document navigation to Scalekit (not XHR/fetch).
Confirm the request includes the Scalekit session cookie automatically.
After redirecting back, logging in should not silently reuse the application cookies you intended to clear.

Reference behavior (pseudocode)

Read id_token_hint from cookie/session.
logoutUrl = scalekit.getLogoutUrl(id_token_hint, post_logout_redirect_uri)
Clear cookies (access/refresh/id).
302 -> logoutUrl

Implementation templates

Node.js (Express)

app.get('/logout', (req, res) => {
  const idTokenHint = req.cookies?.idToken; // read BEFORE clearing
  const postLogoutRedirectUri = process.env.POST_LOGOUT_REDIRECT_URI ?? 'http://localhost:3000/login';

  // Prefer SDK helper if available in your project
  const logoutUrl = scalekit.getLogoutUrl(idTokenHint, postLogoutRedirectUri);

  // Clear cookies (match Path/Domain/SameSite used when setting them)
  res.clearCookie('accessToken', { path: '/' });
  res.clearCookie('refreshToken', { path: '/' });
  res.clearCookie('idToken', { path: '/' });

  return res.redirect(logoutUrl);
});

Python (Flask)

from flask import request, redirect, make_response

@app.get("/logout")
def logout():
    id_token = request.cookies.get("idToken")  # read BEFORE clearing
    post_logout_redirect_uri = os.getenv("POST_LOGOUT_REDIRECT_URI", "http://localhost:3000/login")

    logout_url = scalekit_client.get_logout_url(
        id_token_hint=id_token,
        post_logout_redirect_uri=post_logout_redirect_uri
    )

    resp = make_response(redirect(logout_url))
    resp.set_cookie("accessToken", "", max_age=0, path="/")
    resp.set_cookie("refreshToken", "", max_age=0, path="/")
    resp.set_cookie("idToken", "", max_age=0, path="/")
    return resp

Go (Gin)

func LogoutHandler(c *gin.Context) {
  idToken, _ := c.Cookie("idToken") // read BEFORE clearing
  postLogoutRedirectURI := os.Getenv("POST_LOGOUT_REDIRECT_URI")
  if postLogoutRedirectURI == "" {
    postLogoutRedirectURI = "http://localhost:3000/login"
  }

  logoutURL, err := scalekit.GetLogoutUrl(scalekit.LogoutUrlOptions{
    IdTokenHint: idToken,
    PostLogoutRedirectUri: postLogoutRedirectURI,
  })
  if err != nil {
    c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
    return
  }

  // Clear cookies (match original attributes)
  c.SetCookie("accessToken", "", -1, "/", "", true, true)
  c.SetCookie("refreshToken", "", -1, "/", "", true, true)
  c.SetCookie("idToken", "", -1, "/", "", true, true)

  c.Redirect(http.StatusFound, logoutURL.String())
}

Java (Spring Boot)

@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
  String idToken = null;
  if (request.getCookies() != null) {
    for (Cookie c : request.getCookies()) {
      if ("idToken".equals(c.getName())) {
        idToken = c.getValue();
        break;
      }
    }
  }

  String postLogoutRedirectUri = System.getenv().getOrDefault(
    "POST_LOGOUT_REDIRECT_URI",
    "http://localhost:3000/login"
  );

  URL logoutUrl = scalekitClient.authentication().getLogoutUrl(
    idToken,
    postLogoutRedirectUri
  );

  // Clear cookies (ensure Path/Domain match your app cookies)
  Cookie access = new Cookie("accessToken", "");
  access.setMaxAge(0);
  access.setPath("/");
  access.setHttpOnly(true);
  access.setSecure(true);
  response.addCookie(access);

  Cookie refresh = new Cookie("refreshToken", "");
  refresh.setMaxAge(0);
  refresh.setPath("/");
  refresh.setHttpOnly(true);
  refresh.setSecure(true);
  response.addCookie(refresh);

  Cookie id = new Cookie("idToken", "");
  id.setMaxAge(0);
  id.setPath("/");
  id.setHttpOnly(true);
  id.setSecure(true);
  response.addCookie(id);

  response.sendRedirect(logoutUrl.toString());
}

Logout security checklist (copy/paste)

Extract ID token BEFORE clearing cookies.
Clear all application session cookies (access/refresh/id).
Redirect browser (302) to Scalekit /oidc/logout via the generated logout URL.
Ensure post_logout_redirect_uri is allowlisted in Scalekit dashboard.
Validate logout is a document navigation (not XHR/fetch) and cookies are actually removed.

Common failure modes (what to check)

“Logout doesn’t really log out”: cookie deletion mismatches Path/Domain/SameSite; clear cookies with the same attributes used when setting them.
“Login immediately succeeds after logout”: identity provider session may still be active; this is expected for SSO providers, but your app cookies should still be cleared.
“Scalekit logout doesn’t take effect”: logout was done via API call rather than browser redirect; use a redirect so the Scalekit session cookie is included automatically.
“Redirect rejected”: post_logout_redirect_uri is not allowlisted in Scalekit dashboard.

Output expectations when using this skill

When asked to implement logout in a real repo, the assistant should:

Identify the correct cookie names and where they are set.
Implement /logout with the correct sequence (read id token → build logout URL → clear cookies → redirect).
Provide a brief test plan and the exact dashboard value to allowlist for post-logout redirect.

scalekit-inc/implementing-fsa-logout

skills/implementing-fsa-logout/SKILL.md

Implements a complete logout flow for Scalekit FSA integrations by clearing application session cookies and redirecting the browser to Scalekit’s /oidc/logout endpoint to invalidate the Scalekit session. Use when adding or fixing logout in Node.js, Python, Go, or Java web apps that use Scalekit OIDC.

2 stars

development

Updated May 22, 2026

$ install --global

skillsauth

npx skillsauth add scalekit-inc/skills implementing-fsa-logout

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:39 AM6.7s1 file scanned

SKILL.md

name:: implementing-fsa-logout
description:: Implements a complete logout flow for Scalekit FSA integrations by clearing application session cookies and redirecting the browser to Scalekit’s /oidc/logout endpoint to invalidate the Scalekit session. Use when adding or fixing logout in Node.js, Python, Go, or Java web apps that use Scalekit OIDC.

Implementing logout (Scalekit FSA)

Goal

Implement a single /logout endpoint that:

Clears the application session layer (your cookies/tokens).
Invalidates the Scalekit session layer by redirecting the browser to Scalekit’s OIDC logout endpoint.
Returns the user to a safe, allowlisted post-logout redirect URL.

Key constraints (must follow)

The Scalekit logout call MUST be a browser redirect (top-level navigation), not a fetch/XHR from frontend and not a server-to-server API call.
The ID token (often idToken) MUST be read BEFORE clearing cookies, because it is used as id_token_hint.
The post_logout_redirect_uri MUST be allowlisted in Scalekit Dashboard (Post Logout URLs).

Inputs to collect from the user/project

Ask for (or infer from the codebase):

Tech stack: Express/Fastify/Next.js (Node), Flask/Django (Python), Gin/Fiber (Go), Spring Boot (Java), etc.
Where tokens are stored: cookie names (default examples: accessToken, refreshToken, idToken) and cookie attributes (Path, Domain, SameSite).
The post-logout landing URL (example: http://localhost:3000/login or your production login page).
Scalekit configuration: base URL / environment, and whether the project uses a Scalekit SDK helper like getLogoutUrl(...).

Recommended implementation (workflow)

Locate the current auth/session code:

Find where access/refresh/ID tokens are set.
Note cookie names, paths, domains, and SameSite settings (you must match these when clearing).

Add a GET /logout route:

Extract idToken (or equivalent) from cookies/session storage.
Compute postLogoutRedirectUri.
Build the Scalekit logout URL pointing at /oidc/logout, preferably using the Scalekit SDK helper if present.
Clear session cookies (access/refresh/id), preserving the correct Path/Domain so deletion actually works.
Redirect (302) the browser to the Scalekit logout URL.

Configure Scalekit Dashboard allowlist:

Verify and iterate:

In DevTools → Network, clicking logout should show a document navigation to Scalekit (not XHR/fetch).
Confirm the request includes the Scalekit session cookie automatically.
After redirecting back, logging in should not silently reuse the application cookies you intended to clear.

Reference behavior (pseudocode)

Read id_token_hint from cookie/session.
logoutUrl = scalekit.getLogoutUrl(id_token_hint, post_logout_redirect_uri)
Clear cookies (access/refresh/id).
302 -> logoutUrl

Implementation templates

Node.js (Express)

app.get('/logout', (req, res) => {
  const idTokenHint = req.cookies?.idToken; // read BEFORE clearing
  const postLogoutRedirectUri = process.env.POST_LOGOUT_REDIRECT_URI ?? 'http://localhost:3000/login';

  // Prefer SDK helper if available in your project
  const logoutUrl = scalekit.getLogoutUrl(idTokenHint, postLogoutRedirectUri);

  // Clear cookies (match Path/Domain/SameSite used when setting them)
  res.clearCookie('accessToken', { path: '/' });
  res.clearCookie('refreshToken', { path: '/' });
  res.clearCookie('idToken', { path: '/' });

  return res.redirect(logoutUrl);
});

Python (Flask)

from flask import request, redirect, make_response

@app.get("/logout")
def logout():
    id_token = request.cookies.get("idToken")  # read BEFORE clearing
    post_logout_redirect_uri = os.getenv("POST_LOGOUT_REDIRECT_URI", "http://localhost:3000/login")

    logout_url = scalekit_client.get_logout_url(
        id_token_hint=id_token,
        post_logout_redirect_uri=post_logout_redirect_uri
    )

    resp = make_response(redirect(logout_url))
    resp.set_cookie("accessToken", "", max_age=0, path="/")
    resp.set_cookie("refreshToken", "", max_age=0, path="/")
    resp.set_cookie("idToken", "", max_age=0, path="/")
    return resp

Go (Gin)

func LogoutHandler(c *gin.Context) {
  idToken, _ := c.Cookie("idToken") // read BEFORE clearing
  postLogoutRedirectURI := os.Getenv("POST_LOGOUT_REDIRECT_URI")
  if postLogoutRedirectURI == "" {
    postLogoutRedirectURI = "http://localhost:3000/login"
  }

  logoutURL, err := scalekit.GetLogoutUrl(scalekit.LogoutUrlOptions{
    IdTokenHint: idToken,
    PostLogoutRedirectUri: postLogoutRedirectURI,
  })
  if err != nil {
    c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
    return
  }

  // Clear cookies (match original attributes)
  c.SetCookie("accessToken", "", -1, "/", "", true, true)
  c.SetCookie("refreshToken", "", -1, "/", "", true, true)
  c.SetCookie("idToken", "", -1, "/", "", true, true)

  c.Redirect(http.StatusFound, logoutURL.String())
}

Java (Spring Boot)

@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
  String idToken = null;
  if (request.getCookies() != null) {
    for (Cookie c : request.getCookies()) {
      if ("idToken".equals(c.getName())) {
        idToken = c.getValue();
        break;
      }
    }
  }

  String postLogoutRedirectUri = System.getenv().getOrDefault(
    "POST_LOGOUT_REDIRECT_URI",
    "http://localhost:3000/login"
  );

  URL logoutUrl = scalekitClient.authentication().getLogoutUrl(
    idToken,
    postLogoutRedirectUri
  );

  // Clear cookies (ensure Path/Domain match your app cookies)
  Cookie access = new Cookie("accessToken", "");
  access.setMaxAge(0);
  access.setPath("/");
  access.setHttpOnly(true);
  access.setSecure(true);
  response.addCookie(access);

  Cookie refresh = new Cookie("refreshToken", "");
  refresh.setMaxAge(0);
  refresh.setPath("/");
  refresh.setHttpOnly(true);
  refresh.setSecure(true);
  response.addCookie(refresh);

  Cookie id = new Cookie("idToken", "");
  id.setMaxAge(0);
  id.setPath("/");
  id.setHttpOnly(true);
  id.setSecure(true);
  response.addCookie(id);

  response.sendRedirect(logoutUrl.toString());
}

Logout security checklist (copy/paste)

Extract ID token BEFORE clearing cookies.
Clear all application session cookies (access/refresh/id).
Redirect browser (302) to Scalekit /oidc/logout via the generated logout URL.
Ensure post_logout_redirect_uri is allowlisted in Scalekit dashboard.
Validate logout is a document navigation (not XHR/fetch) and cookies are actually removed.

Common failure modes (what to check)

“Logout doesn’t really log out”: cookie deletion mismatches Path/Domain/SameSite; clear cookies with the same attributes used when setting them.
“Login immediately succeeds after logout”: identity provider session may still be active; this is expected for SSO providers, but your app cookies should still be cleared.
“Scalekit logout doesn’t take effect”: logout was done via API call rather than browser redirect; use a redirect so the Scalekit session cookie is included automatically.
“Redirect rejected”: post_logout_redirect_uri is not allowlisted in Scalekit dashboard.

Output expectations when using this skill

When asked to implement logout in a real repo, the assistant should:

Identify the correct cookie names and where they are set.
Implement /logout with the correct sequence (read id token → build logout URL → clear cookies → redirect).
Provide a brief test plan and the exact dashboard value to allowlist for post-logout redirect.

Related Skills

scalekit-inc/sk-actions-custom-provider

tools

VerifiedTrustedCommunity

Create or review Scalekit custom providers/connectors for proxy-only usage, including MCP providers. Use this skill when the task is to gather API docs, infer whether a connector is OAuth, Basic, Bearer, or API Key, determine if it is an MCP provider, determine required tracked fields like domain or version, generate provider JSON, check for existing custom providers, show update diffs, run approved create or update curls, and print resolved delete curls.

2SKILL.mdUpdated May 22, 2026

scalekit-inc/sk-actions-custom-provider

scalekit-inc/setup-scalekit

tools

VerifiedTrustedCommunity

Use when a developer is new to Scalekit and needs guidance on where to start, doesn't know which auth plugin or skill to choose, wants to connect an AI agent or agentic workflow to third-party services (Gmail, Slack, Notion, Google Calendar), needs OAuth or tool-calling auth for agents, wants to add authentication to a project but hasn't chosen an approach yet, or needs to install the Scalekit plugin for their AI coding tool (Claude Code, Codex, Copilot CLI, Cursor, or other agents).

2SKILL.mdUpdated May 22, 2026

scalekit-inc/setup-scalekit

scalekit-inc/scalekit-code-doctor

tools

VerifiedTrustedCommunity

Use when a user asks to generate, review, validate, or fix any code snippet that uses Scalekit APIs or SDKs. This skill is the single source of truth for Scalekit code correctness — it can generate illustration-quality snippets from scratch (for docs, websites, or integration guides) and review existing code to catch wrong method names, missing parameters, security anti-patterns, and broken auth flows. Covers all four SDKs (Node, Python, Go, Java), raw REST API calls, and both Scalekit product suites — SaaSKit (SSO, login, sessions, RBAC, SCIM) and AgentKit (connections, tool calling, MCP auth). Use when the user says review my Scalekit code, generate a Scalekit example, validate this auth flow, check my SDK usage, fix my Scalekit integration, write a code sample for docs, or anything involving Scalekit code quality.

2SKILL.mdUpdated May 22, 2026

scalekit-inc/scalekit-code-doctor

scalekit-inc/production-readiness-sso

development

VerifiedTrustedCommunity

Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.

2SKILL.mdUpdated May 22, 2026

scalekit-inc/production-readiness-sso

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/scalekit-inc/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/skills/implementing-fsa-logout ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

scalekit-inc/skills

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT