scalekit-inc/implementing-scalekit-fsa
skills/implementing-scalekit-fsa/SKILL.md
Implements Scalekit full-stack authentication (FSA) including sign-up, login, logout, and secure session management using JWT tokens. Use when building or integrating user authentication with the Scalekit SDK across Node.js, Python, Go, or Java — or when the user asks about auth flows, OAuth callbacks, token refresh, or session handling with Scalekit.
$ install --global
skillsauthnpx skillsauth add scalekit-inc/skills implementing-scalekit-fsaInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 3:39 AM12.5s1 file scanned
SKILL.md
- name:
- implementing-scalekit-fsa
- description:
- Implements Scalekit full-stack authentication (FSA) including sign-up, login, logout, and secure session management using JWT tokens. Use when building or integrating user authentication with the Scalekit SDK across Node.js, Python, Go, or Java — or when the user asks about auth flows, OAuth callbacks, token refresh, or session handling with Scalekit.
Scalekit Full-Stack Authentication
Setup
Install the SDK and set credentials in .env:
SCALEKIT_ENVIRONMENT_URL=<your-environment-url>
SCALEKIT_CLIENT_ID=<your-client-id>
SCALEKIT_CLIENT_SECRET=<your-client-secret>
Auth flow
1. Redirect to login
Generate an authorization URL and redirect the user:
// Node.js
const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, {
scopes: ['openid', 'profile', 'email', 'offline_access']
});
res.redirect(authorizationUrl);
redirectUrimust exactly match the allowed callback URL registered in the Scalekit dashboard.
2. Handle the callback
Exchange the authorization code for tokens:
// Node.js
const { user, idToken, accessToken, refreshToken } =
await scalekit.authenticateWithCode(code, redirectUri);
| Token | Purpose |
|---|---|
| idToken | Full user profile (sub, oid, email, name, exp) |
| accessToken | Roles + permissions; expires in 5 min (configurable) |
| refreshToken | Long-lived; use to renew access tokens |
3. Create the session
Store tokens in HttpOnly cookies:
// Node.js
res.cookie('accessToken', authResult.accessToken, {
maxAge: (authResult.expiresIn - 60) * 1000,
httpOnly: true, secure: true, path: '/api', sameSite: 'strict'
});
res.cookie('refreshToken', authResult.refreshToken, {
httpOnly: true, secure: true, path: '/auth/refresh', sameSite: 'strict'
});
Token validation middleware pattern:
- Read
accessTokencookie → decrypt →scalekit.validateAccessToken(token) - If invalid →
scalekit.refreshAccessToken(refreshToken)→ update cookies - If refresh fails → log out the user
4. Log out
Clear session data, then redirect to Scalekit's logout endpoint:
// Node.js
clearSessionData();
const logoutUrl = scalekit.getLogoutUrl(idTokenHint, postLogoutRedirectUri);
res.redirect(logoutUrl); // One-time use URL; expires after logout
Cross-language reference
All SDK methods follow the same pattern across languages with minor naming conventions:
| Operation | Node.js | Python | Go | Java |
|---|---|---|---|---|
| Auth URL | getAuthorizationUrl | get_authorization_url | GetAuthorizationUrl | getAuthorizationUrl |
| Exchange code | authenticateWithCode | authenticate_with_code | AuthenticateWithCode | authenticateWithCode |
| Validate token | validateAccessToken | validate_access_token | ValidateAccessToken | validateAccessToken |
| Refresh token | refreshAccessToken | refresh_access_token | RefreshAccessToken | refreshToken |
| Logout URL | getLogoutUrl | get_logout_url | GetLogoutUrl | getLogoutUrl |
What this unlocks
One integration enables: Magic Link & OTP, social sign-ins, enterprise SSO, workspaces, MCP authentication, SCIM provisioning, and user management.
Related Skills
scalekit-inc/sk-actions-custom-provider
tools
VerifiedTrustedCommunity
Create or review Scalekit custom providers/connectors for proxy-only usage, including MCP providers. Use this skill when the task is to gather API docs, infer whether a connector is OAuth, Basic, Bearer, or API Key, determine if it is an MCP provider, determine required tracked fields like domain or version, generate provider JSON, check for existing custom providers, show update diffs, run approved create or update curls, and print resolved delete curls.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/setup-scalekit
tools
VerifiedTrustedCommunity
Use when a developer is new to Scalekit and needs guidance on where to start, doesn't know which auth plugin or skill to choose, wants to connect an AI agent or agentic workflow to third-party services (Gmail, Slack, Notion, Google Calendar), needs OAuth or tool-calling auth for agents, wants to add authentication to a project but hasn't chosen an approach yet, or needs to install the Scalekit plugin for their AI coding tool (Claude Code, Codex, Copilot CLI, Cursor, or other agents).
2SKILL.mdUpdated May 22, 2026
scalekit-inc/scalekit-code-doctor
tools
VerifiedTrustedCommunity
Use when a user asks to generate, review, validate, or fix any code snippet that uses Scalekit APIs or SDKs. This skill is the single source of truth for Scalekit code correctness — it can generate illustration-quality snippets from scratch (for docs, websites, or integration guides) and review existing code to catch wrong method names, missing parameters, security anti-patterns, and broken auth flows. Covers all four SDKs (Node, Python, Go, Java), raw REST API calls, and both Scalekit product suites — SaaSKit (SSO, login, sessions, RBAC, SCIM) and AgentKit (connections, tool calling, MCP auth). Use when the user says review my Scalekit code, generate a Scalekit example, validate this auth flow, check my SDK usage, fix my Scalekit integration, write a code sample for docs, or anything involving Scalekit code quality.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/production-readiness-sso
development
VerifiedTrustedCommunity
Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.
2SKILL.mdUpdated May 22, 2026