scalekit-inc/migrating-to-scalekit-auth
plugins/full-stack-auth/skills/migrating-to-scalekit-auth/SKILL.md
Plans and executes a safe, incremental migration from any existing auth system to Scalekit's full-stack auth platform. Use when the user asks to migrate authentication, replace session middleware, import users/organizations to Scalekit, configure SSO, or set up SCIM provisioning with Scalekit.
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add scalekit-inc/claude-code-authstack migrating-to-scalekit-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 3:39 AM4.7s3 files scanned
SKILL.md
- name:
- migrating-to-scalekit-auth
- description:
- Plans and executes a safe, incremental migration from any existing auth system to Scalekit's full-stack auth platform. Use when the user asks to migrate authentication, replace session middleware, import users/organizations to Scalekit, configure SSO, or set up SCIM provisioning with Scalekit.
Scalekit Auth Migration Planner
Guides an incremental, reversible migration from an existing auth system to Scalekit. Follow these phases in order—do not skip phases.
Migration checklist
Copy and track progress:
Migration Progress:
- [ ] Phase 1: Audit and export existing auth data
- [ ] Phase 2: Import organizations and users into Scalekit
- [ ] Phase 3: Configure redirects and roles
- [ ] Phase 4: Update application code
- [ ] Phase 5: Deploy and monitor
Phase 1: Audit and export
Conduct a code audit covering:
- Sign-up/login flows, session middleware, token validation
- RBAC logic, email verification, logout/session termination
Export the following data:
- User records (email, name,
email_verified) - Org/tenant structure
- Role assignments and permissions
- SSO/IdP provider configs
Backup checklist before proceeding:
- [ ] Export a sample JWT or session cookie (understand current format)
- [ ] Set up a feature flag to roll back to old auth system
- [ ] Document rollback procedure
Minimum user schema:
| Field | Required |
|---|---|
| email | Required |
| first_name | Optional |
| last_name | Optional |
| email_verified | Optional (defaults false) |
See AUDIT-CHECKLIST.md for full code audit patterns.
Phase 2: Import organizations and users
external_id is critical—store original PKs here to preserve system-to-system mappings.
Step 1: Create organizations first
Node.js example:
const result = await scalekit.organization.createOrganization(
org.display_name,
{ externalId: org.external_id, metadata: org.metadata }
);
Step 2: Create users within organizations
const { user } = await scalekit.user.createUserAndMembership("org_scalekit_id", {
email: "[email protected]",
externalId: "usr_987",
userProfile: { firstName: "John", lastName: "Doe" },
});
Rules:
- Set
sendInvitationEmail: falseduring import to skip invite emails; membership auto-activates and email is marked verified - Batch imports in parallel; respect Scalekit rate limits
- Validate
external_idmappings match source data exactly
For language-specific samples (Python, Go, Java, cURL): See IMPORT-SAMPLES.md.
Phase 3: Configure redirects and roles
Redirects:
- Register callback URLs in Settings → Redirects in Scalekit dashboard
- Add post-logout URLs to control destination after logout
Roles:
- Define roles under User Management → Roles or via SDK
- During user import, include
rolesarray inside themembershipobject - Verify role claims are readable from the token after login
Phase 4: Update application code
Session middleware: Replace legacy JWT validation with Scalekit SDK or JWKS endpoint.
Verify:
- [ ] Access tokens accepted on all protected routes
- [ ] Refresh token renewal works seamlessly
- [ ]
rolesclaim from Scalekit tokens used for RBAC checks
Login page: Update logo, colors, copy, and legal links in Scalekit dashboard under Branding.
Secondary flows to update:
- Email verification prompt
- Logout redirect destination
Phase 5: Deploy and monitor
Pre-deployment:
- [ ] Test login with a subset of migrated users
- [ ] Verify session creation, validation, and expiry
- [ ] Confirm role-based access works end-to-end
Deployment sequence:
- Deploy updated application code
- Enable feature flag → route traffic to Scalekit
- Start at 5–10% of users; expand after stability confirmed
- Monitor auth success rates and error logs
- Keep rollback plan active for first 48 hours
Post-deployment monitoring:
- Auth error rates
- Session creation/validation metrics
- SSO connection health
- User-reported issues via support
Troubleshooting
| Symptom | Fix |
|---|---|
| Users can't log in | Verify callback URLs registered; check external_id mappings; ensure emails match exactly |
| Session validation fails | Switch JWT validation to Scalekit JWKS endpoint; verify token expiry/refresh logic |
| SSO not working | Confirm org has SSO enabled; verify IdP config; test IdP-initiated login |
Note: Password migration support is coming. If required, contact Scalekit's Solutions team.
Related Skills
scalekit-inc/production-readiness-scalekit
development
VerifiedTrustedCommunity
Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.
SKILL.mdUpdated May 1, 2026
scalekit-inc/modular-sso
data-ai
VerifiedTrustedCommunity
Implements complete SSO and authentication flows using Scalekit. Handles modular SSO, IdP-initiated login, user session management, and enterprise customer onboarding. Use when adding authentication, SSO, SAML, OIDC, or user login to applications.
SKILL.mdUpdated Apr 16, 2026
scalekit-inc/implementing-admin-portal
testing
VerifiedTrustedCommunity
Implements Scalekit's admin portal for customer self-serve SSO and SCIM configuration. Generates portal links server-side and embeds the portal as an iframe in the app's settings UI. Use when the user asks to add an admin portal, customer self-serve SSO setup, iframe embed for SSO config, shareable setup link, or let customers configure their own SSO or SCIM connection.
SKILL.mdUpdated Apr 16, 2026
scalekit-inc/production-readiness-scalekit
development
VerifiedTrustedCommunity
Walks through a structured production readiness checklist for Scalekit SCIM provisioning implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, or wants to verify their SCIM directory sync implementation is production-ready.
SKILL.mdUpdated Apr 16, 2026