scalekit-inc/migrating-to-scalekit-auth
skills/migrating-to-scalekit-auth/SKILL.md
Plans and executes a safe, incremental migration from any existing auth system to Scalekit's full-stack auth platform. Use when the user asks to migrate authentication, replace session middleware, import users/organizations to Scalekit, configure SSO, or set up SCIM provisioning with Scalekit.
$ install --global
skillsauthnpx skillsauth add scalekit-inc/skills migrating-to-scalekit-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 3:39 AM4.7s3 files scanned
SKILL.md
- name:
- migrating-to-scalekit-auth
- description:
- Plans and executes a safe, incremental migration from any existing auth system to Scalekit's full-stack auth platform. Use when the user asks to migrate authentication, replace session middleware, import users/organizations to Scalekit, configure SSO, or set up SCIM provisioning with Scalekit.
Scalekit Auth Migration Planner
Guides an incremental, reversible migration from an existing auth system to Scalekit. Follow these phases in order—do not skip phases.
Migration checklist
Copy and track progress:
Migration Progress:
- [ ] Phase 1: Audit and export existing auth data
- [ ] Phase 2: Import organizations and users into Scalekit
- [ ] Phase 3: Configure redirects and roles
- [ ] Phase 4: Update application code
- [ ] Phase 5: Deploy and monitor
Phase 1: Audit and export
Conduct a code audit covering:
- Sign-up/login flows, session middleware, token validation
- RBAC logic, email verification, logout/session termination
Export the following data:
- User records (email, name,
email_verified) - Org/tenant structure
- Role assignments and permissions
- SSO/IdP provider configs
Backup checklist before proceeding:
- [ ] Export a sample JWT or session cookie (understand current format)
- [ ] Set up a feature flag to roll back to old auth system
- [ ] Document rollback procedure
Minimum user schema:
| Field | Required |
|---|---|
| email | Required |
| first_name | Optional |
| last_name | Optional |
| email_verified | Optional (defaults false) |
See AUDIT-CHECKLIST.md for full code audit patterns.
Phase 2: Import organizations and users
external_id is critical—store original PKs here to preserve system-to-system mappings.
Step 1: Create organizations first
Node.js example:
const result = await scalekit.organization.createOrganization(
org.display_name,
{ externalId: org.external_id, metadata: org.metadata }
);
Step 2: Create users within organizations
const { user } = await scalekit.user.createUserAndMembership("org_scalekit_id", {
email: "[email protected]",
externalId: "usr_987",
userProfile: { firstName: "John", lastName: "Doe" },
});
Rules:
- Set
sendInvitationEmail: falseduring import to skip invite emails; membership auto-activates and email is marked verified - Batch imports in parallel; respect Scalekit rate limits
- Validate
external_idmappings match source data exactly
For language-specific samples (Python, Go, Java, cURL): See IMPORT-SAMPLES.md.
Phase 3: Configure redirects and roles
Redirects:
- Register callback URLs in Settings → Redirects in Scalekit dashboard
- Add post-logout URLs to control destination after logout
Roles:
- Define roles under User Management → Roles or via SDK
- During user import, include
rolesarray inside themembershipobject - Verify role claims are readable from the token after login
Phase 4: Update application code
Session middleware: Replace legacy JWT validation with Scalekit SDK or JWKS endpoint.
Verify:
- [ ] Access tokens accepted on all protected routes
- [ ] Refresh token renewal works seamlessly
- [ ]
rolesclaim from Scalekit tokens used for RBAC checks
Login page: Update logo, colors, copy, and legal links in Scalekit dashboard under Branding.
Secondary flows to update:
- Email verification prompt
- Logout redirect destination
Phase 5: Deploy and monitor
Pre-deployment:
- [ ] Test login with a subset of migrated users
- [ ] Verify session creation, validation, and expiry
- [ ] Confirm role-based access works end-to-end
Deployment sequence:
- Deploy updated application code
- Enable feature flag → route traffic to Scalekit
- Start at 5–10% of users; expand after stability confirmed
- Monitor auth success rates and error logs
- Keep rollback plan active for first 48 hours
Post-deployment monitoring:
- Auth error rates
- Session creation/validation metrics
- SSO connection health
- User-reported issues via support
Troubleshooting
| Symptom | Fix |
|---|---|
| Users can't log in | Verify callback URLs registered; check external_id mappings; ensure emails match exactly |
| Session validation fails | Switch JWT validation to Scalekit JWKS endpoint; verify token expiry/refresh logic |
| SSO not working | Confirm org has SSO enabled; verify IdP config; test IdP-initiated login |
Note: Password migration support is coming. If required, contact Scalekit's Solutions team.
Related Skills
scalekit-inc/sk-actions-custom-provider
tools
VerifiedTrustedCommunity
Create or review Scalekit custom providers/connectors for proxy-only usage, including MCP providers. Use this skill when the task is to gather API docs, infer whether a connector is OAuth, Basic, Bearer, or API Key, determine if it is an MCP provider, determine required tracked fields like domain or version, generate provider JSON, check for existing custom providers, show update diffs, run approved create or update curls, and print resolved delete curls.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/setup-scalekit
tools
VerifiedTrustedCommunity
Use when a developer is new to Scalekit and needs guidance on where to start, doesn't know which auth plugin or skill to choose, wants to connect an AI agent or agentic workflow to third-party services (Gmail, Slack, Notion, Google Calendar), needs OAuth or tool-calling auth for agents, wants to add authentication to a project but hasn't chosen an approach yet, or needs to install the Scalekit plugin for their AI coding tool (Claude Code, Codex, Copilot CLI, Cursor, or other agents).
2SKILL.mdUpdated May 22, 2026
scalekit-inc/scalekit-code-doctor
tools
VerifiedTrustedCommunity
Use when a user asks to generate, review, validate, or fix any code snippet that uses Scalekit APIs or SDKs. This skill is the single source of truth for Scalekit code correctness — it can generate illustration-quality snippets from scratch (for docs, websites, or integration guides) and review existing code to catch wrong method names, missing parameters, security anti-patterns, and broken auth flows. Covers all four SDKs (Node, Python, Go, Java), raw REST API calls, and both Scalekit product suites — SaaSKit (SSO, login, sessions, RBAC, SCIM) and AgentKit (connections, tool calling, MCP auth). Use when the user says review my Scalekit code, generate a Scalekit example, validate this auth flow, check my SDK usage, fix my Scalekit integration, write a code sample for docs, or anything involving Scalekit code quality.
2SKILL.mdUpdated May 22, 2026
scalekit-inc/production-readiness-sso
development
VerifiedTrustedCommunity
Walks through a structured production readiness checklist for Scalekit SSO implementations. Use when the user says they are going live, launching to production, doing a pre-launch review, hardening their SSO setup, or wants to verify their Scalekit implementation is production-ready.
2SKILL.mdUpdated May 22, 2026