Web application

A web application typically has both a frontend and a backend. In this model, the backend initiates authentication, handles the callback, exchanges the authorization code for tokens, and manages user sessions securely.

Tip

👉 Check out the example apps on GitHub to see Web, SPA, Desktop, and Mobile apps sharing a single Scalekit session.

This guide covers the authorization code flow for web applications that use a client_id and client_secret.

Prerequisites

Before you begin, ensure you have:

• A Scalekit account with an environment configured
• Your environment URL (ENV_URL), e.g., https://yourenv.scalekit.com
• A web application registered in Scalekit with client_id and client_secret (Create one →)
• At least one redirect URL configured in Dashboard > Developers > Applications > [Your App] > Redirects

High-level flow

Step-by-step implementation

1. Initiate login or signup

   Login begins when your backend redirects the user to Scalekit’s hosted login page using the authorization endpoint.

   <ENV_URL>/oauth/authorize?
     response_type=code&
     client_id=<CLIENT_ID>&
     redirect_uri=<CALLBACK_URL>&
     scope=openid+profile+email+offline_access&
     state=<RANDOM_STATE>

   For detailed definition of the parameters, refer here

2. Handle the callback and complete login

   After authentication, Scalekit redirects the user back to your callback endpoint with code and state.

   Your backend must:

   • Validate the returned state
   • Handle any error parameters
   • Exchange the authorization code for tokens

   POST <ENV_URL>/oauth/token
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=authorization_code&
   client_id=<CLIENT_ID>&
   client_secret=<CLIENT_SECRET>&
   code=<CODE>&
   redirect_uri=<CALLBACK_URL>

   {
     "access_token": "...",
     "refresh_token": "...",
     "id_token": "...",
     "expires_in": 299
   }

   Note: Authorization codes are single-use and short-lived.

3. Manage sessions and token refresh

   Once tokens are issued, your web app is responsible for session management.

   Token roles

   • Access token: short-lived, used for authenticated requests
   • Refresh token: used to obtain new tokens
   • ID token: user identity claims and required for logout

   Typical web apps store tokens in secure cookies and validate the access token on every protected request.

   When an access token expires, request new tokens using the refresh token:

   POST <ENV_URL>/oauth/token
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=refresh_token&
   client_id=<CLIENT_ID>&
   client_secret=<CLIENT_SECRET>&
   refresh_token=<REFRESH_TOKEN>

   Validate access tokens by checking:

   • Verify the token signature using Scalekit’s public keys (JWKS).
   • iss matches your Scalekit environment
   • aud matches your client_id
   • exp and iat are valid

   Public keys for verification are available at:

   <ENV_URL>/keys

4. Implement logout

   Logging out requires clearing your application session and invalidating the Scalekit session.

   Your logout endpoint should:

   • Extract the ID token
   • Clear application session cookies
   • Redirect the browser to Scalekit’s logout endpoint

   <ENV_URL>/oidc/logout?
     id_token_hint=<ID_TOKEN>&
     post_logout_redirect_uri=<POST_LOGOUT_REDIRECT_URI>

   Logout must be performed via a browser redirect so that Scalekit can identify and terminate the session. Additionally, configure backchannel logout URIs to get notified when a logout is performed from another application sharing the same user session.

Handle errors

When authentication fails, Scalekit redirects to your callback URL with error parameters instead of an authorization code:

/callback?error=access_denied&error_description=User+denied+access&state=<STATE>

Your callback handler should check for errors before processing the authorization code:

1. Check if the error parameter exists
2. Log the error and error_description for debugging
3. Display a user-friendly message
4. Provide an option to retry login

Common error codes:

Error	Description
access_denied	User denied the authorization request
invalid_request	Missing or invalid parameters
server_error	Scalekit encountered an unexpected error

(Optional) Use Scalekit Management APIs

In addition to handling user authentication, web applications can also call Scalekit’s Management APIs from the backend. These APIs allow your application to interact with Scalekit-managed resources such as users, organizations, memberships, and roles.

Typical use cases include:

• Fetching the currently authenticated user
• Listing organizations the user belongs to
• Managing organization membership or roles

Management APIs are Scalekit-owned APIs and are intended to be called server-side only. To use Management APIs, the application must explicitly allow it:

1. Go to app.scalekit.com
2. Navigate to Developers → Applications
3. Select your Web Application
4. Enable Allow Scalekit Management API Access

This option is available only for web applications, since they can securely store credentials. When enabled, your backend can authenticate to Scalekit’s Management APIs using the application’s credentials and SDKs provided by Scalekit. These calls are independent of end-user access tokens and are designed for trusted, server-side workflows.

What’s next

• Configure backchannel logout to receive notifications when a user logs out from another app
• Set up a custom domain for your authentication pages
• Add enterprise SSO to support SAML and OIDC with your customers’ identity providers