
Merge user identities

Scalekit automatically merges user identities from different authentication methods, ensuring a single user profile and preventing duplicate accounts.

Users can sign into your application using different authentication methods. A user might authenticate with a passwordless method today and LinkedIn OAuth tomorrow. Scalekit automatically merges these identities into a single user profile. This prevents duplicate accounts and ensures a unified experience.

Identity linking is how Scalekit safely deduplicates authentication methods across identity providers. Scalekit uses the email address as the unique identifier and access to the email inbox as the source of truth.

[Diagram: one User (Email: john.doee@megacrop.com) with two linked credentials, Google OAuth and Microsoft OAuth.]

When users prove access to their email inbox through any authentication method, Scalekit treats this as an identity. Scalekit automatically links multiple identities together using the user’s email address as the source of truth. All authentication methods for the same email address are associated with a single User object.

When an organization administrator verifies a domain for their organization through allowed email domains, they prove they have access to create email inboxes. A verified domain implies the ability to verify all users with that email domain.

When a domain is verified and an SSO connection is configured, users who sign in through an organization’s identity provider are automatically considered email verified if the domain matches. This reduces friction for your end users while maintaining security.

Users who sign in through SSO with an email address whose domain is not verified are not considered verified. These users must go through the email verification process.

Users can have multiple authentication methods. Users can also have multiple SSO credentials. This happens when a user works with multiple organizations that each require SSO authentication for all members. There is still only one User object. Users choose which organization’s SSO identity provider to use when authenticating.

[Diagram: a single User profile with two linked SSO credentials, one from Organization 1 SSO and one from Organization 2 SSO.]

When users sign in through an SSO identity provider for the first time, Scalekit checks if their email domain is verified. If verified, Scalekit automatically links the SSO credential to the user’s existing account.

Email verification safety still applies. When a user signs in for the first time through an SSO identity provider and the domain of the user’s email address is not verified, Scalekit asks the user to verify their email before linking the SSO credential to their account.
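The linking rules described above, modeled in Python. This is an added example, not Scalekit's code or API: `Directory`, `sign_in`, `confirm_email` and the credential labels are hypothetical, and the lowercase email normalization and exact-match domain comparison are assumptions of the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    credentials: set = field(default_factory=set)  # e.g. {"google_oauth", "sso:org_1"}

class Directory:
    """Hypothetical in-memory model: one User per email, verified domains per org."""
    def __init__(self):
        self.users = {}             # normalized email -> User
        self.verified_domains = {}  # org id -> set of verified domains
        self.pending = set()        # (email, credential) pairs awaiting inbox proof

    @staticmethod
    def _norm(email):
        # Assumption: emails are compared case-insensitively.
        local, sep, domain = email.strip().lower().rpartition("@")
        if not (local and sep and domain):
            raise ValueError("malformed email")
        return f"{local}@{domain}", domain

    def _link(self, email, credential):
        # All credentials for the same email attach to a single User object.
        user = self.users.setdefault(email, User(email))
        user.credentials.add(credential)
        return user

    def sign_in(self, email, credential, inbox_proven=False, org=None):
        """Return ("linked", user) or ("verify_email", None)."""
        email, domain = self._norm(email)
        # Assumption: exact domain match only; look-alike suffixes do not count.
        sso_trusted = org is not None and domain in self.verified_domains.get(org, set())
        if inbox_proven or sso_trusted:
            self.pending.discard((email, credential))
            return "linked", self._link(email, credential)
        # Unverified domain: hold the credential until the inbox is proven.
        self.pending.add((email, credential))
        return "verify_email", None

    def confirm_email(self, email, credential):
        """Link a pending credential once the user has proven inbox access."""
        email, _ = self._norm(email)
        if (email, credential) not in self.pending:
            raise KeyError("no pending verification for this credential")
        self.pending.discard((email, credential))
        return self._link(email, credential)
```

The point to notice is that a credential from an unverified domain never touches the existing User until `confirm_email` runs, so an identity provider cannot attach itself to an account just by asserting that account's email address.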