Apify Actor with per-user OAuth via Scalekit

Build an Apify Actor that uses Scalekit Agent Auth so each user connects their OAuth accounts, keyed by Apify userId.

An Apify Actor is a stateless serverless container. Every run starts cold — no session, no cookies, no “current user.” When you want each person who runs your Actor to access their own Notion workspace, their own Gmail, or their own GitHub account, you need to map Apify’s identity model onto an OAuth token store that persists across runs.

Scalekit solves this with a connected-accounts model: for each (connector, identifier) pair, it stores one OAuth session and refreshes it automatically. This recipe builds an Actor that connects to Notion per-user and to YouTube via a shared account, using Apify’s native userId as the per-user identifier. It also shows how to surface the OAuth consent step as a live interactive page inside the Actor run, instead of a raw link buried in JSON output.

What this recipe covers:

Per-user identity without input fields — derive the connected-account identifier from Actor.getEnv().userId so users never type an email or ID
Shared vs per-user connectors — hardcode a single identifier for connectors shared across all users; derive one per user for private accounts
Interactive auth UX — serve a branded OAuth consent page on Apify’s live-view port so users click a button rather than hunting for a raw URL
Input schema design — expose only the task field to end users; keep all auth and config internal

The complete source is available in the notion-youtube-agent repository.

Before you start

You need working OAuth credentials for each third-party API your Actor will connect to. Scalekit manages the token lifecycle, but the underlying API must be enabled and the OAuth client must exist first.

For YouTube (or any Google API):

Open the Google Cloud Console and select your project.
Go to APIs & Services → Enabled APIs & services and enable YouTube Data API v3. Without this, every tool call returns permission_denied even if the OAuth token is valid.
Go to APIs & Services → OAuth consent screen and add the Google accounts that will authorize the Actor under Test users. While the app is in “Testing” publishing status, only accounts listed here can complete the OAuth flow — all others see Error 403: org_internal.
Create an OAuth 2.0 client (APIs & Services → Credentials → + Create credentials → OAuth client ID). Set the application type to Web application. Leave the redirect URI blank for now — you’ll add it from Scalekit in the next section.

For Notion:

Go to notion.so/my-integrations and create a new integration, or use Notion’s OAuth setup if your Actor uses Scalekit’s Notion OAuth connector.

For both connectors:

A Scalekit environment with API credentials (SCALEKIT_ENV_URL, SCALEKIT_CLIENT_ID, SCALEKIT_CLIENT_SECRET).
Apify CLI installed: npm install -g @apify/cli
Node.js 18+

1. Set up connections in Scalekit

In the Scalekit Dashboard, go to AgentKit → Connections and create two connections:

YouTube connection (shared)

Search for YouTube and click Create.
Copy the Redirect URI from the connection panel (it looks like https://<ENV_URL>/sso/v1/oauth/<CONNECTION_ID>/callback).
Paste it into your Google Cloud OAuth client under Authorized redirect URIs and save.
Back in Scalekit, enter the Client ID and Client Secret from your Google Cloud OAuth client.
Under Scopes, select at least youtube.readonly. Add youtube if your Actor needs write access (playlists, subscriptions). Add yt-analytics.readonly if you query analytics data.
Click Save. Note the Connection name (e.g., youtube) — your code must match it exactly.

Notion connection (per-user)

Search for Notion and click Create.
Enter the Client ID and Client Secret from your Notion integration or OAuth app.
Scalekit pre-configures the redirect URI and scopes for Notion. Click Save.
Note the Connection name (e.g., notion).

2. Create the Apify Actor project

1
apify create notion-youtube-agent -t project_empty
2
cd notion-youtube-agent
3
npm install @scalekit-sdk/node openai apify

Set your Scalekit credentials as Actor environment variables in the Apify Console under Settings → Environment variables:

1
SCALEKIT_ENV_URL=https://your-env.scalekit.dev
2
SCALEKIT_CLIENT_ID=skc_...
3
SCALEKIT_CLIENT_SECRET=your-secret

If your Actor creates new Notion pages (not just writing to existing ones), also set a default parent location. Without this, the Actor can only write to pages that already exist by exact title match.

1
NOTION_DEFAULT_PARENT_PAGE_ID=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d

To find a Notion page ID: open the page in Notion, click Share → Copy link. The 32-character hex string at the end of the URL is the page ID.

3. Derive user identity from Apify’s runtime

Apify exposes the identity of the account running the Actor through Actor.getEnv(). Use userId directly as the Scalekit connected-account identifier — no email field, no manual input.

1
import { Actor } from 'apify';
2

3
await Actor.init();
4

5
const { userId } = Actor.getEnv();
6

7
// userId is stable per Apify account — the same user always gets the same token.
8
const notionIdentifier = userId;

userId is a stable opaque string that Apify sets for the account running the Actor. It persists across runs, so the first run that completes OAuth will find an active token on every subsequent run.

Actor.getEnv().userId is undefined when you run the Actor locally with apify run. Use a hardcoded fallback for local development:

1
const { userId } = Actor.getEnv();
2
const notionIdentifier = userId ?? 'local-dev-user';

4. Choose shared vs per-user identifiers

Not every connector needs per-user isolation. A YouTube data connection used for research can be shared across all Actor runs with a hardcoded identifier. Only connectors that access private user data need per-user identifiers.

1
// Per-user: each Apify account connects their own Notion workspace.
2
const notionIdentifier = userId;
3

4
// Shared: one YouTube OAuth session used by all runs.
5
const youtubeIdentifier = 'shared-youtube';

Hardcode the shared identifier in code — do not expose it as an input field. End users should not need to know it exists.

5. Ensure each connector is authorized

Before calling any API, check whether the connected account is active. If not, generate a magic link and wait for the user to complete the OAuth flow.

1
import { Actor } from 'apify';
2

3
const ACTIVE = 1;
4

5
export async function ensureNotionConnected(scalekitActions, identifier, {
6
  pollIntervalMs = 5_000,
7
  timeoutMs = 300_000,
8
  onMagicLink = async () => {},
9
} = {}) {
10
  const resp = await scalekitActions.getOrCreateConnectedAccount({
11
    connectionName: 'notion',
12
    identifier,
13
  });
14
  const account = resp.connectedAccount ?? resp;
15

16
  if (account.status === ACTIVE) {
17
    return account.id;
18
  }
19

20
  const { link } = await scalekitActions.getAuthorizationLink({
21
    connectionName: 'notion',
22
    identifier,
23
  });
24

25
  const markDone = await onMagicLink(link);
26

27
  const deadline = Date.now() + timeoutMs;
28

29
  while (Date.now() < deadline) {
30
    await sleep(pollIntervalMs);
31

32
    const pollResp = await scalekitActions.getOrCreateConnectedAccount({
33
      connectionName: 'notion',
34
      identifier,
35
    });
36
    const polled = pollResp.connectedAccount ?? pollResp;
37

38
    if (polled.status === ACTIVE) {
39
      markDone?.();
40
      await Actor.setStatusMessage('Notion authorized — proceeding.');
41
      return polled.id;
42
    }
43
  }
44

45
  throw new Error(`Timed out waiting for Notion authorization.`);
46
}
47

48
function sleep(ms) {
49
  return new Promise(resolve => setTimeout(resolve, ms));
50
}

The same pattern applies to every connector. Copy the function, change connectionName, and pass in the appropriate identifier.

6. Surface auth as a live interactive page

Printing a raw magic link to the console or burying it in JSON output creates a poor experience. Apify Actors can start an HTTP server on ACTOR_WEB_SERVER_PORT (default 4321), and Apify automatically exposes it as a public URL while the run is active. Use this to serve a branded OAuth consent page.

1
import http from 'http';
2
import { Actor } from 'apify';
3

4
const PORT = parseInt(process.env.ACTOR_WEB_SERVER_PORT ?? '4321', 10);
5

6
let server = null;
7

8
export function getLiveViewUrl() {
9
  const { actorId, actorRunId } = Actor.getEnv();
10
  return `https://${actorId}--${actorRunId}-${PORT}.runs.apify.net`;
11
}
12

13
export async function serveAuthPage(link, serviceName) {
14
  let html = buildAuthPage(link, serviceName);
15

16
  if (server) server.close();
17
  server = http.createServer((_req, res) => {
18
    res.writeHead(200, { 'Content-Type': 'text/html' });
19
    res.end(html);
20
  });
21
  server.listen(PORT);
22

23
  return {
24
    liveViewUrl: getLiveViewUrl(),
25
    markDone: () => { html = buildDonePage(serviceName); },
26
  };
27
}
28

29
function buildAuthPage(link, serviceName) {
30
  return `<!DOCTYPE html>
31
<html lang="en">
32
<head>
33
  <meta charset="UTF-8" />
34
  <title>Authorize ${serviceName}</title>
35
  <style>
36
    body { font-family: system-ui, sans-serif; display: flex; align-items: center;
37
           justify-content: center; min-height: 100vh; margin: 0; background: #f5f5f5; }
38
    .card { background: white; padding: 2rem; border-radius: 12px; text-align: center;
39
            box-shadow: 0 4px 20px rgba(0,0,0,0.08); max-width: 480px; width: 100%; }
40
    a.btn { display: inline-block; background: #0a6b50; color: white; padding: 0.75rem 1.5rem;
41
            border-radius: 8px; text-decoration: none; font-weight: 600; }
42
  </style>
43
</head>
44
<body>
45
  <div class="card">
46
    <h1>🔐 Connect ${serviceName}</h1>
47
    <p>Click below to authorize access to your ${serviceName} account.
48
       The actor will continue automatically once you complete authorization.</p>
49
    <a class="btn" href="${link}" target="_blank" rel="noopener">Authorize ${serviceName} →</a>
50
  </div>
51
</body>
52
</html>`;
53
}
54

55
function buildDonePage(serviceName) {
56
  return `<!DOCTYPE html>
57
<html lang="en">
58
<head><meta charset="UTF-8" /><title>${serviceName} Authorized</title></head>
59
<body style="font-family:system-ui;text-align:center;padding:3rem">
60
  <h1>✅ ${serviceName} Authorized</h1>
61
  <p>Returning to task — you can close this tab.</p>
62
</body>
63
</html>`;
64
}

The live view URL follows this pattern:

1
https://{actorId}--{actorRunId}-{PORT}.runs.apify.net

Both actorId and actorRunId come from Actor.getEnv() — the same call that gives you userId.

7. Wire auth into the Actor entry point

Pass the live view callback into ensureNotionConnected. The callback starts the HTTP server, stores the markDone function, and returns it so the polling loop can update the page when auth completes.

1
import { Actor } from 'apify';
2
import { ScalekitClient } from '@scalekit-sdk/node';
3
import { ensureNotionConnected } from './notionAuth.js';
4
import { serveAuthPage } from './authServer.js';
5

6
await Actor.init();
7

8
const input = await Actor.getInput();
9
const { task, llmApiKey } = input;
10

11
const { userId } = Actor.getEnv();
12
const notionIdentifier = userId;
13
const youtubeIdentifier = 'shared-youtube';
14

15
const scalekit = new ScalekitClient(
16
  process.env.SCALEKIT_ENV_URL,
17
  process.env.SCALEKIT_CLIENT_ID,
18
  process.env.SCALEKIT_CLIENT_SECRET,
19
);
20

21
await ensureNotionConnected(scalekit.actions, notionIdentifier, {
22
  onMagicLink: async (link) => {
23
    const { liveViewUrl, markDone } = await serveAuthPage(link, 'Notion');
24

25
    // Store the live view URL in OUTPUT so the Apify UI shows a clickable link.
26
    await Actor.setValue('OUTPUT', {
27
      status: 'AWAITING_NOTION_AUTH',
28
      authPageUrl: liveViewUrl,
29
      message: 'Open authPageUrl in your browser to authorize Notion.',
30
    });
31

32
    await Actor.setStatusMessage(`ACTION REQUIRED: Authorize Notion → ${liveViewUrl}`);
33

34
    return markDone;
35
  },
36
});
37

38
// ... run the agent, push results

End-user experience after this change:

User starts the Actor run and types their task
Output panel immediately shows a clickable authPageUrl
User opens the URL and sees a branded “Authorize Notion →” button
After completing OAuth, the page updates to ”✅ Notion Authorized”
The Actor continues automatically — no re-run needed

8. Design the input schema for end users

The Actor’s input form should show only what the end user actually needs to provide. All auth identifiers, LLM config, and internal settings stay out of the form.

1
{
2
  "title": "Notion + YouTube AI Agent",
3
  "type": "object",
4
  "schemaVersion": 1,
5
  "properties": {
6
    "task": {
7
      "title": "Task",
8
      "type": "string",
9
      "description": "Natural language task for the agent. Examples: 'List the 5 most recently edited pages in my Notion workspace' or 'Search YouTube for React tutorial channels and append the top 10 to my Research page'.",
10
      "editor": "textarea"
11
    },
12
    "llmApiKey": {
13
      "title": "LLM API Key",
14
      "type": "string",
15
      "description": "API key for the LLM endpoint.",
16
      "isSecret": true,
17
      "editor": "textfield"
18
    }
19
  },
20
  "required": ["task", "llmApiKey"]
21
}

Everything else — notionIdentifier, youtubeIdentifier, timeouts, model name, base URL — is either derived at runtime (userId) or hardcoded and deployed as an Actor environment variable.

9. Testing

Run locally:

1
apify run

Provide input in storage/key_value_stores/default/INPUT.json:

1
{
2
  "task": "List the 5 most recently edited pages in my Notion workspace",
3
  "llmApiKey": "sk-..."
4
}

Because Actor.getEnv().userId is undefined locally, the notionIdentifier falls back to your local development value. After you confirm the flow works, deploy to Apify:

1
apify push

On the first cloud run, the Actor outputs an authPageUrl. Open it, click Authorize Notion, and complete the OAuth flow. The Actor polls and continues automatically. On every subsequent run for the same Apify account, the token is already active and the auth step is skipped entirely.

Common mistakes

Tool calls fail with permission_denied even though the account is ACTIVE

Symptom: [permission_denied] tool execution failed - forbidden access in logs. The connected account status is ACTIVE and authorization completed successfully.
Cause: The underlying API is not enabled in the cloud provider console. An ACTIVE connected account means the OAuth token exists — it does not mean the API accepts calls. For YouTube, this happens when YouTube Data API v3 is not enabled in the Google Cloud project.
Fix: Go to Google Cloud Console → APIs & Services → Enabled APIs and enable YouTube Data API v3. No code change or re-authorization needed — existing tokens work once the API is enabled.

Authorization fails with Error 403: org_internal

Symptom: Google shows “Access blocked: [App name] can only be used within its organization” when a user tries to authorize.
Cause: The Google account attempting to authorize is not listed as a test user. While the OAuth app is in “Testing” publishing status, only accounts explicitly added as test users can complete the OAuth flow.
Fix: Go to Google Cloud Console → APIs & Services → OAuth consent screen and add the Google account under Test users. No need to change the app’s publishing status or user type — just add the account and retry.

Tool calls fail with permission_denied after adding scopes

Symptom: Same permission_denied error. The connection has the right scopes configured, but you added them after the user already authorized.
Cause: OAuth tokens carry the scopes that were configured at authorization time. Adding scopes to a connection does not retroactively update existing tokens.
Fix: Delete the connected account in the Scalekit dashboard (or via API) and have the user re-authorize. The new token will include the updated scopes.

Notion page creation fails with “no parent_page_id/database_id provided”

Symptom: The agent finds no page with the requested title and throws Notion page "X" was not found and cannot be created because no parent_page_id/database_id was provided.
Cause: Notion’s API requires a parent location for every new page. The Actor checks for a default parent in the input, then in environment variables, and throws if neither is set.
Fix: Set NOTION_DEFAULT_PARENT_PAGE_ID or NOTION_DEFAULT_DATABASE_ID as an Actor environment variable. To find a page ID, open the page in Notion, click Share → Copy link, and extract the 32-character hex string from the URL.

Using email as the identifier

Symptom: Input form asks for user email, or the identifier is passed in as an input field
Cause: Treating the connected-account identifier as a user-facing concept
Fix: Use Actor.getEnv().userId as the identifier. It is stable, unique per Apify account, and requires no input from the user. Scalekit does not require an email — it accepts any unique string as an identifier.

placeholder property causes build failure

Symptom: apify push fails with Property schema.properties.task.placeholder is not allowed.
Cause: placeholder is not part of the Apify input schema specification
Fix: Move example text into the description field. It appears as helper text in the Apify Console input form.

userId is undefined locally

Symptom: Actor crashes with Could not determine Apify user ID during apify run
Cause: Actor.getEnv() does not populate userId in local runs
Fix: Fall back to a local dev value: const notionIdentifier = userId ?? 'local-dev-user'

Stale variable name causes ReferenceError at runtime

Symptom: Actor fails with notionUserEmail is not defined even though you removed that field
Cause: The variable was renamed in some places but left in others — console logs, OUTPUT payloads, or runAgent arguments
Fix: Search the entire codebase for the old variable name before deploying. One missed reference fails at runtime, not at build time.

Live view URL not available in local runs

Symptom: getLiveViewUrl() returns a broken URL during apify run
Cause: actorId and actorRunId are also undefined locally
Fix: Guard the live view server behind a check: if (actorId && actorRunId) { ... }. Fall back to logging the raw magic link to the console for local development.

Production notes

Token persistence across runs — Scalekit stores the OAuth token server-side keyed by (connectionName, identifier). As long as userId is stable (it is), the user only completes the OAuth flow once. Subsequent runs call getOrCreateConnectedAccount and get an active account back immediately.

Token refresh — Scalekit refreshes expired tokens automatically before returning them. You do not need to track expiry or call a refresh endpoint.

Re-authorization — If a user revokes access in Notion’s settings, getOrCreateConnectedAccount returns a non-active account. The Actor generates a new magic link automatically. No code change required — the polling loop handles it the same way as a first-time auth.

Shared connectors — The shared-youtube identifier works because YouTube access is the same for all users (e.g., read-only public data). Any connector where all users share the same OAuth session can use a hardcoded identifier. Private data connectors — Notion, Gmail, GitHub — should always use a per-user identifier.

Input schema changes require a redeploy — The Apify Console reads the input schema from the deployed build. Changes to .actor/input_schema.json only take effect after apify push.

Next steps

Add more per-user connectors — The same ensureConnected + onMagicLink pattern works for any Scalekit connector. Add a src/githubAuth.js following the same structure as notionAuth.js.
Use built-in actions — For connectors with Scalekit built-in tools, replace manual API calls with scalekit.actions.executeTool. See all supported connectors.
Extend the input schema — Add optional fields like maxIterations or llmModel with defaults, so power users can tune the Actor without the defaults getting in the way for casual users.
Review the agent auth quickstart — For a broader overview of the connected-accounts model, see the agent auth quickstart.