Restricted access through invite-only sign ups

Build applications that enable organization owners to invite users to join their organization. Scalekit takes care of sending the invite emails, verifying their email addresses, and creating the user accounts end to end.

Invite-only signup is ideal for the following scenarios:

Closed beta applications: You want to control who can access your application during the beta phase.
Enterprise applications: Organization admins need to invite team members to join their workspace.
B2B SaaS platforms: You want to restrict access to invited users only
Exclusive communities: Applications that require invitation-based membership.

Scalekit helps you implement invite-only signup flows while handling the complexity of user management and authentication.

You can implement invite-only signup by configuring Scalekit to disable public signups and using the invitation flow. This ensures that only invited users can create accounts.

Configure your application for invite-only access

npm install @scalekit-sdk/node

pip install scalekit-sdk-python

go get -u github.com/scalekit-inc/scalekit-sdk-go

/* Gradle users - add the following to your dependencies in build file */
implementation "com.scalekit:scalekit-sdk-java:1.1.3"

<!-- Maven users - add the following to your `pom.xml` -->
<dependency>
    <groupId>com.scalekit</groupId>
    <artifactId>scalekit-sdk-java</artifactId>
    <version>1.1.3</version>
</dependency>

Copy your API credentials from the Scalekit dashboard’s API Config section and set them as environment variables.

1
SCALEKIT_ENVIRONMENT_URL='<YOUR_ENVIRONMENT_URL>'
2
SCALEKIT_CLIENT_ID='<ENVIRONMENT_CLIENT_ID>'
3
SCALEKIT_CLIENT_SECRET='<ENVIRONMENT_CLIENT_SECRET>'

Create a new Scalekit client instance after initializing the environment variables.

1
import { Scalekit } from '@scalekit-sdk/node';
2

3
export let scalekit = new Scalekit(
4
  process.env.SCALEKIT_ENVIRONMENT_URL,
5
  process.env.SCALEKIT_CLIENT_ID,
6
  process.env.SCALEKIT_CLIENT_SECRET
7
);

1
from scalekit import ScalekitClient, AuthorizationUrlOptions, CodeAuthenticationOptions
2
import os
3

4
scalekit = ScalekitClient(
5
    os.environ.get('SCALEKIT_ENVIRONMENT_URL'),
6
    os.environ.get('SCALEKIT_CLIENT_ID'),
7
    os.environ.get('SCALEKIT_CLIENT_SECRET')
8
)

1
package main
2

3
import (
4
    "os"
5
    "github.com/scalekit-inc/scalekit-sdk-go"
6
)
7

8
var scalekit, err = scalekit.NewScalekitClient(
9
    os.Getenv("SCALEKIT_ENVIRONMENT_URL"),
10
    os.Getenv("SCALEKIT_CLIENT_ID"),
11
    os.Getenv("SCALEKIT_CLIENT_SECRET"),
12
)
13
if err != nil {
14
    panic(err)
15
}

1
import com.scalekit.ScalekitClient;
2
import com.scalekit.Environment;
3

4
public class Auth {
5
    public static ScalekitClient scalekit;
6

7
    static {
8
        Environment.configure(
9
            System.getenv("SCALEKIT_ENVIRONMENT_URL"),
10
            System.getenv("SCALEKIT_CLIENT_ID"),
11
            System.getenv("SCALEKIT_CLIENT_SECRET")
12
        );
13
        scalekit = new ScalekitClient(
14
            System.getenv("SCALEKIT_ENVIRONMENT_URL"),
15
            System.getenv("SCALEKIT_CLIENT_ID"),
16
            System.getenv("SCALEKIT_CLIENT_SECRET")
17
        );
18
    }
19
}

Redirect users to the sign-in page
Section titled “Redirect users to the sign-in page”

Generate the authorization URL by passing a registered callback URL and scopes to the Scalekit SDK. Note that we don’t include the prompt: 'create' parameter since public signup is disabled.
Express.js
1 const redirectUri = 'http://localhost:3000/api/callback'; 2 const options = { 3 scopes: ['openid', 'profile', 'email', 'offline_access'], 4 }; 5 6 const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options); 7 8 res.redirect(authorizationUrl);
Flask
1 from scalekit import AuthorizationUrlOptions 2 3 redirect_uri = 'http://localhost:3000/api/callback' 4 options = AuthorizationUrlOptions() 5 options.scopes = ['openid', 'profile', 'email', 'offline_access'] 6 7 authorization_url = scalekit.get_authorization_url(redirect_uri, options) 8 9 # For web frameworks like Flask/Django: 10 # return redirect(authorization_url)
Gin
1 redirectUri := "http://localhost:3000/api/callback" 2 options := scalekit.AuthorizationUrlOptions{ 3 Scopes: []string{"openid", "profile", "email", "offline_access"}, 4 } 5 6 authorizationUrl, err := scalekit.GetAuthorizationUrl(redirectUri, options) 7 if err != nil { 8 // handle error appropriately 9 panic(err) 10 } 11 12 // For web frameworks like Gin: 13 // c.Redirect(http.StatusFound, authorizationUrl.String())
Spring
1 import com.scalekit.internal.http.AuthorizationUrlOptions; 2 import java.net.URL; 3 import java.util.Arrays; 4 5 String redirectUri = "http://localhost:3000/api/callback"; 6 AuthorizationUrlOptions options = new AuthorizationUrlOptions(); 7 options.setScopes(Arrays.asList("openid", "profile", "email", "offline_access")); 8 9 URL authorizationUrl = scalekit.authentication().getAuthorizationUrl(redirectUri, options);
This will redirect the user to Scalekit’s managed sign-in page without signup options.

Retrieve user profile after authentication

Scalekit triggers a callback to your registered callback URL with an authorization code. Exchange the code to get the user’s profile information.

1
import scalekit from '@/utils/auth.js'
2
const redirectUri = 'http://localhost:3000/api/callback';
3

4
// Get the authorization code from the scalekit initiated callback
5
app.get('/api/callback', async (req, res) => {
6
  const { code, error, error_description } = req.query;
7

8
  if (error) {
9
    return res.status(401).json({ error, error_description });
10
  }
11

12
  try {
13
    // Exchange the authorization code for a user profile
14
    const authResult = await scalekit.authenticateWithCode(
15
      code, redirectUri
16
    );
17

18
    const { user } = authResult;
19

20
    // "user" object contains the user's profile information
21
    // Next step: Create a session and log in the user
5 collapsed lines
22
    res.redirect('/dashboard/profile');
23
  } catch (err) {
24
    console.error('Error exchanging code:', err);
25
    res.status(500).json({ error: 'Failed to authenticate user' });
26
  }
27
});


6 collapsed lines
1
from flask import Flask, request, redirect, jsonify
2
from scalekit import ScalekitClient, CodeAuthenticationOptions
3

4
app = Flask(__name__)
5
# scalekit imported from your auth utils
6

7
redirect_uri = 'http://localhost:3000/api/callback'
8

9
@app.route('/api/callback')
10
def callback():
11
    code = request.args.get('code')
12
    error = request.args.get('error')
13
    error_description = request.args.get('error_description')
14

15
    if error:
16
        return jsonify({'error': error, 'error_description': error_description}), 401
17

18
    try:
19
        # Exchange the authorization code for a user profile
20
        options = CodeAuthenticationOptions()
21
        auth_result = scalekit.authenticate_with_code(
22
            code, redirect_uri, options
23
        )
24

25
        user = auth_result.user
26

27
        # "user" object contains the user's profile information
28
        # Next step: Create a session and log in the user
4 collapsed lines
29
        return redirect('/dashboard/profile')
30
    except Exception as err:
31
        print(f'Error exchanging code: {err}')
32
        return jsonify({'error': 'Failed to authenticate user'}), 500


9 collapsed lines
1
package main
2

3
import (
4
    "log"
5
    "net/http"
6
    "os"
7
    "github.com/gin-gonic/gin"
8
    "github.com/scalekit-inc/scalekit-sdk-go"
9
)
10

11
// Create Scalekit client instance
12
var scalekitClient = scalekit.NewScalekitClient(
13
    os.Getenv("SCALEKIT_ENVIRONMENT_URL"),
14
    os.Getenv("SCALEKIT_CLIENT_ID"),
15
    os.Getenv("SCALEKIT_CLIENT_SECRET"),
16
)
17

18
const redirectUri = "http://localhost:3000/api/callback"
19

20
func callbackHandler(c *gin.Context) {
21
    code := c.Query("code")
22
    errorParam := c.Query("error")
23
    errorDescription := c.Query("error_description")
24

25
    if errorParam != "" {
26
        c.JSON(http.StatusUnauthorized, gin.H{
27
            "error": errorParam,
28
            "error_description": errorDescription,
29
        })
30
        return
31
    }
32

33
    // Exchange the authorization code for a user profile
34
    options := scalekit.AuthenticationOptions{}
35
    authResult, err := scalekitClient.AuthenticateWithCode(
36
        code, redirectUri, options,
37
    )
38

39
    if err != nil {
40
        log.Printf("Error exchanging code: %v", err)
41
        c.JSON(http.StatusInternalServerError, gin.H{
42
            "error": "Failed to authenticate user",
43
        })
44
        return
45
    }
46

47
    user := authResult.User
48

49
    // "user" object contains the user's profile information
50
    // Next step: Create a session and log in the user
51
    c.Redirect(http.StatusFound, "/dashboard/profile")
52
}


10 collapsed lines
1
import com.scalekit.ScalekitClient;
2
import com.scalekit.internal.http.AuthenticationOptions;
3
import com.scalekit.internal.http.AuthenticationResponse;
4
import org.springframework.web.bind.annotation.*;
5
import org.springframework.web.servlet.view.RedirectView;
6
import org.springframework.http.ResponseEntity;
7
import org.springframework.http.HttpStatus;
8
import java.util.HashMap;
9
import java.util.Map;
10

11
@RestController
12
public class CallbackController {
13

14
    private final String redirectUri = "http://localhost:3000/api/callback";
15

16
    @GetMapping("/api/callback")
17
    public Object callback(
18
        @RequestParam(required = false) String code,
19
        @RequestParam(required = false) String error,
20
        @RequestParam(name = "error_description", required = false) String errorDescription
21
    ) {
22
        if (error != null) {
23
            Map<String, String> errorResponse = new HashMap<>();
24
            errorResponse.put("error", error);
25
            errorResponse.put("error_description", errorDescription);
26
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(errorResponse);
27
        }
28

29
        try {
30
            // Exchange the authorization code for a user profile
31
            AuthenticationOptions options = new AuthenticationOptions();
32
            AuthenticationResponse authResult = scalekit.authentication()
33
                .authenticateWithCode(code, redirectUri, options);
34

35
            var user = authResult.getUser();
36

37
            // "user" object contains the user's profile information
38
            // Next step: Create a session and log in the user
39
            return new RedirectView("/dashboard/profile");
8 collapsed lines
40

41
        } catch (Exception err) {
42
            System.err.println("Error exchanging code: " + err.getMessage());
43
            Map<String, String> errorResponse = new HashMap<>();
44
            errorResponse.put("error", "Failed to authenticate user");
45
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(errorResponse);
46
        }
47
    }
48
}

The authenticateWithCode method returns an object containing the user’s profile information (user object) and idToken (JWT).

authResult
ID token (decoded)

1
{
2
  user: {
3
    email: "john.doe@example.com",
4
    emailVerified: true,
5
    givenName: "John",
6
    name: "John Doe",
7
    id: "usr_74599896446906854"
8
  },
9
  idToken: "eyJhbGciO..",
10
  accessToken: "eyJhbGciOi..",
11
  refreshToken: "rt_8f7d6e5c4b3a2d1e0f9g8h7i6j..",
12
  expiresIn: 299
13
}

1
{
2
  "at_hash": "ec_jU2ZKpFelCKLTRWiRsg",
3
  "aud": [
4
    "skc_58327482062864390"
5
  ],
6
  "azp": "skc_58327482062864390",
7
  "c_hash": "6wMreK9kWQQY6O5R0CiiYg",
8
  "client_id": "skc_58327482062864390",
9
  "email": "john.doe@example.com",
10
  "email_verified": true,
11
  "exp": 1742975822,
12
  "family_name": "Doe",
13
  "given_name": "John",
14
  "iat": 1742974022,
15
  "iss": "https://scalekit-z44iroqaaada-dev.scalekit.cloud",
16
  "name": "John Doe",
17
  "oid": "org_59615193906282635",
18
  "sid": "ses_65274187031249433",
19
  "sub": "usr_63261014140912135"
20
}

You can decode the idToken to access user information like email, name, and profile verification status directly from the token claims.

With these configurations, your B2B application now has a sign-in page but no public signup option, ensuring that only invited users can access your application. After successful authentication, you can proceed to create a session.

For applications where you want to build custom invitation flows in your own UI, Scalekit provides APIs to programmatically invite users. This is ideal when organization admins or workspace owners need to invite team members directly from your application’s dashboard.

Common use cases include:

Admin dashboards: Organization admins can invite users from a settings or team management page.
Bulk invitations: Import and invite multiple users at once from CSV files or directory systems.
Custom workflows: Implement approval processes or conditional invitations based on business logic.
Integration with existing systems: Connect invitation flows with your CRM, HR systems, or user directories.

Create user invitations programmatically

To invite a user to an organization, create a user membership with their email address and the target organization ID. Scalekit handles sending the invitation email and managing the signup process.

1
const newUser = await scalekit.user.createUserAndMembership('org_xxxxxxxxxxxx', {
2
  email: "user@example.com",
3
  externalId: "crm-user-87425",
4
  userProfile: {
5
    firstName: "John",
6
    lastName: "Doe"
7
  },
8
  metadata: {
9
    plan: "free",
10
    department: "Engineering"
11
  },
12
  sendInvitationEmail: true
13
});

1
from scalekit import ScalekitClient
2
from scalekit.v1.users.users_pb2 import CreateUser, CreateUserProfile
3

4
# Initialize scalekit client
5
scalekit = ScalekitClient(
6
        <'SCALEKIT_ENV_URL'>,
7
        <'SCALEKIT_CLIENT_ID'>,
8
        <'SCALEKIT_CLIENT_SECRET'>)
9

10
# Create user object
11
user = CreateUser(
12
    email="user@example.com",
13
    external_id="crm-user-87425",
14
    user_profile=CreateUserProfile(
15
        first_name="John",
16
        last_name="Doe"
17
    ),
18
    metadata={
19
        "plan": "free",
20
        "department": "Engineering"
21
    }
22
)
23

24
# Create the user
25
new_user = scalekit.users.create_user_and_membership(organization_id='org_xxxxxxxxxxxx', user=user)

1
import (
2
    "context"
3
    usersv1 "github.com/scalekit-inc/scalekit-sdk-go/pkg/grpc/scalekit/v1/users"
4
)
5

6
user := &usersv1.CreateUser{
7
    Email: "user@example.com",
8
    ExternalId: "crm-user-87425",
9
    UserProfile: &usersv1.CreateUserProfile{
10
        FirstName: "John",
11
        LastName:  "Doe",
12
    },
13
    Metadata: map[string]string{
14
        "plan": "free",
15
        "department":       "Engineering",
16
    },
17
}
18

19
newUser, err := scalekit.User().CreateUserAndMembership(
20
    context.Background(),
21
    "org_xxxxxxxxxxxx", // The ID of the organization the user belongs to
22
    user,
23
    false, // sendInvitationEmail
24
)
25
if err != nil {
26
    // handle error appropriately
27
    return err
28
}

1
import com.scalekit.grpc.scalekit.v1.users.*;
2

3
CreateUserAndMembershipRequest request = CreateUserAndMembershipRequest.newBuilder()
4
    .setUser(CreateUser.newBuilder()
5
        .setEmail("user@example.com")
6
        .setExternalId("crm-user-87425")
7
        .setUserProfile(CreateUserProfile.newBuilder()
8
            .setFirstName("John")
9
            .setLastName("Doe")
10
            .build())
11
        .putMetadata("plan", "free")
12
        .putMetadata("department", "Engineering")
13
        .build())
14
    .build();
15

16
CreateUserAndMembershipResponse newUser = scalekit.users()
17
    .createUserAndMembership("org_xxxxxxxxxxxx", request); // The ID of the organization the user belongs to

Key parameters:

email: The email address of the user to invite (required)
organization_id: The ID of the organization they’re joining (required)
sendActivationEmail: Set to true to automatically send invitation emails (recommended)
roles: Optional array of roles to assign to the invited user
metadata: Optional custom data to associate with the membership

Handle invitation responses

When a user is successfully invited, Scalekit returns a user object with membership details. The membership status will be INVITED until the user accepts the invitation.

1
{
2
  "user": {
3
    "id": "usr_01HTR0ABCXYZ",
4
    "environmentId": "env_01HTQZ99MMNZ",
5
    "createTime": "2025-06-19T15:41:22Z",
6
    "updateTime": "2025-06-19T15:41:22Z",
7
    "email": "user@example.com",
8
    "externalId": "crm-user-87425",
9
    "memberships": [
10
      {
11
        "organizationId": "org_xxxxxxxxxxxx",
12
        "joinTime": "2025-06-19T15:41:22Z",
13
        "membershipStatus": "ACTIVE",
14
        "roles": [
15
          {
16
            "id": "role_admin",
17
            "name": "admin"
18
          }
19
        ],
20
        "primaryIdentityProvider": "IDENTITY_PROVIDER_UNSPECIFIED",
21
        "metadata": {
22
          "plan": "free",
23
          "department": "Engineering"
24
        }
25
      }
26
    ],
27
    "userProfile": {
28
      "id": "prof_01HTR0PQRMNO",
29
      "firstName": "John",
30
      "lastName": "Doe",
31
      "name": "John Doe",
32
      "locale": "en",
33
      "emailVerified": false,
34
      "phoneNumber": "",
35
      "metadata": {},
36
      "customAttributes": {}
37
    },
38
    "metadata": {
39
      "plan": "free",
40
      "department": "Engineering"
41
    },
42
    "lastLogin": null
43
  }
44
}

Handle user invitation acceptance

When invited users click the invitation link in their email, Scalekit redirects them to your application’s registered initiate login endpoint. Your application then completes the authentication flow.

Set up the initiate login endpoint:

Register your endpoint in the Scalekit dashboard (for example, https://your-app.com/auth/login/initiate)
Handle the redirect by constructing an authorization URL and redirecting the user to Scalekit’s hosted login page
Complete authentication when the user returns to your callback URL

Example endpoint implementation:

1
app.get('/auth/login/initiate', (req, res) => {
2
  const redirectUri = 'http://localhost:3000/api/callback';
3
  const options = {
4
    scopes: ['openid', 'profile', 'email', 'offline_access'],
5
    prompt: 'create'
6
  };
7

8
  const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options);
9
  res.redirect(authorizationUrl);
10
});

1
@app.route('/auth/login/initiate')
2
def initiate_login():
3
    redirect_uri = 'http://localhost:3000/api/callback'
4
    options = AuthorizationUrlOptions()
5
    optons.scopes = ['openid', 'profile', 'email', 'offline_access']
6
    options.prompt = 'create'
7

8
    authorization_url = scalekit.get_authorization_url(redirect_uri, options)
9
    return redirect(authorization_url)

1
func initiateLogin(c *gin.Context) {
2
    redirectUri := "http://localhost:3000/api/callback"
3
    options := scalekit.AuthorizationUrlOptions{
4
        Scopes: []string{"openid", "profile", "email", "offline_access"},
5
        Prompt: "create",
6
    }
7

8
    authorizationUrl, err := scalekit.GetAuthorizationUrl(redirectUri, options)
9
    if err != nil {
10
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
11
        return
12
    }
13

14
    c.Redirect(http.StatusFound, authorizationUrl.String())
15
}

1
@GetMapping("/auth/login/initiate")
2
public ResponseEntity<Void> initiateLogin() {
3
    String redirectUri = "http://localhost:3000/api/callback";
4
    AuthorizationUrlOptions options = new AuthorizationUrlOptions();
5
    options.setScopes(Arrays.asList("openid", "profile", "email", "offline_access"));
6
    options.setPrompt("create");
7

8
    URL authorizationUrl = scalekit.authentication().getAuthorizationUrl(redirectUri, options);
9

10
    return ResponseEntity.status(HttpStatus.FOUND)
11
        .header("Location", authorizationUrl.toString())
12
        .build();
13
}

Authentication flow:

User clicks invitation link → Redirected to your initiate login endpoint
Your endpoint redirects → User goes to Scalekit’s hosted login page
User authenticates → Scalekit verifies their email and credentials
Scalekit redirects back → User returns to your callback URL with authorization code
Your app exchanges code → Retrieve user profile and create session

User Management API Reference Explore all user and membership management endpoints for advanced invitation flows.

This programmatic approach gives you full control over the invitation experience while leveraging Scalekit’s robust user management and email delivery infrastructure.