> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation.
>
> - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install <auth-type>@scalekit-auth-stack`
> - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install <auth-type>@scalekit-auth-stack`
> - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `<auth-type>`
> - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill <skill-name>`
>
> `<auth-type>` / `<skill-name>`: `agentkit`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# Just-in-time provisioning

Automatically provision users when they sign in through SSO for the first time
Just-in-time (JIT) provisioning automatically creates users and organization memberships when they sign in through SSO for the first time. This feature allows users to access your application without requiring manual invitations from IT administrators. For example, users don't need to remember separate credentials or go through additional signup steps - they just sign in through their familiar SSO portal. Your app signs them up instantly.

## Introduction

JIT provisioning is particularly useful for enterprise customers who want to provide seamless access to your application for their employees while maintaining security and control through their identity provider.

{/* TODO: Add illustration showing JIT provisioning flow */}

When a user signs in through SSO for the first time, Scalekit automatically:

1. **Detects the verified domain** - Scalekit checks if the user's email domain matches a verified domain in the organization
2. **Creates the user account** - A new user profile is created using information from the identity provider
3. **Establishes membership** - The user is automatically added as a member of the organization
4. **Completes authentication** - The user is signed in and redirected to your application

This process happens seamlessly in the background, providing immediate access without manual intervention.

## Enabling JIT provisioning

JIT provisioning must be enabled for each organization that wants to use this feature. You can enable it through the Scalekit Dashboard or programmatically using the API.

### Enable via Dashboard 

1. Log in to your [Scalekit Dashboard](https://app.scalekit.com).
2. Navigate to **Organizations** and select the organization.
3. Go to **Settings** and find the **JIT Provisioning** section.
4. Toggle the setting to enable JIT provisioning for this organization.

### Enable via API

You can also enable JIT provisioning programmatically using the Scalekit API:

### Node.js

```bash showLineNumbers=false frame="none"
npm install @scalekit-sdk/node
```

   ### Python

```sh showLineNumbers=false frame="none"
pip install scalekit-sdk-python
```

  ### Go

```sh showLineNumbers=false frame="none"
go get -u github.com/scalekit-inc/scalekit-sdk-go
```

   ### Java

```groovy showLineNumbers=false frame="none"
/* Gradle users - add the following to your dependencies in build file */
implementation "com.scalekit:scalekit-sdk-java:2.0.11"
```

```xml showLineNumbers=false frame="none"
<!-- Maven users - add the following to your `pom.xml` -->
<dependency>
    <groupId>com.scalekit</groupId>
    <artifactId>scalekit-sdk-java</artifactId>
    <version>2.0.11</version>
</dependency>
```

```javascript title="Enable JIT provisioning"
// Coming soon - API to enable JIT provisioning
```

## Domain verification requirement

JIT provisioning only works for users whose email domains have been verified by the organization. This ensures that only legitimate members of the organization can automatically gain access to your application.

**Organization admins** can verify domains through the [admin portal](/guides/admin-portal/). Once verified, any user with an email address from that domain can use JIT provisioning when signing in through SSO.

> note
>
> Learn more about [domain verification](/sso/guides/onboard-enterprise-customers/) in the Enterprise SSO guide.

{/*

TODO: Uncomment after invite-only signup is published + reviewed

## Guest users

JIT provisioning has limitations for guest users whose email domains have not been verified by the organization:

- **Contractors and external users** with unverified email domains cannot use JIT provisioning
- These users must be [manually invited](/fsa/guides/invite-only-signup/) to join the organization before they can sign in through SSO
- This ensures security by preventing unauthorized users from automatically gaining access

*/}

## What's next?

- Learn about [Allowed Email Domains](/authenticate/manage-users-orgs/email-domain-rules/) for non-SSO authentication methods
- Explore [Enterprise SSO](/sso/guides/onboard-enterprise-customers/) setup and configuration
- Set up [organization switching](/authenticate/manage-users-orgs/organization-switching/) for users who belong to multiple organizations


---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |