Invite users

Build applications that enable organization owners to invite users to join their organization. Scalekit takes care of sending the invite emails, verifying their email addresses, and creating the user accounts end to end.

Invite-only access is ideal for the following scenarios:

Enterprise applications: Organization admins need to invite team members to join their workspace.
B2B SaaS platforms: You want to restrict access to invited users only
Exclusive communities: Applications that require invitation-based membership.

Scalekit helps you implement invite-only access while handling the complexity of user management and authentication.

For applications where you want to build custom invitation flows in your own UI, Scalekit provides APIs to programmatically invite users. This is ideal when organization admins or workspace owners need to invite team members directly from your application’s dashboard.

Common use cases include:

Admin dashboards: Organization admins can invite users from a settings or team management page.
Bulk invitations: Import and invite multiple users at once from CSV files or directory systems.
Custom workflows: Implement approval processes or conditional invitations based on business logic.
Integration with existing systems: Connect invitation flows with your CRM, HR systems, or user directories.

Use the dashboard to invite users

The quickest way to get started with user invitations is through the Scalekit Dashboard. Navigate to the Users section and click the “Add User” button to invite new members to your organization. You can specify their email address, assign roles, and customize the invitation settings directly from the UI.

Build custom invitation flows with the SDK

For applications that require custom invitation flows or automated user management, Scalekit provides a comprehensive SDK. This allows you to programmatically invite users, manage invitations, and integrate with your existing systems.

Create user invitations

To invite a user to an organization, create a user membership with their email address and the target organization ID. Scalekit handles sending the invitation email and managing the invitation process.

1
const newUser = await scalekit.user.createUserAndMembership('org_xxxxxxxxxxxx', {
2
  email: "user@example.com",
3
  externalId: "crm-user-87425",
4
  userProfile: {
5
    firstName: "John",
6
    lastName: "Doe"
7
  },
8
  metadata: {
9
    plan: "free",
10
    department: "Engineering"
11
  },
12
  sendInvitationEmail: true
13
});

1
from scalekit import ScalekitClient
2
from scalekit.v1.users.users_pb2 import CreateUser, CreateUserProfile
3

4
# Initialize scalekit client
5
scalekit = ScalekitClient(
6
        <'SCALEKIT_ENV_URL'>,
7
        <'SCALEKIT_CLIENT_ID'>,
8
        <'SCALEKIT_CLIENT_SECRET'>)
9

10
# Create user object
11
user = CreateUser(
12
    email="user@example.com",
13
    external_id="crm-user-87425",
14
    user_profile=CreateUserProfile(
15
        first_name="John",
16
        last_name="Doe"
17
    ),
18
    metadata={
19
        "plan": "free",
20
        "department": "Engineering"
21
    }
22
)
23

24
# Create the user
25
new_user = scalekit.users.create_user_and_membership(organization_id='org_xxxxxxxxxxxx', user=user)

1
import (
2
    "context"
3
    usersv1 "github.com/scalekit-inc/scalekit-sdk-go/pkg/grpc/scalekit/v1/users"
4
)
5

6
user := &usersv1.CreateUser{
7
    Email: "user@example.com",
8
    ExternalId: "crm-user-87425",
9
    UserProfile: &usersv1.CreateUserProfile{
10
        FirstName: "John",
11
        LastName:  "Doe",
12
    },
13
    Metadata: map[string]string{
14
        "plan": "free",
15
        "department":       "Engineering",
16
    },
17
}
18

19
newUser, err := scalekit.User().CreateUserAndMembership(
20
    context.Background(),
21
    "org_xxxxxxxxxxxx", // The ID of the organization the user belongs to
22
    user,
23
    false, // sendInvitationEmail
24
)
25
if err != nil {
26
    // handle error appropriately
27
    return err
28
}

1
import com.scalekit.grpc.scalekit.v1.users.*;
2

3
CreateUserAndMembershipRequest request = CreateUserAndMembershipRequest.newBuilder()
4
    .setUser(CreateUser.newBuilder()
5
        .setEmail("user@example.com")
6
        .setExternalId("crm-user-87425")
7
        .setUserProfile(CreateUserProfile.newBuilder()
8
            .setFirstName("John")
9
            .setLastName("Doe")
10
            .build())
11
        .putMetadata("plan", "free")
12
        .putMetadata("department", "Engineering")
13
        .build())
14
    .build();
15

16
CreateUserAndMembershipResponse newUser = scalekit.users()
17
    .createUserAndMembership("org_xxxxxxxxxxxx", request); // The ID of the organization the user belongs to

Key parameters:

email: The email address of the user to invite (required)
organization_id: The ID of the organization they’re joining (required)
sendActivationEmail: Set to true to automatically send invitation emails (recommended)
roles: Optional array of roles to assign to the invited user
metadata: Optional custom data to associate with the membership

View invitation response

When a user is successfully invited, Scalekit returns a user object with membership details. The membership status will be PENDING_INVITE until the user accepts the invitation.

1
{
2
  "user": {
3
    "id": "usr_01HTR0ABCXYZ",
4
    "environmentId": "env_01HTQZ99MMNZ",
5
    "createTime": "2025-06-19T15:41:22Z",
6
    "updateTime": "2025-06-19T15:41:22Z",
7
    "email": "user@example.com",
8
    "externalId": "crm-user-87425",
9
    "memberships": [
10
      {
11
        "organizationId": "org_xxxxxxxxxxxx",
12
        "joinTime": "2025-06-19T15:41:22Z",
13
        "membershipStatus": "ACTIVE",
14
        "roles": [
15
          {
16
            "id": "role_admin",
17
            "name": "admin"
18
          }
19
        ],
20
        "primaryIdentityProvider": "IDENTITY_PROVIDER_UNSPECIFIED",
21
        "metadata": {
22
          "plan": "free",
23
          "department": "Engineering"
24
        }
25
      }
26
    ],
27
    "userProfile": {
28
      "id": "prof_01HTR0PQRMNO",
29
      "firstName": "John",
30
      "lastName": "Doe",
31
      "name": "John Doe",
32
      "locale": "en",
33
      "emailVerified": false,
34
      "phoneNumber": "",
35
      "metadata": {},
36
      "customAttributes": {}
37
    },
38
    "metadata": {
39
      "plan": "free",
40
      "department": "Engineering"
41
    },
42
    "lastLogin": null
43
  }
44
}

Resend user invitation
Section titled “Resend user invitation”

Resend invitation emails to users who have pending or expired invitations. If the invitation has expired, a new one is automatically created and sent. If still valid, a reminder email is sent instead.

When to resend invitations:
- Users haven’t responded to their initial invitation
- Original invitations have expired
- Users request a new invitation link
- Users can’t find the original email
The invitation email includes a secure magic link that allows the user to complete their account setup and join the organization. Each resend operation increments the resend counter. The expiration time stamp is updated if a resend is requested upon the expiry, if not previous expiry timestamp remains.
Resend invitation
1 curl 'https://$SCALEKIT_ENVIRONMENT_URL/api/v1/invites/organizations/{organization_id}/users/{id}/resend' \ 2 --request PATCH \ 3 --header 'Content-Type: application/json' \ 4 --data 'null'
Express.js
1 // Example Node.js implementation coming soon
Flask
1 # Example Python implementation coming soon
Parameters:

Parameter Description
organization_id Unique identifier of the organization (starts with ‘org_‘)
id System-generated user ID of the user with a pending invitation (starts with ‘usr_’)

Response:
200
```
1
{
2
  "invite": {
3
    "created_at": "2025-07-10T08:00:00Z",
4
    "expires_at": "2025-12-31T23:59:59Z",
5
    "invited_by": "admin_998877",
6
    "organization_id": "org_987654321",
7
    "resent_at": "2025-07-15T09:30:00Z",
8
    "resent_count": 2,
9
    "status": "pending_invite",
10
    "user_id": "usr_123456"
11
  }
12
}
```
Response status codes
- 200: Success - Invitation resent. New expiry timestamp is set only if previous invitation is expired.
- 400: Bad Request - Invalid parameters, user already active, or invitation accepted
- 404: Not Found - User, organization, or invitation not found. Verify all IDs are correct.
- 500: Internal Server Error - Email service unavailable or system error
Monitor the resent_count field to track how many times an invitation has been resent. Consider implementing rate limiting to prevent excessive resends.

Parameter	Description
`organization_id`	Unique identifier of the organization (starts with ‘org_‘)
`id`	System-generated user ID of the user with a pending invitation (starts with ‘usr_’)

Handle user invitation acceptance

When invited users click the invitation link in their email, Scalekit redirects them to your application’s registered initiate login endpoint. Your application then completes the authentication flow.

Set up the initiate login endpoint:

Register your endpoint in the Scalekit dashboard (for example, https://your-app.com/auth/login/initiate)
Handle the redirect by constructing an authorization URL and redirecting the user to Scalekit’s hosted login page
Complete authentication when the user returns to your callback URL

Example endpoint implementation:

1
app.get('/auth/login/initiate', (req, res) => {
2
  const redirectUri = 'http://localhost:3000/api/callback';
3
  const options = {
4
    scopes: ['openid', 'profile', 'email', 'offline_access']
5
  };
6

7
  const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options);
8
  res.redirect(authorizationUrl);
9
});

1
@app.route('/auth/login/initiate')
2
def initiate_login():
3
    redirect_uri = 'http://localhost:3000/api/callback'
4
    options = AuthorizationUrlOptions()
5
    options.scopes = ['openid', 'profile', 'email', 'offline_access']
6

7
    authorization_url = scalekit.get_authorization_url(redirect_uri, options)
8
    return redirect(authorization_url)

1
func initiateLogin(c *gin.Context) {
2
    redirectUri := "http://localhost:3000/api/callback"
3
    options := scalekit.AuthorizationUrlOptions{
4
        Scopes: []string{"openid", "profile", "email", "offline_access"}
5
    }
6

7
    authorizationUrl, err := scalekit.GetAuthorizationUrl(redirectUri, options)
8
    if err != nil {
9
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
10
        return
11
    }
12

13
    c.Redirect(http.StatusFound, authorizationUrl.String())
14
}

1
@GetMapping("/auth/login/initiate")
2
public ResponseEntity<Void> initiateLogin() {
3
    String redirectUri = "http://localhost:3000/api/callback";
4
    AuthorizationUrlOptions options = new AuthorizationUrlOptions();
5
    options.setScopes(Arrays.asList("openid", "profile", "email", "offline_access"));
6

7
    URL authorizationUrl = scalekit.authentication().getAuthorizationUrl(redirectUri, options);
8

9
    return ResponseEntity.status(HttpStatus.FOUND)
10
        .header("Location", authorizationUrl.toString())
11
        .build();
12
}

Authentication flow:

When a user accepts an invitation, Scalekit handles the authentication process automatically:

User clicks invitation link → Scalekit redirects to your initiate login endpoint
Your app redirects to Scalekit → Your initiate login endpoint creates an authorization URL and redirects to Scalekit’s login page
User completes authentication → Scalekit processes the login and redirects back to your callback URL with an authorization code
Your app exchanges code for user details → Your callback endpoint exchanges the authorization code for ID Token and redirects the user to your dashboard
Decode ID Token for user profile → Decode the JWT ID Token to access user information like email, name and verification status