Invite users

Build applications that enable organization owners to invite users to join their organization. Scalekit takes care of sending the invite emails, verifying their email addresses, and creating the user accounts end to end.

Invite-only access is ideal for the following scenarios:

Enterprise applications: Organization admins need to invite team members to join their workspace.
B2B SaaS platforms: You want to restrict access to invited users only
Exclusive communities: Applications that require invitation-based membership.

Scalekit helps you implement invite-only access while handling the complexity of user management and authentication.

For applications where you want to build custom invitation flows in your own UI, Scalekit provides APIs to programmatically invite users. This is ideal when organization admins or workspace owners need to invite team members directly from your application’s dashboard.

Common use cases include:

Admin dashboards: Organization admins can invite users from a settings or team management page.
Bulk invitations: Import and invite multiple users at once from CSV files or directory systems.
Custom workflows: Implement approval processes or conditional invitations based on business logic.
Integration with existing systems: Connect invitation flows with your CRM, HR systems, or user directories.

Inviting Users through the Scalekit Dashboard

The quickest way to get started with user invitations is through the Scalekit Dashboard. Navigate to the Users section and click the “Add User” button to invite new members to your organization. You can specify their email address, assign roles, and customize the invitation settings directly from the UI.

Programmatic Invitations with Scalekit SDK

For applications that require custom invitation flows or automated user management, Scalekit provides a comprehensive SDK. This allows you to programmatically invite users, manage invitations, and integrate with your existing systems.

Create user invitations

To invite a user to an organization, create a user membership with their email address and the target organization ID. Scalekit handles sending the invitation email and managing the invitation process.

1
const newUser = await scalekit.user.createUserAndMembership('org_xxxxxxxxxxxx', {
2
  email: "user@example.com",
3
  externalId: "crm-user-87425",
4
  userProfile: {
5
    firstName: "John",
6
    lastName: "Doe"
7
  },
8
  metadata: {
9
    plan: "free",
10
    department: "Engineering"
11
  },
12
  sendInvitationEmail: true
13
});

1
from scalekit import ScalekitClient
2
from scalekit.v1.users.users_pb2 import CreateUser, CreateUserProfile
3

4
# Initialize scalekit client
5
scalekit = ScalekitClient(
6
        <'SCALEKIT_ENV_URL'>,
7
        <'SCALEKIT_CLIENT_ID'>,
8
        <'SCALEKIT_CLIENT_SECRET'>)
9

10
# Create user object
11
user = CreateUser(
12
    email="user@example.com",
13
    external_id="crm-user-87425",
14
    user_profile=CreateUserProfile(
15
        first_name="John",
16
        last_name="Doe"
17
    ),
18
    metadata={
19
        "plan": "free",
20
        "department": "Engineering"
21
    }
22
)
23

24
# Create the user
25
new_user = scalekit.users.create_user_and_membership(organization_id='org_xxxxxxxxxxxx', user=user)

1
import (
2
    "context"
3
    usersv1 "github.com/scalekit-inc/scalekit-sdk-go/pkg/grpc/scalekit/v1/users"
4
)
5

6
user := &usersv1.CreateUser{
7
    Email: "user@example.com",
8
    ExternalId: "crm-user-87425",
9
    UserProfile: &usersv1.CreateUserProfile{
10
        FirstName: "John",
11
        LastName:  "Doe",
12
    },
13
    Metadata: map[string]string{
14
        "plan": "free",
15
        "department":       "Engineering",
16
    },
17
}
18

19
newUser, err := scalekit.User().CreateUserAndMembership(
20
    context.Background(),
21
    "org_xxxxxxxxxxxx", // The ID of the organization the user belongs to
22
    user,
23
    false, // sendInvitationEmail
24
)
25
if err != nil {
26
    // handle error appropriately
27
    return err
28
}

1
import com.scalekit.grpc.scalekit.v1.users.*;
2

3
CreateUserAndMembershipRequest request = CreateUserAndMembershipRequest.newBuilder()
4
    .setUser(CreateUser.newBuilder()
5
        .setEmail("user@example.com")
6
        .setExternalId("crm-user-87425")
7
        .setUserProfile(CreateUserProfile.newBuilder()
8
            .setFirstName("John")
9
            .setLastName("Doe")
10
            .build())
11
        .putMetadata("plan", "free")
12
        .putMetadata("department", "Engineering")
13
        .build())
14
    .build();
15

16
CreateUserAndMembershipResponse newUser = scalekit.users()
17
    .createUserAndMembership("org_xxxxxxxxxxxx", request); // The ID of the organization the user belongs to

Key parameters:

email: The email address of the user to invite (required)
organization_id: The ID of the organization they’re joining (required)
sendActivationEmail: Set to true to automatically send invitation emails (recommended)
roles: Optional array of roles to assign to the invited user
metadata: Optional custom data to associate with the membership

View invitation response

When a user is successfully invited, Scalekit returns a user object with membership details. The membership status will be PENDING_INVITE until the user accepts the invitation.

1
{
2
  "user": {
3
    "id": "usr_01HTR0ABCXYZ",
4
    "environmentId": "env_01HTQZ99MMNZ",
5
    "createTime": "2025-06-19T15:41:22Z",
6
    "updateTime": "2025-06-19T15:41:22Z",
7
    "email": "user@example.com",
8
    "externalId": "crm-user-87425",
9
    "memberships": [
10
      {
11
        "organizationId": "org_xxxxxxxxxxxx",
12
        "joinTime": "2025-06-19T15:41:22Z",
13
        "membershipStatus": "ACTIVE",
14
        "roles": [
15
          {
16
            "id": "role_admin",
17
            "name": "admin"
18
          }
19
        ],
20
        "primaryIdentityProvider": "IDENTITY_PROVIDER_UNSPECIFIED",
21
        "metadata": {
22
          "plan": "free",
23
          "department": "Engineering"
24
        }
25
      }
26
    ],
27
    "userProfile": {
28
      "id": "prof_01HTR0PQRMNO",
29
      "firstName": "John",
30
      "lastName": "Doe",
31
      "name": "John Doe",
32
      "locale": "en",
33
      "emailVerified": false,
34
      "phoneNumber": "",
35
      "metadata": {},
36
      "customAttributes": {}
37
    },
38
    "metadata": {
39
      "plan": "free",
40
      "department": "Engineering"
41
    },
42
    "lastLogin": null
43
  }
44
}

Handle user invitation acceptance
Section titled “Handle user invitation acceptance”

When invited users click the invitation link in their email, Scalekit redirects them to your application’s registered initiate login endpoint. Your application then completes the authentication flow.

Set up the initiate login endpoint:
1. Register your endpoint in the Scalekit dashboard (for example, https://your-app.com/auth/login/initiate)
2. Handle the redirect by constructing an authorization URL and redirecting the user to Scalekit’s hosted login page
3. Complete authentication when the user returns to your callback URL
Example endpoint implementation:
Express.js
1 app.get('/auth/login/initiate', (req, res) => { 2 const redirectUri = 'http://localhost:3000/api/callback'; 3 const options = { 4 scopes: ['openid', 'profile', 'email', 'offline_access'] 5 }; 6 7 const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options); 8 res.redirect(authorizationUrl); 9 });
Flask
1 @app.route('/auth/login/initiate') 2 def initiate_login(): 3 redirect_uri = 'http://localhost:3000/api/callback' 4 options = AuthorizationUrlOptions() 5 options.scopes = ['openid', 'profile', 'email', 'offline_access'] 6 7 authorization_url = scalekit.get_authorization_url(redirect_uri, options) 8 return redirect(authorization_url)
Gin
1 func initiateLogin(c *gin.Context) { 2 redirectUri := "http://localhost:3000/api/callback" 3 options := scalekit.AuthorizationUrlOptions{ 4 Scopes: []string{"openid", "profile", "email", "offline_access"} 5 } 6 7 authorizationUrl, err := scalekit.GetAuthorizationUrl(redirectUri, options) 8 if err != nil { 9 c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) 10 return 11 } 12 13 c.Redirect(http.StatusFound, authorizationUrl.String()) 14 }
Spring
1 @GetMapping("/auth/login/initiate") 2 public ResponseEntity<Void> initiateLogin() { 3 String redirectUri = "http://localhost:3000/api/callback"; 4 AuthorizationUrlOptions options = new AuthorizationUrlOptions(); 5 options.setScopes(Arrays.asList("openid", "profile", "email", "offline_access")); 6 7 URL authorizationUrl = scalekit.authentication().getAuthorizationUrl(redirectUri, options); 8 9 return ResponseEntity.status(HttpStatus.FOUND) 10 .header("Location", authorizationUrl.toString()) 11 .build(); 12 }
Authentication flow:

When a user accepts an invitation, Scalekit handles the authentication process automatically:
1. User clicks invitation link → Scalekit redirects to your initiate login endpoint
2. Your app redirects to Scalekit → Your initiate login endpoint creates an authorization URL and redirects to Scalekit’s login page
3. User completes authentication → Scalekit processes the login and redirects back to your callback URL with an authorization code
4. Your app exchanges code for user details → Your callback endpoint exchanges the authorization code for ID Token and redirects the user to your dashboard
5. Decode ID Token for user profile → Decode the JWT ID Token to access user information like email, name and verification status
Scalekit automatically verifies the user’s email address during this process. Experience of the user will be seamless and are logged in to your application instantly.