Quickstart

Get up and running with Scalekit’s Full Stack Authentication in under 10 minutes. You’ll build a complete authentication flow with hosted login and sign up pages, user session management, and secure logout - all optimized for B2B SaaS applications.

What you’ll build

By the end of this guide, your application will have:

Hosted authentication pages - Let Scalekit handle sign-in/sign-up UI
Multi-tenant user management - Automatic workspace creation and manage users within workspaces
Session management - Secure token handling with automatic refresh
Multiple auth methods - Passwordless, social logins, and enterprise SSO
Secure logout - Complete session invalidation

How it works

Scalekit handles the complex authentication flow while you focus on your core product:

Full-Stack Authentication Flow

User initiates sign-in - Your app redirects to Scalekit’s hosted auth page
Identity verification - User authenticates via their preferred method
Secure callback - Scalekit returns user profile and session tokens
Session creation - Your app establishes a secure user session
Protected access - User can access your application’s features

Before you begin

Signup for a Scalekit account
Copy your API credentials from the Scalekit dashboard’s API Config section
Register your redirect URLs in the Scalekit Dashboard under Redirects section

Let’s get started!

Install the Scalekit SDK
Section titled “Install the Scalekit SDK”
npm install @scalekit-sdk/node
pip install scalekit-sdk-python
go get -u github.com/scalekit-inc/scalekit-sdk-go
/* Gradle users - add the following to your dependencies in build file */ implementation "com.scalekit:scalekit-sdk-java:2.0.1"
 <dependency> <groupId>com.scalekit</groupId> <artifactId>scalekit-sdk-java</artifactId> <version>2.0.1</version> </dependency>
Copy your API credentials from the Scalekit dashboard’s API Config section and set them as environment variables.
Terminal window
```
1
SCALEKIT_ENVIRONMENT_URL='<YOUR_ENVIRONMENT_URL>'
2
SCALEKIT_CLIENT_ID='<ENVIRONMENT_CLIENT_ID>'
3
SCALEKIT_CLIENT_SECRET='<ENVIRONMENT_CLIENT_SECRET>'
```
Create a new Scalekit client instance after initializing the environment variables.
utils/auth.js
1 import { Scalekit } from '@scalekit-sdk/node'; 2 3 export let scalekit = new Scalekit( 4 process.env.SCALEKIT_ENVIRONMENT_URL, 5 process.env.SCALEKIT_CLIENT_ID, 6 process.env.SCALEKIT_CLIENT_SECRET 7 );
utils/auth.py
1 from scalekit import ScalekitClient 2 import os 3 4 scalekit = ScalekitClient( 5 os.environ.get('SCALEKIT_ENVIRONMENT_URL'), 6 os.environ.get('SCALEKIT_CLIENT_ID'), 7 os.environ.get('SCALEKIT_CLIENT_SECRET') 8 )
utils/auth.go
1 package main 2 3 import ( 4 "os" 5 "github.com/scalekit-inc/scalekit-sdk-go" 6 ) 7 8 scalekit := scalekit.NewScalekitClient( 9 os.Getenv("SCALEKIT_ENVIRONMENT_URL"), 10 os.Getenv("SCALEKIT_CLIENT_ID"), 11 os.Getenv("SCALEKIT_CLIENT_SECRET"), 12 )
utils/Auth.java
1 import com.scalekit.ScalekitClient; 2 3 public class Auth { 4 public ScalekitClient createScalekitClient() { 5 return new ScalekitClient( 6 System.getenv("SCALEKIT_ENVIRONMENT_URL"), 7 System.getenv("SCALEKIT_CLIENT_ID"), 8 System.getenv("SCALEKIT_CLIENT_SECRET") 9 ); 10 } 11 }

Generate the authorization URL by passing a registered callback URL and scopes to the Scalekit SDK.

1
curl -G -v --location "<SCALEKIT_ENVIRONMENT_URL>/oauth/authorize" \
2
--data-urlencode 'grant_type=authorization_code' \
3
--data-urlencode "organization_id={organization_id}" \
4
--data-urlencode "response_type=code" \
5
--data-urlencode "scope=openid profile" \
6
--data-urlencode 'redirect_uri=https://your-app.com/callback' \
7
--data-urlencode "client_id={client_id}" \
8
--data-urlencode "state=random_state_value"

1
const redirectUri = '<http://localhost:3000/api/callback>';
2
const options = {
3
  scopes: ['openid', 'profile', 'email', 'offline_access']
4
};
5

6
const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options);
7

8
res.redirect(authorizationUrl);

1
from scalekit import AuthorizationUrlOptions
2

3
redirect_uri = 'http://localhost:3000/api/callback'
4
options = AuthorizationUrlOptions(
5
    scopes=['openid', 'profile', 'email', 'offline_access']
6
)
7

8
authorization_url = scalekit.get_authorization_url(redirect_uri, options)
9

10
# For web frameworks like Flask/Django:
11
# return redirect(authorization_url)

1
redirectUri := "http://localhost:3000/api/callback"
2
options := scalekit.AuthorizationUrlOptions{
3
    Scopes: []string{"openid", "profile", "email", "offline_access"}
4
}
5

6
authorizationUrl, err := scalekit.GetAuthorizationUrl(redirectUri, options)
7
if err != nil {
8
    // handle error appropriately
9
    panic(err)
10
}
11

12
// For web frameworks like Gin:
13
// c.Redirect(http.StatusFound, authorizationUrl.String())

1
import com.scalekit.internal.http.AuthorizationUrlOptions;
2
import java.net.URL;
3
import java.util.Arrays;
4

5
String redirectUri = "http://localhost:3000/api/callback";
6
AuthorizationUrlOptions options = new AuthorizationUrlOptions();
7
options.setScopes(Arrays.asList("openid", "profile", "email", "offline_access"));
8

9
URL authorizationUrl = scalekit.authentication().getAuthorizationUrl(redirectUri, options);

This will redirect the user to Scalekit’s managed sign-in page.

Handle Authentication Callback

After users authenticate, Scalekit redirects them back to your registered callback URL with an authorization code. Exchange this code to get the user’s profile and session tokens:

1
curl -v --location "<SCALEKIT_ENVIRONMENT_URL>/oauth/token" \
2
--header 'Content-Type: application/x-www-form-urlencoded' \
3
--data-urlencode 'grant_type=authorization_code' \
4
--data-urlencode "code={authorization_code}" \
5
--data-urlencode 'redirect_uri=https://your-app.com/callback' \
6
--data-urlencode "client_id={client_id}" \
7
--data-urlencode "client_secret={client_secret}"

1
import scalekit from '@/utils/auth.js'
2
const redirectUri = '<http://localhost:3000/api/callback>';
3

4
// Get the authorization code from the scalekit initiated callback
5
app.get('/api/callback', async (req, res) => {
6
  const { code, error, error_description } = req.query;
7

8
  if (error) {
9
    return res.status(401).json({ error, error_description });
10
  }
11

12
  try {
13
    // Exchange the authorization code for a user profile
14
    const authResult = await scalekit.authenticateWithCode(
15
      code, redirectUri
16
    );
17

18
    const { user } = authResult;
19

20
    // "user" object contains the user's profile information
21
    // Next step: Create a session and log in the user
5 collapsed lines
22
    res.redirect('/dashboard/profile');
23
  } catch (err) {
24
    console.error('Error exchanging code:', err);
25
    res.status(500).json({ error: 'Failed to authenticate user' });
26
  }
27
});


6 collapsed lines
1
from flask import Flask, request, redirect, jsonify
2
from scalekit import ScalekitClient, CodeAuthenticationOptions
3

4
app = Flask(__name__)
5
# scalekit imported from your auth utils
6

7
redirect_uri = 'http://localhost:3000/api/callback'
8

9
@app.route('/api/callback')
10
def callback():
11
    code = request.args.get('code')
12
    error = request.args.get('error')
13
    error_description = request.args.get('error_description')
14

15
    if error:
16
        return jsonify({'error': error, 'error_description': error_description}), 401
17

18
    try:
19
        # Exchange the authorization code for a user profile
20
        options = CodeAuthenticationOptions()
21
        auth_result = scalekit.authenticate_with_code(
22
            code, redirect_uri, options
23
        )
24

25
        user = auth_result.user
26

27
        # "user" object contains the user's profile information
28
        # Next step: Create a session and log in the user
4 collapsed lines
29
        return redirect('/dashboard/profile')
30
    except Exception as err:
31
        print(f'Error exchanging code: {err}')
32
        return jsonify({'error': 'Failed to authenticate user'}), 500


9 collapsed lines
1
package main
2

3
import (
4
    "log"
5
    "net/http"
6
    "os"
7
    "github.com/gin-gonic/gin"
8
    "github.com/scalekit-inc/scalekit-sdk-go"
9
)
10

11
// Create Scalekit client instance
12
var scalekitClient = scalekit.NewScalekitClient(
13
    os.Getenv("SCALEKIT_ENVIRONMENT_URL"),
14
    os.Getenv("SCALEKIT_CLIENT_ID"),
15
    os.Getenv("SCALEKIT_CLIENT_SECRET"),
16
)
17

18
const redirectUri = "http://localhost:3000/api/callback"
19

20
func callbackHandler(c *gin.Context) {
21
    code := c.Query("code")
22
    errorParam := c.Query("error")
23
    errorDescription := c.Query("error_description")
24

25
    if errorParam != "" {
26
        c.JSON(http.StatusUnauthorized, gin.H{
27
            "error": errorParam,
28
            "error_description": errorDescription,
29
        })
30
        return
31
    }
32

33
    // Exchange the authorization code for a user profile
34
    options := scalekit.AuthenticationOptions{}
35
    authResult, err := scalekitClient.AuthenticateWithCode(
36
        code, redirectUri, options,
37
    )
38

39
    if err != nil {
40
        log.Printf("Error exchanging code: %v", err)
41
        c.JSON(http.StatusInternalServerError, gin.H{
42
            "error": "Failed to authenticate user",
43
        })
44
        return
45
    }
46

47
    user := authResult.User
48

49
    // "user" object contains the user's profile information
50
    // Next step: Create a session and log in the user
51
    c.Redirect(http.StatusFound, "/dashboard/profile")
52
}


10 collapsed lines
1
import com.scalekit.ScalekitClient;
2
import com.scalekit.internal.http.AuthenticationOptions;
3
import com.scalekit.internal.http.AuthenticationResponse;
4
import org.springframework.web.bind.annotation.*;
5
import org.springframework.web.servlet.view.RedirectView;
6
import org.springframework.http.ResponseEntity;
7
import org.springframework.http.HttpStatus;
8
import java.util.HashMap;
9
import java.util.Map;
10

11
@RestController
12
public class CallbackController {
13

14
    private final String redirectUri = "http://localhost:3000/api/callback";
15

16
    @GetMapping("/api/callback")
17
    public Object callback(
18
        @RequestParam(required = false) String code,
19
        @RequestParam(required = false) String error,
20
        @RequestParam(name = "error_description", required = false) String errorDescription
21
    ) {
22
        if (error != null) {
23
           // handle error
24
        }
25

26
        try {
27
            // Exchange the authorization code for a user profile
28
            AuthenticationOptions options = new AuthenticationOptions();
29
            AuthenticationResponse authResult = scalekit
30
                .authentication()
31
                .authenticateWithCode(code,redirectUri,options);
32

33
            var user = authResult.getIdTokenClaims();
34

35
            // "user" object contains the user's profile information
36
            // Next step: Create a session and log in the user
37
            return new RedirectView("/dashboard/profile");
38

39
        } catch (Exception err) {
4 collapsed lines
40
            // Handle exception (e.g., log error, return error response)
41
        }
42
    }
43
}

The authenticateWithCode method returns an object containing the user’s profile information (user object) and session tokens including idToken, accessToken and refreshToken.

1
{
2
"access_token": "eyJhImtpZCI6InNu2NiIsInR5cCI6IkpXVCJ9...",
3
"token_type": "Bearer",
4
"expires_in": 86399,
5
"scope": "openid profile",
6
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNuIsInR5cCI6IkpXVCJ9..."
7
}

1
{
2
  user: {
3
    email: "john.doe@example.com",
4
    emailVerified: true,
5
    givenName: "John",
6
    name: "John Doe",
7
    id: "usr_74599896446906854"
8
  },
9
  idToken: "eyJhbGciO..",
10
  accessToken: "eyJhbGciOi..",
11
  refreshToken: "rt_8f7d6e5c4b3a2d1e0f9g8h7i6j..",
12
  expiresIn: 299
13
}

1
{
2
  "at_hash": "ec_jU2ZKpFelCKLTRWiRsg",
3
  "aud": [
4
    "skc_58327482062864390"
5
  ],
6
  "azp": "skc_58327482062864390",
7
  "c_hash": "6wMreK9kWQQY6O5R0CiiYg",
8
  "client_id": "skc_58327482062864390",
9
  "email": "john.doe@example.com",
10
  "email_verified": true,
11
  "exp": 1742975822,
12
  "family_name": "Doe",
13
  "given_name": "John",
14
  "iat": 1742974022,
15
  "iss": "https://scalekit-z44iroqaaada-dev.scalekit.cloud",
16
  "name": "John Doe",
17
  "oid": "org_59615193906282635",
18
  "sid": "ses_65274187031249433",
19
  "sub": "usr_63261014140912135"
20
}

You can decode the idToken to access user information like email, name, and profile verification status directly from the token claims.

Create and manage user sessions

Now that you’ve the entire user’s profile details including their email address, verification status, create a secure session by storing the session tokens. Use encrypted HTTP-only cookies for the access token and securely store the refresh token:

1
import cookieParser from 'cookie-parser';
2
// Set cookie parser middleware
3
app.use(cookieParser());
4

5
// encrypt the accessToken using a secure encryption algorithm
6
const encryptedAccessToken = encrypt(authResult.accessToken);
7

8
// setting up accessToken as HTTP-only cookie
9
res.cookie('accessToken', encryptedAccessToken, {
10
  maxAge: (authResult.expiresIn - 60) * 1000,
11
  httpOnly: true,
12
  secure: true,
13
  path: '/',
14
  sameSite: 'strict'
15
});
16

17
// Store the refreshToken in a secure place

1
from flask import Flask, make_response
2
from cryptography.fernet import Fernet
3
import os
4

5
# Cookie parsing is built-in with Flask's request object
6
app = Flask(__name__)
7

8
# encrypt the accessToken using a secure encryption algorithm
9
key = os.environ.get('ENCRYPTION_KEY')  # Store securely
10
cipher_suite = Fernet(key)
11
encrypted_access_token = cipher_suite.encrypt(authResult['accessToken'].encode()).decode()
12

13
// setting up accessToken as HTTP-only cookie
14
response = make_response()
15
response.set_cookie(
16
    'accessToken',
17
    encrypted_access_token,
18
    max_age=(authResult['expiresIn'] - 60) * 1000,
19
    httponly=True,
20
    secure=True,
21
    path='/',
22
    samesite='Strict'
23
)
24

25
// Store the refreshToken in a secure place

1
import (
2
    "crypto/aes"
3
    "crypto/cipher"
4
    "net/http"
5
    "os"
6
)
7

8
// encrypt the accessToken using a secure encryption algorithm
9
key := []byte(os.Getenv("ENCRYPTION_KEY"))
10
block, _ := aes.NewCipher(key)
11
gcm, _ := cipher.NewGCM(block)
12
encryptedAccessToken, _ := encrypt(authResult.AccessToken)
13

14
// setting up accessToken as HTTP-only cookie
15
cookie := &http.Cookie{
16
    Name:     "accessToken",
17
    Value:    encryptedAccessToken,
18
    MaxAge:   (authResult.ExpiresIn - 60) * 1000,
19
    HttpOnly: true,
20
    Secure:   true,
21
    Path:     "/",
22
    SameSite: http.SameSiteStrictMode,
23
}
24
http.SetCookie(w, cookie)
25

26
// Store the refreshToken in a secure place

1
import javax.crypto.Cipher;
2
import javax.crypto.SecretKey;
3
import javax.servlet.http.Cookie;
4
import javax.servlet.http.HttpServletResponse;
5
import java.util.Base64;
6

7

8

9

10
// setting up accessToken as HTTP-only cookie
11
String encryptedRefreshToken = encrypt(authResult.getAccessToken());
12
Cookie accessTokenCookie = new Cookie("accessToken", encryptedAccessToken);
13
accessTokenCookie.setMaxAge((authResult.getExpiresIn() - 60) * 1000);
14
accessTokenCookie.setHttpOnly(true);
15
accessTokenCookie.setSecure(true);
16
accessTokenCookie.setPath("/");
17
response.addCookie(accessTokenCookie);
18

19
// setting up refreshToken as HTTP-only cookie
20
String encryptedRefreshToken = encrypt(authResult.getRefreshToken());
21
Cookie refreshTokenCookie = new Cookie("refreshToken", encryptedRefreshToken);
22
refreshTokenCookie.setHttpOnly(true);
23
refreshTokenCookie.setSecure(true);
24
refreshTokenCookie.setPath("/");
25
response.addCookie(refreshTokenCookie);
26

27
// Store the refreshToken in a secure place

This sets browser cookies with the session tokens. Every request to your backend needs to verify the accessToken to ensure the user is authenticated. If expired, use the refreshToken to get a new access token.

1
// Middleware to verify and refresh tokens if needed
2
const verifyToken = async (req, res, next) => {
3
  try {
4
    // Get access token from cookie
5
    const accessToken = req.cookies.accessToken;
6

7
    // Decrypt the accessToken using the same encryption algorithm
8
    const decryptedAccessToken = decrypt(accessToken);
9

10
    if (!accessToken) {
11
      return res.status(401).json({ message: 'No access token provided' });
12
    }
13

14
    // Use Scalekit SDK to validate the token
15
    const isValid = await scalekit.validateAccessToken(decryptedAccessToken);
16

17
    if (!isValid) {
18
      // Use stored refreshToken to get a new access token
19
       const {
20
            user,
21
            idToken,
22
            accessToken,
23
            refreshToken: newRefreshToken,
24
      } = await scalekit.refreshAccessToken(refreshToken);
25

26
      // Store the new refresh token
27
      // Update the cookie with the new access token
28
    }
29
    next();
30
};
31

32
// Example of using the middleware to protect routes
33
app.get('/dashboard', verifyToken, (req, res) => {
34
  // The user object is now available in req.user
35
  res.json({
36
    message: 'This is a protected route',
37
    user: req.user
38
  });
39
});

1
from functools import wraps
2
from flask import request, jsonify, make_response
3

4
def verify_token(f):
5
    """Decorator to verify and refresh tokens if needed"""
6
    @wraps(f)
7
    def decorated_function(*args, **kwargs):
8
        try:
9
            # Get access token from cookie
10
            access_token = request.cookies.get('accessToken')
11

12
            if not access_token:
13
                return jsonify({'message': 'No access token provided'}), 401
14

15
            # Decrypt the accessToken using the same encryption algorithm
16
            decrypted_access_token = decrypt(access_token)
17

18
            # Use Scalekit SDK to validate the token
19
            is_valid = scalekit.validate_access_token(decrypted_access_token)
20

21
            if not is_valid:
22
                # Get stored refresh token
23
                refresh_token = get_stored_refresh_token()
24

25
                if not refresh_token:
26
                    return jsonify({'message': 'No refresh token available'}), 401
27

28
                # Use stored refreshToken to get a new access token
29
                token_response = scalekit.refresh_access_token(refresh_token)
30

31
                # Python SDK returns dict with access_token and refresh_token
32
                new_access_token = token_response.get('access_token')
33
                new_refresh_token = token_response.get('refresh_token')
34

35
                # Store the new refresh token
36
                store_refresh_token(new_refresh_token)
37

38
                # Update the cookie with the new access token
39
                encrypted_new_access_token = encrypt(new_access_token)
40
                response = make_response(f(*args, **kwargs))
41
                response.set_cookie(
42
                    'accessToken',
43
                    encrypted_new_access_token,
44
                    httponly=True,
45
                    secure=True,
46
                    path='/',
47
                    samesite='Strict'
48
                )
49

50
                return response
51

52
            # If the token was valid we just invoke the view as-is
53
            return f(*args, **kwargs)
54

55
        except Exception as e:
56
            return jsonify({'message': f'Token verification failed: {str(e)}'}), 401
57

58
    return decorated_function
59

60
# Example of using the decorator to protect routes
61
@app.route('/dashboard')
62
@verify_token
63
def dashboard():
64
    return jsonify({
65
        'message': 'This is a protected route',
66
        'user': getattr(request, 'user', None)
67
    })

1
import (
2
    "context"
3
    "net/http"
4
)
5

6
func verifyToken(next http.HandlerFunc) http.HandlerFunc {
7
    return func(w http.ResponseWriter, r *http.Request) {
8
        // Get access token from cookie
9
        cookie, err := r.Cookie("accessToken")
10
        if err != nil {
11
            http.Error(w, `{"message": "No access token provided"}`, http.StatusUnauthorized)
12
            return
13
        }
14

15
        accessToken := cookie.Value
16

17
        // Decrypt the accessToken
18
        decryptedAccessToken, err := decrypt(accessToken)
19
        if err != nil {
20
            http.Error(w, `{"message": "Token decryption failed"}`, http.StatusUnauthorized)
21
            return
22
        }
23

24
        // Use Scalekit SDK to validate the token
25
        isValid, err := scalekit.ValidateAccessToken(decryptedAccessToken)
26
        if err != nil || !isValid {
27
            // Get stored refresh token
28
            refreshToken, err := getStoredRefreshToken(r)
29
            if err != nil {
30
                http.Error(w, `{"message": "No refresh token available"}`, http.StatusUnauthorized)
31
                return
32
            }
33

34
            // Use stored refreshToken to get a new access token
35
            tokenResponse, err := scalekit.RefreshAccessToken(refreshToken)
36
            if err != nil {
37
                http.Error(w, `{"message": "Token refresh failed"}`, http.StatusUnauthorized)
38
                return
39
            }
40

41
            // Go SDK returns TokenResponse with AccessToken, RefreshToken, ExpiresIn
42
            // Store the new refresh token
43
            err = storeRefreshToken(tokenResponse.RefreshToken)
44
            if err != nil {
45
                http.Error(w, `{"message": "Failed to store refresh token"}`, http.StatusInternalServerError)
46
                return
47
            }
48

49
            // Update the cookie with the new access token
50
            encryptedNewAccessToken, err := encrypt(tokenResponse.AccessToken)
51
            if err != nil {
52
                http.Error(w, `{"message": "Token encryption failed"}`, http.StatusInternalServerError)
53
                return
54
            }
55

56
            newCookie := &http.Cookie{
57
                Name:     "accessToken",
58
                Value:    encryptedNewAccessToken,
59
                HttpOnly: true,
60
                Secure:   true,
61
                Path:     "/",
62
                SameSite: http.SameSiteStrictMode,
63
            }
64
            http.SetCookie(w, newCookie)
65

66
            r = r.WithContext(context.WithValue(r.Context(), "tokenValid", true))
67
        } else {
68
            r = r.WithContext(context.WithValue(r.Context(), "tokenValid", true))
69
        }
70

71
        next(w, r)
72
    }
73
}
74

75
// Example of using the middleware to protect routes
76
func dashboardHandler(w http.ResponseWriter, r *http.Request) {
77
    w.Header().Set("Content-Type", "application/json")
78
    w.Write([]byte(`{
79
        "message": "This is a protected route",
80
        "tokenValid": true
81
    }`))
82
}
83

84
// Usage: http.HandleFunc("/dashboard", verifyToken(dashboardHandler))

1
import javax.servlet.http.HttpServletRequest;
2
import javax.servlet.http.HttpServletResponse;
3
import javax.servlet.http.Cookie;
4
import org.springframework.web.servlet.HandlerInterceptor;
5

6
@Component
7
public class TokenVerificationInterceptor implements HandlerInterceptor {
8
    @Override
9
    public boolean preHandle(
10
        HttpServletRequest request,
11
        HttpServletResponse response,
12
        Object handler
13
    ) throws Exception {
14
        try {
15
            // Get access token from cookie
16
            String accessToken = getCookieValue(request, "accessToken");
17
            String refreshToken = getCookieValue(request, "refreshToken");
18

19
            // Decrypt the tokens
20
            String decryptedAccessToken = decrypt(accessToken);
21
            String decryptedRefreshToken = decrypt(refreshToken);
22

23
            // Use Scalekit SDK to validate the token
24
            boolean isValid = scalekit.authentication().validateAccessToken(decryptedAccessToken);
25

26

27
            // Use refreshToken to get a new access token
28
            AuthenticationResponse tokenResponse = scalekit
29
                    .authentication()
30
                    .refreshToken(decryptedRefreshToken);
31

32

33

34
            // Update the cookie with the new access token and refresh token
35
            String encryptedNewAccessToken = encrypt(tokenResponse.getAccessToken());
36
            String encryptedNewRefreshToken = encrypt(tokenResponse.getRefreshToken());
37

38
            Cookie accessTokenCookie = new Cookie("accessToken", encryptedNewAccessToken);
39
            accessTokenCookie.setHttpOnly(true);
40
            accessTokenCookie.setSecure(true);
41
            accessTokenCookie.setPath("/");
42
            response.addCookie(accessTokenCookie);
43

44
            Cookie refreshTokenCookie = new Cookie("refreshToken", encryptedNewRefreshToken);
45
            refreshTokenCookie.setHttpOnly(true);
46
            refreshTokenCookie.setSecure(true);
47
            refreshTokenCookie.setPath("/");
48
            response.addCookie(refreshTokenCookie);
49

50
            return true;
51
        } catch (Exception e) {
52
           // handle exception
53
        }
54
    }
55

56
    private String getCookieValue(HttpServletRequest request, String cookieName) {
57
        Cookie[] cookies = request.getCookies();
58
        if (cookies != null) {
59
            for (Cookie cookie : cookies) {
60
                if (cookieName.equals(cookie.getName())) {
61
                    return cookie.getValue();
62
                }
63
            }
64
        }
65
        return null;
66
    }
67
}

Successfully authenticated users can now access your dashboard.

Log out the user

To properly log out users, clear local session data and invalidate their session on Scalekit’s servers:

1
/**
2
 * Handles user logout by:
3
 * 1. Clearing local session data
4
 * 2. Invalidating the Scalekit session
5
 * 3. Redirecting to post-logout URL
6
 */
7
app.get('/logout', (req, res) => {
8
  // Clear all session data including cookies and local storage
9
  clearSessionData();
10

11
  /**
12
   * Generates a Scalekit logout URL that will:
13
   * - Invalidate the user's session on Scalekit's servers
14
   * - Redirect the user to the specified post-logout URL
15
   * @param {string} idToken - The user's ID token to invalidate
16
   * @param {string} postLogoutRedirectUri - URL to redirect after logout
17
   * @returns {string} The complete logout URL
18
   */
19
  const logoutUrl = scalekit.getLogoutUrl(
20
    idToken,
21
    postLogoutRedirectUri
22
  );
23

24
  // Redirect to Scalekit's logout endpoint
25
  // Note: This is a one-time use URL that becomes invalid after use
26
  res.redirect(logoutUrl);
27
});

1
from flask import Flask, redirect
2
from scalekit import LogoutUrlOptions
3

4
app = Flask(__name__)
5

6
@app.route('/logout')
7
def logout():
8
    # Clear all session data including cookies and local storage
9
    clear_session_data()
10

11
    # Generate Scalekit logout URL
12
    options = LogoutUrlOptions(
13
        id_token_hint=id_token,
14
        post_logout_redirect_uri=post_logout_redirect_uri
15
    )
16
    logout_url = scalekit.get_logout_url(options)
17

18
    # Redirect to Scalekit's logout endpoint
19
    # Note: This is a one-time use URL that becomes invalid after use
20
    return redirect(logout_url)

1
package main
2

3
import (
4
    "net/http"
5
    "github.com/gin-gonic/gin"
6
    "github.com/scalekit-inc/scalekit-sdk-go"
7
)
8

9
func logoutHandler(c *gin.Context) {
10
    // Clear all session data including cookies and local storage
11
    clearSessionData()
12

13
    // Generate Scalekit logout URL
14
    options := scalekit.LogoutUrlOptions{
15
        IdTokenHint:           idToken,
16
        PostLogoutRedirectUri: postLogoutRedirectUri,
17
    }
18
    logoutUrl, err := scalekit.GetLogoutUrl(options)
19
    if err != nil {
20
        c.JSON(http.StatusInternalServerError, gin.H{
21
            "error": "Failed to generate logout URL",
22
        })
23
        return
24
    }
25

26
    // Redirect to Scalekit's logout endpoint
27
    // Note: This is a one-time use URL that becomes invalid after use
28
    c.Redirect(http.StatusFound, logoutUrl.String())
29
}

1
import com.scalekit.internal.http.LogoutUrlOptions;
2
import org.springframework.web.bind.annotation.*;
3
import org.springframework.web.servlet.view.RedirectView;
4
import java.net.URL;
5

6
@RestController
7
public class LogoutController {
8

9
    @GetMapping("/logout")
10
    public RedirectView logout() {
11
        // Clear all session data including cookies and local storage
12
        clearSessionData();
13

14
        // Generate Scalekit logout URL
15
        LogoutUrlOptions options = new LogoutUrlOptions();
16
        options.setIdTokenHint(idToken);
17
        options.setPostLogoutRedirectUri(postLogoutRedirectUri);
18

19
        URL logoutUrl = scalekit.authentication()
20
            .getLogoutUrl(options);
21

22
        // Redirect to Scalekit's logout endpoint
23
        // Note: This is a one-time use URL that becomes invalid after use
24
        return new RedirectView(logoutUrl.toString());
25
    }
26
}

The logout process completes when Scalekit invalidates the user’s session and redirects them to your specified post-logout URL.

What you’ve accomplished

🎉 Congratulations! You’ve successfully integrated Scalekit’s Full Stack Authentication. Your application now has:

Complete authentication flow - Sign-in, sign-up, and logout
Secure session management - Encrypted tokens with automatic refresh
Multi-tenant architecture - Ready for B2B SaaS scaling
Enterprise-ready foundation - Built to handle SSO and advanced auth methods

What’s next?

You’ve completed the Scalekit quickstart and enabled secure authentication for your users and sign-in flow.

Design your data model to learn how to model your data to best work with Scalekit.
Manage users to create, update, and delete user accounts.
Customize the login page to match your brand’s design and style.