
Authorization URL

The authorization endpoint is where your application redirects users to begin the authentication process. Scalekit powers this endpoint and handles redirecting users to the appropriate identity provider.

Example authorization URL

```
https://SCALEKIT_ENVIRONMENT_URL/oauth/authorize?
  response_type=code&
  client_id=skc_1234&
  scope=openid%20profile&
  redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback&
  organization_id=org_1243412&
  state=aHR0cHM6Ly95b3Vyc2Fhcy5jb20vZGVlcGxpbms%3D
```

| Parameter | Requirement | Description |
| --- | --- | --- |
| client_id | Required | Your unique client identifier from the API credentials page |
| nonce | Optional | Random value for replay protection |
| organization_id | Required* | Identifier for the organization initiating SSO |
| connection_id | Required* | Identifier for the specific SSO connection |
| domain | Required* | Domain portion of email addresses configured for an organization |
| provider | Required* | Social login provider name. Supported providers: google, microsoft, github, gitlab, linkedin, salesforce |
| response_type | Required | Must be set to code |
| redirect_uri | Required | URL where Scalekit sends the response. Must match an authorized redirect URI |
| scope | Required | Must be set to openid email profile |
| state | Optional | Opaque string for request-response correlation |
| login_hint | Optional | User’s email address for prefilling the login form |

* You must provide one of organization_id, connection_id, domain, or provider.

Use Scalekit SDKs to generate authorization URLs programmatically. This approach handles parameter encoding and validation automatically.

```javascript
import { ScalekitClient } from '@scalekit-sdk/node';

const scalekit = new ScalekitClient(
  'https://your-subdomain.scalekit.dev',
  '<SCALEKIT_CLIENT_ID>',
  '<SCALEKIT_CLIENT_SECRET>'
);

// Must match one of the authorized redirect URIs for your application
const redirectUri = 'https://yoursaas.com/callback';

const options = {
  loginHint: 'user@example.com',
  organizationId: 'org_123235245',
};

const authorizationURL = scalekit.getAuthorizationUrl(redirectUri, options);
// Example generated URL:
// https://your-subdomain.scalekit.dev/oauth/authorize?response_type=code&client_id=skc_1234&scope=openid%20profile&redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback&organization_id=org_123235245&login_hint=user%40example.com&state=abc123
```

When you provide multiple connection parameters, Scalekit follows a specific precedence order to determine which identity provider to use:

  1. provider (highest precedence): If present, Scalekit ignores all other connection parameters and directs users to the specified social login provider. For example, provider=google redirects users to Google’s login screen. See Social Login for more details.

  2. connection_id: Takes highest precedence among enterprise SSO parameters. Scalekit uses this specific connection if you provide a valid connection ID. If the connection ID is invalid, the authorization request fails.

  3. organization_id: Scalekit uses this parameter when no valid connection_id is provided. It selects the SSO connection configured for the specified organization.

  4. domain: Scalekit uses this parameter when neither connection_id nor organization_id is provided. It selects the SSO connection configured for the specified domain.

  5. login_hint (lowest precedence): Scalekit extracts the domain portion from the email address and uses the corresponding SSO connection mapped to that organization.
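
The parameter table and the precedence order above, combined in an added example that is not part of the Scalekit SDK: it builds the raw authorization URL, reports which connection parameter takes effect, and creates a random state and nonce that the callback handler compares against the session copy. The function names are hypothetical, and the selector check looks only at which parameters are present.

```javascript
// Added example: not Scalekit SDK code; function names are hypothetical.
const crypto = require('node:crypto');

// Connection selectors in the precedence order listed above.
const PRECEDENCE = ['provider', 'connection_id', 'organization_id', 'domain', 'login_hint'];
// The parameter table requires at least one of these four.
const ONE_OF = ['provider', 'connection_id', 'organization_id', 'domain'];

// Name of the parameter that decides the identity provider, or null.
// Only presence is checked here; Scalekit decides whether an ID is valid.
function effectiveSelector(params) {
  return PRECEDENCE.find((name) => Boolean(params[name])) ?? null;
}

// Builds the URL plus a fresh state and nonce to keep in the user's session.
function buildAuthorizationUrl(envUrl, params) {
  for (const name of ['client_id', 'redirect_uri']) {
    if (!params[name]) throw new Error(`missing required parameter: ${name}`);
  }
  if (!ONE_OF.some((name) => params[name])) {
    throw new Error(`provide one of: ${ONE_OF.join(', ')}`);
  }
  const state = crypto.randomBytes(32).toString('base64url');
  const nonce = crypto.randomBytes(32).toString('base64url');
  const supplied = Object.entries(params).filter(([, value]) => Boolean(value));
  const url = new URL('/oauth/authorize', envUrl);
  url.search = new URLSearchParams({
    ...Object.fromEntries(supplied),
    response_type: 'code',            // fixed values win over caller input
    scope: 'openid email profile',
    state,
    nonce,
  }).toString();
  return { url: url.toString(), state, nonce, selector: effectiveSelector(params) };
}

// Callback side: constant-time comparison of the stored and returned state.
function stateMatches(stored, returned) {
  const a = Buffer.from(String(stored));
  const b = Buffer.from(String(returned ?? ''));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

Store the returned state and nonce server-side before redirecting, and reject any callback for which `stateMatches` returns false.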