Passwordless quickstart (via OIDC)

This guide will walk you through implementing passwordless authentication via Scalekit’s OIDC flow. Depending on your configuration, your users will be sent either a one time passcode (OTP) or a magic link to verify their identity.

Prerequisites

Before you begin, ensure you have:

Access to your Scalekit Account and the API credentials. If you don’t have a Scalekit account yet, you can signup here.

Installed Scalekit SDK into your project

npm install @scalekit-sdk/node

import { Scalekit } from '@scalekit-sdk/node';

const scalekit = new Scalekit(
  '<SCALEKIT_ENVIRONMENT_URL>',
  '<SCALEKIT_CLIENT_ID>',
  '<SCALEKIT_CLIENT_SECRET>',
);

Implementation guide

Generate OIDC Passwordless Auth Code with AI in Minutes

Input this prompt in your IDE to analyze your existing code base and generate OIDC implementation code accordingly.

Compatible with Cursor, Windsurf, VS Code, and any AI-powered IDE

Copy Prompt

Configure settings
Section titled “Configure settings”

Before implementing the code, ensure passwordless authentication is properly configured in your Scalekit dashboard.
1. Navigate to Authentication > Auth Methods.
2. In the Passwordless section, choose your preferred login method.
3. For enhanced security, you can also configure these settings:
  - Enforce same browser origin: Requires users to complete magic link authentication in the same browser where they initiated the sign-in process. This helps prevent phishing attacks.
  - Enable new passwordless credentials on resend: Generates a new verification code or magic link on each resend request, invalidating the previous one.
4. Click Save.

Initiate authorize request

To initiate passwordless authentication, redirect users to the Scalekit authorization endpoint with the appropriate parameters.

Construct your authorization URL with the following parameters and redirect the user to the authorization URL.

Parameter	Description
`redirect_uri`	Your application endpoint that will receive the authorization code after successful authentication. Example: `https://your-app.com/auth/callback`
`client_id`	Your unique Scalekit application identifier that specifies both your app and environment (staging, production).
`login_hint`	The email address of the user to send the verification email

Example implementation

1
import { ScalekitClient } from '@scalekit-sdk/node';
2
// Initialize the SDK client
3
const scalekit = new ScalekitClient(
4
  '<SCALEKIT_ENVIRONMENT_URL>',
5
  '<SCALEKIT_CLIENT_ID>',
6
  '<SCALEKIT_CLIENT_SECRET>',
7
);
8

9
const options = {};
10

11
options['loginHint'] = 'user@example.com';
12

13
const authorizationURL = scalekit.getAuthorizationUrl(redirectUrl, options);

1
from scalekit import ScalekitClient, AuthorizationUrlOptions, CodeAuthenticationOptions
2

3
# Initialize the SDK client
4
scalekit = ScalekitClient(
5
  '<SCALEKIT_ENVIRONMENT_URL>',
6
  '<SCALEKIT_CLIENT_ID>',
7
  '<SCALEKIT_CLIENT_SECRET>'
8
)
9

10
options = AuthorizationUrlOptions()
11

12
# Authorization URL with login hint
13
options.login_hint = 'user@example.com'
14

15
authorization_url = scalekit_client.get_authorization_url(
16
  redirect_uri=<redirect_uri>,
17
  options=options
18
)
19

20
# Redirect the user to this authorization URL

1
import (
2
  "github.com/scalekit/scalekit-sdk-go"
3
)
4

5
func main() {
6
  // Initialize the SDK client
7
  scalekitClient := scalekit.NewScalekitClient(
8
    "<SCALEKIT_ENVIRONMENT_URL>",
9
    "<SCALEKIT_CLIENT_ID>",
10
    "<SCALEKIT_CLIENT_SECRET>"
11
  )
12

13
  options := scalekitClient.AuthorizationUrlOptions{}
14
  // User's email domain detects the correct enterprise SSO connection.
15
  options.LoginHint = "user@example.com"
16

17
  authorizationURL := scalekitClient.GetAuthorizationUrl(
18
    redirectUrl,
19
    options,
20
  )
21
  // Next step is to redirect the user to this authorization URL
22
}
23

24
// Redirect the user to this authorization URL

1
package com.scalekit;
2

3
import com.scalekit.ScalekitClient;
4
import com.scalekit.internal.http.AuthorizationUrlOptions;
5

6
public class Main {
7

8
  public static void main(String[] args) {
9
    // Initialize the SDK client
10
    ScalekitClient scalekitClient = new ScalekitClient(
11
      "<SCALEKIT_ENVIRONMENT_URL>",
12
      "<SCALEKIT_CLIENT_ID>",
13
      "<SCALEKIT_CLIENT_SECRET>"
14
    );
15
    AuthorizationUrlOptions options = new AuthorizationUrlOptions();
16
    // User's email domain detects the correct enterprise SSO connection.
17
    options.setLoginHint("user@example.com");
18
    try {
19
      String url = scalekitClient
20
        .authentication()
21
        .getAuthorizationUrl(redirectUrl, options)
22
        .toString();
23
    } catch (Exception e) {
24
      System.out.println(e.getMessage());
25
    }
26
  }
27
}
28
// Redirect the user to this authorization URL

This redirect will send users to the Scalekit authentication flow, where they’ll authenticate with their email before being returned to your application.

1
<YOURAPP_SCALEKIT_ENVIRONMENT_URL>/oauth/authorize?
2
  client_id=skc_122056050118122349527&
3
  redirect_uri=https://yourapp.com/auth/callback&
4
  login_hint=user@example.com&
5
  response_type=code&
6
  scope=openid%20profile%20email&
7
  state=jAy-state1-gM4fdZdV22nqm6Q_jAy-XwpYdYFh..2nqm6Q

After redirecting users to the Scalekit authorization endpoint, handle the callback at your redirect_uri to retrieve the user profile and complete the authentication process.

Fetch user details

After successful user authentication via OTP, Scalekit redirects users to your specified redirect_uri with a temporary authorization code parameter. This code must be exchanged for the user’s profile information through a secure server-side request.

The authorization code exchange process should always be performed server-side to maintain security. This server-side request will:

Validate the authorization code
Return the authenticated user’s profile details

1
// Handle oauth redirect_url, fetch code and error_description from request params
2
const { code, error, error_description } = req.query;
3

4
if (error) {
5
  // Handle errors
6
}
7

8
const result = await scalekit.authenticateWithCode(code, redirectUri);
9
const userEmail = result.user.email;
10

11
// Next step: create a session for this user and allow access

1
# Handle oauth redirect_url, fetch code and error_description from request params
2
code = request.args.get('code')
3
error = request.args.get('error')
4
error_description = request.args.get('error_description')
5

6
if error:
7
    raise Exception(error_description)
8

9
result = scalekit.authenticate_with_code(code, '<redirect_uri>')
10

11
# result.user has the authenticated user's details
12
user_email = result.user.email
13

14
# Next step: create a session for this user and allow access

1
// Handle oauth redirect_url, fetch code and error_description from request params
2
code: = r.URL.Query().Get("code")
3
error: = r.URL.Query().Get("error")
4
errorDescription: = r.URL.Query().Get("error_description")
5

6
if error != "" {
7
  // Handle errors
8
}
9

10
result, err: = a.scalekit.AuthenticateWithCode(code,<redirectUrl>)
11

12
if err != nil {
13
  // Handle errors
14
}
15

16
// result.User has the authenticated user's details
17
userEmail: = result.User.Email
18

19
// Next step: create a session for this user and allow access

1
// Handle oauth redirect_url, fetch code and error_description from request params
2
String code = request.getParameter("code");
3
String error = request.getParameter("error");
4
String errorDescription = request.getParameter("error_description");
5

6
if (error != null && !error.isEmpty()) {
7
    // Handle errors
8
    return;
9
}
10

11
try {
12
    AuthenticationResponse result = scalekit.authentication().authenticateWithCode(code, redirectUrl);
13
    String userEmail = result.getIdTokenClaims().getEmail();
14

15
    // Next step: create a session for this user and allow access
16
} catch (Exception e) {
17
    // Handle errors
18
}

The result object

{
  user: {
    email: "john.doe@example.com"  // User's email address
  },
  idToken: "<USER_PROFILE_JWT>",   // JWT containing user profile information
  accessToken: "<API_CALL_JWT>",   // Temporary Access Token for accessing user's email
  expiresIn: 899                    // Token expiration time in seconds
}

{
  "alg": "RS256",
  "kid": "snk_82937465019283746",
  "typ": "JWT"
}.{
  "amr": [
    "conn_92847563920187364"
  ],
  "at_hash": "j8kqPm3nRt5Kx2Vy9wL_Zp",
  "aud": [
    "skc_73645291837465928"
  ],
  "azp": "skc_73645291837465928",
  "c_hash": "Hy4k2M9pWnX7vqR8_Jt3bg",
  "client_id": "skc_73645291837465928",
  "email": "alice.smith@example.com",
  "email_verified": true,
  "exp": 1751697469,
  "iat": 1751438269,
  "iss": "https://demo-company-dev.scalekit.cloud",
  "sid": "ses_83746592018273645",
  "sub": "conn_92847563920187364;alice.smith@example.com" // A scalekit user ID is sent if user management is enabled
}.[Signature]

{
  "alg": "RS256",
  "kid": "snk_794467716206433",
  "typ": "JWT"
}.{
  "iss": "https://acme-corp-dev.scalekit.cloud",
  "sub": "conn_794467724427269;robert.wilson@acme.com",
  "aud": [
    "skc_794467724259497"
  ],
  "exp": 1751439169,
  "iat": 1751438269,
  "nbf": 1751438269,
  "client_id": "skc_794467724259497",
  "jti": "tkn_794754665320942"
}.[Signature]

Congratulations! You’ve successfully implemented passwordless authentication in your application. Users can now sign in securely without passwords by entering a verification code or clicking a magic link sent to their email.

Need more help? Reach out to us for any questions or support