Skip to content
Scalekit Docs
Talk to an Engineer Start implementing

Passwordless OIDC Quickstart

Add passwordless sign-in with OTP or magic link via OIDC

This guide shows you how to implement passwordless authentication with Scalekit over OIDC protocol. Users verify with a email verification code (OTP) or a magic link or both.

Review the authentication sequence UserScalekitYour app Enter email address Send OTP or magic link Verify identity (OTP/magic link) Exchange code for user details Create session and grant access

Get moving, instantly, with your go-to AI assistant

Input this prompt in your IDE to analyze your existing code base and generate implementation code accordingly.

*Compatible with Cursor, Windsurf, VS Code, and any AI-powered tools

Copy llm prompt

  1. Set up Scalekit and register a callback endpoint

    Section titled “Set up Scalekit and register a callback endpoint”

    Follow the installation guide to configure Scalekit in your application.

    Scalekit verifies user identities and creates sessions. After successful verification, Scalekit creates a user record and sends the user information to your callback endpoint.

    Create a callback endpoint:

    1. Add a callback endpoint to your application (typically https://your-app.com/auth/callback)
    2. Register this URL in your Scalekit dashboard

    Learn more about callback URL requirements.

  2. Configure passwordless settings

    Section titled “Configure passwordless settings”

    In the Scalekit dashboard, enable Magic link & OTP and choose your login method.

    Optional security settings:

    • Enforce same-browser origin: Users must complete magic-link auth in the same browser they started in.
    • Issue new credentials on resend: Each resend generates a fresh code or link and invalidates the previous one.

  3. Redirect users to sign up (or) login

    Section titled “Redirect users to sign up (or) login”

    Create an authorization URL and redirect users to Scalekit’s sign-in page. Include:

    ParameterDescription
    redirect_uriYour app’s callback endpoint (for example, https://your-app.com/auth/callback).
    client_idYour Scalekit application identifier (scoped to the environment).
    login_hintThe user’s email address to receive the verification email.

    Example implementation

    import { ScalekitClient } from '@scalekit-sdk/node';
    // Initialize the SDK client
    const scalekit = new ScalekitClient(
      '<SCALEKIT_ENVIRONMENT_URL>',
      '<SCALEKIT_CLIENT_ID>',
      '<SCALEKIT_CLIENT_SECRET>',
    );
    

    const options = {};
    

    options['loginHint'] = 'user@example.com';
    

    const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options);
    // Generated URL will look like:
    // https://<SCALEKIT_ENVIRONMENT_URL>/oauth/authorize?response_type=code&client_id=skc_1234&scope=openid%20profile%20email&redirect_uri=https%3A%2F%2Fyourapp.com%2Fcallback
    

    res.redirect(authorizationUrl);

    This redirects users to Scalekit’s authentication flow. After verification, they return to your application.

    Example authorization URL
    Example authorization URL
    <YOURAPP_SCALEKIT_ENVIRONMENT_URL>/oauth/authorize?
      client_id=skc_122056050118122349527&
      redirect_uri=https://yourapp.com/auth/callback&
      login_hint=user@example.com&
      response_type=code&
      scope=openid%20profile%20email&
      state=jAy-state1-gM4fdZdV22nqm6Q_jAy-XwpYdYFh..2nqm6Q

    At your redirect_uri, handle the callback to exchange the code for the user profile. Ensure this URL is registered as an Allowed Callback URI in the dashboard.

  4. Get user details from the callback

    Section titled “Get user details from the callback”

    Scalekit redirects to your redirect_uri with an authorization code. Exchange it server-side for the user’s profile.

    Always perform the code exchange on the server to validate the code and return the authenticated user’s profile.

    Fetch user profile
    // Handle oauth redirect_url, fetch code and error_description from request params
    const { code, error, error_description } = req.query;
    

    if (error) {
      // Handle errors
    }
    

    const result = await scalekit.authenticateWithCode(code, redirectUri);
    const userEmail = result.user.email;
    

    // Next step: create a session for this user and allow access

    The result object

    {
      user: {
        email: "john.doe@example.com"  // Authenticated user's email address
      },
      idToken: "<USER_PROFILE_JWT>",   // ID token (JWT) containing user profile claims
      accessToken: "<API_CALL_JWT>",   // Access token (JWT) for calling backend APIs on behalf of the user
      expiresIn: 899                   // Time in seconds
    }

Congratulations! Your application now supports passwordless authentication. Users can sign in securely by:

  • Entering a verification code sent to their email
  • Clicking a magic link sent to their email

To complete the implementation, create a session for the user to allow access to protected resources.