> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation.
>
> - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install <auth-type>@scalekit-auth-stack`
> - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install <auth-type>@scalekit-auth-stack`
> - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `<auth-type>`
> - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill <skill-name>`
>
> `<auth-type>` / `<skill-name>`: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# Manage applications

Register and manage applications in Scalekit. Each application gets its own OAuth client and configuration while sharing the same underlying user session across your web, mobile, and desktop apps.

1. ## Navigate to Applications

1. Sign in to **https://app.scalekit.com**
2. From the left sidebar, go to **Developers > Applications**

   You will see a list of applications already created for the selected environment.
**Scalekit creates a default web application:** Scalekit creates a **default web application** for every environment at creation time to help developers get started quickly. This app is environment-scoped and **cannot be deleted**.

2. ## Create a new application

   Click **Create Application** to add a new app. You'll be asked to provide:

   - **Application name** — A human-readable name for identifying the app
   - **Application type** — Determines how authentication and credentials work

   Available application types:

   - **Web Application** — Server-side applications that can securely store secrets
   - **Single Page Application (SPA)** — Browser-based applications; public clients with PKCE enforced
   - **Native Application** — Desktop or mobile apps; public clients with PKCE enforced

   ![Create application modal showing app name and type selection](@/assets/docs/guides/multi-app/web-modal.png)

   Once created, Scalekit generates a **Client ID**. Only Web Applications can generate **Client Secrets**.

3. ## Application configuration

   ### Application details

   Open an application to view and edit its configuration.

   - **Allow Scalekit Management API access** — Enables this application's credentials to call Scalekit Management APIs. Applicable only to **Web Applications**.
   - **Enforce PKCE** — Requires PKCE for authorization requests. Always enabled and not editable for **SPA** and **Native** applications.
   - **Access token expiry time** — Overrides the environment default access token lifetime for this application.
**Access token expiry must be shorter than idle session timeout:** If tokens outlive the session, users may encounter inconsistent logout behavior across apps. When the session expires but the access token is still valid, subsequent token refresh attempts will fail because the underlying session no longer exists.

   ![Application details page with configuration options](@/assets/docs/guides/multi-app/web-app-details.png)

   ### Client credentials

   Each application has a unique **Client ID**. When you generate a new client secret, Scalekit shows it **only once**. Copy and store it securely.
**Treat client secrets like passwords:** Anyone with access to your client secret can authenticate as your application and obtain tokens for any user. Never commit secrets to version control, expose them in client-side code, or share them in plain text. Use environment variables or a secrets manager.

   - **Web Applications**
     - Can generate a **Client Secret**
     - A maximum of **two active secrets** is allowed at a time
     - Generating a new secret always creates a **new value**, enabling safe rotation

   ![Client credentials section showing Client ID and secret management](@/assets/docs/guides/multi-app/web-client-creds.png)

   - **SPA and Native Applications**
     - Do not have client secrets
     - Authenticate using Authorization Code with PKCE only

   ![SPA client ID section without client secret option](@/assets/docs/guides/multi-app/spa-client-id.png)

4. ## Configure redirect URLs

   Open the **Redirects** tab for an application to manage redirect endpoints. These URLs act as an allowlist and control where Scalekit can redirect users during authentication flows.

   ### Redirect URL types

   - **Post login URLs** — Allowed values for `redirect_uri` used with `/oauth/authorize`
   - **Initiate login URL** — Where Scalekit redirects users when authentication starts outside your app
   - **Post logout URLs** — Where users are redirected after a successful logout
   - **Back-channel logout URL** — A secure endpoint that Scalekit calls to notify your application that a user session has been revoked

   ![Redirect URLs configuration tab with URL types](@/assets/docs/guides/multi-app/web-app-redirects.png)
**Back-channel logout is only available for Web Applications:** Back-channel logout requires a backend endpoint to receive notifications from Scalekit. SPA and Native applications cannot receive back-channel logout notifications because they don't have a persistent server.

   For definitions, validation rules, custom URI schemes, and environment-specific behavior, see [Redirect URL configuration](/guides/dashboard/redirects/).

5. ## Delete an application

   Delete applications from the bottom of the configuration page.

   ![Delete application button at bottom of configuration page](@/assets/docs/guides/multi-app/delete-app.png)
**Deleting an application is permanent:** This action is **permanent and irreversible**. Existing refresh tokens associated with the application will no longer be valid, and users will need to re-authenticate. Ensure you have communicated this change to affected users before deleting.

---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |