> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation.
>
> - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install <auth-type>@scalekit-auth-stack`
> - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install <auth-type>@scalekit-auth-stack`
> - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `<auth-type>`
> - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill <skill-name>`
>
> `<auth-type>` / `<skill-name>`: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# Best practices for client secrets

A Client ID and Client Secret are a pair of API credentials, comparable to a username and password. You are responsible for keeping Client Secrets safe and secure. Below are best practices for protecting your secrets, along with the functionality Scalekit offers to help you do so.

<CheckItem iconName="approve-check-circle"> **Store secrets securely** </CheckItem>

Whenever a client secret is generated from the Scalekit Dashboard, it is shown only once and cannot be recovered. Store it immediately in a secure Key Management System (KMS) that provides encryption and access control, and do not leave a duplicate copy of the secret in a local file.

<CheckItem iconName="approve-check-circle"> **Avoid insecure sharing** </CheckItem>

Sharing of secret keys through insecure channels, such as emails, Slack, or customer support messages, should be strictly avoided.

<CheckItem iconName="approve-check-circle"> **Prevent hardcoding** </CheckItem>

Avoid storing client secrets in source code as hardcoded strings. Instead, keep them in a properties file or environment file, and never check those files into your source code repository.
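The following is an added example (not Scalekit's own code) of the pattern this item describes: the application reads its credentials from the process environment or an untracked `.env` file, fails fast on missing or placeholder values, and keeps the secret out of `repr()` so it cannot leak into logs. The variable names `SCALEKIT_CLIENT_ID` and `SCALEKIT_CLIENT_SECRET` and the sample `.env` contents are assumptions made for this example.

```python
"""Load client credentials from the environment instead of hardcoding them.

Assumed variable names (not mandated by the Scalekit docs):
SCALEKIT_CLIENT_ID and SCALEKIT_CLIENT_SECRET.
"""
import os
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Values that mean a template was copied but the real secret was never set.
_PLACEHOLDERS = {"", "changeme", "your-client-secret", "<client-secret>"}

# Constructed sample .env file (what a developer keeps outside version control).
SAMPLE_ENV_FILE = """# constructed sample, not a real credential
SCALEKIT_CLIENT_ID=skc_example_123
SCALEKIT_CLIENT_SECRET='test_sk_abcd1234'
"""


@dataclass(frozen=True)
class ClientCredentials:
    client_id: str
    client_secret: str = field(repr=False)  # excluded from repr(), so logging the object is safe

    def fingerprint(self) -> str:
        """Log-safe identifier: last four characters only, enough to tell rotated secrets apart."""
        return f"...{self.client_secret[-4:]}"


def parse_env_file(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and comments are skipped, surrounding quotes stripped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def load_credentials(env: Mapping[str, str], env_file_text: Optional[str] = None) -> ClientCredentials:
    """Resolve credentials: process environment overrides the .env file; placeholders are rejected."""
    merged = parse_env_file(env_file_text) if env_file_text else {}
    merged.update(env)  # real environment variables win over file contents
    client_id = merged.get("SCALEKIT_CLIENT_ID", "").strip()
    secret = merged.get("SCALEKIT_CLIENT_SECRET", "").strip()
    if client_id in _PLACEHOLDERS or secret.lower() in _PLACEHOLDERS:
        # Fail at startup rather than sending a bogus credential to the API.
        raise RuntimeError("SCALEKIT_CLIENT_ID / SCALEKIT_CLIENT_SECRET are not set")
    return ClientCredentials(client_id=client_id, client_secret=secret)


if __name__ == "__main__":
    creds = load_credentials(os.environ, SAMPLE_ENV_FILE)
    print(creds, creds.fingerprint())  # the secret itself never appears in the output
```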

<CheckItem iconName="approve-check-circle"> **Establish rotation procedures** </CheckItem>

Establishing a Standard Operating Procedure (SOP) for rotating Client Secrets can help in case of accidental secret leakage. Having such procedures in place will ensure a swift and effective response to emergencies, minimizing business impact.

<CheckItem iconName="approve-check-circle"> **Control access** </CheckItem>

Access to create, update, or read keys should be granted only to those individuals who require it for their roles. Regular access audits help prevent privilege creep.

<CheckItem iconName="approve-check-circle"> **Monitor usage** </CheckItem>

Regular monitoring of API logs is recommended to identify potential misuse of API keys early. Developers should avoid using live mode keys when a test mode key is suitable.

<CheckItem iconName="approve-check-circle"> **Respond to incidents** </CheckItem>

If suspicious activity is detected or a secret leak is suspected, immediately revoke the current secret from the Scalekit Dashboard and generate a new one. When in doubt, it is better to generate a new secret and revoke the existing one.

---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |
