> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation.
>
> - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install <auth-type>@scalekit-auth-stack`
> - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install <auth-type>@scalekit-auth-stack`
> - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `<auth-type>`
> - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill <skill-name>`
>
> `<auth-type>` / `<skill-name>`: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# Configure initiate login endpoint

In certain scenarios, Scalekit redirects users to your application's login endpoint using OIDC third-party initiated login. Your application must implement this endpoint to construct the authorization URL and redirect users to Scalekit's authentication flow.

Scalekit redirects to your login endpoint in these (example) scenarios:

- **Bookmarked login page**: Users bookmark your login page and visit it later. When they access the bookmarked URL, Scalekit redirects them to your application's login endpoint because the original authentication transaction has expired.

- **Password reset completion**: After users complete a password reset, Scalekit redirects them to your login endpoint. Users can then sign in with their new password.

- **Email verification completion**: After users verify their email address during signup, Scalekit redirects them to your login endpoint to complete authentication.

- **Organization invitations**: When users click an invitation link to join an organization, Scalekit redirects them to your login endpoint with invitation parameters. Your application must forward these parameters to Scalekit's authorization endpoint.

- **Disabled cookies**: If users navigate to Scalekit's authorization endpoint with cookies disabled, Scalekit redirects them to your login endpoint.

## Configure the initiate login endpoint

Register your login endpoint in the Scalekit dashboard.

Go to **Dashboard** > **Authentication** > **Redirect URLs** > **Initiate Login URL** and add your endpoint.

![](@/assets/docs/intitate-login-endpoint/add-initiate-login-url.png)

The endpoint must:
- Use HTTPS (required in production)
- Not point to localhost (production only)
- Accept query parameters that Scalekit appends

## Implement the login endpoint

Create a `/login` endpoint that constructs the authorization URL and redirects users to Scalekit.

```javascript title="routes/auth.js" {2,9}
  // Handle indirect auth entry points
  app.get('/login', (req, res) => {
    const redirectUri = 'http://localhost:3000/auth/callback';
    const options = {
      scopes: ['openid', 'profile', 'email', 'offline_access']
    };

    const authorizationUrl = scalekit.getAuthorizationUrl(redirectUri, options);
    res.redirect(authorizationUrl);
  });
  ```
  ```python title="routes/auth.py" collapse={1-3} {5,13}
  from flask import redirect
  from scalekit import AuthorizationUrlOptions

  # Handle indirect auth entry points
  @app.route('/login')
  def login():
      redirect_uri = 'http://localhost:3000/auth/callback'
      options = AuthorizationUrlOptions(
          scopes=['openid', 'profile', 'email', 'offline_access']
      )

      authorization_url = scalekit_client.get_authorization_url(redirect_uri, options)
      return redirect(authorization_url)
  ```
  ```go title="routes/auth.go" {2,9}
  // Handle indirect auth entry points
  r.GET("/login", func(c *gin.Context) {
    redirectUri := "http://localhost:3000/auth/callback"
    options := scalekitClient.AuthorizationUrlOptions{
      Scopes: []string{"openid", "profile", "email", "offline_access"}
    }

    authorizationUrl, _ := scalekitClient.GetAuthorizationUrl(redirectUri, options)
    c.Redirect(http.StatusFound, authorizationUrl.String())
  })
  ```
  ```java title="AuthController.java" {6,12-13} collapse={1-4}
  import org.springframework.web.bind.annotation.GetMapping;
  import org.springframework.web.bind.annotation.RestController;
  import java.net.URL;

  // Handle indirect auth entry points
  @GetMapping("/login")
  public String login() {
      String redirectUri = "http://localhost:3000/auth/callback";
      AuthorizationUrlOptions options = new AuthorizationUrlOptions();
      options.setScopes(Arrays.asList("openid", "profile", "email", "offline_access"));

      URL authorizationUrl = scalekitClient.authentication().getAuthorizationUrl(redirectUri, options);
      return "redirect:" + authorizationUrl.toString();
  }
  ```
  {/*
 Check with the team if this is still needed
**Caution:** If users have cookies disabled, Scalekit redirects them to your login endpoint. This can cause a redirect loop. Consider adding a landing page that checks for cookies and warns users to enable them before proceeding.

*/}

---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |