> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Auth0 This guide is designed to provide you a walkthrough of integrating Scalekit with Auth0, thereby facilitating seamless Single Sign-on (SSO) authentication for your application's users. We demonstrate how to configure Scalekit so that Auth0 can allow some of your enterprise users to login via Scalekit and still continue to act as the identity management solution for your users and manage the login, session management functionality. ![Scalekit - Auth0 Integration ](@/assets/docs/guides/auth-systems/auth0/0.png) Scalekit is designed as a fully compatible OpenID Connect (OIDC) provider, thus streamlining the integration. As Auth0 continues to act as your identity management system, you'll be able to seamlessly integrate Single Sign-on into your application without having to write code. **Note:** Auth0 classifies OpenID Connect as Enterprise Connection and this feature is available only in the paid plans of Auth0. Please check whether your current plan has access to creating Enterprise Connections with OpenID Connect providers. Ensure you have: - Access to Auth0's Authenticate dashboard. You need to have a role as an 'Admin' or 'Editor - Connections' to create and edit OIDC connections on Auth0 - Access to your Scalekit dashboard ## Add Scalekit as OIDC connection Use Auth0 Connections API to create Scalekit as a OpenID connection for your tenant. Sample curl command below: ```bash showLineNumbers=false wrap curl --request POST \ --url 'https://.us.auth0.com/api/v2/connections' \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ --header 'authorization: Bearer ' \ --data-raw '{ "strategy": "oidc", "name": "Scalekit", "options": { "type": "back_channel", "discovery_url": "/.well-known/openid-configuration", "client_secret" : "", "client_id" : "", "scopes": "openid profile email" } }' ``` **Caution:** Because of an existing issue in adding OIDC connections via Auth0 Management Console, you need to use Auth0 API to create OIDC connection. | Parameter | Description | | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `AUTH0_TENANT_DOMAIN` | This is your Auth0 tenant url. Typically, looks like https://yourapp.us.auth0.com | | `API_TOKEN` | Generate an API token from your Auth0 dashboard and use it to authenticate your Auth0 API calls | | `SCALEKIT_ENVIRONMENT_URL` | Find this in your API config section of Scalekit Dashboard. For development use `https://{your-subdomain}.scalekit.dev`, for production use `https://{your-subdomain}.scalekit.com` | | `SCALEKIT_CLIENT_SECRET` | Generate a new client secret in your API config section of Scalekit Dashboard and use that here | | `SCALEKIT_CLIENT_ID` | Find this in your API config section of Scalekit Dashboard | After the successful execution of the above API call, you will see a new OpenID connection created in your Auth0 tenant. To confirm this, you can navigate to Enterprise Connections in your Auth0 dashboard. ## Register redirect URI in Scalekit After creating Scalekit as a new OIDC connection, you need to: 1. Copy the Callback URL from your Auth0 Dashboard 2. Add it as a new Allowed Callback URI in your Scalekit Authentication > Redirects section ## Copy callback URL from Auth0 In your Auth0 dashboard, go to Authentication > Enterprise > OpenID Connect > Scalekit > Settings. Copy the "Callback URL" that's available in the General section of settings. ![Copy Callback URL from your Auth0 Dashboard](@/assets/docs/guides/auth-systems/auth0/1.png) ## Set redirect URI in Scalekit API config Go to your Scalekit dashboard. Select environment as Development or Production. Navigate to **Authentication** > **Redirects** > **Allowed Callback URIs**. In the Allowed Callback URIs section, select **Add new URI**. Paste the Callback URL that you copied from Auth0 dashboard. Click on Add button. ![Add new Redirect URI in Scalekit Dashboard](@/assets/docs/redirects/screenshot.png) ## Onboard Single Sign-on customers in Scalekit To onboard new enterprise customers using Single Sign-on login, you need to: 1. Create an Organization in Scalekit 2. Generate Admin Portal link to allow your customers configure SSO settings 3. Configure Domain in the Scalekit dashboard for that Organization 4. Update Home Realm Discovery settings in your Auth0 tenant with this Organization's domain ## Update home realm discovery in Auth0 In step 2, you have successfully configured Scalekit as an OIDC connection in your Auth0 tenant. It's time to enable Home Realm Discovery for your enterprise customers in Auth0. This configuration will help Auth0 determine which users to be routed to login via Single Sign-on. In your Auth0 dashboard, go to Authentication > Enterprise > OpenID Connect > Scalekit > Login Experience. Navigate to "Home Realm Discovery" in the Login Experience Customization section. In the Identity Provider domains, add the comma separated list of domains that need to be authenticated with Single Sign-on via Scalekit. Auth0 uses this configuration to compare the users email domain at the time of login: - If there is a match in the configured domains, users will be redirected to the Scalekit's Single Sign-on - If there is no match, users will be prompted to login via other authentication methods like password or Magic Link & OTP based on your Auth0 configuration For example, if you would like users from three Organizations (FooCorp, BarCorp, AcmeCorp) to access your application using their respective identity providers, you need to add them as a comma separated list foocorp.com, barcorp.com, acmecorp.com. Screenshot below for reference ![Add domains for Home Realm Discovery in Auth0](@/assets/docs/guides/auth-systems/auth0/3.png) **Save** the Home Realm Discovery settings. You have now successfully integrated Scalekit with Auth0, thereby facilitating seamless SSO authentication for your application's users. --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |