Scalekit

Setting	Value
Allowed Callback URL	Your application’s callback URL (e.g., `https://app.example.com/callback`)
Initiate-login URL	Your application’s login initiation URL
Post-logout URL	Where users should land after logout

Configure Authentication Methods

In Authentication → Auth Methods, enable the login methods you want:

Email/Password
Magic Link / Email OTP
Social logins (Google, Microsoft, GitHub, etc.)
Enterprise SSO (SAML/OIDC)

Configure Char

In the Char Dashboard:

Navigate to Settings → Integration
Under SSO Configuration, select Custom OIDC as the provider
Enter your Issuer URL (your Scalekit environment URL, e.g., https://your-app.scalekit.com)
Enter your Client ID (e.g., skc_58327482062864390)
Click Test Connection to verify
Click Save Changes

Configuration Reference

Char Field	Scalekit Value	Example
Provider Type	Custom OIDC	`oidc`
Issuer URL	Environment URL	`https://your-app.scalekit.com`
Client ID	Application Client ID	`skc_58327482062864390`

Scalekit uses your environment URL as the issuer. The JWKS endpoint is at {environment_url}/.well-known/jwks.json and the discovery document is at {environment_url}/.well-known/openid-configuration.

Token Requirements

Char validates Scalekit ID tokens with these requirements:

Claim	Requirement
`iss`	Must match your Scalekit environment URL
`aud`	Must include your configured Client ID
`sub`	Required - used as the user identifier (e.g., `usr_63261014140912135`)
`exp`	Must not be expired

Scalekit ID Token Claims

Scalekit ID tokens include these standard claims:

{
  "sub": "usr_63261014140912135",
  "email": "[email protected]",
  "email_verified": true,
  "name": "John Doe",
  "given_name": "John",
  "family_name": "Doe",
  "oid": "org_59615193906282635",
  "sid": "ses_65274187031249433",
  "aud": ["skc_58327482062864390"],
  "iss": "https://your-app.scalekit.com",
  "exp": 1742975822,
  "iat": 1742974022
}

Claim	Description
`sub`	Unique user identifier
`oid`	Organization ID (if user belongs to an organization)
`sid`	Session ID
`email`	User’s email address
`email_verified`	Whether email has been verified

Example: Obtaining and Passing the Token

Node.js SDK
React
Next.js (SSR with Ticket)
Express.js Callback

import { ScalekitClient } from '@scalekit-sdk/node';
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

// Server-side: Exchange code for tokens after OAuth callback
const scalekit = new ScalekitClient(
  process.env.SCALEKIT_ENVIRONMENT_URL,
  process.env.SCALEKIT_CLIENT_ID,
  process.env.SCALEKIT_CLIENT_SECRET
);

const CLIENT_ID = "your-scalekit-client-id";

// In your callback handler
const result = await scalekit.authenticateWithCode(code, redirectUri);
const idToken = result.idToken;

// Client-side: Pass the ID token to the agent
const agent = document.querySelector("char-agent") as WebMCPAgentElement
  ?? document.createElement("char-agent") as WebMCPAgentElement;

if (!agent.isConnected) {
  document.body.appendChild(agent);
}

// Use connect() - keeps token out of DOM
agent.connect({ idToken, clientId: CLIENT_ID });

import { useEffect, useRef, useState } from 'react';
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

// Assuming you have a custom auth hook or context for Scalekit
function useScalekitAuth() {
  // Your Scalekit auth implementation
  // Returns { isAuthenticated, idToken, user }
}

const CLIENT_ID = "your-scalekit-client-id";

function App() {
  const { isAuthenticated, idToken } = useScalekitAuth();
  const agentRef = useRef<WebMCPAgentElement>(null);

  useEffect(() => {
    if (isAuthenticated && idToken && agentRef.current) {
      // Use connect() - keeps token out of DOM
      agentRef.current.connect({ idToken, clientId: CLIENT_ID });
    }
  }, [isAuthenticated, idToken]);

  return <char-agent ref={agentRef} />;
}

For Next.js with server-side sessions, exchange the Scalekit token for a short-lived ticket instead of passing the JWT to the client:

// app/dashboard/page.tsx (App Router)
import { cookies } from 'next/headers';
import { redirect } from 'next/navigation';
import { CharAgent } from './char-agent';

const CLIENT_ID = "your-scalekit-client-id";

async function getTicketAuth(idToken: string) {
  const response = await fetch('https://api.usechar.ai/api/auth/ticket', {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${idToken}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      client_id: CLIENT_ID,
    }),
  });
  return response.json(); // { ticket, userId, orgId, expiresAt }
}

export default async function Dashboard() {
  const cookieStore = await cookies();
  const idToken = cookieStore.get('scalekit_id_token')?.value;
  if (!idToken) redirect('/login');

  const ticketAuth = await getTicketAuth(idToken);

  return (
    <main>
      <CharAgent ticketAuth={ticketAuth} />
    </main>
  );
}

// app/dashboard/char-agent.tsx
'use client';
import { useEffect, useRef } from 'react';
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement, TicketAuth } from "@mcp-b/char/web-component";

export function CharAgent({ ticketAuth }: { ticketAuth: TicketAuth }) {
  const agentRef = useRef<WebMCPAgentElement>(null);

  useEffect(() => {
    agentRef.current?.connect({ ticketAuth });
  }, [ticketAuth]);

  return <char-agent ref={agentRef} />;
}

This approach keeps your Scalekit JWT server-side. The ticket is opaque, single-use, and expires in 60 seconds. See SSR Authentication for details.

import express from 'express';
import { ScalekitClient } from '@scalekit-sdk/node';

const app = express();
const scalekit = new ScalekitClient(
  process.env.SCALEKIT_ENVIRONMENT_URL!,
  process.env.SCALEKIT_CLIENT_ID!,
  process.env.SCALEKIT_CLIENT_SECRET!
);

// OAuth callback handler
app.get('/callback', async (req, res) => {
  const { code } = req.query;

  try {
    const result = await scalekit.authenticateWithCode(
      code as string,
      `${process.env.APP_URL}/callback`
    );

    // Store tokens securely (e.g., in encrypted session)
    req.session.idToken = result.idToken;
    req.session.accessToken = result.accessToken;
    req.session.refreshToken = result.refreshToken;
    req.session.user = result.user;

    res.redirect('/dashboard');
  } catch (error) {
    console.error('Auth failed:', error);
    res.redirect('/login?error=auth_failed');
  }
});

// API endpoint to get token for agent
app.get('/api/token', (req, res) => {
  if (!req.session.idToken) {
    return res.status(401).json({ error: 'Not authenticated' });
  }
  res.json({ idToken: req.session.idToken });
});

Which approach? Use SSR with Ticket if you want to keep Scalekit JWTs server-side (more secure). Use the SDK directly if you need the JWT client-side for other purposes.

Building the Authorization URL

To initiate login, redirect users to Scalekit’s authorization endpoint:

const authUrl = new URL(`${SCALEKIT_ENVIRONMENT_URL}/oauth/authorize`);
authUrl.searchParams.set('client_id', SCALEKIT_CLIENT_ID);
authUrl.searchParams.set('redirect_uri', 'https://app.example.com/callback');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile email');

// Optional: Pre-select an organization
authUrl.searchParams.set('organization_id', 'org_...');

window.location.href = authUrl.toString();

Organizations and Multi-Tenancy

Scalekit supports multi-tenant applications with organizations:

Organization ID (oid): Present in tokens when user belongs to an organization
Organization Switching: Use prompt=select_account with organization_id parameter
Roles: Available in access tokens as roles[] array

// Switch organization
const authUrl = new URL(`${SCALEKIT_ENVIRONMENT_URL}/oauth/authorize`);
authUrl.searchParams.set('client_id', SCALEKIT_CLIENT_ID);
authUrl.searchParams.set('redirect_uri', redirectUri);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('organization_id', targetOrgId);
authUrl.searchParams.set('prompt', 'select_account');

Troubleshooting

INVALID_ISSUER error

The token issuer doesn’t match your configured environment URL:

Verify the Issuer URL in Char matches your Scalekit environment URL exactly
Ensure you’re using the full URL including https://
Check that you’re using the correct environment (staging vs production)

INVALID_AUDIENCE error

The token’s aud claim doesn’t match your configured Client ID:

Ensure the Client ID matches your Scalekit application exactly (e.g., skc_...)
Verify you’re using the ID token, not the access token
Check that you’re using the correct environment’s credentials

JWKS_FETCH_FAILED error

Char couldn’t reach Scalekit’s JWKS endpoint:

Verify your environment URL is correct
Check that your Scalekit environment is active
Use Test Connection in the dashboard to verify

Token refresh issues

If tokens aren’t refreshing correctly:

Ensure offline_access scope is included in authorization request
Check that refresh tokens are stored securely server-side
Verify your client secret is correct for the token refresh call

Scalekit Features

Scalekit offers additional features that complement Char integration:

Feature	Description
Enterprise SSO	Built-in SAML and OIDC support for enterprise customers
Directory Sync (SCIM)	Automatic user provisioning from identity directories
MCP Auth	Native OAuth 2.1 support for MCP servers
Agent Auth	Authentication for AI agents with 40+ OAuth providers
Admin Portal	Self-service SSO configuration for your customers

Scalekit Documentation

Explore the full Scalekit documentation

Security Best Practices

Store refresh tokens server-side in encrypted storage, never client-side
Use HttpOnly cookies for session tokens with Secure and SameSite=Strict flags
Enable MFA in Scalekit for enhanced security
Use short-lived access tokens (Scalekit default is 5 minutes)
Implement token refresh to avoid session interruptions
Monitor auth logs in the Scalekit dashboard for suspicious activity

Introduction

Getting Started

How-to Guides

Explanation

Private Beta

Prerequisites

Quick Links

Scalekit Dashboard

FSA Quickstart

Token Management

Code Samples

SDK References

@scalekit-sdk/node

scalekit-sdk-python

scalekit-sdk-go

Configuration Steps

Configuration Reference

Token Requirements

Scalekit ID Token Claims

Example: Obtaining and Passing the Token

Building the Authorization URL

Organizations and Multi-Tenancy

Troubleshooting

Scalekit Features

Scalekit Documentation

Security Best Practices

Introduction

Getting Started

How-to Guides

Explanation

Private Beta

​Prerequisites

​Quick Links

Scalekit Dashboard

FSA Quickstart

Token Management

Code Samples

​SDK References

@scalekit-sdk/node

scalekit-sdk-python

scalekit-sdk-go

​Configuration Steps

​Configuration Reference

​Token Requirements

​Scalekit ID Token Claims

​Example: Obtaining and Passing the Token

​Building the Authorization URL

​Organizations and Multi-Tenancy

​Troubleshooting

​Scalekit Features

Scalekit Documentation

​Security Best Practices

Prerequisites

Quick Links

SDK References

Configuration Steps

Configuration Reference

Token Requirements

Scalekit ID Token Claims

Example: Obtaining and Passing the Token

Building the Authorization URL

Organizations and Multi-Tenancy

Troubleshooting

Scalekit Features

Security Best Practices