diff --git a/src/content/docs/authenticate/interceptors/auth-flow-interceptors.mdx b/src/content/docs/authenticate/interceptors/auth-flow-interceptors.mdx index bd88f5181..1afea87fb 100644 --- a/src/content/docs/authenticate/interceptors/auth-flow-interceptors.mdx +++ b/src/content/docs/authenticate/interceptors/auth-flow-interceptors.mdx @@ -729,7 +729,9 @@ async def pre_signup(request: Request): ### Modify claims in session tokens -Add custom claims to Access tokens issued by Scalekit. Fetch user metadata from your database and return claims in the `response.claims` object. Claims are automatically included in the access token after authentication. +Add custom claims to access tokens issued by Scalekit. Your `PRE_SESSION_CREATION` interceptor fires on every path that creates a new session token: standard login (password, SSO, social), magic link and email OTP, invitation magic link (including an invitee's first login), and organization switch. Fetch user metadata from your database and return claims in the `response.claims` object. Scalekit embeds them in the access token under the `custom_claims` key. + +If you need custom scope strings validated directly by your resource server (for example, Spring Security's `@PreAuthorize`), use [native custom scopes](/authenticate/fsa/multiapp/single-page-app/) instead — `custom_claims` do not appear in the `scope` claim. diff --git a/src/content/docs/authenticate/manage-organizations/add-users-to-organization.mdx b/src/content/docs/authenticate/manage-organizations/add-users-to-organization.mdx index 05385f0f9..1ea3e366c 100644 --- a/src/content/docs/authenticate/manage-organizations/add-users-to-organization.mdx +++ b/src/content/docs/authenticate/manage-organizations/add-users-to-organization.mdx @@ -271,4 +271,15 @@ The user will receive an email with a link to accept the invitation and join you Users belonging to multiple organizations will see an organization selection interface in subsequent login flows, allowing them to choose their desired organization. - \ No newline at end of file + + +## Common questions + +
+Does PRE_SESSION_CREATION fire on an invitee's first login? + +Yes. When an invitee clicks their magic link and completes signup, `PRE_SESSION_CREATION` fires the same as any other login path. Custom claims your interceptor returns are embedded in the issued JWT. No additional configuration is required. + +See [Intercept auth flows](/authenticate/interceptors/auth-flow-interceptors/#modify-claims-in-session-tokens). + +
\ No newline at end of file diff --git a/src/content/docs/home/saaskit/index.mdx b/src/content/docs/home/saaskit/index.mdx index cff0d49ae..a680a8726 100644 --- a/src/content/docs/home/saaskit/index.mdx +++ b/src/content/docs/home/saaskit/index.mdx @@ -11,6 +11,10 @@ banner: hero: tagline: Add SSO, SCIM, or MCP Auth as modular capabilities, or adopt Scalekit as your full identity layer for your SaaS app head: + - tag: meta + attrs: + name: robots + content: noindex - tag: style content: | right-sidebar-panel { @@ -260,7 +264,7 @@ import complianceImage from '@/content/docs/compliance.svg' -
+
@@ -302,7 +306,7 @@ import complianceImage from '@/content/docs/compliance.svg'
-
+
@@ -327,7 +331,7 @@ import complianceImage from '@/content/docs/compliance.svg'
-
+

Extensibility & Controls

@@ -353,7 +357,7 @@ import complianceImage from '@/content/docs/compliance.svg'
-
+

Developer Resources