Expand Up @@ -729,7 +729,9 @@ async def pre_signup(request: Request):

### Modify claims in session tokens

Add custom claims to Access tokens issued by Scalekit. Fetch user metadata from your database and return claims in the `response.claims` object. Claims are automatically included in the access token after authentication.
Add custom claims to access tokens issued by Scalekit. Your `PRE_SESSION_CREATION` interceptor fires on every path that creates a new session token: standard login (password, SSO, social), magic link and email OTP, invitation magic link (including an invitee's first login), and organization switch. Fetch user metadata from your database and return claims in the `response.claims` object. Scalekit embeds them in the access token under the `custom_claims` key.

Comment on lines +732 to +733

@coderabbitai coderabbitai Bot Jun 10, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify token coverage for response.claims.

This wording narrows behavior to access tokens only, but your interceptor contract documents response.claims as included in both access and ID tokens. Update this sentence to avoid conflicting guidance.

Suggested wording
- Add custom claims to access tokens issued by Scalekit. ... Scalekit embeds them in the access token under the `custom_claims` key.
+ Add custom claims to tokens issued by Scalekit. ... Scalekit embeds them under the `custom_claims` key in issued tokens (access and ID tokens).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/authenticate/interceptors/auth-flow-interceptors.mdx` around
lines 732 - 733, The sentence incorrectly limits response.claims to access
tokens; update the wording in the PRE_SESSION_CREATION interceptor docs to state
that response.claims are included in both access and ID tokens (and note that
Scalekit embeds them under the custom_claims key in the access token),
referencing PRE_SESSION_CREATION and response.claims so readers understand the
scope and where custom_claims appear.

@saif-at-scalekit are you resolving this?

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

If you need custom scope strings validated directly by your resource server (for example, Spring Security's `@PreAuthorize`), use [native custom scopes](/authenticate/fsa/multiapp/single-page-app/) instead — `custom_claims` do not appear in the `scope` claim.

<Tabs syncKey="tech-stack">
<TabItem value="node" label="Node.js">
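
Review bot: the added sentence listing what triggers `PRE_SESSION_CREATION` (standard login, magic link and email OTP, invitation magic link, organization switch) does not say whether a token refresh re-runs the interceptor, so a reader cannot tell how long a claim used for authorization stays in circulation after the underlying user metadata changes. State that explicitly next to the list. In the added scopes paragraph, the link labelled "native custom scopes" targets `/authenticate/fsa/multiapp/single-page-app/`, a path that names a single-page-app guide; confirm it lands on the scopes material or link to the relevant anchor.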
Expand Up @@ -271,4 +271,15 @@ The user will receive an email with a link to accept the invitation and join you

Users belonging to multiple organizations will see an organization selection interface in subsequent login flows, allowing them to choose their desired organization.

</Aside>
</Aside>

## Common questions

<details>
<summary>Does PRE_SESSION_CREATION fire on an invitee's first login?</summary>

Yes. When an invitee clicks their magic link and completes signup, `PRE_SESSION_CREATION` fires the same as any other login path. Custom claims your interceptor returns are embedded in the issued JWT. No additional configuration is required.

See [Intercept auth flows](/authenticate/interceptors/auth-flow-interceptors/#modify-claims-in-session-tokens).

</details>
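
Review bot: the answer inside the added `<details>` block says claims are "embedded in the issued JWT", while the section it links to says they go in the access token under the `custom_claims` key. Use the same wording here (which token, which key) so the FAQ cannot be read as a different guarantee from the one the linked section gives.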
12 changes: 8 additions & 4 deletions src/content/docs/home/saaskit/index.mdx
Expand Up @@ -11,6 +11,10 @@ banner:
hero:
tagline: Add SSO, SCIM, or MCP Auth as modular capabilities, or adopt Scalekit as your full identity layer for your SaaS app
head:
- tag: meta
attrs:
name: robots
content: noindex
- tag: style
content: |
right-sidebar-panel {
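
Review bot: the `robots` / `noindex` meta entry added under `head:` takes this index page out of search-engine results, and nothing in the frontmatter says why. Add a YAML comment above `- tag: meta` giving the reason and whether it is temporary, so the entry is not removed or copied to other pages by mistake.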
Expand Down Expand Up @@ -260,7 +264,7 @@ import complianceImage from '@/content/docs/compliance.svg'
</div>
</div>

<div class="fold-section fold--background-muted fold-full-width">
<div class="fold-section fold--background-muted fold-full-width" data-docsearch-ignore>
<div class="fold-container">
<div class="modular-auth-layout">
<div class="modular-auth-left">
Expand Down Expand Up @@ -302,7 +306,7 @@ import complianceImage from '@/content/docs/compliance.svg'
</div>
</div>

<div class="fold-section fold-full-width" style="padding-top: 0;">
<div class="fold-section fold-full-width" style="padding-top: 0;" data-docsearch-ignore>
<div class="fold-container">
<ResponsiveCardGrid columnsDesktop={3} columnsLarge={3}>
<FoldCard title="User lifecycle" iconKey="usercheck" href="/fsa/data-modelling" clickable={true}>
Expand All @@ -327,7 +331,7 @@ import complianceImage from '@/content/docs/compliance.svg'
</div>
</div>

<div class="fold-section fold--background-muted fold-full-width">
<div class="fold-section fold--background-muted fold-full-width" data-docsearch-ignore>
<div class="fold-container">
<div>
<h2 style="font-size: 1.8rem; margin: 0.5rem 0; text-align: left;">Extensibility & Controls</h2>
Expand All @@ -353,7 +357,7 @@ import complianceImage from '@/content/docs/compliance.svg'
</div>
</div>

<div class="fold-section fold-full-width">
<div class="fold-section fold-full-width" data-docsearch-ignore>
<div class="fold-container">
<div>
<h2 style="font-size: 1.8rem; margin: 0.5rem 0; text-align: left;">Developer Resources</h2>
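
Review bot: `data-docsearch-ignore` is added by hand to four separate `fold-section` wrappers (the hunks at -260, -302, -327 and -353), so any section added to this page later stays searchable unless its author remembers the attribute. If the intent is to keep the whole landing-page body out of DocSearch, set it once on a common parent; if only these four sections are meant, a short comment at the first one would record that.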