feat: add Scalekit SSO provider

Scalekit is an enterprise SSO platform (SAML, OIDC, social login)
that exposes a single OIDC-compliant interface. Auth.js auto-discovers
all endpoints from the issuer URL via .well-known/openid-configuration.

Supports flexible SSO routing via connectionId, organizationId, or domain.

Author: saif-at-scalekit

.github/ISSUE_TEMPLATE/2_bug_provider.yml

@@ -87,6 +87,7 @@ body:
         - "Reddit"
         - "Roblox"
         - "Salesforce"
+        - "Scalekit"
         - "SimpleLogin"
         - "Slack"
         - "Spotify"

docs/pages/getting-started/providers/scalekit.mdx

@@ -0,0 +1,201 @@
+import { Callout } from "nextra/components"
+import { Code } from "@/components/Code"
+
+<img align="right" src="/img/providers/scalekit.png" height="64" width="64" />
+
+# Scalekit Provider
+
+## Resources
+
+- [Scalekit Single Sign-On documentation](https://docs.scalekit.com/sso/quickstart)
+- [Scalekit OIDC documentation](https://docs.scalekit.com/sso/oidc)
+
+## Setup
+
+### Callback URL
+
+<Code>
+  <Code.Next>
+
+```bash
+https://example.com/api/auth/callback/scalekit
+```
+
+  </Code.Next>
+  <Code.Qwik>
+
+```bash
+https://example.com/auth/callback/scalekit
+```
+
+  </Code.Qwik>
+  <Code.Svelte>
+
+```bash
+https://example.com/auth/callback/scalekit
+```
+
+  </Code.Svelte>
+  <Code.Express>
+
+```bash
+https://example.com/auth/callback/scalekit
+```
+
+  </Code.Express>
+</Code>
+
+### Environment Variables
+
+```
+AUTH_SCALEKIT_ID
+AUTH_SCALEKIT_SECRET
+AUTH_SCALEKIT_ISSUER
+```
+
+`AUTH_SCALEKIT_ISSUER` is your Scalekit environment URL (e.g. `https://yourenv.scalekit.dev`).
+
+### Configuration
+
+<Code>
+  <Code.Next>
+
+```ts filename="/auth.ts"
+import NextAuth from "next-auth"
+import Scalekit from "next-auth/providers/scalekit"
+
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  providers: [Scalekit],
+})
+```
+
+  </Code.Next>
+  <Code.Qwik>
+
+```ts filename="/src/routes/[email protected]"
+import { QwikAuth$ } from "@auth/qwik"
+import Scalekit from "@auth/qwik/providers/scalekit"
+
+export const { onRequest, useSession, useSignIn, useSignOut } = QwikAuth$(
+  () => ({
+    providers: [Scalekit],
+  })
+)
+```
+
+  </Code.Qwik>
+  <Code.Svelte>
+
+```ts filename="/src/auth.ts"
+import { SvelteKitAuth } from "@auth/sveltekit"
+import Scalekit from "@auth/sveltekit/providers/scalekit"
+
+export const { handle, signIn, signOut } = SvelteKitAuth({
+  providers: [Scalekit],
+})
+```
+
+  </Code.Svelte>
+  <Code.Express>
+
+```ts filename="/src/app.ts"
+import { ExpressAuth } from "@auth/express"
+import Scalekit from "@auth/express/providers/scalekit"
+
+app.use("/auth/*", ExpressAuth({ providers: [Scalekit] }))
+```
+
+  </Code.Express>
+</Code>
+
+### SSO Routing
+
+Scalekit supports multiple ways to route users to their SSO connection. You can pass optional routing parameters to target a specific connection:
+
+<Code>
+  <Code.Next>
+
+```ts filename="/auth.ts"
+import NextAuth from "next-auth"
+import Scalekit from "next-auth/providers/scalekit"
+
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  providers: [
+    Scalekit({
+      // pick one of the following routing strategies:
+      connectionId: "conn_...", // exact connection (highest precedence)
+      organizationId: "org_...", // org's active SSO connection
+      domain: "acme.com", // resolve org from email domain
+    }),
+  ],
+})
+```
+
+  </Code.Next>
+  <Code.Qwik>
+
+```ts filename="/src/routes/[email protected]"
+import { QwikAuth$ } from "@auth/qwik"
+import Scalekit from "@auth/qwik/providers/scalekit"
+
+export const { onRequest, useSession, useSignIn, useSignOut } = QwikAuth$(
+  () => ({
+    providers: [
+      Scalekit({
+        connectionId: "conn_...",
+        organizationId: "org_...",
+        domain: "acme.com",
+      }),
+    ],
+  })
+)
+```
+
+  </Code.Qwik>
+  <Code.Svelte>
+
+```ts filename="/src/auth.ts"
+import { SvelteKitAuth } from "@auth/sveltekit"
+import Scalekit from "@auth/sveltekit/providers/scalekit"
+
+export const { handle, signIn, signOut } = SvelteKitAuth({
+  providers: [
+    Scalekit({
+      connectionId: "conn_...",
+      organizationId: "org_...",
+      domain: "acme.com",
+    }),
+  ],
+})
+```
+
+  </Code.Svelte>
+  <Code.Express>
+
+```ts filename="/src/app.ts"
+import { ExpressAuth } from "@auth/express"
+import Scalekit from "@auth/express/providers/scalekit"
+
+app.use(
+  "/auth/*",
+  ExpressAuth({
+    providers: [
+      Scalekit({
+        connectionId: "conn_...",
+        organizationId: "org_...",
+        domain: "acme.com",
+      }),
+    ],
+  })
+)
+```
+
+  </Code.Express>
+</Code>
+
+<Callout>
+  Scalekit is an OIDC-compliant platform — Auth.js automatically discovers all
+  endpoints from your `AUTH_SCALEKIT_ISSUER` URL via
+  `/.well-known/openid-configuration`. No manual endpoint configuration is
+  required.
+</Callout>

docs/public/img/providers/scalekit.png

@@ -2,5 +2,6 @@ pre-commit:
   parallel: true
   commands:
     format:
+      glob: "*.{ts,tsx,js,mjs,cjs,json,md,mdx,svelte,yml,yaml}"
       run: pnpm prettier --cache --write {staged_files}
       stage_fixed: true

lefthook.yml

@@ -0,0 +1,159 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#1c1c1e", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Scalekit</b> integration.</span>
+ * <a href="https://scalekit.com/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/scalekit.png" height="48" />
+ * </a>
+ * </div>
+ *
+ * @module providers/scalekit
+ */
+import type { OIDCConfig, OAuthUserConfig } from "./index.js"
+
+/**
+ * The profile returned by Scalekit's userinfo endpoint.
+ *
+ * - {@link https://docs.scalekit.com/apis/userinfo | Scalekit UserInfo endpoint}
+ */
+export interface ScalekitProfile extends Record<string, any> {
+  /** Unique user ID (`usr_...`) */
+  sub: string
+  email: string
+  email_verified: boolean
+  name: string
+  given_name: string
+  family_name: string
+  picture: string
+  /** Organization ID (`org_...`) */
+  oid: string
+}
+
+/**
+ * Add Scalekit SSO login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/scalekit
+ * ```
+ *
+ * #### Configuration
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import Scalekit from "@auth/core/providers/scalekit"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Scalekit({
+ *       clientId: AUTH_SCALEKIT_ID,
+ *       clientSecret: AUTH_SCALEKIT_SECRET,
+ *       issuer: AUTH_SCALEKIT_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ * - [Scalekit Single Sign-On documentation](https://docs.scalekit.com/sso/quickstart)
+ * - [Scalekit OIDC documentation](https://docs.scalekit.com/sso/oidc)
+ *
+ * ### SSO Routing
+ *
+ * Scalekit supports multiple ways to route a user to their SSO connection.
+ * Pass one of the following optional parameters to target a specific connection:
+ *
+ * ```ts
+ * Scalekit({
+ *   clientId: AUTH_SCALEKIT_ID,
+ *   clientSecret: AUTH_SCALEKIT_SECRET,
+ *   issuer: AUTH_SCALEKIT_ISSUER,
+ *   // pick one of the following routing strategies:
+ *   connectionId: "conn_...",      // exact connection (highest precedence)
+ *   organizationId: "org_...",     // org's active SSO connection
+ *   domain: "acme.com",            // resolve org from email domain
+ * })
+ * ```
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Scalekit provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * Scalekit is an enterprise SSO platform that supports SAML, OIDC, and social login
+ * (Google, Microsoft, GitHub, etc.) connections. It exposes a single OIDC-compliant
+ * interface, so Auth.js auto-discovers all endpoints from the issuer URL via
+ * `/.well-known/openid-configuration` — no manual endpoint configuration required.
+ *
+ * Each Scalekit environment has a unique issuer URL of the form
+ * `https://<subdomain>.scalekit.dev` (dev) or `https://<subdomain>.scalekit.com` (prod).
+ * Set `AUTH_SCALEKIT_ISSUER` to this URL.
+ *
+ * :::tip
+ *
+ * The Scalekit provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/scalekit.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Scalekit<P extends ScalekitProfile>(
+  options: OAuthUserConfig<P> & {
+    /**
+     * Your Scalekit environment URL (e.g. `https://yourenv.scalekit.dev`).
+     * Used for OIDC discovery and as the token issuer.
+     */
+    issuer: string
+    /**
+     * Route the user to a specific SSO connection by its ID (`conn_...`).
+     * Takes precedence over `organizationId` and `domain`.
+     */
+    connectionId?: string
+    /**
+     * Route the user to a specific organization's active SSO connection (`org_...`).
+     */
+    organizationId?: string
+    /**
+     * Route the user to the SSO connection associated with this email domain.
+     */
+    domain?: string
+  }
+): OIDCConfig<P> {
+  const { issuer, connectionId, organizationId, domain } = options
+
+  return {
+    id: "scalekit",
+    name: "Scalekit",
+    type: "oidc",
+    issuer,
+    authorization: {
+      params: {
+        scope: "openid email profile",
+        ...(connectionId && { connection_id: connectionId }),
+        ...(organizationId && { organization_id: organizationId }),
+        ...(domain && { domain }),
+      },
+    },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name ?? `${profile.given_name} ${profile.family_name}`,
+        email: profile.email,
+        image: profile.picture ?? null,
+      }
+    },
+    style: { bg: "#1c1c1e", text: "#fff" },
+    options,
+  }
+}