Production Readiness Scalekit

Core auth flows

• Test login initiation with authorization URL
• Validate redirect URLs match dashboard configuration exactly
• Test authentication completion and code exchange
• Validate state parameter in callbacks (CSRF protection)
• Verify session token storage uses httpOnly, secure, and sameSite flags
• Configure token lifetimes for your security requirements
• Test session timeout and automatic token refresh
• Verify logout clears sessions completely

Test each enabled auth method:

• Email/password: sign-up, login, password reset
• Magic links: initiation, delivery, redemption, expiry
• Social logins: each configured provider (Google, Microsoft, GitHub, etc.) → Provider setup guides: https://docs.scalekit.com/guides/integrations/social-connections/
• Passkeys: registration, authentication, fallback
• Auth method selection UI renders correctly
• Fallback scenarios when an auth method fails

Error handling:

• Expired tokens handled gracefully
• Invalid authorization codes rejected
• Network failures show user-friendly messages
• Complete end-to-end flow validated in staging before production

Enterprise auth (if enterprise customers at launch)

SSO:

• Test SSO with target IdPs: Okta, Azure AD, Google Workspace → IT admin setup guides per IdP: https://docs.scalekit.com/guides/integrations/sso-integrations/
• Configure user attribute mapping (email, name, groups)
• Test both SP-initiated and IdP-initiated SSO flows
• Verify SSO error handling for misconfigured connections
• Test SSO with: new users, existing users, deactivated users

JIT provisioning:

• Register all organization domains for JIT provisioning
• Configure consistent user identifiers across SSO connections (email or userPrincipalName)
• Set default roles for JIT-provisioned users
• Enable "Sync user attributes during login"
• Plan manual invitation process for contractors/external users with non-matching domains

SCIM provisioning:

• Configure webhook endpoints to receive SCIM events → IT admin setup guides per IdP: https://docs.scalekit.com/guides/integrations/scim-integrations/
• Verify webhook security with signature validation
• Test user provisioning (automatic creation)
• Test user deprovisioning (deactivation/deletion)
• Test user profile updates and role changes
• Set up group-based role assignment and sync
• Test error cases: duplicate users, invalid data

Admin portal:

• Configure admin portal access for enterprise customers
• Test admin portal SSO configuration flows
• Verify user management features in admin portal

Network/firewall — enterprise customers behind VPN must whitelist:

• Customer firewalls allow Scalekit domains
• SSO tested from customer's network environment

User and organization management (if implemented)

User flows:

• Configure profile fields collected at sign-up
• Test invitation flow and email templates
• Test user deletion flow

Organization flows:

• Test organization creation
• Test adding and removing users from organizations
• Set allowed email domains for org sign-ups (if applicable)
• Verify organization switching for users in multiple orgs
• Test organization deletion flow

RBAC (if implemented):

• Define and create roles and permissions
• Set default roles for new users
• Test role assignment to users and org members
• Verify permission checks in application code
• Test access control across all role levels
• Validate permission enforcement at API endpoints

MCP authentication (if implemented)

• Test MCP server authentication flow
• Verify OAuth consent screen for MCP clients
• Test token exchange for MCP connections
• Verify custom auth handlers (if using)
• Test MCP session management

Monitoring and incident readiness

Observability:

• Auth logs monitoring configured in Dashboard > Auth Logs
• Alerts set for suspicious activity (multiple failed logins, unusual locations)
• Webhook event monitoring and logging active
• Error tracking configured for authentication failures

Key metrics to track from day one:

• Sign-up rate and conversion
• Login success/failure rates
• Session creation and duration
• Token refresh frequency
• Webhook delivery success rate

Reliability:

• Log retention policies configured
• Webhook delivery and retry mechanism tested
• Incident response runbook written (who to contact, how to roll back, escalation path)
• Rollback plan ready (feature flag to disable new auth flows if needed)