Introducing Auth Interceptors

Authentication isn't one-size-fits-all. Every application has unique security requirements, business rules, and user experience needs. Yet most authentication systems treat auth as a black box, you can configure it, but you can't truly extend it.

The challenge is fundamental: authentication needs to be comprehensive enough to handle diverse requirements, yet flexible enough to adapt as those requirements evolve. Most providers force you to choose either: rigid, complete solutions that work until they don't, or bare-bones systems that require extensive custom development.

The best authentication infrastructure should be both. It should handle standard flows seamlessly while giving you control points to inject your own logic exactly where you need it.

That's exactly why we’re now introducing Auth Interceptors, functional services that run at critical points during authentication, letting you inject custom validation logic exactly when you need it. Think of them as strategic checkpoints where you can enforce security policies, apply business rules, or customize the user experience.

How it works

Auth Interceptors are functional services that run at critical points during authentication. When specific events occur, like a user attempting to sign up or a session being created: Scalekit calls your custom endpoint, waits for your response, and proceeds based on your decision.

Here's a scenario we hear constantly: Your sales team closes an enterprise deal, but the contract requires invite-only registration. Or your compliance team needs an approval workflow for new organizations. Or you need to block sign-ups from disposable email domains.

In most authentication systems, these requirements mean building complex workarounds, middleware that polls your database, cron jobs that retroactively clean up invalid sign-ups, or custom logic scattered across your application.

With Auth Interceptors, you handle these elegantly at the authentication layer itself:

• Block signups from restricted IP addresses
• Enforce invite-only registration for beta programs
• Restrict access based on IP geolocation
• Add custom claims to tokens with user metadata
• Implement approval workflows for new organizations
• Integrate with fraud detection services
• Sync user data with your CRM or analytics platform

Authentication becomes both comprehensive and extensible.

Trigger points

Scalekit exposes four strategic trigger points:

Pre-signup: Runs before a user creates a new organization. Enforce domain restrictions, check invitation lists, or validate email addresses against your business rules.

Pre-session creation: Executes before session tokens are issued. Add custom claims to tokens, perform additional security checks, or enrich tokens with application-specific data.

Pre-user invitation: Triggers before sending an invitation to a user. Prevent spam, enforce team size limits, or validate invitation permissions based on your business logic.

Pre-M2M token creation: Runs before issuing machine-to-machine access tokens. Add custom claims, enforce rate limits, or validate service-to-service authentication.

Workflow

1. An authentication event occurs in your application
2. Scalekit sends a POST request to your registered endpoint with event context and data
3. Your application processes the request and returns a decision (allow/deny) with optional modifications
4. Scalekit proceeds based on your response, either continuing the flow or blocking it with your custom error message

Key features

Flexible fallback behavior: If your endpoint is down or times out, you decide whether to allow (fail open) or block (fail closed) the authentication attempt.

Production-ready testing: The Test tab in your dashboard shows you the exact request body sent to your endpoint, your application's response, and whether the flow would be allowed or denied. Test requests don't appear in your production logs, keeping your audit trail clean.

Audit everything: Scalekit automatically logs every interceptor request and response with complete history, timestamps, success and failure tracking, and response times.

Modify token claims: For session creation and M2M token interceptors, add custom claims that will be included in both access tokens and ID tokens—user roles, organization metadata, feature flags, or custom identifiers.

Get started

Setting up your first interceptor takes minutes:

1. Navigate to the Interceptors tab in your Scalekit dashboard
2. Click "Create Interceptor"
3. Choose your trigger point
4. Enter your HTTPS endpoint
5. Set your timeout and fallback behavior
6. Test it, then toggle "Enable"

Check out the full documentation or talk to an engineer to get started.

FAQs

What are Scalekit Auth Interceptors and their core benefits?

Scalekit Auth Interceptors are functional services that execute custom validation logic at critical points during the authentication process. Unlike traditional black box authentication systems, these interceptors allow engineering teams to inject strategic checkpoints for enforcing security policies or business rules. By calling a custom endpoint and waiting for a response before proceeding, developers can handle complex scenarios like invite only registrations or restricted IP access directly within the auth layer. This approach provides a perfect balance between a comprehensive, managed infrastructure and the flexibility needed to adapt to evolving enterprise requirements without building complex middleware workarounds.

Which trigger points are available for implementing custom logic?

Scalekit provides four strategic trigger points to give you complete control over the user and machine lifecycle. The pre signup trigger runs before organization creation to validate domains or email addresses. Pre session creation executes before issuing tokens, allowing for claim enrichment or security checks. Pre user invitation triggers before sending invites to prevent spam or enforce team size limits. Finally, pre M2M token creation runs before issuing machine to machine access tokens, enabling custom claims or rate limits. These specific points ensure you can intervene exactly when and where your business logic demands throughout the entire authentication and authorization flow.

How do Auth Interceptors handle machine to machine token requests?

For machine to machine or M2M communication, Scalekit offers a specific pre M2M token creation trigger point. This allows technical architects to validate service to service authentication requests before an access token is issued. During this phase, you can inject custom claims into the token, enforce granular rate limits, or verify specific service permissions against external databases. This is particularly valuable for securing AI agents and automated workflows where traditional user based authentication is not applicable. By extending the M2M flow, you ensure that every machine interaction adheres to your strict security protocols and organizational metadata requirements seamlessly.

Can I add custom claims to session and access tokens?

Yes, both the pre session creation and pre M2M token creation interceptors allow you to modify token claims dynamically. When Scalekit triggers your endpoint, you can return a response that includes additional metadata such as user roles, organization specific identifiers, or feature flags. These custom claims are then automatically embedded into both the access tokens and ID tokens issued by Scalekit. This capability eliminates the need for your application to perform secondary database lookups or session enrichment logic after a user logs in, effectively streamlining your architecture and improving overall application performance for end users.

What happens if an interceptor endpoint fails or times out?

Resilience is a core component of Scalekit architecture, which is why we provide flexible fallback behavior settings for every interceptor. You can configure your system to either fail open or fail closed depending on your specific security posture. If your custom endpoint is down or exceeds the defined timeout, a fail open configuration allows the authentication attempt to proceed regardless. Conversely, a fail closed configuration will block the attempt to ensure no unverified actions occur. This level of control ensures that you can balance system availability with strict security requirements based on the criticality of the specific trigger point.

How do developers test interceptors before moving to production?

Scalekit includes a dedicated testing interface within the dashboard to ensure production readiness. The Test tab allows you to view the exact request body sent to your endpoint and inspect your application response in real time. You can verify whether a specific payload would result in an allowed or denied flow without impacting your live production environment. These test requests are excluded from your production logs to maintain a clean audit trail. This robust testing framework gives engineering teams the confidence to deploy complex business logic and validation rules knowing exactly how the system will behave under various conditions.

Are interceptor actions logged for compliance and security auditing?

Security and compliance are top priorities for CISOs and CTOs using Scalekit. Every single interceptor request and response is automatically logged with a comprehensive history. These logs include precise timestamps, success or failure tracking, and detailed response times for each event. By maintaining a complete audit trail of how and why authentication decisions were made, your organization can easily demonstrate compliance with regulatory requirements. This transparency is vital for troubleshooting issues and analyzing security patterns, as it provides a clear record of every custom validation check performed at the authentication layer across your entire application ecosystem.

How can interceptors prevent signups from disposable email domains?

By utilizing the pre signup trigger point, you can enforce strict domain restrictions at the very beginning of the registration process. When a user attempts to sign up, Scalekit sends a POST request to your endpoint containing the user email and organization details. Your logic can then cross reference this email against a list of known disposable domains or your internal business rules. If the email is invalid, your endpoint returns a deny response with a custom error message. This prevents unwanted accounts from ever being created in your system, reducing database clutter and protecting your platform from potential spam or fraudulent activities.

Why use interceptors instead of standard application middleware?

Standard middleware often requires building complex workarounds like polling databases or running retroactive cleanup jobs for invalid signups. In contrast, Auth Interceptors operate directly within the authentication layer, allowing you to block or modify actions before they are finalized. This architectural approach centralizes security policies and business rules, making them easier to manage and audit across multiple services. By moving this logic to Scalekit, you reduce the custom code footprint within your application and ensure that critical checkpoints are consistently applied. This results in a cleaner architecture that is both highly extensible and easier for engineering teams to maintain.