B2B Authentication
Oct 21, 2025

Introducing Auth Interceptors


Authentication isn't one-size-fits-all. Every application has unique security requirements, business rules, and user experience needs. Yet most authentication systems treat auth as a black box: you can configure it, but you can't truly extend it.

The challenge is fundamental: authentication needs to be comprehensive enough to handle diverse requirements, yet flexible enough to adapt as those requirements evolve. Most providers force you to choose between two options: rigid, complete solutions that work until they don't, or bare-bones systems that require extensive custom development.

The best authentication infrastructure should be both. It should handle standard flows seamlessly while giving you control points to inject your own logic exactly where you need it.

That's exactly why we're now introducing Auth Interceptors: functional services that run at critical points during authentication, letting you inject custom validation logic exactly when you need it. Think of them as strategic checkpoints where you can enforce security policies, apply business rules, or customize the user experience.

How It Works

Auth Interceptors are functional services that run at critical points during authentication. When a specific event occurs, such as a user attempting to sign up or a session being created, Scalekit calls your custom endpoint, waits for your response, and proceeds based on your decision.

Here are scenarios we hear constantly: your sales team closes an enterprise deal, but the contract requires invite-only registration. Or your compliance team needs an approval workflow for new organizations. Or you need to block sign-ups from disposable email domains.

In most authentication systems, these requirements mean building complex workarounds: middleware that polls your database, cron jobs that retroactively clean up invalid sign-ups, or custom logic scattered across your application.

With Auth Interceptors, you handle these elegantly at the authentication layer itself:

  • Block sign-ups from disposable email domains
  • Enforce invite-only registration for beta programs
  • Restrict access based on IP geolocation
  • Add custom claims to tokens with user metadata
  • Implement approval workflows for new organizations
  • Integrate with fraud detection services
  • Sync user data with your CRM or analytics platform

Authentication becomes both comprehensive and extensible.

Trigger Points

Scalekit exposes four strategic trigger points:

Pre-Signup: Runs before a user creates a new organization. Enforce domain restrictions, check invitation lists, or validate email addresses against your business rules.

Pre-Session Creation: Executes before session tokens are issued. Add custom claims to tokens, perform additional security checks, or enrich tokens with application-specific data.

Pre-User Invitation: Triggers before sending an invitation to a user. Prevent spam, enforce team size limits, or validate invitation permissions based on your business logic.

Pre-M2M Token Creation: Runs before issuing machine-to-machine access tokens. Add custom claims, enforce rate limits, or validate service-to-service authentication.

The Workflow

  1. An authentication event occurs in your application
  2. Scalekit sends a POST request to your registered endpoint with event context and data
  3. Your application processes the request and returns a decision (allow/deny) with optional modifications
  4. Scalekit proceeds based on your response, either continuing the flow or blocking it with your custom error message

Key Features

Flexible Fallback Behavior: If your endpoint is down or times out, you decide whether to allow (fail open) or block (fail closed) the authentication attempt.
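The workflow above and the fallback policy just described, as an added example that is not Scalekit's own code: a decision function a Pre-Signup and Pre-Session Creation endpoint could run, plus a simulated caller that models fail-open versus fail-closed when the endpoint errors out. The JSON field names (`trigger`, `user.email`, `organization.id`, `allow`, `error`, `claims`) and the sample domain and invite lists are assumptions for illustration, not Scalekit's documented schema.

```python
# Added example (not Scalekit's code). Field names are assumed, not the
# documented interceptor schema; the lists below are constructed samples.
import json

DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com"}  # constructed
INVITED_EMAILS = {"alice@example.com", "bob@example.com"}     # constructed
ROLES = {"alice@example.com": "admin"}                        # constructed


def decide(body: str) -> dict:
    """Handle one interceptor POST body and return an allow/deny decision."""
    event = json.loads(body)
    trigger = event.get("trigger")
    if trigger == "pre_signup":
        email = event["user"]["email"].strip().lower()  # normalise before checks
        domain = email.rsplit("@", 1)[-1]
        if domain in DISPOSABLE_DOMAINS:
            return {"allow": False, "error": "Disposable email domains are not permitted"}
        if email not in INVITED_EMAILS:
            return {"allow": False, "error": "Registration is invite-only"}
        return {"allow": True}
    if trigger == "pre_session_creation":
        # Custom claims come from server-side data the endpoint controls, never
        # copied from the request body, so a caller cannot grant itself a role.
        email = event["user"]["email"].strip().lower()
        org_id = event["organization"]["id"]
        claims = {"org_id": org_id, "role": ROLES.get(email, "member")}
        return {"allow": True, "claims": claims}
    # Unknown trigger: deny rather than silently allow an unhandled event.
    return {"allow": False, "error": f"Unhandled trigger {trigger!r}"}


def run_interceptor(call_endpoint, body: str, fail_closed: bool = True) -> dict:
    """Model the caller side: invoke the endpoint and apply the configured
    fallback when it raises (timeout, connection error, bad response)."""
    try:
        return call_endpoint(body)
    except Exception:
        if fail_closed:
            return {"allow": False, "error": "Interceptor unavailable"}
        return {"allow": True}


def _endpoint_down(body: str) -> dict:
    raise TimeoutError("simulated timeout")  # constructed failure for the demo


if __name__ == "__main__":
    print(decide('{"trigger": "pre_signup", "user": {"email": "Eve@mailinator.com"}}'))
    print(run_interceptor(_endpoint_down, "{}", fail_closed=True))
```

Fail-closed is the safer default for sign-up and token-issuing triggers; fail-open only makes sense where an outage of your endpoint must never lock users out and the interceptor is purely additive.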

Production-Ready Testing: The Test tab in your dashboard shows you the exact request body sent to your endpoint, your application's response, and whether the flow would be allowed or denied. Test requests don't appear in your production logs, keeping your audit trail clean.

Audit Everything: Scalekit automatically logs every interceptor request and response with complete history, timestamps, success and failure tracking, and response times.

Modify Token Claims: For session creation and M2M token interceptors, add custom claims that will be included in both access tokens and ID tokens—user roles, organization metadata, feature flags, or custom identifiers.

Get Started

Setting up your first interceptor takes minutes:

  1. Navigate to the Interceptors tab in your Scalekit dashboard
  2. Click "Create Interceptor"
  3. Choose your trigger point
  4. Enter your HTTPS endpoint
  5. Set your timeout and fallback behavior
  6. Test it, then toggle "Enable"

Check out the full documentation or talk to an engineer to get started.
