Announcing CIMD support for MCP Client registration
Learn more
B2B Authentication
Nov 6, 2025

Introducing Passkeys in Scalekit

Team Scalekit
Open in ChatGPT

Scalekit now provides Passkeys as an authentication method that developers can enable directly within their apps. Passkeys replace passwords with secure, device-based authentication built on FIDO2 and WebAuthn standards. Users can sign in with a fingerprint, face scan, or device PIN, and your app gains a phishing-resistant login experience that’s faster, simpler, and safer.

Instead of relying on shared secrets, passkeys authenticate users through asymmetric cryptography. Each device creates a unique pair of keys — a private key stored securely on the user’s device and a public key stored on your server. When a user signs in, their device signs a one-time challenge with its private key. Scalekit verifies it using the public key, meaning no passwords are exchanged or stored. The result is authentication that’s secure by design and seamless to use.

A Security Standard That Has Already Arrived

The latest FIDO Passkey Index shows that 93% of all user accounts are already passkey-ready across platforms, and more than a third have a passkey enrolled. One in four sign-ins globally now uses passkeys, reflecting a rapid shift from experimental technology to mainstream adoption.

The data also shows that passkeys outperform older methods in every measurable way. They achieve a 93% login success rate compared to 63% for multi-factor or social logins, and they cut average sign-in time by 73% — from 31 seconds down to about 8 seconds. Companies that have deployed passkeys report an 81% reduction in sign-in–related support incidents, freeing developers and support teams to focus on building features rather than resetting credentials.

Taken together, these numbers show that passkeys are no longer a “nice to have.” They are a reliability and efficiency upgrade that improves both user experience and operational resilience.

Enabling Passkeys in Scalekit

If your app already uses Scalekit Auth, you can enable passkeys in minutes:

  1. Open your Scalekit Dashboard
  2. Go to Authentication → Auth Methods → Passkeys
  3. Click Enable

Once enabled, users can register and manage their passkeys through Scalekit’s hosted page or via your own UI built using the Scalekit WebAuthn APIs. Passkeys work alongside existing authentication options such as SSO, magic links, and social logins, allowing you to roll out modern authentication without migrations or downtime.

Why This Matters Right Now

Passkeys directly address three of the biggest problems facing software teams today.

1. Security debt: Each stored password represents risk. Passkeys eliminate the need to store or hash secrets, removing entire categories of breach exposure.

2. User experience: Every login that fails is a user lost. With higher success rates and near-instant sign-in, passkeys keep users moving through your app rather than your support queue.

3. Operational cost: An 81%  drop in login-related help desk incidents means lower costs for resets and MFA troubleshooting, and more time for development.

In short, adopting passkeys is not just about security. It is about speed, retention, and credibility.

The Future of Authentication

With over 90% of the internet now passkey-ready, the transition away from passwords has already begun. What used to be a theoretical improvement is now an industry baseline.

Scalekit makes it simple to adopt this standard without rebuilding your identity stack. Our implementation brings cryptographic authentication to every developer, combining strong security with a user experience that feels native across platforms.

Authentication is changing, and fast. The apps that act now will define what secure and effortless login looks like in the years ahead.

👉 Get started with Scalekit Passkeys, today.

Data reference attributed to the Fido Passkey Index, Oct 2025.

FAQs

How do passkeys improve the security posture of B2B applications

Passkeys significantly improve security by replacing shared secrets with asymmetric cryptography based on FIDO2 standards. Since only a public key is stored on your server while the private key remains on the user device the risk of credential theft during a breach is virtually eliminated. This architectural shift removes the need for password hashing and mitigates phishing attacks as there are no secrets for users to reveal to attackers. By adopting this device based approach CISOs can effectively reduce security debt and protect enterprise data against modern identity threats without compromising user convenience or operational efficiency.

What technical standards govern the implementation of Scalekit passkeys

Scalekit passkeys are built upon the robust FIDO2 and WebAuthn global standards which facilitate secure and passwordless authentication across various platforms. These protocols ensure that authentication is phishing resistant and relies on device based biometric or PIN verification rather than memorized secrets. By leveraging these industry recognized standards developers can implement a secure login experience that is native to modern operating systems and browsers. This alignment with global security frameworks ensures that your application remains compliant with evolving regulatory requirements while providing a future proof identity solution for both internal teams and external customers.

How does switching to passkeys reduce operational support overhead

Transitioning to passkeys provides a substantial reduction in operational costs by minimizing common login issues. Industry data indicates that companies deploying passkeys report an 81 percent drop in sign in related support incidents such as password resets and multi factor authentication troubleshooting. With a 93 percent login success rate users experience fewer friction points which directly translates to fewer help desk tickets. This shift allows engineering and support teams to redirect their resources toward core product development and strategic initiatives rather than managing credential recovery workflows ultimately improving the overall efficiency and productivity of the organization.

Can passkeys be integrated alongside existing enterprise SSO solutions

Yes Scalekit allows passkeys to function seamlessly alongside existing authentication methods like Single Sign On magic links and social logins. This flexibility enables developers to roll out modern authentication gradually without requiring a full scale migration or causing system downtime. Users can choose their preferred method while the enterprise maintains high security standards. For B2B applications this means you can offer the convenience of passkeys to some users while still supporting legacy SSO requirements for others. This hybrid approach ensures a smooth transition to passwordless authentication while maintaining compatibility with diverse enterprise identity stacks and workflows.

Why are passkeys more efficient for end users during login

Passkeys optimize the user experience by reducing the average sign in time by approximately 73 percent. Instead of manually entering complex passwords or waiting for one time codes users can authenticate in about eight seconds using biometrics like fingerprints or face scans. This streamlined process achieves a much higher success rate compared to traditional multi factor or social logins. For engineering managers this means higher user retention and engagement as the friction typically associated with authentication is removed. By providing a faster and more intuitive entry point applications can deliver a premium experience that meets modern user expectations.

How does asymmetric cryptography prevent credential theft in passkeys

Passkey authentication utilizes asymmetric cryptography where a unique pair of keys is generated for each account. The private key stays securely on the user device while only the public key is stored on the Scalekit server. During authentication the device signs a unique challenge that the server verifies using the public key. This mechanism ensures that no shared secrets are ever transmitted or stored centrally. Even if a server is compromised the public keys are useless to attackers without the corresponding private keys providing a robust defense against large scale data breaches and credential stuffing attacks.

What is the process for enabling passkeys within Scalekit

Enabling passkeys in Scalekit is a straightforward process that takes only a few minutes. Developers simply need to log into the Scalekit Dashboard navigate to the Authentication section select Auth Methods then Passkeys and click Enable. Once activated passkeys can be managed through Scalekit hosted pages or custom user interfaces built with the Scalekit WebAuthn APIs. This ease of implementation allows teams to upgrade their security infrastructure without extensive code changes or complex backend reconfigurations. This rapid deployment capability is ideal for fast moving engineering teams looking to enhance their authentication stack with minimal effort.

What is the current level of global passkey readiness

Recent data from the FIDO Passkey Index shows that 93 percent of user accounts globally are already passkey ready across various platforms. Furthermore over one third of users have already enrolled a passkey and one in four global sign ins now utilize this technology. This rapid adoption signifies that passkeys have moved from experimental to a mainstream industry baseline. For CTOs and product leaders this represents a critical opportunity to adopt a widely supported standard that aligns with current user behavior and platform capabilities ensuring your application remains competitive and secure in the modern digital landscape.

How do passkeys help organizations address growing security debt

Every stored password represents a potential security liability or debt that organizations must manage through hashing and complex storage protocols. Passkeys eliminate this debt by removing the requirement to store or manage sensitive secrets entirely. By shifting to a cryptographic model organizations remove entire categories of breach exposure related to credential handling. This architectural simplification not only reduces the risk of massive data breaches but also lowers the long term maintenance costs associated with legacy security infrastructure. Addressing security debt with passkeys allows CISOs to build a more resilient and scalable identity foundation for their entire B2B application ecosystem.

No items found.
Ready to go Passwordless?
Start today!
Open in ChatGPT
On this page
Toc link here
Share this article
Copy link
Ready to go Passwordless?
Start today!
More from our blog
More articles
B2B Authentication
Oct 31, 2025
Beyond the password: a B2B SaaS guide to passkeys
Kuntal Banerjee
B2B Authentication
Behind the build: Building passwordless auth for developers
Srinivas Karre
Authentication
Aug 28, 2025
Migrating from password-based to passwordless authentication
Kuntal Banerjee
More articles

Acquire enterprise customers with zero upfront cost

Every feature unlocked. No hidden fees.
Start for free
Talk to an engineer
Start Free
$0
/ month
1 million Monthly Active Users
100 Monthly Active Organizations
1 SSO connection
1 SCIM connection
10K Connected Accounts
Unlimited Dev & Prod environments
The Auth Stack
for AI applications
hi@scalekit.com
16192 Coastal Hwy Lewes,
DE 19958
slack logo
Join our community 
Modular Auth
MCP AuthAgent AuthSSOSCIM
Full Stack Auth
User & Org ManagementAuth MethodsAPI AuthRoles & PermissionsCustomizationEnterprise Auth
Extensibility
Auth workflowsIntegrations
Compare
Scalekit vs Auth0Scalekit vs StytchScalekit vs DescopeScalekit vs CognitoScalekit vs ClerkScalekit vs WorkOS
Industry Reports
State of Auth 2025Enterprise MCP patterns
Auth Guides
MCP AuthSingle Sign-onPasswordlessSCIMOAuth
Resources
DocsAPI ReferenceBlogRelease NotesSDKs
Company
LegalTrust CenterCustomers
Compliance
Follow us on
All systems operational
Copyright © 2026.
ScaleKit Inc. All rights reserved

We use cookies, so things load fast, we learn what to fix, and you can always reach us on chat

Okay, got it! 
Connectors
/
salesforce
Live 25 tools

Salesforce integeration for AI Agents

The Salesforce API is documented. Connecting your agent to itcorrectly — for real users, at scale — is the part that takes weeks.
Start building free
Read the quickstart

OAuth 2.0

Auto token refresh

Zero credential storage

Revocation detection

Sandbox + production

The real problem

Why this is harder than it looks

Most teams underestimate what "Salesforce OAuth" actually requires. The authorization flow itself is straightforward. The problems start after the user approves your app.

In production, each of your customers' employees connects their own Salesforce org. Access tokens expire — you need refresh logic that runs before expiry, not after a failed call. If a user revokes access inside Salesforce, you need to detect it and stop making calls on their behalf. Sandbox orgs use a different base URL than production; your code has to handle both without asking the user to configure anything. And if you're building a product — not an internal tool — the consent screen should show your brand, not a third-party library's name.

None of this is impossible to build. But it's a month of work that doesn't move your agent forward. And then you do it again for the next connector.

Scalekit is the infrastructure layer that handles all of it. Your agent names a tool and passes parameters. Scalekit takes care of which token to use, whether it's still valid, and what to do if it isn't.

Capabilities

What your agent can do with Salesforce

Once connected, your agent has 25 pre-built tools covering the full Salesforce object model:

  • Query anything with SOQL: filtered lists, aggregations, cross-object joins, custom fields
  • Create and update pipeline records: accounts, opportunities, contacts as deals move through stages
  • Full-text search with SOSL: across multiple Salesforce objects simultaneously
  • Atomic batch operations: create a Contact and link an Opportunity in one round trip via the Composite API
  • Schema introspection at runtime: describe any SObject, check org API limits, read report metadata
Jump to full tool reference
Setup context

What we're building

This guide connects a sales assistant agent to Salesforce — helping reps query accounts, surface open opportunities, and create records without leaving your product.

🤖
Example agent
Sales assistant managing pipeline on behalf of each rep
🔐
Auth model
B2B SaaS — each rep connects their own org. identifier = your user ID
⚙️
Scalekit account
app.scalekit.com — Client ID, Secret, Env URL
🐍
Runtime
Python 3.8+ · Node.js also available
Setup context

1 Setup: One SDK, One credential

Install the Scalekit SDK. The only credential your application manages is the Scalekit API key — no Salesforce secrets, no user tokens, nothing belonging to your customers.

Connected Accounts

2 Per-User Auth: Creating connected accounts

Each rep gets their own Connected Account, giving them a dedicated auth context. The identifier is any unique string from your system — a UUID, email, whatever you use internally

This call is idempotent — safe to call on every session start. Returns the existing account if one already exists.

Authorization Flow

3 The authorization flow

The rep authorizes your agent once. Scalekit generates the OAuth URL with correct scopes, PKCE challenge, and redirect handling pre-configured. After approval, you never see the token.

This call is idempotent — safe to call on every session start. Returns the existing account if one already exists.

Token management is automatic
After the user approves, Scalekit stores encrypted tokens and the connected account moves to ACTIVE. Access tokens refresh 5 minutes before expiry. If a rep revokes access in Salesforce, the account moves to REVOKED — no silent failures. Check account.status before critical operations.
Enterprise branding: Bring Your Own Credentials
For deployments where users should see your app name on the consent screen, register your own Salesforce Connected App credentials in the Scalekit dashboard. Token management stays fully handled.
See BYOC docs
Already have credentials?
Skip to code examplesGet a free account
Tool reference

All 25 Salesforce tools

Grouped by object and capability. Your agent calls tools by name — no API wrappers to write.

Accounts
salesforce_account_create
Create a new account with billing address, industry, revenue, and company metadata
salesforce_account_get
Retrieve a single account by ID with all standard and custom fields
salesforce_account_update
Update any field on an existing account record
salesforce_account_delete
Soft-delete an account from the org
Opportunities
salesforce_account_create
Create an opportunity with stage, amount, close date, and account association
salesforce_account_get
Retrieve a specific opportunity by ID with field selection
salesforce_account_update
Update stage, amount, close date, or any other opportunity field
salesforce_account_delete
List opportunities with pagination
Contacts
salesforce_account_create
Create a contact with name, email, phone, job title, and account association
salesforce_account_get
Retrieve a specific contact by ID with field selection
Queries & Search
salesforce_query_soql
Execute any SOQL query — filters, joins, aggregations, custom fields
salesforce_soql_execute
Alternative SOQL execution endpoint for custom query patterns
salesforce_search_sosl
Full-text search across multiple Salesforce objects simultaneously
salesforce_search_parameterized
Simplified search with predefined parameters — object type, fields, search text
Generic SObject Operations
salesforce_sobject_create
Create a record for any SObject type — standard or custom objects
salesforce_sobject_get
Retrieve any SObject record by ID and type
salesforce_sobject_update
Update any SObject record. Only the fields provided are changed
salesforce_sobject_delete
Permanently delete any SObject record by ID
Batch & Metadata
salesforce_composite
Create a record for any SObject type — standard or custom objects
salesforce_global_describe
Retrieve any SObject record by ID and type
salesforce_object_describe
Update any SObject record. Only the fields provided are changed
salesforce_limits_get
Update any SObject record. Only the fields provided are changed
salesforce_dashboard_metadata_get
Update any SObject record. Only the fields provided are changed
salesforce_report_metadata_get
Retrieve structure, fields, groupings, and configuration for a specific report
Connector notes

Salesforce-Specific behavior

Sandbox vs. production — handled automatically
Salesforce sandbox orgs use a different base URL for API calls than production orgs. Scalekit detects this based on which environment the user authorizes through and routes accordingly. No code changes needed.
Connected App IP restrictions cause silent 401s
If your Salesforce Connected App has IP range restrictions configured, tokens may fail silently for users outside those ranges. This is a Salesforce org configuration issue. If you see unexplained 401s after successful authorization, check the Connected App's IP restriction settings in Salesforce Setup.
See BYOC docs
Infrastructure decision

Why not build this yourself

The Salesforce OAuth flow is documented. Token storage isn't technically hard. But here's what you're actually signing up for:

PROBLEM 01
Org-specific token endpoints and sandbox vs. production URL handling that varies by configuration
PROBLEM 02
Refresh token rotation behavior that differs by Connected App config — silent failures if handled wrong
PROBLEM 03
Revocation detection and graceful handling when users disconnect from Salesforce org settings
PROBLEM 04
Scoped, zero-trust credential architecture — your app stores zero Salesforce credentials by design

That's one connector. Your agent product will eventually need Slack, Gmail, HubSpot, Notion, and whatever else your customers ask for. Each has its own OAuth quirks and failure modes.

Scalekit maintains every connector. You maintain none of them.

Ready to ship

Connect your agent to Salesforce in minutes

Free to start. No Salesforce Connected App required. Token management fully handled.
Start building freeRead the quickstart
2 columns Table
salesforce_sobject_create
Create a record for any SObject type — standard or custom objects
salesforce_sobject_get
Retrieve any SObject record by ID and type
salesforce_sobject_update
Update any SObject record. Only the fields provided are changed
salesforce_sobject_delete
Permanently delete any SObject record by ID
3 columns Table
salesforce_sobject_create
Create a record for any SObject type — standard or custom objects
Create a record for any SObject type — standard or custom objects
salesforce_sobject_get
Retrieve any SObject record by ID and type
Retrieve any SObject record by ID and type
salesforce_sobject_update
Update any SObject record. Only the fields provided are changed
Update any SObject record. Only the fields provided are changed
salesforce_sobject_delete
Permanently delete any SObject record by ID
Permanently delete any SObject record by ID
4 columns Table
salesforce_sobject_create
Create a record for any SObject type — standard or custom objects
Create a record for any SObject type — standard or custom objects
Create a record for any SObject type — standard or custom objects
salesforce_sobject_get
Retrieve any SObject record by ID and type
Retrieve any SObject record by ID and type
Retrieve any SObject record by ID and type
salesforce_sobject_update
Update any SObject record. Only the fields provided are changed
Update any SObject record. Only the fields provided are changed
Update any SObject record. Only the fields provided are changed
salesforce_sobject_delete
Permanently delete any SObject record by ID
Permanently delete any SObject record by ID
Permanently delete any SObject record by ID

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Open in ChatGPT
On this page
Ready to go Passwordless?
Start today!