Launching Passwordless Auth as a Service

Frictionless logins, email-first flow, no passwords

Scalekit now supports passwordless authentication, allowing your users to sign in using just their email — either by clicking a secure magic link or by entering a one-time passcode (OTP) sent to their inbox. No passwords to create, reset, or store.

Whether you're building a custom UI or want a fast drop-in redirect experience, Scalekit gives you production-grade passwordless auth in minutes.

Why go Passwordless?

  • No passwords to store or reset
  • Works out of the box with modern browsers and clients
  • Secure against phishing and reuse
  • Works with hosted login or your custom UI
  • Full branding control via email templates and domain setup

Here are two ways you can implement passwordless auth: 

  • OIDC Flow (Redirect-based)
    Let Scalekit handle the UI and auth state. Ideal for apps using hosted login or needing quick setup with token-based sessions.
  • Headless API Flow
    Use direct API calls to send OTPs or magic links and verify them manually. Fully customizable UX with complete control over the frontend.

This guide covers the Headless API flow.

What You’ll Need

Before getting started, make sure you have:

  • Access to your Scalekit account and API credentials
  • The Scalekit SDK installed in your project
  • A terminal or dev environment ready to send API requests

Step 1: Configure Passwordless Auth in the Dashboard

In your Scalekit Dashboard:

  • Go to Authentication → Auth Methods
  • Under Passwordless, choose your preferred method: code, link, or both
  • Save your changes to activate the flow

Step 2: Trigger the Verification Email

Once a user submits their email:

  • Send a request to Scalekit to deliver a verification email
  • You can customize the expiry time, email template, and redirect URI
  • The API returns an auth_request_id, which is used in the next step

Depending on your setup, users will receive either:

  • A one-time code to enter in your app
  • A magic link that verifies them when clicked
  • Or both, giving them a choice

If users request another email:

  • Send a resend request using the same auth_request_id
  • You can optionally enable the dashboard setting to generate new credentials on resend

Scalekit allows up to 2 emails per minute per email address.

Step 3: Verify the User

Once the user receives the email:

  • If you’re using a verification code, prompt them to enter it and verify using the API.
  • If you’re using a magic link, extract the link_token from the URL when they click it and verify.

For added security, if you’ve enabled “Enforce same browser origin”, you’ll also pass the auth_request_id when verifying a magic link.

Scalekit allows up to 5 verification attempts per user within a 10-minute window.
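The application-side bookkeeping that Steps 2 and 3 imply, as an added example (not Scalekit's code or SDK): it mirrors the two limits stated above so your backend can refuse a request before calling the API, and it keeps the auth_request_id in the browser session that started the login so it can be passed when a magic link is verified. The class and method names are hypothetical, keying verification attempts by email address is an assumption, and the calls to Scalekit itself are left out.

```python
import time
from collections import defaultdict, deque

# Limits as stated on this page; Scalekit enforces its own copy server-side.
SEND_LIMIT = (2, 60)      # 2 emails per minute per email address
VERIFY_LIMIT = (5, 600)   # 5 verification attempts per 10-minute window


class PasswordlessGuard:
    """App-side pre-checks for the headless flow (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._events = defaultdict(deque)   # (kind, key) -> timestamps
        self._pending = {}                  # session_id -> auth_request_id

    def _allow(self, kind, key, limit):
        max_events, window = limit
        now = self._clock()
        q = self._events[(kind, key)]
        while q and now - q[0] >= window:   # drop events outside the window
            q.popleft()
        if len(q) >= max_events:
            return False                    # refused attempts are not recorded
        q.append(now)
        return True

    def allow_send(self, email):
        # Normalise so "A@x.com" and "a@x.com " share one budget (assumption).
        return self._allow("send", email.strip().lower(), SEND_LIMIT)

    def allow_verify(self, email):
        return self._allow("verify", email.strip().lower(), VERIFY_LIMIT)

    def remember(self, session_id, auth_request_id):
        # Call once the send request has returned an auth_request_id.
        self._pending[session_id] = auth_request_id

    def auth_request_for(self, session_id):
        # None means this browser session never started a login, so there is
        # no auth_request_id to pass alongside the link_token.
        return self._pending.get(session_id)

    def forget(self, session_id):
        # Call after a successful verification so the id is not reused.
        self._pending.pop(session_id, None)
```

The state here lives in process memory; with more than one backend instance the same counters and session mapping would need a shared store.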

Passwordless Auth is included in every Scalekit plan. Start your trial now or refer to docs.
