19 changes: 18 additions & 1 deletion src/content/docs/authenticate/fsa/multiapp/manage-apps.mdx
Expand Up @@ -120,7 +120,24 @@ Register and manage applications in Scalekit. Each application gets its own OAut

For definitions, validation rules, custom URI schemes, and environment-specific behavior, see [Redirect URL configuration](/guides/dashboard/redirects/).

5. ## Delete an application
5. ## Configure custom scopes

Scalekit includes `openid`, `email`, `profile`, and `offline_access` as default scopes. If your application needs additional scopes — such as `todo:read` or `data:read` — in the access token during an OAuth authorization flow, define them in the application's **Advanced Settings**.
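Review bot: The default-scope sentence lists `offline_access` next to `openid`, `email` and `profile` without saying what it does, and that matters here because `offline_access` is the OIDC scope that requests a refresh token, so an application that keeps the defaults is handed a long-lived credential by default. Add a clause saying that `offline_access` results in a refresh token being issued and link to wherever refresh-token storage is documented, so that a reader deciding which custom scopes to define also decides whether the app needs `offline_access` at all.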
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify token lifetime and secure usage when describing scopes in access tokens.

This section states scopes appear in the access token, but it does not state token lifetime and secure handling guidance. Add one short sentence covering both.

As per coding guidelines: “Any reference to tokens (idToken, accessToken, refreshToken) MUST clarify: what it contains, its lifetime, and how to use it securely.”

Also applies to: 140-140

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/authenticate/fsa/multiapp/manage-apps.mdx` at line 125,
Append a single short sentence after the paragraph that begins "Scalekit
includes `openid`, `email`, `profile`, and `offline_access` as default scopes"
to clarify token lifetime and secure handling: state that the access token
contains scopes/claims and is short‑lived (use refresh tokens or offline_access
for long sessions), and advise secure handling (store tokens in secure,
HTTP‑only cookies or in-memory, never expose them to third‑party scripts or
logs). Ensure the sentence mentions accessToken/refreshToken/idToken when
applicable and is concise.


To configure a custom scope:
1. Open the application and go to the **Advanced Settings** tab
2. Under **Define Scopes**, select an existing scope or type a new one and add it
3. Click **Save**

When initiating the authorization request, pass the custom scope in the `scope` parameter alongside the standard scopes:

```
scope=openid profile email offline_access todo:read
```
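Review bot: The snippet `scope=openid profile email offline_access todo:read` shows the raw space-delimited value, while the sentence above says to pass it "in the `scope` parameter"; state that the value is one space-separated string that must be URL-encoded in the authorization request (spaces become `%20` or `+`), otherwise a reader who pastes the line into a query string sends a malformed request. Since step 2 lets users type any new scope name, the section should also say which characters a custom scope name may contain and whether names are matched case-sensitively, so `todo:read` and `Todo:Read` are not assumed to be interchangeable.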
Comment on lines +134 to +136
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language identifier (or <Code>) for the scope snippet.

The fenced block is untyped. Use a language-tagged block (for example, txt) or convert to <Code> with single-line settings (showLineNumbers={false} + wrap) for consistency.

As per coding guidelines: “Always add a language identifier to fenced code blocks” and “For single-line code snippets, set showLineNumbers={false} and add wrap prop.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/authenticate/fsa/multiapp/manage-apps.mdx` around lines 136
- 138, The fenced code block containing the single-line snippet "scope=openid
profile email offline_access todo:read" is missing a language identifier; update
that block to either use a language-tagged fenced block such as ```txt or
replace it with the <Code> component configured for single-line snippets (set
showLineNumbers={false} and add the wrap prop) to conform to the coding
guidelines for consistent rendering.


Scalekit includes the requested scopes in the access token, provided they are configured for the application.

6. ## Delete an application

Delete applications from the bottom of the configuration page.

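Review bot: "provided they are configured for the application" leaves the failure mode open: say whether a requested scope that is not defined under **Define Scopes** makes the authorization request fail (for example with an `invalid_scope` error) or is silently omitted from the issued token. Clients need to know which, because in the silent case the app must compare the `scope` claim of the returned access token with what it requested before enabling any feature gated on `todo:read`, rather than assuming the request was honoured. The renumbering of "Delete an application" to 6 is consistent with the new section 5.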