> **Building with AI coding agents?** Install the authstack plugin with one command. This equips your agent with accurate Scalekit implementation patterns.
>
> **Recommended**:
> ```bash
> npx @scalekit-inc/cli setup
> ```
>
> Global:
> ```bash
> npm install -g @scalekit-inc/cli
> scalekit setup
> ```
>
> Supports Claude Code, Cursor, GitHub Copilot, Codex + skills for 40+ agents.
> Features: full-stack-auth, agent-auth, mcp-auth, modular-sso, modular-scim.
> [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# How to register a callback endpoint

Learn how to register a callback endpoint in the Scalekit dashboard.
In the authentication flow for a user, a callback endpoint is the endpoint that Scalekit remembers about your application, trusts it, and sends a authentication grant (code). It further expects your application to exchange the code for a user token and user profile.

This needs to be pre-registered in the Scalekit dashboard.

Go to **Dashboard** > **Authentication** > **Redirect URLS** > **Allowed Callback URLs** and add the callback endpoint.

> Image: Scalekit Redirect URLs tab showing the Allowed callback URLs section with several registered callback endpoints and an Add URL button

Your redirect URIs must meet specific requirements that vary between development and production environments:

| Requirement | Development | Production |
| ----------- | ----------- | ---------- |
| Supported schemes | <span class="icon-text"> `http`  `https`  `{scheme}`</span> | <span class="icon-text"> `https`  `{scheme}`</span> |
| Localhost support | <span class="icon-text"> Allowed</span> | <span class="icon-text"> Not allowed</span> |
| Wildcard domains | <span class="icon-text"> Allowed</span> | <span class="icon-text"> Not allowed</span> |
| URI length limit | 256 characters | 256 characters |
| Query parameters | <span class="icon-text"> Not allowed</span> | <span class="icon-text"> Not allowed</span> |
| URL fragments | <span class="icon-text"> Not allowed</span> | <span class="icon-text"> Not allowed</span> |

Wildcards can simplify testing in development environments, but they must follow specific patterns:

| Validation rule                                                                     | Examples                                                                                                                                                                                                          |
| ----------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Wildcards cannot be used as root-level domains                          | <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://*.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://*.acmecorp.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://auth-*.acmecorp.com`</div> |
| Only one wildcard character is allowed per URI                                 | <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://*.*.acmecorp.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://*.acmecorp.com`</div>                                                                            |
| Wildcards must be in the hostname component only     | <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://acmecorp.*.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://*.acmecorp.com`</div>                                                                  |
| Wildcards must be in the outermost subdomain | <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://auth.*.acmecorp.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;"> `https://*.auth.acmecorp.com`</div>                                                        |

> caution
>
> According to the [OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749#section-3.1.2), redirect URIs must be absolute URIs. For development convenience, Scalekit relaxes this restriction slightly by allowing wildcards in development environments.


---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |
