> **Building with AI coding agents?** Install the authstack plugin with one command. This equips your agent with accurate Scalekit implementation patterns.
>
> **Recommended**:
> ```bash
> npx @scalekit-inc/cli setup
> ```
>
> Global:
> ```bash
> npm install -g @scalekit-inc/cli
> scalekit setup
> ```
>
> Supports Claude Code, Cursor, GitHub Copilot, Codex + skills for 40+ agents.
> Features: full-stack-auth, agent-auth, mcp-auth, modular-sso, modular-scim.
> [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/)

---

# Hosted UI widgets

Redirect users to a branded self-serve portal for organization settings, member management, SSO, SCIM, domains, and user profiles.
Redirect signed-in users from your application to Hosted UI widgets at `/ui/` so their workspace administrators can self-manage organizations, members, single sign-on (SSO), SCIM provisioning, domains, and profiles.

For example, add a link in your app’s settings or account area. Scalekit will use the active session and show users their workspace automatically.

```sh title="Hosted UI widgets URL" showLineNumbers=false frame
/ui/  # https://your-app-env.scalekit.com/ui/
```

## When to use Hosted UI widgets

Use Hosted UI widgets when you want customers to self-manage their organizations and accounts without you building custom UIs.

- **Advantages**: Enterprise customers can self-serve member management, SSO setup, SCIM provisioning, domain verification, session policy, and their own profiles. Permissions and organization features are handled automatically. The portal stays up to date with new Scalekit capabilities.
- **Trade-offs**: Customers leave your application UI and work in Scalekit-hosted pages. Branding follows your shared application customization settings. You send users to `/ui/`; they use portal navigation to open individual modules.

If you need a shareable link or iframe embed for enterprise IT administrators to configure SSO, SCIM, and organization domain verification, use the [Admin portal](/guides/admin-portal/) instead. The Admin portal supports only those three modules. Hosted UI widgets are the better fit for signed-in users who open self-serve settings from inside your product.

```d2 pad=56 layout=elk
direction: down

your_app: "Your B2B app" {
  style.font-size: 22
}

hosted: "Hosted UI widgets URL\n/ui/" {
  style.font-size: 22
  width: 720
}

user_widgets: "User widgets\n- User profile\n- User security" {
  style.font-size: 20
  width: 320
}

org_widgets: "Organization widgets\n- Organization settings\n- Member management\n- SSO configuration\n- SCIM configuration\n- Domain verification\n- Session policy" {
  style.font-size: 20
  width: 420
}

your_app -> hosted: "Redirect"
hosted -> user_widgets
hosted -> org_widgets
```

## Organization widgets

Organization widgets let your customers manage their organization's settings, members, and configurations. These widgets are access-controlled using Scalekit permissions and the features enabled for the organization. A widget appears only if the user has the required permissions and the organization has the corresponding feature enabled.

### Manage organization settings

Your customers can view and manage their organization profile, including allowed email domains. Navigate to **Organization settings** to update organization details.

> Image: Organization settings widget showing the organization name field and a list of allowed email domains

### Manage organization members

Your customers can view organization members, invite new members, manage roles, and remove members from the organization. The **Member management** widget provides a complete view of their team.

> Image: Member management widget listing organization users with their roles and active status, plus an Invite User button

### Configure SSO for the organization

Your customers can set up and manage Single Sign-On for their organization. The widget includes a setup guide tailored to their identity provider, making it easy to connect their SSO connection.

> note: Feature must be enabled
>
> The SSO widget appears only if SSO is enabled for the organization. You can enable SSO in the Scalekit dashboard or using the [SDK](/authenticate/auth-methods/enterprise-sso/#enable-sso-for-the-organization).

> Image: Single Sign-On widget prompting the user to choose an identity provider such as Okta, OneLogin, Google Workspace, or Entra ID

### Configure SCIM for the organization

Your customers can set up and manage SCIM provisioning for their organization. The widget includes a setup guide tailored to their identity provider to automate user and group provisioning.

> note: Feature must be enabled
>
> The SCIM widget appears only if SCIM is enabled for the organization. You can enable SCIM in the Scalekit dashboard or using the [SDK](/guides/user-management/scim-provisioning/#enable-scim-provisioning-for-the-organization).

> Image: SCIM provisioning widget prompting the user to select a directory provider such as Okta, OneLogin, Google Workspace, or Entra ID

### Verify organization domains

Your customers can add and verify the domains they own, enabling Home Realm Discovery and SCIM provisioning for their organization. [Learn more about organization domains](/authenticate/manage-users-orgs/organization-domains/).

After entering a domain, the widget displays the DNS TXT record to publish. Scalekit verifies ownership in the background and marks the domain as verified once the record propagates.

> note: Feature must be enabled
>
> The domain verification widget appears only if **Domain Verification** is enabled for the organization. You can enable Domain Verification in the Scalekit dashboard or via the [organization settings API](/apis/#tag/organizations/PATCH/api/v1/organizations/{id}/settings).

> Image: Domain verification via Hosted UI widgets

### Manage session policy

Your customers can view and configure their organization's session policy, setting custom absolute and idle session timeouts that override your application defaults. Scalekit always enforces the stricter of the two.

> note: Feature must be enabled
>
> The session policy widget appears only if **Session Policy** is enabled for the organization. You can enable it in the Scalekit dashboard or using the [organization settings API](/apis/#tag/organizations/PATCH/api/v1/organizations/{id}/settings).

> Image: Session policy widget with Application and Custom options selected, showing absolute and idle session timeout settings

## User widgets

User widgets let your customers manage their personal profile and security settings. These widgets are accessible to all authenticated users and are not controlled by organization features or Scalekit permissions.

### Manage profile

Your customers can view and manage their personal profile information, including their name, email, and other account details.

> Image: My Account widget showing editable first name and last name fields and a verified email address

### Manage security

Your customers can register and manage passkeys, view active sessions, and revoke sessions. The **User security** widget helps them maintain account security.

> Image: User security widget showing a registered passkey and a list of active sessions with options to revoke them

## Access management

Hosted UI widgets enforce access using **Scalekit permissions**. You can map these permissions to any application roles assigned to the end user. When a user accesses Hosted UI widgets, Scalekit checks their permissions and shows the available widgets.

| Permission | Purpose |
| --- | --- |
| `sk_org_settings_read` | View organization profile and settings |
| `sk_org_settings_manage` | View and modify organization profile and settings |
| `sk_org_users_read` | View users in an organization |
| `sk_org_users_invite` | Invite new users to an organization |
| `sk_org_users_delete` | Remove users from an organization |
| `sk_org_users_role_change` | Change roles of users in an organization |
| `sk_org_sso_read` | View SSO configuration for an organization |
| `sk_org_sso_manage` | View and modify SSO configuration for an organization |
| `sk_org_scim_read` | View SCIM configuration for an organization |
| `sk_org_scim_manage` | View and modify SCIM configuration for an organization |
| `sk_org_session_policy_read` | View session policy for an organization |
| `sk_org_session_policy_manage` | View and manage session policy for an organization |

> note: Default Admin and Member roles
>
> Scalekit creates **Admin** and **Member** roles for every environment by default. Scalekit permissions are mapped to these two roles by default. The Admin role has all Scalekit permissions and can access all Hosted UI widgets enabled for the organization. The Member role has limited access to organization widgets and can only view organization settings and organization members. Both roles have access to user widgets.
>
> You can customize the permission mapping for these roles or create a [custom role](/authenticate/authz/create-roles-permissions/) and assign Scalekit permissions to control access to Hosted UI widgets.

## Branding and customization

Hosted UI widgets use your application [branding](/fsa/guides/login-page-branding/) so the portal looks like an extension of your app. The same customization settings apply across hosted experiences, including the login page and [Admin portal](/guides/admin-portal/). You can also apply [organization branding](/fsa/guides/organization-branding/) where that feature is enabled.

You can change the Hosted UI widgets URL to match your application URL by setting up a [custom domain](/guides/custom-domain/).

## Common scenarios

## What is the shared session between my app and Hosted UI widgets?

It is the same Scalekit session issued to your application for that user. After your [authentication flow](/authenticate/fsa/quickstart/), the browser holds Scalekit cookies for your environment or custom domain. Hosted UI widgets read those same cookies, so users do not sign in again when you redirect them to `/ui/`.

## What happens if a user does not have a session?

Scalekit redirects the user to that Scalekit environment's login page for their account. Send users to `/ui/` only after they complete your [authentication flow](/authenticate/fsa/quickstart/) so a Scalekit session cookie is available.

## What happens when a user logs out from Hosted UI widgets?

Scalekit ends the Scalekit session and redirects the user to that Scalekit environment's login page for their account (the hosted login screen on your environment or [custom domain](/guides/custom-domain/)). Because Hosted UI widgets and your app share that session via Scalekit cookies, the user must sign in again before returning to `/ui/` or to app routes that rely on the same browser session.

If you keep a separate application session in your own backend, clear it when Scalekit logs the user out. Use [back-channel logout](/guides/dashboard/redirects/#back-channel-logout-url) or the [user logout webhook](/apis/#webhook/userlogout) so your backend stays in sync. See [manage sessions](/authenticate/fsa/manage-session/) for guidance.

## How does `/ui/` choose the organization for multi-org users?

The portal uses the user's **current active organization** from their Scalekit session. Set or switch the active organization in your application before redirecting to `/ui/`. You do not pass an organization ID as a query parameter on the portal URL.

## Do Hosted UI widgets require webhooks to load data?

No. Scalekit hosts the pages and loads the data they need. Use webhooks for your application workflows, for example logout propagation or provisioning events, not to supply data to Hosted UI widgets.

## Can I embed Hosted UI widgets in an iframe?

No. Use the [Admin portal](/guides/admin-portal/) for iframe embeds and shareable links. The Admin portal supports only the SSO, SCIM, and organization domain verification modules. For every other module, such as member management, session policy, and user profile, use Hosted UI widgets, which are full-page experiences only; redirect users to `/ui/`.


---

## More Scalekit documentation

| Resource | What it contains | When to use it |
|----------|-----------------|----------------|
| [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content |
| [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas |
| [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |
