fix: Use Kinde without an SDK overhaul

[tamalchowdhury]

This PR does an overhaul to the Use Kinde without an SDK. The doc adds detailed steps on the authorization code flow along with the PKCE flow for SPAs. It includes detailed code examples for users to get started with Kinde without an SDK.

Summary by CodeRabbit

• Documentation
  • Renamed and updated "Use Kinde without an SDK" guide with expanded frontmatter (title, page_id, updated date, topics, keywords) and TOC depth.
  • New Quickstart: app creation, keys, callback/logout URLs, auth method selection, and tabbed backend vs SPA/mobile flows (PKCE, state, token exchange, refresh, sign-out).
  • Reworked request-parameter reference, clarified scopes (offline), deprecated start_page, added FAQs (Implicit Flow not supported; userinfo vs id_token).
  • Linked redirect guidance updated to reference the revised guide.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c26c33a8-7816-4ef8-88e2-9bc1b4e3b9f1

📥 Commits

Reviewing files that changed from the base of the PR and between 206c177 and 5553e1e.

📒 Files selected for processing (2)

• src/content/docs/authenticate/custom-configurations/redirect-users.mdx
• src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx

🚧 Files skipped from review as they are similar to previous changes (1)

• src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx

---

Walkthrough

Rewrites and expands the "Use Kinde without an SDK" guide (frontmatter, full quickstart, backend vs SPA/mobile authorization flows with state and PKCE, callback/token exchange, route protection, request-parameter reference, and FAQs) and updates one redirect reference in a related doc.

Changes

Kinde without SDK Documentation

Layer / File(s)	Summary
Page metadata and title src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Frontmatter updated with new page_id, tableOfContents.maxHeadingLevel, shortened title to "Use Kinde without an SDK", updated timestamp, and expanded topics/keywords.
Frontmatter topics expansion src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Added authentication-, token-, and security-related entries to the topics list in frontmatter.
Authentication quickstart and flow guide src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Main content rewritten into "What you need" and "Quickstart": app creation, obtaining keys, registering callback/logout URLs, selecting auth method, locating OpenID endpoints, and tabbed authorization flows for backend vs SPA/mobile (state handling, PKCE), callback handling and token exchange, userinfo/id_token options, two-layer route protection patterns, refresh-token behavior, claims validation, sign-out, supported grants, and OAuth scopes.
response_type parameter clarification src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	New response_type subsection specifying code must be used and that Implicit Flow is not supported.
Request parameters and PKCE details src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Expanded subsections for redirect_uri, scope, state, nonce, PKCE fields (code_challenge, code_challenge_method), prompt, and login_hint, including offline refresh-token semantics and requirement notes.
Additional parameters and FAQs src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Added parameter coverage (is_create_org, org_name, audience, UI/workflow flags), deprecated note for start_page, and new FAQs covering Implicit Flow and when to call the userinfo endpoint vs decode id_token, with a sample HTTP request/response and scope-dependent field notes.

Redirect link correction

Layer / File(s)	Summary
Redirect guide reference update src/content/docs/authenticate/custom-configurations/redirect-users.mdx	Step 6 link updated to reference the "Use Kinde without an SDK" page without the #handling-the-callback fragment; token exchange via code and redirect via nextUrl remains the same.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• victoreronmosele
• onderay

Poem

🐰 A rabbit hops through docs renewed,
Quickstarts bloom where text once stewed,
Backend, SPA—both paths explained,
Tokens, PKCE, no flow constrained,
A handy guide, tidy and true.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: a comprehensive overhaul of the 'Use Kinde without an SDK' documentation guide.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tamal/update/use-kinde-without-an-sdk-update

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying kinde-docs-preview with    Cloudflare Pages

Latest commit:	5553e1e
Status:	✅  Deploy successful!
Preview URL:	https://249aaf5a.kinde-docs-preview.pages.dev
Branch Preview URL:	https://tamal-update-use-kinde-witho.kinde-docs-preview.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx`:
- Around line 324-339: Update the "Handling token expiry" section to distinguish
confidential vs public clients: clarify that the provided refresh POST example
(the grant_type=refresh_token request including client_secret) applies to
confidential backend apps, and add a separate note (or alternate example)
stating that SPAs/mobile apps using PKCE do not include client_secret when
exchanging a refresh token; ensure the text references the existing example and
the PKCE flow described earlier so readers know which client type each approach
(with or without client_secret) applies to.
- Around line 633-635: Complete the unfinished sentence under the "Does Kinde
support the Implicit Flow?" heading by appending the reason (e.g., "because it
is considered insecure and has known vulnerabilities") — you can mirror the
wording used earlier in the document (line referencing the earlier statement
that "Kinde does not support the implicit flow as it has shown to be unsecure")
so the final line reads something like: "No, Kinde does not support the Implicit
Flow because it is considered insecure and has known vulnerabilities."

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 39ea6e50-fa81-42ab-a9f1-8261b7bcd859

📥 Commits

Reviewing files that changed from the base of the PR and between b750eb9 and 0c21d32.

📒 Files selected for processing (1)

• src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx