fix: Use Kinde without an SDK overhaul

[tamalchowdhury]

This PR does an overhaul to the Use Kinde without an SDK. The doc adds detailed steps on the authorization code flow along with the PKCE flow for SPAs. It includes detailed code examples for users to get started with Kinde without an SDK.

Summary by CodeRabbit

• Documentation
  • Renamed and updated "Use Kinde without an SDK" guide with a clearer step-by-step Quickstart and expanded frontmatter and table-of-contents
  • Added guided setup: app creation, keys, callback/logout URLs, and authentication method selection
  • New tabbed authorization flows for backend vs SPA/mobile, callback/token exchange, refresh-token behavior, and sign-out
  • Reworked request-parameter reference, clarified scopes (use offline), deprecated start_page, and added FAQs on Implicit Flow and userinfo vs id_token

[coderabbitai]

Walkthrough

The PR rewrites and expands the "Use Kinde without an SDK" guide: frontmatter metadata updates, a step-by-step quickstart, tabbed backend vs SPA/mobile authorization flows (state + PKCE), callback/token exchange, userinfo vs id_token guidance, detailed request-parameter reference, and new FAQs.

Changes

Kinde without SDK Documentation

Layer / File(s)	Summary
Page metadata and title src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Frontmatter updated with new page_id, tableOfContents.maxHeadingLevel, shortened title to "Use Kinde without an SDK", updated timestamp, and expanded topics/keywords.
Frontmatter topics expansion src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Added authentication-, token-, and security-related entries to the topics list in frontmatter.
Authentication quickstart and flow guide src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Main content rewritten into "What you need" and "Quickstart": app creation, obtaining keys, registering callback/logout URLs, selecting auth method, locating OpenID endpoints, and tabbed authorization flows for backend vs SPA/mobile (state handling, PKCE), callback handling and token exchange, userinfo/id_token options, two-layer route protection patterns, refresh-token behavior, claims validation, sign-out, supported grants, and OAuth scopes.
response_type parameter clarification src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	New response_type subsection specifying code must be used and that Implicit Flow is not supported.
Request parameters and PKCE details src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Expanded subsections for redirect_uri, scope, state, nonce, PKCE fields (code_challenge, code_challenge_method), prompt, and login_hint, including offline refresh-token semantics and requirement notes.
Additional parameters and FAQs src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx	Added parameter coverage (is_create_org, org_name, audience, UI/workflow flags), deprecated note for start_page, and new FAQs covering Implicit Flow and when to call the userinfo endpoint vs decode id_token, with a sample HTTP request/response and scope-dependent field notes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through docs renewed,
Quickstarts bloom where text once stewed,
Backend, SPA—both paths explained,
Tokens, PKCE, no flow constrained,
A handy guide, tidy and true.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title 'fix: Use Kinde without an SDK overhaul' is partially related to the changeset. It mentions the main page being updated but doesn't clearly convey that this is a comprehensive restructuring of documentation content with new guides, expanded parameters, and FAQs rather than a bug fix.	Change the prefix from 'fix:' to 'docs:' or 'chore:' since this is documentation content restructuring, not a bug fix. Consider a more specific title like 'docs: Restructure Use Kinde without an SDK guide with detailed OAuth/OIDC instructions'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tamal/update/use-kinde-without-an-sdk-update

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying kinde-docs-preview with    Cloudflare Pages

Latest commit:	997d548
Status:	✅  Deploy successful!
Preview URL:	https://3f453434.kinde-docs-preview.pages.dev
Branch Preview URL:	https://tamal-update-use-kinde-witho.kinde-docs-preview.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx`:
- Around line 324-339: Update the "Handling token expiry" section to distinguish
confidential vs public clients: clarify that the provided refresh POST example
(the grant_type=refresh_token request including client_secret) applies to
confidential backend apps, and add a separate note (or alternate example)
stating that SPAs/mobile apps using PKCE do not include client_secret when
exchanging a refresh token; ensure the text references the existing example and
the PKCE flow described earlier so readers know which client type each approach
(with or without client_secret) applies to.
- Around line 633-635: Complete the unfinished sentence under the "Does Kinde
support the Implicit Flow?" heading by appending the reason (e.g., "because it
is considered insecure and has known vulnerabilities") — you can mirror the
wording used earlier in the document (line referencing the earlier statement
that "Kinde does not support the implicit flow as it has shown to be unsecure")
so the final line reads something like: "No, Kinde does not support the Implicit
Flow because it is considered insecure and has known vulnerabilities."

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 39ea6e50-fa81-42ab-a9f1-8261b7bcd859

📥 Commits

Reviewing files that changed from the base of the PR and between b750eb9 and 0c21d32.

📒 Files selected for processing (1)

• src/content/docs/developer-tools/about/using-kinde-without-an-sdk.mdx