Sync B2B billing with Scalekit and Chargebee

Map Scalekit organizations to Chargebee customers, run hosted checkout, and keep subscription state in sync via webhooks.

Multi-tenant B2B SaaS apps authenticate users through Scalekit organizations, but bill through Chargebee subscriptions. Those two systems do not share a database. Without an explicit mapping, you end up with duplicate Chargebee customers, subscriptions that never activate after checkout, or feature gates that read stale plan data.

This cookbook wires Scalekit Full Stack Auth to Chargebee using org-mode billing: the organization ID from the access token (oid) becomes the billing referenceId, Scalekit webhooks provision Chargebee customers, and Chargebee webhooks keep your local subscription table current.

The problem

Shipping org-level billing on top of Scalekit auth surfaces four recurring failures:

Orphan organizations — a customer signs up in Scalekit, but no Chargebee customer exists when they open your billing page.
ID drift — you create Chargebee customers keyed by email or an internal UUID while auth sessions carry oid. Checkout and webhooks cannot reconcile the two records.
Checkout without local state — hosted checkout succeeds, but your app still shows “no subscription” because nothing linked the Chargebee subscription back to the org.
Webhook blind spots — Scalekit org events and Chargebee subscription events update different stores. Without handlers on both sides, deletes and plan changes leave ghost data behind.

Who needs this

This cookbook is for you if:

✅ You run Full Stack Auth with organization support (oid in access tokens)
✅ You bill per organization, not per individual user
✅ You use Chargebee hosted checkout or the customer portal
✅ You maintain a local subscription cache to gate features in your app

You don’t need this if:

❌ You bill per user, not per organization
❌ You use the Chargebee Better Auth adapter and Better Auth’s session model
❌ Scalekit manages your entire product catalog and entitlements (no separate billing system)

The solution

Treat the Scalekit organization ID as the single billing reference for the tenant. The integration has three seams:

Provision on org create — Scalekit organization.created webhook → create a Chargebee customer and store the mapping locally.
Future subscription before checkout — create a local row with status: future before redirecting to Chargebee hosted checkout. Stamp pendingSubscriptionId on the Chargebee customer metadata so webhooks can match the right row.
Reconcile from Chargebee — Chargebee subscription webhooks (and an eager sync on checkout redirect) update the local row to active or in_trial.

Authorization stays in your app: every billing API call checks that referenceId === organizationId from the session before calling Chargebee.

Before you start

Gather these before you write code:

Prerequisite	Where to get it
Scalekit environment with organizations	Scalekit dashboard
OAuth client (`skc_...`) + redirect URI	API Keys in the dashboard
Chargebee sandbox site (Product Catalog 2.0)	Chargebee test site
Plan item price ID (e.g. `growth-plan-monthly`)	Chargebee Product Catalog
Test payment gateway (`gw_...`)	Chargebee Payment Gateways
Public tunnel for webhooks	ngrok, LocalTunnel, or similar

Environment variables (store in .env, never commit):

1
SCALEKIT_ENV_URL=https://your-env.scalekit.dev
2
SCALEKIT_CLIENT_ID=skc_...
3
SCALEKIT_CLIENT_SECRET=
4
SCALEKIT_WEBHOOK_SECRET=
5
CHARGEBEE_SITE=your-site-test
6
CHARGEBEE_API_KEY=
7
CHARGEBEE_PLAN_ITEM_PRICE_ID=growth-plan-monthly
8
CHARGEBEE_GATEWAY_ACCOUNT_ID=gw_your_test_gateway_id
9
CHARGEBEE_WEBHOOK_USERNAME=
10
CHARGEBEE_WEBHOOK_PASSWORD=
11
NEXT_PUBLIC_APP_URL=http://localhost:3000

Implementation

1. Store the org ↔ customer mapping

Add tables for organizations and subscriptions. The organization row holds the Chargebee customer ID; subscriptions are keyed by reference_id (the Scalekit org ID).

1
CREATE TABLE organization (
2
  id TEXT PRIMARY KEY,
3
  display_name TEXT,
4
  chargebee_customer_id TEXT UNIQUE
5
);
6

7
CREATE TABLE subscription (
8
  id TEXT PRIMARY KEY,
9
  reference_id TEXT NOT NULL,
10
  chargebee_customer_id TEXT NOT NULL,
11
  chargebee_subscription_id TEXT,
12
  status TEXT NOT NULL DEFAULT 'future',
13
  plan_id TEXT,
14
  seats INTEGER DEFAULT 1,
15
  trial_start INTEGER,
16
  trial_end INTEGER,
17
  current_period_end INTEGER,
18
  cancel_at_period_end INTEGER DEFAULT 0
19
);

Translate to your ORM. The reference_id column always stores the Scalekit organization ID from the oid claim.

2. Provision a Chargebee customer when Scalekit creates an org

Register a Scalekit webhook for organization.created, organization.updated, and organization.deleted. Verify the signature on the raw request body before parsing JSON.

1
import { NextRequest, NextResponse } from 'next/server';
2
import { getScalekitClient } from '@/lib/scalekit';
3
import { createOrgCustomer } from '@/lib/billing/create-org-customer';
4

5
export async function POST(req: NextRequest) {
6
  const rawBody = await req.text();
7
  const secret = process.env.SCALEKIT_WEBHOOK_SECRET!;
8
  const scalekit = getScalekitClient();
9

10
  // Get the Scalekit signature header (do not use a full headers map for the new API)
11
  const signature = req.headers.get('scalekit-signature') ?? '';
12

13
  // Verify webhook signature using the current SDK: scalekit.webhooks.verifySignature(rawBody, signature, secret)
14
  const isValid = await scalekit.webhooks.verifySignature(rawBody, signature, secret);
15
  if (!isValid) {
16
    return NextResponse.json({ error: 'Invalid signature' }, { status: 401 });
17
  }
18

19
  const event = JSON.parse(rawBody);
20

21
  if (event.type === 'organization.created') {
22
    const organizationId = event.organization_id ?? event.data?.id;
23
    await createOrgCustomer({
24
      organizationId,
25
      displayName: event.data?.display_name ?? null,
26
    });
27
  }
28

29
  return NextResponse.json({ received: true });
30
}

The createOrgCustomer helper upserts the local organization row, creates a Chargebee customer if one does not exist, and stores organizationId in Chargebee meta_data:

1
const { customer } = await chargebee.customer.create({
2
  company: displayName ?? undefined,
3
  preferred_currency_code: 'USD',
4
  meta_data: {
5
    organizationId,
6
    customerType: 'organization',
7
  },
8
});
9

10
await setChargebeeCustomerId(organizationId, customer.id);

Return 200 after enqueueing work. Scalekit retries on non-2xx responses.

3. Read the organization ID from the session

Billing routes need the org context from the access token. Validate the token on every request and require the oid claim:

1
import { decodeJwt } from 'jose';
2

3
const isValid = await scalekit.validateAccessToken(accessToken);
4
if (!isValid) {
5
  throw new SessionError(401, 'Invalid or expired token');
6
}
7

8
// After successful validation, decode to read claims (e.g. `oid`, `sub`).
9
// decodeJwt is safe here because validateAccessToken already performed
10
// cryptographic signature validation + standard claim checks (exp, iss, aud).
11
const claims = decodeJwt(accessToken);
12

13
const organizationId = claims.oid as string | undefined;
14
if (!organizationId) {
15
  throw new SessionError(403, 'Organization context required for billing');
16
}
17

18
return {
19
  userId: claims.sub as string,
20
  email: claims.email as string,
21
  organizationId,
22
};

Do not call /userinfo for billing context. Use scalekit.validateAccessToken(accessToken) (boolean) followed by a JWT decode (e.g. decodeJwt from jose) to read the oid claim from the access token. This matches the recommended pattern in the access control guide.

4. Authorize billing actions per organization

Before any Chargebee API call, confirm the caller’s session org matches the billing reference:

1
export async function authorizeReference({
2
  organizationId,
3
  referenceId,
4
}: {
5
  organizationId: string;
6
  referenceId: string;
7
}): Promise<boolean> {
8
  return referenceId === organizationId;
9
}

Extend this hook to deny billing for specific orgs (trial abuse, delinquent accounts) without changing Chargebee configuration.

5. Create a future subscription and start hosted checkout

When an org admin clicks Subscribe, create a local future row first, then call Chargebee hostedPage.checkoutNewForItems:

1
const referenceId = body.referenceId ?? ctx.organizationId;
2
if (!(await authorizeReference({ organizationId: ctx.organizationId, referenceId }))) {
3
  return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
4
}
5

6
const customerId = await getOrCreateCustomerId({ organizationId: referenceId });
7
const localSub = await createFutureSubscription({
8
  referenceId,
9
  chargebeeCustomerId: customerId,
10
});
11

12
await chargebee.customer.update(customerId, {
13
  meta_data: {
14
    pendingSubscriptionId: localSub.id,
15
    organizationId: referenceId,
16
  },
17
});
18

19
const result = await chargebee.hostedPage.checkoutNewForItems({
20
  subscription_items: [{ item_price_id: planItemPriceId, quantity: seats }],
21
  customer: { id: customerId },
22
  redirect_url: `${appUrl}/api/subscription/success?callbackURL=/billing?success=1&subscriptionId=${localSub.id}`,
23
  cancel_url: `${appUrl}/billing`,
24
});
25

26
return NextResponse.json({ mode: 'hosted', url: result.hosted_page.url });

The future row gives your app a stable ID to reconcile against before Chargebee assigns a subscription ID.

6. Sync subscription state from Chargebee webhooks

Chargebee event	Action
`subscription_created`	Link `chargebee_subscription_id`, set status
`subscription_activated` / `subscription_started`	Mark `active` or `in_trial`, fire entitlements hook
`subscription_changed` / `subscription_renewed`	Update plan, seats, period end
`subscription_cancelled`	Mark cancelled, revoke entitlements
`customer_deleted`	Clear local mapping

Lookup order when matching a webhook to a local row:

chargebee_subscription_id on the local row
meta_data.subscriptionId on the Chargebee subscription
meta_data.pendingSubscriptionId on the Chargebee customer
future row by reference_id

7. Eager-sync on checkout redirect

Hosted checkout redirects to your success URL before webhooks arrive. Add an eager sync in the success handler so the billing page shows the subscription immediately:

1
export async function GET(request: NextRequest) {
2
  const subscriptionId = request.nextUrl.searchParams.get('subscriptionId');
3

4
  if (subscriptionId) {
5
    const local = await findSubscriptionById(subscriptionId);
6
    if (local?.chargebeeSubscriptionId) {
7
      const result = await chargebee.subscription.retrieve(local.chargebeeSubscriptionId);
8
      await syncLocalFromChargebeeSubscription(local, result.subscription);
9
    }
10
  }
11

12
  return NextResponse.redirect(new URL('/billing?success=1', request.url));
13
}

Webhooks remain the source of truth for ongoing changes. The redirect sync removes the “refresh and wait” gap after checkout.

8. Gate features from local subscription state

Read subscription status from your database, not from Chargebee on every request:

1
const subs = await findActiveByReferenceId(ctx.organizationId);
2
return NextResponse.json({
3
  subscriptions: subs.map((sub) => ({
4
    id: sub.id,
5
    status: sub.status,
6
    planId: sub.planId,
7
    seats: sub.seats,
8
    trialEnd: sub.trialEnd,
9
  })),
10
});

Use onSubscriptionComplete and onSubscriptionDeleted hooks to flip feature flags, enable SSO, or send onboarding email when status changes.

Testing

Run this five-minute validation script after wiring both webhook endpoints through a tunnel:

Create an organization in Scalekit (or fire organization.created via the dashboard).
Confirm provisioning — local organization row exists and Chargebee dashboard shows a customer with matching organizationId metadata.
Sign in as a user in that org and open your billing page.
Start checkout — POST /api/subscription/create returns { mode: 'hosted', url }. Complete payment with test card 4111 1111 1111 1111.
Confirm redirect — browser lands on /billing?success=1 and the subscription appears without a manual refresh.
Replay a webhook — send a test subscription_activated event from the Chargebee dashboard and confirm the local row updates.

1
curl -s http://localhost:3000/api/session \
2
  -H "Cookie: scalekit_session=<your-session-cookie>" | jq '.organizationId'

Common mistakes

no_applicable_gateway on hosted checkout — Chargebee cannot select a payment gateway. Add a test gateway in the Chargebee dashboard, set CHARGEBEE_GATEWAY_ACCOUNT_ID, or enable Smart Routing.
Checkout succeeds but no redirect — NEXT_PUBLIC_APP_URL must appear in Chargebee Allowed redirect domains. A declined test card also prevents redirect.
Webhook signature failures — reading req.json() before verification mutates the body. Use the raw body string for Scalekit; use Basic Auth for Chargebee.
Duplicate Chargebee customers — race between org webhook and first checkout click. Make createOrgCustomer idempotent: check the local mapping before calling customer.create.
Billing API returns 403 — referenceId in the request body does not match session oid. In org-mode v1, always pass the session organization ID.

Production notes

Replace SQLite with Postgres or your production database. Keep the reference_id index — webhook handlers query by org ID on every event.
Rotate webhook secrets independently for Scalekit and Chargebee. Store them in your secrets manager, not .env files in the image.
Make handlers idempotent — Chargebee retries webhooks; subscription_activated may arrive twice. Upsert by chargebee_subscription_id, do not insert blindly.
Handle org deletion — on organization.deleted, cancel active Chargebee subscriptions and delete local rows. Orphan subscriptions continue billing otherwise.
Do not expose Chargebee API keys client-side — only publishable keys belong in NEXT_PUBLIC_* variables for Chargebee.js. Server routes call the Chargebee SDK with the secret key.

Next steps

Clone the saas-auth-chargebee-example repo for a runnable Next.js implementation
Enforce seat limits with SCIM provisioning when billing plans cap user count
External IDs and metadata for mapping Scalekit orgs to your internal tenant IDs
Organization webhook events for org lifecycle payloads
Chargebee webhook documentation for the full event catalog