WorkOS

Enables SaaS applications to integrate enterprise SSO by accepting SAML assertions and OIDC authorization codes from 20+ identity providers (Okta, Azure AD, Google Workspace, etc.). WorkOS acts as a service provider that normalizes identity responses across heterogeneous enterprise directories, exchanging authorization codes for user profiles and access tokens via language-specific SDKs (Node.js, Python, Ruby, Go, PHP, Java, .NET). The implementation uses a per-connection pricing model where each enterprise customer's identity provider is registered as a distinct connection, allowing multi-tenant SaaS platforms to onboard customers without custom integration work.

Automatically synchronizes user and group data from enterprise HR systems and directories (Workday, SuccessFactors, BambooHR, etc.) into SaaS applications using the SCIM 2.0 protocol. WorkOS acts as a SCIM service provider that receives provisioning/de-provisioning events from customer directories via webhooks, normalizing user lifecycle events (create, update, suspend, delete) and group memberships into a consistent schema. The implementation uses event-driven architecture where directory changes trigger webhook deliveries in real-time, eliminating manual user management and keeping application user rosters synchronized with authoritative HR systems.

Enables users to authenticate without passwords by sending one-time magic links via email. When a user enters their email address, WorkOS generates a unique, time-limited link (typically valid for 15-30 minutes) and sends it via email. Clicking the link verifies email ownership and creates an authenticated session without requiring password entry. The implementation eliminates password management burden and reduces phishing attacks because users never enter credentials into the application.

Enables users to authenticate using existing Microsoft or Google accounts via OAuth 2.0 protocol. WorkOS handles OAuth flow (authorization request, token exchange, user profile retrieval) transparently, allowing users to sign in with a single click. The implementation abstracts away OAuth complexity, supporting both Microsoft (Azure AD, Microsoft 365) and Google (Gmail, Google Workspace) without requiring application to implement separate OAuth clients for each provider.

Enables users to add a second authentication factor (time-based one-time password via authenticator app, or SMS code) to their account. WorkOS handles MFA enrollment, challenge generation, and verification transparently during authentication flow. The implementation supports both TOTP (authenticator apps like Google Authenticator, Authy) and SMS-based codes, allowing users to choose their preferred MFA method. MFA can be optional (user-initiated) or mandatory (enforced by SaaS application or enterprise customer policy).

Provides a pre-built, white-label authentication interface (AuthKit) that SaaS applications can embed or redirect to, supporting passwordless authentication (magic links via email), social sign-in (Microsoft, Google), multi-factor authentication (MFA), and traditional password-based login. The UI is hosted by WorkOS and customizable via dashboard (logo, colors, branding) without requiring frontend code changes. AuthKit handles the full authentication flow including credential validation, MFA challenges, and session token generation, reducing SaaS teams' responsibility to building and securing authentication UI from scratch.

Enables SaaS applications to define custom roles and granular permissions, then assign them to users and groups provisioned via SSO or directory sync. WorkOS RBAC allows applications to create hierarchical role structures (e.g., Admin > Manager > Member) with custom permission sets, then enforce authorization decisions at the application layer using role and permission data returned in user profiles. The implementation uses a permission-based model where each role is a collection of named permissions (e.g., 'users:read', 'users:write', 'billing:admin'), allowing fine-grained access control without hardcoding authorization logic.

Captures and stores all authentication, authorization, and user lifecycle events (logins, SSO attempts, directory sync actions, role changes, permission grants) with full audit trail including timestamp, actor, action, resource, and outcome. WorkOS streams audit logs to external SIEM systems (Splunk, Datadog, etc.) via dedicated connections, or allows export via API for compliance reporting. The implementation uses event-driven architecture where all identity operations generate immutable audit records, enabling forensic analysis and compliance audits (SOC 2, HIPAA, etc.).

Radar product analyzes authentication attempts in real-time to detect and block bot attacks, credential stuffing, account takeover attempts, and fraudulent access patterns. The implementation uses behavioral analysis (IP reputation, device fingerprinting, login velocity, geographic anomalies) to assign risk scores to each authentication attempt, allowing SaaS applications to enforce adaptive authentication (e.g., require MFA for high-risk logins) or block suspicious attempts outright. Radar operates transparently during authentication flow without requiring application code changes.

Vault product provides encryption key management (EKM) service where WorkOS generates and manages encryption keys, and optionally encrypts and stores sensitive objects (user data, secrets, etc.) on behalf of SaaS applications. The implementation allows applications to request encryption of sensitive data, with WorkOS handling key rotation, secure key storage, and decryption on demand. Optional storage means applications can either use WorkOS as key manager only (bring-your-own-encryption) or delegate both key management and encrypted storage to WorkOS.

Provides a self-serve admin dashboard where enterprise customers can configure their own SSO connections, manage directory sync settings, and administer users without contacting SaaS support. The admin portal is white-labeled and customizable, allowing SaaS platforms to embed it in their own admin interface or provide direct access to customers. The implementation reduces support burden by enabling customers to self-serve common identity management tasks (adding SSO provider, syncing directory, managing users).

Provides secure authentication for MCP servers, allowing AI agents and LLM applications to authenticate to MCP servers using WorkOS-managed credentials. The implementation handles credential generation, rotation, and revocation for MCP server connections, eliminating the need for applications to manage API keys or secrets directly. MCP Auth integrates with WorkOS identity platform, allowing MCP servers to be treated as first-class identity subjects with their own roles and permissions.

Enables SaaS platforms to manage users across multiple enterprise customers with complete identity isolation — each customer's users, roles, and permissions are segregated and cannot access other customers' data. The implementation uses customer/organization context in all identity operations (SSO, directory sync, RBAC, audit logs), ensuring that user provisioning, authentication, and authorization are scoped to the correct customer. This allows SaaS platforms to serve multiple enterprise customers from a single application instance without custom multi-tenancy logic.