WorkOS

Abstracts 20+ enterprise identity providers (Okta, Azure AD, Google Workspace, etc.) behind a unified SAML 2.0 and OIDC-compliant API, handling provider-specific protocol variations, metadata parsing, and assertion validation internally. Developers exchange authorization codes for normalized user profiles and access tokens via a single `sso.getProfileAndToken(code, clientID)` method, eliminating per-provider integration work.

Implements SCIM 2.0 protocol endpoints to receive user and group provisioning events from corporate directories (Okta, Azure AD, Workday, etc.) in real-time. WorkOS exposes SCIM endpoints that directory services push to; when users are added/modified/removed in the corporate directory, webhooks trigger immediately, allowing your application to sync user lifecycle events without polling. Supports role mapping and custom attribute synchronization.

Provides MCP Auth, a dedicated product for securing MCP (Model Context Protocol) servers and clients. Enables authentication and authorization for MCP connections, allowing you to control which AI models or applications can access your MCP resources. Integrates with WorkOS's identity system to enforce role-based access control on MCP operations.

WorkOS Pipes enables users to connect third-party accounts (e.g., GitHub, Slack, Google) to their WorkOS identity. Handles OAuth flows for third-party services, securely stores access tokens, and provides APIs to retrieve and use those tokens. Eliminates the need to implement OAuth flows for each third-party service separately.

WorkOS provides feature flag management integrated with identity data, allowing you to target feature flags based on user attributes, roles, organizations, or custom metadata. Enables gradual rollouts, A/B testing, and per-customer feature enablement without requiring separate feature flag infrastructure. Flags are evaluated server-side or client-side via SDK.

Provides domain verification capabilities to prove ownership of email domains. Supports DNS-based verification (TXT records) and email-based verification. Used for configuring custom email domains for authentication communications (e.g., magic link emails, password reset emails) and for restricting SSO to specific email domains. Enables branded authentication experiences and domain-based access control.

Provides reusable UI components (buttons, forms, modals) for common authentication flows (login, signup, password reset, MFA). Components are pre-styled and customizable via CSS/theme configuration. Can be embedded directly in your application without redirecting to a hosted UI. Handles form validation, error handling, and submission logic internally.

Provides AuthKit, a pre-built, hosted authentication interface that handles user login, signup, password reset, and multi-factor authentication flows. Developers embed a single component or redirect to a hosted URL; WorkOS manages the entire authentication UX, including social login (Google, Microsoft, Apple), passwordless magic-link authentication, and MFA enforcement. Customizable via CSS/theme configuration without requiring custom authentication UI code.

Provides a permission and role management system where developers define custom roles, assign permissions to roles, and check user permissions at runtime via API calls. Supports hierarchical role structures and per-resource permission checks. Permissions are evaluated server-side, allowing your application to enforce authorization rules without managing role/permission data separately.

Captures all authentication, authorization, and user lifecycle events (login, logout, permission changes, user creation/deletion, etc.) and stores them in WorkOS's audit log. Supports real-time event streaming to SIEM systems (Datadog, Splunk, etc.) via webhook or log export APIs. Provides queryable audit trail for compliance reporting and security investigations.

WorkOS Radar analyzes authentication requests in real-time, assigning risk scores based on IP reputation, device fingerprinting, geolocation anomalies, and behavioral patterns. Returns risk assessment results that your application can use to trigger additional verification steps (MFA, CAPTCHA, etc.) or block suspicious requests. Operates as a middleware in the authentication flow without requiring code changes.

WorkOS Vault provides encryption key management and object-level encryption capabilities. Developers can encrypt sensitive data (PII, API keys, etc.) using WorkOS-managed keys, with optional encrypted storage in WorkOS's vault. Keys are rotated automatically, and decryption is audited. Eliminates the need to manage encryption keys separately or implement custom encryption logic.

Allows storing and querying custom attributes on users and organizations (e.g., department, cost center, custom roles). Metadata is stored in WorkOS and accessible via API, enabling applications to build custom business logic on top of identity data without maintaining separate user/org databases. Supports nested objects and arrays for complex data structures.

Supports separate WorkOS environments for development, staging, and production, each with independent API keys, configurations, and data. Allows testing authentication flows and identity changes in non-production environments before deploying to production. Environment-specific settings (allowed redirect URIs, SSO providers, etc.) are isolated.

Emits webhook events for all identity-related changes (user created, updated, deleted; organization created; SSO provider configured; etc.). Your application registers webhook endpoints, and WorkOS delivers events in real-time as they occur. Supports event filtering and retry logic for failed deliveries. Enables reactive architectures where downstream systems stay synchronized with identity changes.