Blog

User Management APIs (free up to 1 million MAUs), Domain Verification API, Dashboard SAML for all teams, and the Enterprise Readiness Guide for Product Managers

AuthKit is a Radix-powered open source authentication UI built for effortless customizations. User Management is the backend platform handling email verification, account linking, bot blocking, organization modeling, and more.

Domain verification is an important measure for establishing security and trust between providers and organizations. This blog examines best practices to consider when building in-house as well as a simple alternative that WorkOS provides.

This guide is for SaaS product managers that want to better understand the essential features enterprises expect, ideal timing for going upmarket, build vs. buy considerations, and pricing & packaging implications.

Events page for advanced workflow debugging, Automatic volume discounts, Custom domains for Admin Portal invites, Secure user state management flow

SFTP integrations and native APIs are two methods that exist when SCIM is not available. Both have pros and cons, but ultimately, for developers prioritizing simplicity and cost-effectiveness, SFTP is the recommended route, and for those prioritizing flexibility and scalability, native APIs are recommended.

Adding SSO to your app is a common requirement for selling to enterprise customers. Here’s a guide that will help you understand SSO and choose the best way to add it to your app.

Passport.js is an authentication middleware for Node.js. While suitable for addressing initial authentication needs, scaling with enterprise features like SSO and SCIM becomes unsustainably complex. This guide details 8 steps to transition from Passport.js to WorkOS.

While OAuth offers a powerful framework for secure authorization across various services, it is not infallible from vulnerabilities. Login CSRF attacks are one instance of vulnerabilities that may arise when using OAuth, and the nonce technique functions as an effective tool to defend against potential breaches.

New updates: 99.99% uptime guarantee, Events API, Audit Logs retention period API, and Directory Sync group membership consolidation.

SCIM protocol implementation variability creates challenges for developers building applications for enterprises. WorkOS has standardized the process of managing group memberships, reducing the potential for inconsistencies and errors, and enhancing security.

Some of the notable August releases were the Admin Portal email invite, SCIM setup validation flow, and support for Google Cloud Storage as a Log Streams destination. As we continue to innovate and improve our platform, we'll share a recap of important updates at the end of every month.

Configuring SAML-based SSO authentication is prone to a number of different types of errors, resulting in confusion for IT admins configuring your application or authentication issues for your end users. In this post, we will take a deep dive into the five most common SAML errors.

Even if you understand the significance of adding SSO to your application, you may still feel overwhelmed by the different authentication-related acronyms and protocols. Nevertheless, after reading this post, we hope that you will have a better understanding of the distinctions between SAML, OIDC, and OAuth and feel more confident in implementing SSO in your application.

Log Streams, Admin Portal Custom Branding, Auto-mapped Directory Sync Custom Attributes, and more! Learn about all of the latest features and product updates we've added to the WorkOS platform in Q4.

Developers act, think, and behave differently than your average customer. So selling, marketing, and supporting them should be different too.

Audit Logs API, new webhooks experience, new SAML providers, and more! Learn about all of the latest features and product updates we've added to the WorkOS platform from April to June 2022.

We are delighted to announce that WorkOS has raised $80m in Series B financing, led by Greenoaks with participation from previous investors Lachy Groom, Lightspeed Ventures, and Abstract Ventures.

I’m delighted to announce that WorkOS is a fully carbon neutral company. We have offset the company’s full carbon footprint since its founding and plan to stay carbon neutral as we scale up.‍

Learn how to get started with the WorkOS Multi-Factor Authentication (MFA) API to add Time-based one-time passwords (TOTP) and SMS verification to secure your application.

New MFA API, better customer onboarding, new SAML providers and more! Learn about all of the latest features and product updates we've added to the WorkOS platform from January to March 2022.

Learn how to leverage the WorkOS Admin Portal to quickly onboard enterprise customers. The Admin Portal is an interactive setup experience for SSO and directory sync.

We built one of our most requested features, custom attribute mapping. Map and rename attributes without custom code to easily bring in additional information from HR directories.

Learn how SSO and the traditional email & password login features can coexist in the same application, and discover 4 common design patterns for making it happen.

Explore some of the considerations to be made when deciding whether to build an SSO or Directory Sync solution on your own, or to pay for an existing authentication service.

In this step-by-step tutorial, learn how to configure and validate your WorkOS webhooks from your development machine by using ngrok's secure, public URLs.

Learn the key differences between SP-initiated SSO and IdP-initiated authentication.

Jim Barksdale once said, “There [are] only two ways to make money in business: One is to bundle; the other is unbundle.” Here's when you should bundle your product for enterprise sales.

In this blog post you'll learn how the Engineering team at WorkOS communicates asynchronously using Threads

Changelogs are important communication tools, and should be made for people to enjoy reading. Here are five decisions we made to make the best changelog we possibly could.

Designing a dark mode version of your app comes with its own challenges. In this post, we will share some of the lessons we learned during the implementation of dark mode at WorkOS.

In this guide, we'll explore 15 ways to keep your teammates and customers secure at your growing startup from threats such as data breaches, phishing, cryptojacking, ransomware, and DDoS attack.

The size of your startup, no matter how small, won’t keep it safe. In this post, we cover five common threats facing your startup and explain how they work.

GDPR and CCPA are data privacy protection laws in the EU and California, respectively, that regulate how firms handle and share consumers’ personal information.

One time passwords (OTPs), such as those created by authenticator apps and Yubikeys, are a common way to add additional security to application authentication.

Nullable references are a familiar sight in many programming languages. Today we'll be exploring how to stack optionals in TypeScript and where null and undefined fall short.

Architecting SSO from a Systems Design perspective: what code and data lives where, who controls what, and what this ultimately means for your business as you grow your app

I’m delighted to announce our Series A financing! In this post I’ll share more details about the problem WorkOS is solving, why we are solving it, and what the future holds if we are successful in our mission.

Developers are tired of being tied to the technology stack their CMS vendor requires. Is a headless CMS the solution? Learn more in our Developer's Guide to Headless CMSs.

Creating great developer documentation is harder than it looks. Learn from Stripe, Twilio, GitHub, and more to learn how you can create docs like the greats. Acquire more users, retain more users

Zendesk crossed the chasm between the SMB market and the enterprise market, all while expanding its product line and developing the features that made enterprises want to adopt its products.

Identity is an important problem, but solving it is outside your core skill set. Lucky for you, and with apologies to Steve Jobs, there’s a SaaS - and a guide! - for that.

RBAC and ABAC are the two most common access control models for system authorization. Understanding the differences between the two is key for choosing between RBAC vs. ABAC for your system.

User provisioning and user deprovisioning is how you can enable system access to new employees and restrict access to departing employees. Learn how this can make you more efficient and secure.

If you build it, they won't come. As a founder, it's your job to make the sales that fuel your company's growth––and that includes enterprise sales. Read this guide so you can land the big deals.

Twilio built a business model that started with individual developers and expanded into massive enterprise sales. Learn how they did it––and how you can too.

Compliance stands between your company and growth. If you want to sign enterprise deals, learn the differences between SOC 1, SOC 2, and SOC 3––and how best you can comply.

What does federated mean? Federation refers to group of entities that are independent yet united under a central organization. Learn how that meaning applies to search, identity, and databases.

So, you're writing your first service level agreement? Learn from the best: examples from Slack, Amazon, and Google show how you can write your SLA for comprehension and effectiveness.

A guide to magic links: the how they work and why you should use them. We’ll take a deep dive into how magic links work from a technical, security, and UX perspective.

GDRP affects companies the world over and as a developer, it's your job to ensure compliance. Read our guide to the basics to understand what GDPR entails.

Last month, we held our WorkOS Fall Release! We debuted new features, gave product updates, launched our new docs site, and hosted a fireside chat with the CTO of Webflow.

The WorkOS style guide for technical content. Our descriptive guide to writing blogs, tutorials, and technical documentation for developers by a developer.

In this article, we’ll cover a baseline of authentication protocols: PAP, CHAP, and EAP. We’ll cover what the protocol is, give a detailed example, and talk through some of the weaknesses.

This post will walk through the basics of how to send out webhooks from your app, manage authentication, handle security, and provide a smooth developer experience to your customers.

Last month, we held our first public event: the WorkOS Summer Release! Putting together a fully remote event as a fully remote team involved a lot of prep work.

If you’ve been put in charge of writing a security policy document, you might feel a tad overwhelmed. This guide will help, with examples from companies like Slack and Stripe.

The history of digital authentication spans just 60 years, but things have progressed (really) quickly. This guide walks through the basics and where things might be going.

For intrepid developers planning on homebrewing enterprise SAML SSO, here's a guide covering common SAML security vulnerabilities, footguns, and countermeasures.

How Dropbox built enterprise ready features like admin controls and integrations that let them close bigger, more impactful deals, move upmarket, and stay competitive.

This post explores UI/UX best practices for Identity Provider (IdP) and Service Provider (SP) initiated SSO flows, like subdomaining tenants and separating email and password screens.

Our guide will walk you through the audit log basics that every developer should know: why audit logs are important, event formats, SIEM tools, retention best practices, and more.

Our guide will walk you through everything Directory Sync: what it is, why you should care, protocols like SCIM, Directory Sync vs JIT, and how to build it into your product.

Incorporating enterprise features unlocked big deals for Slack. This post looks at how features like SAML SSO, EKM, and audit logs help Slack close those enterprise deals.

The Enterprise Chasm separates early-adopter users from larger enterprise customers in B2B SaaS apps. This post shares why and how you should cross this chasm with Enterprise Ready features.