Blog

Mar 21, 2025

New widgets available for user profiles and organization switching

We just released four new widgets to make your life easier: user profile, user sessions, user security, and organization switcher. They are now available for free to all AuthKit customers.

Lucas Motta

Product

Mar 20, 2025

New enterprise login integrations in AuthKit

With AuthKit enterprise logins are now easier than ever. We are announcing the addition of key B2B login providers, like LinkedIn, Slack, Xero, and more, giving your users seamless access to your platform with the credentials they already use.

Custom Metadata, External ID, and JWT Templates

Expand your WorkOS integration by customizing attributes on users, orgs, and session tokens.

Introducing RFC 9728: Say hello to standardized OAuth 2.0 resource metadata

OAuth 2.0 just got a major upgrade in how resources describe themselves — find out what RFC 9728 introduces and why it matters.

Diagnosing SAML assertion failures: A step-by-step debugging guide

From expired assertions to signature fails — a survival guide for anyone who's ever screamed at a SAML error message.

On-premises and hybrid authentication: Challenges and best practices

How to avoid common pitfalls and build resilient auth systems in on-prem and hybrid setups.

The hidden pitfalls of SAML metadata: How to avoid downtime

Misconfigured SAML metadata is one of the most overlooked causes of SSO failures. Learn how to spot hidden risks—and fix them before they break your login flow.

Mastra.ai Quickstart - How to build a TypeScript agent in 5 minutes or less

Mastra is a batteries‑included TypeScript framework for agentic apps. In this post, we'll use it to build an agentic app that can fetch data from GitHub in less than 5 minutes.

oRPC: OpenAPI Remote Procedure Call for Type-Safe APIs

oRPC (OpenAPI Remote Procedure Call) combines the familiarity of RPC with the industry-standard OpenAPI spec so that every request/response is fully typed from client to server.

Best practices for MCP secrets management

Every outbound call from your MCP server carries credentials—API keys, database passwords, OAuth tokens, you name it. If those secrets leak, the blast radius extends far beyond your LLM demo. Learn to secure your MCP secrets.

DBConnection pooling deep dive

A deep dive on how pooled connections work in the Elixir DBConnection library.

In-Memory Distributed State with Delta CRDTs

How to utilize delta conflict-free replicated data types for managing distributed cache or configuration state on an Elixir cluster.

Why your app needs refresh tokens—and how they work

Session management is hard. Refresh tokens make it easier—and safer. This guide breaks down how they work, why you need them, and how to avoid common mistakes (with code included).

IBM’s Agent Communication Protocol (ACP): A technical overview for software engineers

IBM Research’s Agent Communication Protocol (ACP) provides autonomous agents with a common “wire format” for talking to each other. But how does it differ from MCP and A2A?

SAML's signature problem: It’s not you, it’s XML

A deep dive into the messy world of SAML signature verification bugs — complete with real examples, cautionary tales, and practical tips to keep your app out of trouble.

Agent to agent, not tool to tool: an engineer’s guide to Google’s A2A protocol

Think of MCP as “plug this model into my data” and A2A as “now let several specialised models talk to each other.”

From 1.0.0 to 2025.4: Making sense of software versioning

Confused by versioning? This guide breaks down the top strategies to help you pick the right one, keeping your project organized and your users in the loop.

MCP, ACP, A2A, Oh my!

Let’s explore the MCP, ACP and A2A protocols, understand what they do, and highlight how they differ and complement one another.

Zack Proser

Apr 16, 2025

We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles

About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more