Air-gapping and authentication: How WorkOS supports secure & isolated environments
A guide to understanding air-gapped environments, why enterprises rely on them, and how WorkOS can deliver modern authentication even in the most isolated deployments.
In many high-security, regulated, or enterprise settings, network connectivity is a risk vector. Sometimes systems must be physically or logically isolated (disconnected from the public Internet or heavily firewalled) to meet compliance, security, or operational requirements. This type of setup is commonly known as an air-gapped environment.
In this article, you’ll learn:
- What air-gapped environments are, and why organizations use them.
- The particular challenges authentication systems face when operating in air-gapped, on-prem, or hybrid deployments.
- How WorkOS can be used (or adapted) in these scenarios.
- Recommendations and best practices for deploying WorkOS in air-gapped, heavily firewalled, or on-prem settings.
What is air-gapping?
Air-gapping means isolating an environment from external networks (especially the public Internet). That isolation can be physical, with no network connections to the outside world, or logical, using strict firewall rules, private networks, and other controls. You can also have a combination of these two approaches for a more effective defense against threats.
There are a few reasons you might choose to air-gap your software system.
Regulatory and compliance requirements often drive the decision. Industries like defense, healthcare, and finance operate under frameworks that leave little room for interpretation.
- A government agency handling classified intelligence might be required to physically separate its systems from the Internet to comply with national security mandates.
- A bank managing trading platforms or customer financial data may need to ensure isolation to meet standards like PCI DSS.
- Hospitals, insurers, and healthcare providers often isolate environments that process protected health information (PHI) to maintain HIPAA compliance.
Around the world, similar regulations enforce the same principle: when sensitive data is at stake, connectivity must be carefully restricted, or eliminated altogether.
Another common motivator is the protection of high-value assets. Research labs, pharmaceutical companies, and technology firms often rely on intellectual property and proprietary algorithms that represent years of work and billions of dollars in investment. In these cases, even if strict regulations do not demand isolation, the business case for air-gapping is compelling. Preventing corporate espionage, data theft, and the reputational damage of a breach is often reason enough to justify the added complexity of operating in an isolated environment.
Finally, some organizations end up with air-gapped systems not because of regulation or security concerns, but because of circumstance. Remote operations, such as cruise ships, oil rigs, or mining stations, often lack reliable Internet connectivity altogether. While satellite networks might be available, they can be too costly or slow to support continuous connectivity. In these cases, the environment itself enforces isolation, and systems must be designed to function with minimal or no external access.
Authentication challenges in air-gapped / on-prem environments
Air-gapping isn’t just about isolating servers; it changes the way software is expected to behave. Most parts of an application can run quietly in the background without ever reaching beyond the local network. Authentication is different.
Unlike many other parts of a software stack, authentication almost always assumes some external communication. Redirect flows, SAML/OIDC handshakes, JWT validation, webhook events, and token exchange are all network-based. If your system is cut off from the Internet, or behind strict firewalls, those flows either break or require careful re-engineering.
Suddenly, the very service that ensures security and trust becomes harder to deliver inside the most security-sensitive environments. That tension—between the need for airtight isolation and the need for a reliable identity layer—is what makes authentication one of the hardest pieces to get right in air-gapped deployments. And it’s exactly the gap WorkOS can help bridge.
WorkOS and air-gapped authentication
WorkOS is designed to support both cloud and on-prem deployments. For customers requiring isolation or operating environments without external network connectivity, there are concrete ways to adapt WorkOS integrations.
One way it does this is through environment isolation. Instead of a single API key serving every deployment, each customer can have their own dedicated environment in the WorkOS dashboard, complete with unique credentials. This prevents cross-tenant overlap and gives administrators confidence that their systems remain walled off, even if they’re running the same software stack as dozens of other organizations.
Network restrictions are another place where WorkOS fits neatly. For customers who can allow limited connectivity, traffic between the on-prem system and WorkOS can be tightly controlled. Firewalls can be configured to accept only HTTPS traffic on port 443, limited to Cloudflare’s published IP ranges, ensuring authentication requests remain both secure and predictable. Where outbound connections are necessary—for example, to deliver webhooks or stream events—those paths are equally narrow, auditable, and designed to comply with least-privilege principles.
And for organizations that are truly air-gapped, WorkOS acknowledges the reality: in environments with no external network connectivity, its APIs can’t operate directly. Instead, teams can take a dual approach—using WorkOS for cloud-based and connected deployments, while offering a specialized package for air-gapped systems that integrates with the customer’s internal identity provider. This way, enterprises get consistency across their deployments without compromising the security posture of their most sensitive environments.
In short, WorkOS doesn’t force customers to choose between modern authentication and air-gapped security. It offers a path to both, aligning identity needs with the realities of strict isolation.
For more details, see Using WorkOS with On-prem Customers.
Best practices when deploying WorkOS in restricted/isolated environments
Here are some practical recommendations to make deployments smoother, safer, and more maintainable.
- Minimum network exposure: Start with deny-all policies; only open the specific ports and protocols required (usually HTTPS/TLS over port 443).
- Static per-customer credentials & environment separation: As mentioned above, use separate WorkOS environments (API key + client ID) per customer deployment to avoid cross-tenant access or data leakage.
- Allowlisting IPs and DNS configuration: Ensure the proper external endpoints and IP ranges used by WorkOS (including Cloudflare) are allowlisted in customer firewalls; ensure that redirect URIs and callback endpoints resolve correctly inside the network.
- Event/Webhook handling: If webhook delivery from WorkOS external endpoints is blocked, consider an internal proxy or relay, or use a polling/event-pull model instead. Buffer events locally if necessary.
- Monitoring, logging & auditing: Maintain logs of all cross-boundary traffic, audit configurations regularly, and monitor for failed callbacks, failed authentications, and undelivered webhooks.
- Update & patch strategy: In air-gapped or semi-isolated environments, plan for off-network update mechanisms. Use secure transfer, checksums, versioning, and rollback plans.
- Least privilege: Apply it both at the network layer (ACLs, firewalls) and in software (scoping of API keys, roles, permissions).
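A durable local buffer for the polling/relay pattern recommended in the event-handling bullet, added here as an illustration (this is not WorkOS's own code or SDK): the relay makes a single outbound pull, stores the page and its cursor in one transaction, and replays buffered events to an internal consumer, surviving consumer outages and repeated polls. The feed shape (a unique `id` per event, the last id used as the `after` cursor) and `fetch_page` are assumed stand-ins for the real outbound call.

```python
import json
import sqlite3
# Constructed sample feed (assumed shape: unique "id" per event; the last id on a page is the next "after" cursor).
SAMPLE_EVENTS = [
    {"id": "event_01", "event": "dsync.user.created", "data": {"user": "alice"}},
    {"id": "event_02", "event": "dsync.user.updated", "data": {"user": "alice"}},
    {"id": "event_03", "event": "dsync.user.deleted", "data": {"user": "bob"}},
]

def fetch_page(after, limit=2):
    """Stand-in for the relay's single outbound call: events after the cursor, plus the next cursor."""
    ids = [e["id"] for e in SAMPLE_EVENTS]
    start = ids.index(after) + 1 if after else 0
    page = SAMPLE_EVENTS[start:start + limit]
    return page, (page[-1]["id"] if page else after)

class EventBuffer:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS events (id TEXT PRIMARY KEY, body TEXT NOT NULL, delivered INTEGER NOT NULL DEFAULT 0)")
        self.db.execute("CREATE TABLE IF NOT EXISTS cursor (k TEXT PRIMARY KEY, v TEXT)")

    def cursor(self):
        row = self.db.execute("SELECT v FROM cursor WHERE k = 'after'").fetchone()
        return row[0] if row else None

    def poll_once(self, fetch=fetch_page):
        """Store one page and advance the cursor in the same transaction, so a crash can neither lose nor skip events."""
        page, nxt = fetch(self.cursor())
        with self.db:
            for ev in page:  # OR IGNORE: re-polling an already stored page is harmless
                self.db.execute("INSERT OR IGNORE INTO events (id, body) VALUES (?, ?)", (ev["id"], json.dumps(ev)))
            self.db.execute("INSERT OR REPLACE INTO cursor (k, v) VALUES ('after', ?)", (nxt,))
        return len(page)

    def drain(self, deliver):
        """Hand buffered events to the internal consumer; stop at the first failure so ordering is preserved."""
        done = 0
        for eid, body in self.db.execute("SELECT id, body FROM events WHERE delivered = 0 ORDER BY rowid").fetchall():
            try:
                deliver(json.loads(body))
            except Exception:
                break  # consumer unavailable: keep the event buffered and retry on the next drain
            with self.db:
                self.db.execute("UPDATE events SET delivered = 1 WHERE id = ?", (eid,))
            done += 1
        return done
    def pending(self):
        return self.db.execute("SELECT COUNT(*) FROM events WHERE delivered = 0").fetchone()[0]
```

Pointing `path` at a file on the relay host makes the cursor and the undelivered backlog survive restarts, which is what "buffer events locally" requires in practice.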
For more best practices for on-prem systems, see On-premises and hybrid authentication: Challenges and best practices.
Conclusion
Air-gapped, on-prem, and hybrid deployments are becoming increasingly common in enterprise settings, especially for customers with strong security, compliance, or data isolation needs. While external connectivity restrictions complicate authentication flows, with thoughtful architecture, proper credentials and network isolation, and a dual-implementation mindset, WorkOS can be integrated into these environments effectively.
With WorkOS, you don’t have to choose between modern authentication and air-gapped security. WorkOS supports authentication in air-gapped, on-prem, and hybrid deployments, making it the simplest way to deliver enterprise-ready authentication no matter how isolated your customer environments are.
If you’re considering deploying WorkOS in an air-gapped or otherwise restricted environment and want hands-on support or architectural review, our support / professional services team is happy to help.