API Gateway: Managed auth and security for your API
A managed gateway that handles API key verification, token decoding, and authorization so your backend does not have to.
Most apps built on WorkOS already handle two kinds of traffic: users authenticated with AuthKit, and services or agents calling in with API keys. These are two different integration patterns, two different validation flows, and two different places where things can go wrong.
The WorkOS API Gateway consolidates that into a single layer your backend already knows how to work with: a JWT.
What we are shipping
The first release of the API Gateway focuses on API key integration. Today, when a request comes in with an API key, your backend has to call out to WorkOS to validate it, then parse the response to extract the caller's identity and permissions. That is an extra network hop on every request, and a separate integration pattern to maintain alongside your AuthKit setup.
The gateway removes that hop. When a request arrives with a WorkOS API key, the gateway verifies it inline and exchanges it for a JWT containing the user ID, org ID, and permissions associated with that key. Your backend decodes a JWT and reads the claims, the same as it does for AuthKit sessions. No outbound call to WorkOS, no separate validation logic.
The latency improvement is immediate and automatic. The integration simplification is the longer-term win: one pattern for both authentication methods, handled at the edge before the request reaches your service.
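As an added illustration of the backend side of this flow (example code written for this page, not WorkOS's gateway or SDK), the block below simulates the gateway minting a JWT from a verified API key and then shows the checks a backend should run before trusting the claims: signature, algorithm, issuer, audience and expiry, followed by a permission check on a route. The page does not specify the gateway's signing scheme, key distribution or claim names, so the HS256 shared secret, issuer, audience and claim names (`sub`, `org_id`, `permissions`) are assumed placeholders.

```python
import base64, hashlib, hmac, json, time

# Assumed placeholders: the real gateway's signing key, issuer, audience and
# claim names are not given on the page. Constructed for this example only.
SECRET = b"demo-gateway-signing-key"
ISSUER = "https://gateway.example"
AUDIENCE = "my-backend"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_gateway_jwt(user_id, org_id, permissions, ttl=300, now=None):
    """Simulate the gateway: exchange an already-verified API key for a short-lived JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user_id, "org_id": org_id,
              "permissions": permissions, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_gateway_jwt(token, now=None):
    """Backend side: decoding alone is not enough; verify before reading any claim.
    Returns the claims dict on success, None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # reject "none" and algorithm confusion
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None                            # forged or tampered token
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                            # token minted for someone else
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                            # expired or missing expiry
    return claims

def authorize(claims, required_permission):
    """Route-level check against the gateway-issued permissions claim."""
    return claims is not None and required_permission in claims.get("permissions", [])
```

A production gateway would typically sign with an asymmetric key and publish the public key for verification rather than sharing a secret; the issuer, audience, expiry and permission checks are the same either way.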
Where this is going
API key verification is the beginning. The capabilities we are building toward are what make the gateway a meaningful piece of infrastructure for any team running an API.
- Rate limiting. Per-key and per-customer rate limits are enforced at the gateway, before requests reach your backend. No library to integrate, no state to manage.
- API spec ingestion and permission enforcement. Bring your OpenAPI spec and the gateway maps your endpoints to WorkOS permissions. Authorization checks happen in the gateway rather than scattered across your service layer. Combined with FGA, this extends to fine-grained, resource-level policies enforced at the edge.
- Agent-ready infrastructure. Agents make a lot of API calls, often concurrently, from multiple sessions or identities. The gateway is where you enforce who can call what, how often, and with what permissions before any of that traffic hits your backend. As agentic usage of APIs grows, having that control surface in one place matters more, not less.
The goal is to make your API first-class, whether the caller is a user, a service, or an agent, without requiring you to rebuild that infrastructure yourself.
Get access now
The API Gateway is available in early access. If you are interested, get in touch and we will get you set up.