How WorkOS Radar really works
How does WorkOS Radar really work? How do you install and set it up and what does it reveal?
What happens in the milliseconds after someone attempts to log into your application? For most systems, it's a simple check of username and password.
But what if that login attempt comes from a bot farm in a distant country? What if it's the 500th attempt in the last hour? What if it's a valid credential being tested across thousands of accounts?
These are the threats that modern applications face, and they're why WorkOS built Radar. This real-time protection system makes split-second decisions about every authentication attempt that hits your application.
While the technical documentation covers implementation details and the launch blog introduces features, this article takes you behind the scenes to understand what it's actually like to use Radar day-to-day - from seeing your first suspicious login attempt to fine-tuning your security rules based on real-world patterns.
Installation and setup
Radar builds on top of AuthKit, WorkOS's authentication SDK. While Radar isn't enabled by default for all AuthKit instances, it can be activated by contacting the WorkOS team. Once enabled, Radar immediately begins collecting signals about user behavior during authentication attempts.
Real-time monitoring and analysis
Radar's dashboard provides a comprehensive view of your application's authentication activity:
- A real-time chart showing counts of suspicious events and automated actions
- Time-range toggles for 24 hours, 7 days, and 30 days of historical data
- Detailed cards showing detection activity by different identifiers (devices, locations, users)
- A complete event list that can be filtered by detection type, action taken, or specific users
Each event captures rich metadata, including:
- Device fingerprints
- Location data
- User-agent information
- IP addresses
- Authentication attempt timing
What can WorkOS Radar detect?
1. Bots...of all kinds
Radar's bot detection goes beyond simple pattern matching. It can differentiate between:
- AI agents
- Search engine crawlers
- Automation scripts
- Testing tools
This granular detection allows you to block or allow different types of automated access selectively.
2. Brute force and credential stuffing attacks
Radar uses device fingerprinting to isolate attack traffic from legitimate users, ensuring your application stays available even during an attack. The system tracks:
- Authentication frequency per client
- Pattern matching across multiple accounts
- Password variation patterns
- Geographic distribution of attempts
3.“ Impossible travel”
The system tracks login locations and calculates whether sequential authentication attempts could be physically possible, flagging suspiciously rapid changes in location.
4. Stale account compromise
For enhanced security, Radar monitors dormant accounts (no successful logins in 30+ days) and can notify administrators when they become active - a common indicator of account takeover.
5. Unrecognized devices
Using sophisticated device fingerprinting, Radar maintains a history of known devices per user and can trigger additional verification for new devices.
6. Custom restrictions
Organizations can implement specific allow/deny rules based on:
- IP ranges
- User agents
- Device types
- Individual users
Installing Radar through AuthKit
Before Radar can protect your application, you must install AuthKit - WorkOS's authentication SDK. AuthKit enables Radar to monitor every authentication attempt in real time.
Here's how to set it up with Next.js (a similar process for other frameworks):
First, install the AuthKit SDK:
npm install @workos-inc/authkit-nextjs
Configure your environment variables:
WORKOS_API_KEY='your_api_key'
WORKOS_CLIENT_ID='your_client_id'
WORKOS_COOKIE_PASSWORD="your_secure_password"
NEXT_PUBLIC_WORKOS_REDIRECT_URI="http://localhost:3000/callback"
Add the AuthKit provider to your app layout:
import { AuthKitProvider } from '@workos-inc/authkit-nextjs';
export default function RootLayout({ children }) {
return (
<html lang="en">
<body>
<AuthKitProvider>{children}</AuthKitProvider>
</body>
</html>
);
}
Once AuthKit is installed, Radar begins delivering events and data to the Radar panel in the WorkOS dashboard.
How Radar makes decisions
What sets Radar apart is its sophisticated decision-making process. Rather than using simple yes/no rules, Radar evaluates each authentication attempt through a multi-stage pipeline. Here's how an authentication attempt flows through the system:
Real-world protection
Let's say an attacker starts testing stolen credentials against your application. Within seconds, Radar will:
- Detect the high-frequency login attempts
- Identify patterns indicating automated tools
- Notice if the attempts are coming from unusual locations
- Calculate a risk score based on all these factors
- Take appropriate action based on your security settings
Try WorkOS Radar today
WorkOS Radar represents a new approach to authentication security that combines sophisticated threat detection with practical, real-world usability.
As it evolves and integrates with features like Actions, it will continue to expand its capabilities while maintaining its streamlined implementation.