Blog

How WorkOS Radar really works

How does WorkOS Radar really work? How do you install and set it up and what does it reveal?


What happens in the milliseconds after someone attempts to log into your application? For most systems, it's a simple check of username and password.

But what if that login attempt comes from a bot farm in a distant country? What if it's the 500th attempt in the last hour? What if it's a valid credential being tested across thousands of accounts?

These are the threats that modern applications face, and they're why WorkOS built Radar. This real-time protection system makes split-second decisions about every authentication attempt that hits your application.

While the technical documentation covers implementation details and the launch blog introduces features, this article takes you behind the scenes to understand what it's actually like to use Radar day-to-day - from seeing your first suspicious login attempt to fine-tuning your security rules based on real-world patterns.

Installation and setup

Radar builds on top of AuthKit, WorkOS's authentication SDK. While Radar isn't enabled by default for all AuthKit instances, it can be activated by contacting the WorkOS team. Once enabled, Radar immediately begins collecting signals about user behavior during authentication attempts.

Real-time monitoring and analysis

Radar's dashboard provides a comprehensive view of your application's authentication activity:

  • A real-time chart showing counts of suspicious events and automated actions
  • Time-range toggles for 24 hours, 7 days, and 30 days of historical data
  • Detailed cards showing detection activity by different identifiers (devices, locations, users)
  • A complete event list that can be filtered by detection type, action taken, or specific users

Each event captures rich metadata, including:

  • Device fingerprints
  • Location data
  • User-agent information
  • IP addresses
  • Authentication attempt timing

What can WorkOS Radar detect?

1. Bots...of all kinds

Radar's bot detection goes beyond simple pattern matching. It can differentiate between:

  • AI agents
  • Search engine crawlers
  • Automation scripts
  • Testing tools

This granular detection allows you to block or allow different types of automated access selectively.

2. Brute force and credential stuffing attacks

Radar uses device fingerprinting to isolate attack traffic from legitimate users, ensuring your application stays available even during an attack. The system tracks:

  • Authentication frequency per client
  • Pattern matching across multiple accounts
  • Password variation patterns
  • Geographic distribution of attempts

3.“ Impossible travel”

The system tracks login locations and calculates whether sequential authentication attempts could be physically possible, flagging suspiciously rapid changes in location.

4. Stale account compromise

For enhanced security, Radar monitors dormant accounts (no successful logins in 30+ days) and can notify administrators when they become active - a common indicator of account takeover.

5. Unrecognized devices

Using sophisticated device fingerprinting, Radar maintains a history of known devices per user and can trigger additional verification for new devices.

6. Custom restrictions

Organizations can implement specific allow/deny rules based on:

  • IP ranges
  • User agents
  • Device types
  • Individual users

Installing Radar through AuthKit

Before Radar can protect your application, you must install AuthKit - WorkOS's authentication SDK. AuthKit enables Radar to monitor every authentication attempt in real time.

Here's how to set it up with Next.js (a similar process for other frameworks):

First, install the AuthKit SDK:

npm install @workos-inc/authkit-nextjs

Configure your environment variables:

WORKOS_API_KEY='your_api_key'
WORKOS_CLIENT_ID='your_client_id'
WORKOS_COOKIE_PASSWORD="your_secure_password"
NEXT_PUBLIC_WORKOS_REDIRECT_URI="http://localhost:3000/callback"

Add the AuthKit provider to your app layout:

import { AuthKitProvider } from '@workos-inc/authkit-nextjs';

export default function RootLayout({ children }) {
  return (
    <html lang="en">
      <body>
        <AuthKitProvider>{children}</AuthKitProvider>
      </body>
    </html>
  );
}

Once AuthKit is installed, Radar begins delivering events and data to the Radar panel in the WorkOS dashboard.

How Radar makes decisions

What sets Radar apart is its sophisticated decision-making process. Rather than using simple yes/no rules, Radar evaluates each authentication attempt through a multi-stage pipeline. Here's how an authentication attempt flows through the system:

Real-world protection

Let's say an attacker starts testing stolen credentials against your application. Within seconds, Radar will:

  • Detect the high-frequency login attempts
  • Identify patterns indicating automated tools
  • Notice if the attempts are coming from unusual locations
  • Calculate a risk score based on all these factors
  • Take appropriate action based on your security settings

Try WorkOS Radar today

WorkOS Radar represents a new approach to authentication security that combines sophisticated threat detection with practical, real-world usability.

As it evolves and integrates with features like Actions, it will continue to expand its capabilities while maintaining its streamlined implementation.

In this article

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.