May Updates
New this month: MCP Authorization, Update User Emails, SAML Custom Attributes, & More
New this month: MCP Authorization, Update User Emails, SAML Custom Attributes, & More
MCP Authorization with AuthKit
As previewed during MCP Night—a night of live demos, discussions, and community building—AuthKit now supports acting as an OAuth 2.0–compatible authorization server for MCP servers, based on the latest MCP protocol specification. This enables fine-grained authorization for agentic applications. The feature is currently in preview—contact WorkOS Support to request access. In the meantime, check out the documentation.
Support for Changing Email Addresses
It's now possible to update a user’s email address via the Update User API or directly in the Dashboard—helping teams handle common scenarios like email migrations or domain changes more smoothly. When an email is changed:
- The new email becomes unverified.
- OAuth identities that no longer match the updated email are unlinked.
- Email changes are blocked for users managed via SSO or SCIM.
Learn how to update user emails →
SAML Custom Attributes
Custom attributes now support mapping from SAML responses during SSO. This enables fragmented identity provider configurations to be unified under a consistent schema within the WorkOS SSO Profile.
Learn more about SAML attribute mapping →
FGA Policy Helpers
WorkOS FGA now supports two special context variables—check_ctx and warrant_ctx—along with a new get_metadata helper. These additions make it easier to write dynamic, context-aware policies by:
- Accessing details about the current check using
check_ctx. - Referencing matched warrant attributes with
warrant_ctx. - Fetching resource metadata directly within policies using
get_metadata, without needing to pass it manually.
View the FGA documentation for details →
Domain Verification: Improved UX, Setup Notifications, Easier Debugging
The Admin Portal now displays clearer guidance for domain verification during SSO setup. A new UI-level notification informs users when domain verification is required before configuring SAML or OIDC connections. If no verified domains exist, an inline warning appears during setup to prompt verification before continuing. These updates help prevent misconfigurations and reduce support requests.
See how domain verification works →
More featured content
- MCP Night 2025: When the AI infra community overflowed the Exploratorium in San Francisco
- What is free trial abuse — and how can you stop it?
- How MCP servers work: Components, logic, and architecture