November Updates

Client ID Metadata Support for MCP Auth

‍WorkOS Connect now supports Client ID Metadata Document (CIMD) for use with MCP.

MCP clients need a way to identify themselves to authorization servers without pre-registration, and CIMD provides a secure way to do that. When clients redirect to the WorkOS Connect authorize endpoint, they provide a HTTPS URL as a client_id. WorkOS Connect reads the metadata served at that endpoint to identify the client and display a relevant consent screen to the end user.

MCP clients previously used dynamic client registration (DCR) to identify themselves to WorkOS Connect, and Connect will continue to support DCR for clients that have not yet implemented CIMD.

‍Learn more about CIMD support in MCP Auth →‍

‍SSO Sign-in Consent Screen

An additional layer of protection has been added to Single Sign-On to defend against CSRF and phishing attacks. When enabled, end users may be prompted to confirm that the profile information provided by their identity provider is correct before being redirected to the application.

‍See how to enable the consent screen →‍

‍AuthKit SDK for TanStack Start

A first-class AuthKit SDK for TanStack Start is now available, making it easy to add secure, server-first authentication to Start apps. The SDK includes middleware, server utilities, optional client hooks, and helpers for protected routes and redirects.Highlights include:

• Middleware that validates and refreshes sessions on every request
• Server helpers such as getAuth(), getSignInUrl(), getSignUpUrl(), signOut(), and switchToOrganization()
• Optional client hooks: useAuth(), useAccessToken(), and useTokenClaims()
• Fully typed with seamless inference in loaders and components

An example app is also available to help you see the full integration in practice.

‍Dive in to the AuthKit + TanStack Start SDK →‍

Clever SSO Support

WorkOS now supports the Clever identity platform for SSO connections. This integration uses OIDC and includes dedicated Admin Portal setup instructions to simplify configuration.

‍Learn more about Clever SSO support →‍

‍More featured content‍

• MCP Night is back on December 10 in SF with a holiday twist!
• WorkOS is working with Microsoft product teams to shape the development of Microsoft Entra Agent ID.
• The latest Developer’s Guide to SAML authentication, updated with detailed guidance on assertions, signing, encryption, certificates, metadata, and debugging.