Everything you need to know to secure your MCP server using OAuth 2.1 and PKCE, server and auth metadata, client registration, JWT validation, and role-based access control.
By creating a central catalog of available servers, the MCP Registry has solved the discovery problem—but that's only half the equation. The real challenge lies in authentication.
42% of companies abandoned most AI initiatives in 2025, up from just 17% in 2024. After analyzing dozens of enterprise deployments, we found 4 patterns that separate winners from the graveyard of abandoned prototypes.
In January 2025, the IETF published RFC 9700: Best Current Practice for OAuth 2.0 Security. We read it and summarized the best practices you should follow to keep your OAuth implementation safe.
Choosing between FGA and ABAC can be tricky, but it doesn’t have to be. In this article, we break down both models to help you decide which one works best for your needs.
Want to keep your JWTs safe from attackers? This guide covers the best practices for securely storing your tokens and ensuring your app's security.
Today, I want to share the emotional side of hitting PMF at WorkOS, plus some advice I’ve learned the hard way from growing the company to where it is today.
Learn how to enhance your API's security with granular permissions using OAuth scopes, allowing you to control access precisely and protect user data effectively. This guide covers the basics of OAuth scopes, implementing fine-grained permissions, and best practices for secure API management.
The “aud” claim tells the system which recipient the token is meant for.
Your auth system can issue a JWT with user details, enabling API routes to decode and use claims without extra queries.
Multiple customers, one software instance—sounds tricky, right? Find out how multi-tenancy ensures secure, separate access for everyone and why it matters.
OAuth 2.0 set the standard for delegated authorization, but OpenID Connect (OIDC) complements this protocol by adding user authentication.
API authentication ensures that only authorized requests access protected resources. It’s a mechanism for verifying credentials against predetermined rules to reject unauthorized traffic.
LLMs excel at automating code and content tasks, but their accuracy depends on the context you provide—especially as your codebase evolves. Learn key tools and techniques to keep your AI assistants up to date.
Operator models can use the computer the way humans do. This unlocks new capabilities like shopping, researching and performing tasks on our behalf, but raises important security and compliance concerns.
Identity and access management have many terms, and it’s not always clear what they mean. Many people are confused about the differences between identity federation and identity delegation. Read this article to understand each one once and for all.
Honeypots are traps you can set up on your website to catch bots. Read how you can implement one and what best practices to follow.
This article examines five leading feature toggle providers in 2025—LaunchDarkly, Optimizely, Unleash, Bucket, Split.io, and Eppo—each offering unique benefits for different technical and organizational requirements.
WorkOS builds developer tools for quickly adding enterprise features to applications.