Blog

Product

Jun 27, 2025

Authenticate CLI tools seamlessly with OAuth Device Flow

Allow users to sign in via CLIs and on TVs and other non-traditional devices

Eric Roberts

Product

Jun 26, 2025

Introducing AuthKit Add-ons

Connect AuthKit to the tools you already use.

Enterprise Ready authentication for Supabase, powered by WorkOS

Now you can integrate WorkOS as a third-party auth provider in Supabase—unlocking Enterprise Ready authentication for your app in minutes.

Why implementing SAML from scratch is a terrible idea

SAML might look simple, but under the hood, it’s a legacy minefield of XML signatures, IdP quirks, and security pitfalls. Here’s why building it yourself is a guaranteed regret.

Your codebase is now addressable: Codex, Jules, and the Rise of agentic parallel coding

Platforms like OpenAI Codex and Google Jules are taking a swing at distributed cognition for software teams. What does this mean?

Agno: The agent framework for Python teams

Agno is an open-source framework that helps you build clean, composable and Pythonic agentic applications with tools, memory and reasoning capabilities.

Security threats in SPAs and how to defend against them

A developer’s guide to identifying and fixing the most common security flaws in Single-page applications.

How to sync users from Entra ID to your app using Node and WorkOS

Step-by-step tutorial that walks you through the necessary steps to add automated user provisioning to your app using SCIM, Entra ID, Node, and WorkOS, with just a few lines of code.

OAuth 2.1: What’s new, what’s gone, and how to migrate securely

Learn what’s changed in OAuth 2.1, including the removal of implicit flow, mandatory PKCE, and modern refresh token strategies. This guide walks you through the security upgrades and offers a clear migration checklist to help you stay compliant and secure.

Secure by design: How engineers should build and consume APIs

A practical guide to avoiding common pitfalls and implementing security best practices across both internal and third-party API integrations.

What is NIST and why should developers care?

What if the most practical security guidance didn’t come from a startup, but from a government agency? Read how NIST’s peer-reviewed frameworks are powering real-world security.

Introducing RFC 9728: Say hello to standardized OAuth 2.0 resource metadata

OAuth 2.0 just got a major upgrade in how resources describe themselves — find out what RFC 9728 introduces and why it matters.

Diagnosing SAML assertion failures: A step-by-step debugging guide

From expired assertions to signature fails — a survival guide for anyone who's ever screamed at a SAML error message.

On-premises and hybrid authentication: Challenges and best practices

How to avoid common pitfalls and build resilient auth systems in on-prem and hybrid setups.

The hidden pitfalls of SAML metadata: How to avoid downtime

Misconfigured SAML metadata is one of the most overlooked causes of SSO failures. Learn how to spot hidden risks—and fix them before they break your login flow.

April Updates

New this month: SSO Role Mapping, Schema-Based Policies, On-Prem Guides, and more

Mastra.ai Quickstart - How to build a TypeScript agent in 5 minutes or less

Mastra is a TypeScript framework for agentic apps. In this post, we'll use it to build an agentic app that can fetch data from GitHub in less than 5 minutes.

oRPC: OpenAPI Remote Procedure Call for Type-Safe APIs

oRPC (OpenAPI Remote Procedure Call) combines the familiarity of RPC with the industry-standard OpenAPI spec so that every request/response is fully typed from client to server.

Zack Proser

Apr 28, 2025

We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles

About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more