A detailed glimpse at Project Horizon: an internal code factory at WorkOS.
Grant agents time-limited access to OAuth connections using Pipes and MCP.
Develop with WorkOS entirely from your terminal, with agent-ready tooling built in.
What to use when your B2B auth needs outpace PropelAuth.
30 CVEs in 60 days, a backdoored npm package stealing emails, and a hosting platform flaw that put 3,000 servers at risk. Here's how to secure the supply chain your AI agents depend on.
A complete breakdown of one of the most dangerous JWT vulnerabilities, from the cryptographic mechanics to the defensive code patterns that stop it.
Symmetric vs asymmetric JWT signatures: how each algorithm works, when to use which, and the security tradeoffs every developer should know.
A 2026 guide to the leading IAM solutions for SaaS teams, with a breakdown of features, pricing, and trade-offs to help you choose the right provider and start closing enterprise deals faster.
Your users enable multi-factor authentication, use strong passwords, and follow every security best practice you recommend. But none of it matters if an attacker is sitting between them and your login page, relaying traffic in real time and walking away with a valid session cookie.
From forged assertions to memory leaks, SAML's XML foundations keep producing serious bugs. Here's what happened and what you should be doing about it.
Most AI agents run with borrowed sessions and far more access than they need. Here's how to replace that with scoped, revocable credentials and tool-level authorization.
Master secure authentication in Laravel from Breeze and Sanctum to enterprise SSO, with production-ready patterns and security best practices.
API keys, token files, OAuth Device Flow, and Client Credentials compared. A practical guide to choosing the right authentication pattern for your CLI.
How FIDO2 and passkeys use cryptographic domain binding to stop phishing attacks, why SMS and push notification fallbacks destroy your security posture, and what to do about it.
MFA still blocks most automated attacks. But the new generation of AI-powered phishing tools does not send automated attacks. It runs real-time, human-speed session hijacking that MFA was never designed to stop.
A hijacked maintainer account, a hidden trojan, and a two-hour window that put millions of projects at risk. Here's the full story and how to protect yourself.
AI agents don't have phones, fingerprints, or sessions. The identity infrastructure they need looks nothing like what we built for humans.
What they are, how they work, and why modern password security has moved beyond them.