Blog

Aug 21, 2025

How WorkOS solved enterprise auth for MCP servers

Learn how WorkOS acts as an OAuth bridge that removes authentication complexity so you can focus on building your MCP server's core functionality.

Zack Proser

Guides

Sep 9, 2025

Implementing a generic SCIM client: A practical guide

If you’ve built a custom Identity Provider, you’ll need to implement SCIM client functionality yourself. This guide shows you how to build a standards-compliant SCIM 2.0 client that can provision users and groups using WorkOS as the SCIM service provider.

Product Engineering at WorkOS

Product engineers don’t just write code, they own the whole delivery lifecycle.

Security threats in SPAs and how to defend against them

A developer’s guide to identifying and fixing the most common security flaws in Single-page applications.

How to sync users from Entra ID to your app using Node and WorkOS

Step-by-step tutorial that walks you through the necessary steps to add automated user provisioning to your app using SCIM, Entra ID, Node, and WorkOS, with just a few lines of code.

OAuth 2.1: What’s new, what’s gone, and how to migrate securely

Learn what’s changed in OAuth 2.1, including the removal of implicit flow, mandatory PKCE, and modern refresh token strategies. This guide walks you through the security upgrades and offers a clear migration checklist to help you stay compliant and secure.

Secure by design: How engineers should build and consume APIs

A practical guide to avoiding common pitfalls and implementing security best practices across both internal and third-party API integrations.

What is NIST and why should developers care?

What if the most practical security guidance didn’t come from a startup, but from a government agency? Read how NIST’s peer-reviewed frameworks are powering real-world security.

Introducing RFC 9728: Say hello to standardized OAuth 2.0 resource metadata

OAuth 2.0 just got a major upgrade in how resources describe themselves — find out what RFC 9728 introduces and why it matters.

Diagnosing SAML assertion failures: A step-by-step debugging guide

From expired assertions to signature fails — a survival guide for anyone who's ever screamed at a SAML error message.

On-premises and hybrid authentication: Challenges and best practices

How to avoid common pitfalls and build resilient auth systems in on-prem and hybrid setups.

The hidden pitfalls of SAML metadata: How to avoid downtime

Misconfigured SAML metadata is one of the most overlooked causes of SSO failures. Learn how to spot hidden risks—and fix them before they break your login flow.

April Updates

New this month: SSO Role Mapping, Schema-Based Policies, On-Prem Guides, and more

Mastra.ai Quickstart - How to build a TypeScript agent in 5 minutes or less

Mastra is a TypeScript framework for agentic apps. In this post, we'll use it to build an agentic app that can fetch data from GitHub in less than 5 minutes.

oRPC: OpenAPI Remote Procedure Call for Type-Safe APIs

oRPC (OpenAPI Remote Procedure Call) combines the familiarity of RPC with the industry-standard OpenAPI spec so that every request/response is fully typed from client to server.

DBConnection pooling deep dive

A deep dive on how pooled connections work in the Elixir DBConnection library.

In-Memory Distributed State with Delta CRDTs

How to utilize delta conflict-free replicated data types for managing distributed cache or configuration state on an Elixir cluster.

Why your app needs refresh tokens—and how they work

Session management is hard. Refresh tokens make it easier—and safer. This guide breaks down how they work, why you need them, and how to avoid common mistakes (with code included).

Maria Paktiti

Apr 23, 2025

We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles

About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more