API Gateway
Put your API behind a WorkOS-managed gateway that authenticates requests and forwards a signed identity assertion to your origin.
The API Gateway is a managed reverse proxy that sits in front of your API. Requests arrive on a WorkOS-managed gateway domain, or on your own custom domain, where the gateway authenticates the caller – using an API key or an AuthKit session – mints a short-lived, signed identity assertion, and forwards the request to your origin.
Your origin then trusts a single WorkOS-signed assertion instead of re-implementing authentication on every request.
The API Gateway is available in beta. Contact WorkOS to enable it for your environment.
- A client sends a request to your gateway domain, including its credentials – an API key or an AuthKit session.
- The gateway authenticates the caller at the edge.
- The gateway signs a short-lived assertion describing the caller and attaches it as the
X-WorkOS-Gateway-Assertionheader. - The gateway proxies the request to your origin over HTTPS.
The assertion is your origin’s perimeter: it proves the request passed through the gateway and carries the caller’s verified identity. The gateway strips any client-supplied X-WorkOS-Gateway-Assertion header before signing its own, so a caller can’t forge one.
The X-WorkOS-Gateway-Assertion header contains a JSON Web Token (JWT) signed with RS256 using a per-environment key. Each assertion is valid for approximately 60 seconds.
The token includes the standard registered claims:
| Claim | Description |
|---|---|
iss | The issuer – your gateway’s URL. |
aud | The audience configured for your gateway, usually the same as your gateway URL. |
sub | The authenticated principal. Absent for anonymous requests. |
iat | The time the assertion was issued. |
exp | The expiration time, approximately 60 seconds after iat. |
jti | A unique identifier for the assertion. |
It also includes WorkOS-specific claims that describe the caller:
| Claim | Description |
|---|---|
subject_type | api_key, authkit_session, or anonymous. |
org_id | The organization the caller belongs to, when applicable. |
user_id | The user id, for an API key owned by a user. |
permissions | The permissions granted to the caller, when applicable. |
roles | The roles granted to the caller, for AuthKit sessions. |
The claims present depend on subject_type:
api_key–subis the API key id, withorg_id, plususer_idandpermissionswhen the key has them.authkit_session–subis the user id, withorg_id,roles, andpermissionswhen present.anonymous– onlysubject_typeis set. The request reached the gateway without credentials, and your origin decides whether to allow it.
Verify the assertion on every request, and reject any request that doesn’t carry a valid one.
- Read the
X-WorkOS-Gateway-Assertionheader. - Fetch the per-environment JSON Web Key Set (JWKS) from
https://<your-gateway-domain>/.well-known/jwks.json. - Verify the token’s signature, along with its
iss,aud, andexp. - Authorize the request using the verified claims.
Always verify both iss and aud. This confirms the assertion was issued for
your environment and intended for your origin, which prevents an assertion
issued for one environment from being replayed against another.
Authorize each request from the verified claims. Switch on subject_type to handle API keys, AuthKit sessions, and anonymous traffic, then use sub, org_id, and permissions or roles to make an authorization decision. Because the gateway has already authenticated the caller, your origin only needs to authorize the identity in the assertion.