SFTP

Learn about syncing your user list using an SFTP connection.

An SFTP integration allows an organization to synchronize user and group information by uploading CSV files using SFTP. WorkOS maintains a receiving SFTP server that the organization’s HRIS provider or SFTP client connects to.

If the organization’s HRIS has a built-in SFTP client, SFTP will allow them to automatically sync their data and ensure your data is always up to date. An SFTP integration allows for provider-agnostic ingestion of employee data into your product ecosystem.

Once the integration is set up, WorkOS automatically creates and hosts an SFTP folder for the organization’s HRIS provider to upload files at a regular cadence.

An SFTP integration has the following advantages:

  • Works with any system that has the ability to export CSVs
  • Has an easy integration path for an organization comfortable working with CSVs and SFTP
  • Allows a custom cadence of updates for your customer

Your app interfaces with an SFTP directory the same way as with other directories, receiving events when the directory is created or updated:

A diagram showing the sequence of events for when an SFTP directory is activated

Note: The SFTP integration isn’t enabled by default in the WorkOS Dashboard or Admin Portal. Please reach out to support@workos.com or via your team’s WorkOS Slack channel if you would like SFTP enabled.

WorkOS provides an SFTP server URL and username specific to the directory. Once set up, the URL and username will be available under directory settings in the WorkOS Dashboard.

The SFTP URL is the location of the SFTP server to upload user and group information. Authentication uses a username and a key pair.

You will need to provide a public key for authentication. Normally this will come from a key pair provided by your customer’s IT team and may be created by their HRIS. Maximum key length is 2048 bytes and supported keys are: ED25519, RSA, and ECDSA.

Your customer will need to export the users and groups as CSV files with the structure below.

The users.csv file is required.

| CSV Header | Status | Description |
| --- | --- | --- |
| user_id | Required | A unique ID representing the user |
| first_name | Required | The first name of the user |
| last_name | Required | The last name of the user |
| email | Required | The primary work email for the user |
| username | Required | A unique human readable user name |
| job_title | Required | The job title of the user |
| employee_type | Optional | The type of employee |
| employment_start_date | Optional | The date the user started working |
| department_name | Optional | The name of the department the user belongs to |
| manager_email | Optional | The email of the user’s manager |
| division_name | Optional | The name of the division the user belongs to |
| cost_center_name | Optional | The name of the cost center the user belongs to |
| work_address_street | Optional | Work street address |
| work_address_locality | Optional | Work city |
| work_address_region | Optional | Work state |
| work_address_postal_code | Optional | Work postal/zip code |
| work_address_country | Optional | Work country |

The user_groups.csv file is required.

| CSV Header | Status | Description |
| --- | --- | --- |
| group_name | Required | The name of the group |
| user_id | Required | The ID of the user. Must match the user_id on the users.csv file |

This file is not required. Additional metadata may also be included in this file.

| CSV Header | Status | Description |
| --- | --- | --- |
| group_name | Required | The name of the group. Must match the group_name on the user_groups.csv file |
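
A pre-upload check for the two required files, added here as an example (it is not WorkOS code): it verifies the required headers and non-empty required cells from the tables above, and that every user_id in user_groups.csv exists in users.csv. The function names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Required columns per file, copied from the tables above.
REQUIRED = {
    "users.csv": ["user_id", "first_name", "last_name", "email", "username", "job_title"],
    "user_groups.csv": ["group_name", "user_id"],
}

def read_rows(name, text, errors):
    """Parse one file; report missing required headers and blank required cells."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in REQUIRED[name] if h not in (reader.fieldnames or [])]
    if missing:
        errors.append(f"{name}: missing required header(s) {missing}")
        return None
    rows = list(reader)
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header row
        blank = [h for h in REQUIRED[name] if not (row[h] or "").strip()]
        if blank:
            errors.append(f"{name} line {line_no}: empty required field(s) {blank}")
    return rows

def validate_export(users_text, user_groups_text):
    """Return a list of problems; an empty list means the two files agree."""
    errors = []
    users = read_rows("users.csv", users_text, errors)
    memberships = read_rows("user_groups.csv", user_groups_text, errors)
    if users is None or memberships is None:
        return errors  # cannot cross-check without the required columns
    counts = Counter((row["user_id"] or "").strip() for row in users)
    for uid, n in counts.items():
        if uid and n > 1:  # user_id is described as unique
            errors.append(f"users.csv: user_id {uid!r} appears {n} times")
    for line_no, row in enumerate(memberships, start=2):
        uid = (row["user_id"] or "").strip()
        if uid and uid not in counts:
            errors.append(f"user_groups.csv line {line_no}: user_id {uid!r} not in users.csv")
    return errors

# Constructed sample data, not taken from a real export.
USERS = """user_id,first_name,last_name,email,username,job_title
u1,Ada,Ng,ada@example.com,ang,Engineer
u2,Sam,Roe,sam@example.com,sroe,"""
GROUPS = """group_name,user_id
Engineering,u1
Engineering,u9"""
```

Calling validate_export(USERS, GROUPS) on the sample reports the blank job_title on line 3 of users.csv and the membership that points at the unknown user_id u9.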

Log in to your WorkOS Dashboard and select “Organizations” from the left-hand navigation bar. Select the organization you’ll be configuring a new Directory Sync connection with.

Click “Add Directory”. Select “SFTP” as the directory type, and then enter a name for this directory.

Click “Create Directory”.

A screenshot showing how to create a directory in the WorkOS Dashboard.

Retrieve the public key that will be used for SFTP from the organization’s admin.

Click “Update Directory” in the WorkOS Dashboard.

A screenshot showing where to find "Update directory" for an Organization in the WorkOS Dashboard.

Enter the customer’s public key in the input field.

The SSH public key format should include the key type (e.g. ssh-rsa, ssh-ed25519), the base64-encoded body, and an optional comment, with spaces between each element. For example, ssh-rsa AAAABB1 keycomment.

RSA, ECDSA, and ED25519 keys are accepted.

  • For RSA keys, the key type is ssh-rsa.
  • For ED25519 keys, the key type is ssh-ed25519.
  • For ECDSA keys, the key type is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key generated.

A screenshot showing how to update SFTP directory details in the WorkOS Dashboard.
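
A check you can run on a customer-supplied key before pasting it into the Dashboard, added here as an example (it is not WorkOS code): it enforces the one-line format and the accepted key types above, and confirms that the algorithm name encoded inside the base64 body matches the textual prefix. Applying the 2048-byte maximum to the whole line is an assumption, and the function names and sample key bytes are constructed.

```python
import base64
import binascii

# Key types listed on this page as accepted.
ACCEPTED_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
MAX_KEY_BYTES = 2048  # page's stated maximum; applying it to the whole line is an assumption

def check_public_key(line):
    """Return (ok, reason) for a one-line SSH public key: '<type> <base64> [comment]'."""
    if "PRIVATE KEY" in line:
        return False, "looks like a private key; only the public half is shared"
    line = line.strip()
    if "\n" in line or len(line.encode()) > MAX_KEY_BYTES:
        return False, "must be a single line of at most 2048 bytes"
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, body = parts[0], parts[1]
    if key_type not in ACCEPTED_TYPES:
        return False, f"unsupported key type {key_type!r}"
    try:
        blob = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    # The decoded blob begins with a 4-byte big-endian length and the algorithm
    # name (RFC 4253 string encoding); it must agree with the textual prefix.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        return False, "key type does not match the type encoded in the body"
    return True, "ok"

def constructed_ed25519_line():
    """Build a well-formed sample line from constructed bytes (not a usable key)."""
    def ssh_string(data):
        return len(data).to_bytes(4, "big") + data
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " hris-export@example"
```

The page’s own sample, ssh-rsa AAAABB1 keycomment, is a placeholder rather than a decodable body, so it fails the base64 check.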

After adding the public key, WorkOS generates a username. You will see the green “Linked” icon appear.

A screenshot showing SFTP directory details in the WorkOS Dashboard.

Share the username with the organization admin and ask them to upload the CSV files using their private key to sftp.workos.com.

Now, whenever your customer assigns users or groups to your application, you’ll receive updates based on the changes in their directory.

Click on the “Users” tab in the dashboard to view synced users.

A screenshot showing a synced directory in the WorkOS Dashboard

A detailed guide to integrate the WorkOS API with your application can be found here

How is my organization’s data protected in transit?

SFTP (Secure File Transfer Protocol) uses SSH (Secure Shell protocol) to symmetrically encrypt traffic after an asymmetric key negotiation for authentication.

Our solution leverages the AWS Transfer Family so that we can support a common, secure protocol (SSH) with modern, isolated data storage (AWS S3).

We leverage the default security policy (security-policy-transfer-2020-06) for the choice of SSH cipher-suites, which determines the strength of cryptographic protection for data in transit.

How is my organization’s data protected at rest?

As the data is stored in an AWS S3 bucket, it is encrypted at rest by default (SSE-S3, the default since January 2023). The symmetric encryption used is AES-256; more information is available in the FAQ.

How does WorkOS isolate the data of one of my organizations from the others?

Each of the organizations you’re onboarding will create an SSH key pair, which consists of a public key and a private key. They will retain the private key, ensuring that only they can authenticate. The public key uploaded to WorkOS will be used to authenticate the organization’s connection via SFTP.

Each of your organizations is mapped to a distinct S3 bucket based on an internal (cryptographically random) identifier for the SSH key pair.

When does WorkOS dispose of the data and how is this done?

In either of the following events, your organization’s data and the S3 bucket will be deleted:

  1. You off-board the organization from your product/service.
  2. You no longer use the WorkOS Directory Sync service.

How often do SFTP directories perform a sync?

SFTP directories will sync automatically whenever file changes are detected and every 30 minutes following the initial synchronization.