API Reference

The WorkOS API enables adding Enterprise Ready features to your application. This REST API provides programmatic access and management of SSO, Magic Link, Directory Sync, and Audit Trail resources.

Sign in to see code examples customized with your API keys and data.

Client Libraries

WorkOS offers native SDKs in several popular programming languages. Choose one language below to see our API Reference in your application’s language.

• 

  Node.js

• 

  Ruby

• 

  Go

• 

  Python

• 

  PHP

• 

  Laravel

• 

  .NET

• 

  Java

API Keys

WorkOS authenticates your API requests using your account's API keys. API requests made without authentication or using an incorrect key will return a 401 error. Requests using a valid key but with insufficient permissions will return a 403 error. All API requests must be made over HTTPS - requests over plain HTTP will fail.

You can view and manage your API keys in the WorkOS Dashboard.

API keys can perform any API request to WorkOS. They should be kept secure and private! Be sure to prevent API keys from being made publicly accessible, such as in client-side code, GitHub, unsecured S3 buckets, and so forth. API keys are prefixed with sk_.

Your Staging Environment comes with an API key already generated for you. Staging API Keys may be viewed as often as they are needed and will appear inline throughout our documentation in code examples if you are logged in to your WorkOS account. API requests will be scoped to the provided key's Environment.

Once you unlock Production access you will need to generate an API Key for it. Production API Keys may only be viewed once and will need to be saved in a secure location upon creation of them.

All API requests must be made over HTTPS. Any requests made over plain HTTP will fail.

Errors

WorkOS uses standard HTTP response codes to indicate the success or failure of your API requests.

• 2xx - Indicates success.
• 4xx - Indicates an error, normally due to error caused by incorrect or missing request information (e.g. providing an incorrect API key).
• 5xx - Indicates a WorkOS server error.

Pagination

Many top-level resources have support for bulk fetches via "list" API methods. For instance, you can list connections, list directory users, and list directory groups. These list API methods share a common structure, taking at least these three parameters: limit, after, and before.

WorkOS utilizes pagination via the after and before parameters. Both parameters take an existing object ID value (see below) and return objects in descending order by created_at timestamp. The after parameter returns objects created after the named object, which occur earlier in the list. The before parameter returns objects created before the named object, which occur later in the list.

• limit

  integer

  (optional)

  Upper limit on the number of objects to return, between 1 and 100. The default value is 10.

• after

  string

  (optional)

  A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, starting with obj_123, your subsequent call can include after=obj_123 to fetch the previous batch of objects created after obj_123.

• before

  string

  (optional)

  A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch the next batch of objects created before obj_123.

• data

  array of objects

  An array of objects in descending order by created_at timestamp.

• list_metadata

  object

  Contains cursor options to utilize for pagination.

Organization

An Organization is a top-level resource in WorkOS. Each Connection, Directory, and Audit Trail Event belongs to an Organization. An Organization will usually represent one of your customers.

Organizations can optionally have Organization Domains which are useful to tag any domains that used across all associated Connections and Directories.

• id

  string

  Unique identifier for the Organization.

• name

  string

  The name of the Organization.

• allow_profiles_outside_organization

  boolean

  Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization's User Email Domains.

  See here for more details.

• created_at

  string

  The timestamp when the Organization was created.

• updated_at

  string

  The timestamp when the Organization was last updated.

• domains

  array of objects

  List of Organization Domains.

Get an Organization

Get the details of an existing organization.

• id

  string

  The unique identifier of the Organization.

An Organization.

List Organizations

Get a list of all of your existing organizations matching the criteria specified.

• domains

  array of strings

  (optional)

  The domains of an Organization. Any Organization with a matching domain will be returned.

• after

  string

  (optional)

  A cursor to use for pagination. after is an Organization object ID that takes the form org_* and defines your place in the paginated list of Organization objects. after will return all Organizations created after the cursor's value.

• before

  string

  (optional)

  A cursor to use for pagination. before is an Organization object ID that takes the form org_* and defines your place in the paginated list of Organization objects. before will return all Organizations created before the cursor's value.

• limit

  integer

  (optional)

  Upper limit on the number of Organizations to return, between 1 and 100. The default value is 10.

An object containing Organizations.

• data

  array of objects

  Array of Organizations in descending order by created_at timestamp.

• list_metadata

  object

  Contains cursor options to utilize for pagination.

Create an Organization

Create an Organization with a set of domains.

• name

  string

  The name of the Organization.

• allow_profiles_outside_organization

  boolean

  (optional)

  Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization's User Email Domains.

  See here for more details.

• domains

  array of strings

  (optional)

  The domains of the Organization.

  At least one domain is required unless allow_profiles_outside_organization is true.

An Organization object.

Update an Organization

Update an Organization.

• name

  string

  The name of the Organization.

• allow_profiles_outside_organization

  boolean

  (optional)

  Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization's User Email Domains.

  See here for more details.

• domains

  array of strings

  (optional)

  The domains of the Organization.

  At least one domain is required unless allow_profiles_outside_organization is true.

An Organization object.

Delete an Organization

Delete an existing organization.

• id

  string

  The unique identifier of the Organization.

Organization Domain

An Organization Domain (also known as a User Email Domain) represents an Organization's domain.

These domains restrict which email addresses are able to sign in through SAML Connections when allow_profiles_outside_organization is false. This is the default behavior for Organizations. See here for more details on this behavior.

• id

  string

  Unique identifier for the Organization Domain.

• domain

  string

  Domain for the Organization Domain.

Single Sign-On

The Single Sign-On API has been modeled to meet the OAuth 2.0 framework specification. As a result, authentication flows constructed using the Single Sign-On API replicate the OAuth 2.0 protocol flow.

Redirect URI

In the OAuth 2.0 protocol, a redirect URI is the location your user is redirected to once they have successfully authenticated with their Identity Provider.

In Production Environments, the redirect URI to your application must use HTTPS and there should be at least one redirect URI configured and selected as a default for a WorkOS Environment. This can be done from the SSO Configuration page in the WorkOS dashboard. Without a valid redirect URI, users will be unable to sign in.

Redirect URIs that use HTTP and localhost are allowed in Sandbox Environments.

Get Authorization URL

Generate an OAuth 2.0 authorization URL.

WorkOS generates an OAuth 2.0 authorization URL that automatically directs a user to their Identity Provider. Once the user authenticates with their Identity Provider, WorkOS then issues a redirect to your Redirect URI to complete the login flow.

To indicate the connection to use for authentication, use one of the following connection selectors: connection, organization, or provider.

These connection selectors are mutually exclusive, and exactly one must be provided.

• client_id

  string

  This value can be obtained from the SSO Configuration page in the WorkOS dashboard.

• response_type

  string

  The only valid option for the response_type parameter is code.

  The code parameter value initiates an Authorization Code Grant Type. This grant type allows a Developer to exchange an authorization code for an access token during the redirect that takes place after a user has authenticated with an Identity Provider.

• redirect_uri

  string

  A Redirect URI to return an authorized user to.

• connection

  string

  (optional)

  The connection connection selector is used to initiate SSO for a Connection.

  The value of this parameter should be a WorkOS Connection ID.

  For example, the Developer can persist the WorkOS Connection ID with application User or Team identifiers. WorkOS will use the Connection indicated by the connection parameter to direct the user to the corresponding IdP for authentication.

• organization

  string

  (optional)

  The organization connection selector is used to initiate SSO for an Organization.

  The value of this parameter should be a WorkOS Organization ID.

  For example, the Developer can persist the WorkOS Organization ID with application User or Team identifiers. WorkOS will use the organization connection selector to determine the appropriate Connection and IdP to direct the user to for authentication.

  Note that the Organization must only have a single active SSO Connection, otherwise an ambiguous_connection_selector error code will be returned.

• provider

  string

  (optional)

  The provider connection selector is used to initiate SSO using an OAuth provider.

  Currently, the only supported values for provider are GoogleOAuth and MicrosoftOAuth. Provide the provider parameter when authenticating Google OAuth users, because Google OAuth does not take a user's domain into account when logging in with a "Sign in with Google" button.

• state

  string

  (optional)

  Optional parameter that a Developer can choose to include in their authorization URL. If included, then the redirect URI received from WorkOS will contain the exact state that was passed in the authorization URL.

  The state parameter can be used to encode arbitrary information to help restore application state between redirects.

• login_hint

  string

  (optional)

  Can be used to pre-fill the username/email address field of the IdP sign-in page for the user, if you know their username ahead of time.

  Currently, this parameter is only supported for OAuth, and OpenID Connect connection types.

The user is redirected to the generated OAuth 2.0 authorization URL to authenticate with their Identity Provider.

A code parameter is also provided and is a unique, short-lived (10 minutes) value that the Developer can exchange for an access token and user Profile. To perform this exchange, the Developer should make a POST request to the /sso/token endpoint.

If provided in the original request, the exact same state parameter and value is also returned.

If there is an issue generating an authorization URL, WorkOS will issue a redirect with an error query parameter, an error_description query parameter with additional information, and the original state parameter (if provided).

The set of error values is provided below.

Possible values

• ambiguous_connection_selector

  A Connection could not be uniquely identified using the provided connection selector (e.g., organization). This can occur when there are multiple SSO Connections under the same Organization. If you need multiple SSO Connections for an Organization, use the connection parameter to identify which Connection to use for SSO.

• connection_domain_invalid

  There is no Connection for the provided domain.

• connection_invalid

  There is no Connection for the provided ID.

• organization_invalid

  There is no Organization for the provided ID.

• connection_strategy_invalid

  The Provider has multiple strategies associated per environment.

• connection_unlinked

  The Connection associated with the request is unlinked.

• domain_connection_selector_not_allowed

  This is a legacy error code that only applies if using the deprecated "domain" query parameter which is no longer valid for the Get Authorization URL endpoint. Use the "organization" or "connection" query parameters to target a connection instead.

• invalid_connection_selector

  A valid connection selector query parameter must be provided in order to correctly determine the proper Connection to return an authorization URL for. Valid connection selectors are either connection, organization, or provider.

• profile_not_allowed_outside_organization

  A Profile was received that has an email that is outside the Organization's User Email Domains and the Organization does not allow this.

  To resolve this, either add the missing domain to the Organization's User Email Domains or configure the Organization to allow profiles outside of it.

  See here for more details.

Profile

A Profile is an object that represents an authenticated user. The Profile object contains information relevant to a user in the form of normalized and raw attributes.

After receiving the Profile for an authenticated user, use the Profile object attributes to persist relevant data to your application’s user model for the specific, authenticated user.

No Profile attributes can be returned other than the normalized attributes listed below, and the raw attributes returned by an Identity Provider.

• id

  string

  Unique identifier for the user, assigned by WorkOS.

  This value can be persisted to the Developer's user model and used as a unique key for identifying a specific user.

• object

  string

  String representing the object's type. Currently the only possible value is profile.

• connection_id

  string

  Unique identifier for the Connection to which the Profile belongs.

• organization_id

  string

  (optional)

  Unique identifier for the Organization in which the Connection resides.

• connection_type

  enum

  The type of SSO Connection used to authenticate the user.

  Possible values

  • ADFSSAML
  • Auth0SAML
  • AzureSAML
  • CASSAML
  • CloudflareSAML
  • CyberArkSAML
  • ClassLinkSAML
  • DuoSAML
  • GenericOIDC
  • GenericSAML
  • GoogleOAuth
  • GoogleSAML
  • JumpCloudSAML
  • KeycloakSAML
  • LastPassSAML
  • MicrosoftOAuth
  • MiniOrangeSAML
  • NetIqSAML
  • OktaSAML
  • OneLoginSAML
  • OracleSAML
  • PingFederateSAML
  • PingOneSAML
  • SalesforceSAML
  • SimpleSamlPhpSAML
  • VMwareSAML

• email

  string

  The user's email address.

• first_name

  string

  The user's first name.

• last_name

  string

  The user's last name.

• idp_id

  string

  Unique identifier for the user, assigned by the Identity Provider. Different Identity Providers use different ID formats.

  One possible use case for idp_id is associating a user’s SSO Profile with any relevant Directory Sync actions related to that user.

• raw_attributes

  object

  Object of key-value pairs containing relevant user data from the Identity Provider.

  Raw attributes are an extended set of information one can expect for each user Profile. These raw attributes will vary by Identity Provider and Identity Provider configuration.

Get a Profile and Token

Get an access_token along with the user's Profile using the code we passed to your Redirect URI.

• client_id

  string

  This value can be obtained from the SSO Configuration page in the WorkOS dashboard.

• client_secret

  string

  This is the same value as the WorkOS Environment’s secret API key.

  This value can be obtained from the API Keys page in the WorkOS dashboard.

• grant_type

  string

  The method by which your application will receive an access token. This value should be authorization_code.

• code

  string

  The authorization value which was passed back as a query parameter in the callback to the redirect URI.

An object containing an access token and Profile.

• access_token

  string

  An access token that can be exchanged for a user profile. Access tokens are one-time use and expire 10 minutes after they’re created.

• profile

  object

  The user Profile.

Get a User Profile

Exchange an access_token for a user's Profile. Because this profile is returned in the Get a Profile and Token endpoint your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user's profile.

• access_token

  string

  The authorization value which was returned along with the profile when calling the Get a Profile and Token endpoint.

A user profile.

• profile

  object

  The user Profile.

Connection

A Connection represents the relationship between WorkOS and any collection of application users. This collection of application users may include personal or enterprise Identity Providers, or passwordless authentication methods like Magic Link. As a layer of abstraction, a WorkOS Connection rests between an application and its users, separating an application from the implementation details required by specific standards like OAuth 2.0 and SAML.

• object

  string

  String representing the object's type. Currently the only possible value is connection.

• id

  string

  Unique identifier for the Connection.

• organization_id

  string

  (optional)

  Unique identifier for the Organization in which the Connection resides.

• connection_type

  enum

  The type of SSO Connection used to authenticate a user.

  One possible use case for connection_type is dynamically generating authorization URLs.

  Possible values

  • ADFSSAML
  • ADPOIDC
  • Auth0SAML
  • AzureSAML
  • CASSAML
  • ClassLinkSAML
  • CloudflareSAML
  • CyberArkSAML
  • DuoSAML
  • GenericOIDC
  • DuoSAML
  • GenericSAML
  • GoogleOAuth
  • GoogleSAML
  • JumpCloudSAML
  • KeycloakSAML
  • LastPassSAML
  • MicrosoftOAuth
  • MiniOrangeSAML
  • NetIqSAML
  • OktaSAML
  • OneLoginSAML
  • OracleSAML
  • PingFederateSAML
  • PingOneSAML
  • SalesforceSAML
  • SimpleSamlPhpSAML
  • ShibbolethSAML
  • ShibbolethGenericSAML
  • VMwareSAML

• name

  string

  A human-readable name for the Connection. This will most commonly be the Enterprise Client's name.

• state

  enum

  Indicates whether a Connection is able to authenticate users.

  Possible values

  • draft
  • active
  • inactive

• created_at

  string

  The timestamp when the Connection was created.

• updated_at

  string

  The timestamp when the Connection was last updated.

Get a Connection

Get the details of an existing connection.

• id

  string

  The unique identifier of the Connection.

A Connection.

List Connections

Get a list of all of your existing connections matching the criteria specified.

• after

  string

  (optional)

  A cursor to use for pagination. after is a Connection object ID that takes the form conn_* and defines your place in the paginated list of Connection objects. after will return all Connections created after the cursor's value.

• before

  string

  (optional)

  A cursor to use for pagination. before is a Connection object ID that takes the form conn_* and defines your place in the paginated list of Connection objects. before will return all Connections created before the cursor's value.

• connection_type

  enum

  (optional)

  Filter Connections by their type.

  Possible values

  • ADFSSAML
  • Auth0SAML
  • AzureSAML
  • CyberArkSAML
  • CloudflareSAML
  • CASSAML
  • ClassLinkSAML
  • DuoSAML
  • GenericOIDC
  • GenericSAML
  • GoogleOAuth
  • GoogleSAML
  • JumpCloudSAML
  • KeycloakSAML
  • LastPassSAML
  • MicrosoftOAuth
  • MiniOrangeSAML
  • NetIqSAML
  • OktaSAML
  • OneLoginSAML
  • OracleSAML
  • PingFederateSAML
  • PingOneSAML
  • SalesforceSAML
  • SimpleSamlPhpSAML
  • VMwareSAML

• domain

  string

  (optional)

  Filter Connections by their associated domain.

• organization_id

  string

  (optional)

  Filter Connections by their associated organization.

• limit

  integer

  (optional)

  Upper limit on the number of Connections to return, between 1 and 100. The default value is 10.

An object containing Connections and metadata.

• data

  array of objects

  An array of Connections in descending order by created_at timestamp.

• list_metadata

  object

  Contains cursor options to utilize for pagination.

Delete a Connection

Delete an existing connection.

• id

  string

  The unique identifier of the Connection.

Magic Link

The Magic Link API can be used to add Passwordless Authentication to your app.

Passwordless Session

An object representing a passwordless authentication session.

• id

  string

  The unique ID of the session.

• email

  string

  The email address of the user for the session.

• expires_at

  date

  The ISO-8601 datetime at which the session expires.

• link

  string

  The link for the user to authenticate with. You can use this link to send a custom email to the user, or send an email using Email a Magic Link to the user.

  Once a user has authenticated with the link, WorkOS issues a redirect to the Environment's default redirect URI, with a code parameter and, if provided during session creation, a state parameter.

  code can then be exchanged for an access token and user Profile. To perform this exchange, the Developer should make aPOST request to the /sso/token endpoint.

  If the link has expired, WorkOS will issue a redirect with an error query parameter and value of access_denied.

• object

  string

  String representing the object's type. Currently, the only possible value is passwordless_session.

Create Passwordless Session

Create a Passwordless Session for a Magic Link Connection.

• email

  string

  The email of the user to authenticate.

• type

  string

  The type of Passwordless Session to create. Currently, the only supported value is MagicLink.

• connection

  string

  (optional)

  Value containing the ID of a specific Connection.

  This can be used to create a Passwordless Session for a specific Connection rather than relying on the domain from the email to determine the Organization and Connection.

• redirect_uri

  string

  (optional)

  Optional parameter that a Developer can choose to include in their authorization URL. If included, it will override the default Redirect URI set in the dashboard. This is the location your user will be redirected to once the session has been completed successfully.

• expires_in

  number

  (optional)

  , default is 300

  The number of seconds the Passwordless Session should live before expiring.

  This value must be between 300 (5 minutes) and 1800 (30 minutes), inclusive.

• state

  string

  (optional)

  Optional parameter that a Developer can choose to include in their authorization URL. If included, then the redirect URI received from WorkOS will contain the exact state that was passed in the authorization URL.

  The state parameter can be used to encode arbitrary information to help restore application state between redirects.

A Passwordless Session.

Email a Magic Link

Email a user the Magic Link confirmation URL.

• id

  string

  The unique identifier of the Passwordless Session to send an email for.

A boolean confirming the Magic Link was sent.

Directory Sync

Directory Sync allows you to connect with Directory Providers to inform your application of any changes in their users, groups, or access rules.

Using Directory Sync, one integration grants your application the ability to support multiple Directory Providers. Get real-time updates of any changes to your Enterprise Client's access rules, groups, and users by integrating webhooks into your application.

Directory

A Directory stores information about an Enterprise Client’s employee management system.

Synchronizing with a Directory enables Developers to receive changes to an Enterprise Client’s User and Group structure.

Directory Providers vary in implementation details and may require different sets of fields for integration, such as API keys, subdomains, endpoints, usernames, etc. Where available, the WorkOS API will provide these fields when fetching Directory records.

• id

  string

  Unique identifier for the Directory.

• domain

  string

  The URL associated with an Enterprise Client.

• name

  string

  The name of the directory.

• organization_id

  string

  (optional)

  The unique identifier for the Organization in which the directory resides.

• state

  enum

  Describes whether the Directory has been successfully connected to an external provider.

  Possible values

  • linked
  • unlinked
  • validating
  • deleting
  • invalid_credentials

• type

  enum

  The type of external Directory Provider integrated with.

  Possible values

  • azure scim v2.0
  • bamboohr
  • breathe hr
  • generic scim v1.1
  • generic scim v2.0
  • gsuite directory
  • jump cloud scim v2.0
  • okta scim v1.1
  • okta scim v2.0
  • onelogin scim v2.0
  • people hr
  • pingfederate scim v2.0
  • rippling
  • workday

• created_at

  string

  The timestamp when the Directory was created.

• updated_at

  string

  The timestamp when the Directory was last updated.

Get a Directory

Get the details of an existing directory.

• id

  string

  The unique identifier of the Directory.

A Directory.

List Directories

Get a list of all of your existing directories matching the criteria specified.

• domain

  string

  (optional)

  The domain of a Directory.

• search

  string

  (optional)

  Searchable text to match against Directory names.

• organization_id

  string

  (optional)

  Filter Directories by their associated organization.

• after

  string

  (optional)

  A cursor to use for pagination. after is a Directory object ID that takes the form directory_* and defines your place in the paginated list of Directory objects. after will return all Directories created after the cursor's value.

• before

  string

  (optional)

  A cursor to use for pagination. before is a Connection object ID that takes the form directory_* and defines your place in the paginated list of Directory objects. before will return all Directories created before the cursor's value.

• limit

  integer

  (optional)

  Upper limit on the number of Connections to return, between 1 and 100. The default value is 10.

An object containing Directories.

• data

  array of objects

  Array of Directories in descending order by created_at timestamp.

• list_metadata

  object

  Contains cursor options to utilize for pagination.

Delete a Directory

Delete an existing directory.

• id

  string

  The unique identifier of the Directory.

Directory User

A Directory User represents an active Enterprise user.

Developers can receive Webhooks as employees are added, updated or removed, allowing for provisioning and de-provisioning Users within an application.

The data stored for employees vary per Directory provider and may include attributes such as photo URLs, pay groups, supervisors, etc. Where available, the WorkOS API will provide the additional data in the raw_attributes field when fetching Directory User records.

• id

  string

  Unique identifier for the Directory User.

• idp_id

  string

  Unique identifier for the user, assigned by the Directory Provider. Different Directory Providers use different ID formats.

  One possible use case for idp_id is associating the Directory User with their SSO Profile.

• directory_id

  string

  The identifier of the Directory the Directory User belongs to.

• first_name

  string

  The first name of the user.

• last_name

  string

  The last name of the user.

• emails

  array of objects

  The emails of the user.

  Nested attributes

  (Click to expand)

• username

  string

  The username of the user.

• groups

  array of objects

  The groups that the user is a member of.

• state

  enum

  The state of the user.

  Possible values

  • active
  • suspended
  • inactive

• custom_attributes

  object

  An object containing the custom attribute mapping for the Directory Provider.

• raw_attributes

  object

  An object containing the data returned from the Directory Provider.

Get a Directory User

Get the details of an existing Directory User.

• id

  string

  The unique identifier of the Directory User.

A Directory User.

List Directory Users

Get a list of all of existing Directory Users matching the criteria specified.

One of directory or group must be provided.

• directory

  string

  (optional)

  Unique identifier of the WorkOS Directory.

  This value can be obtained from the WorkOS dashboard or from the WorkOS API.

• group

  string

  (optional)

  Unique identifier of the WorkOS Directory Group.

  This value can be obtained from the WorkOS API.

• after

  string

  (optional)

  A cursor to use for pagination. after is a Directory User object ID that takes the form directory_user_* and defines your place in the paginated list of Directory User objects. after will return all Directory Users created after the cursor's value.

• before

  string

  (optional)

  A cursor to use for pagination. before is a Directory User object ID that takes the form directory_user_* and defines your place in the paginated list of Directory User objects. before will return all Directory Users created before the cursor's value.

• limit

  integer

  (optional)

  Upper limit on the number of Directory Users to return, between 1 and 100. The default value is 10.

An object containing Directory Users and metadata.

• data

  array of objects

  Array of Directory Users in descending order by created_at timestamp. Since these can be bulk processed (ex. 10 updates were batched process), there is a secondary sort on the identifier, i.e. id.

• list_metadata

  object

  Contains cursor options to utilize for pagination.