The WorkOS API enables adding Enterprise Ready features to your application. This REST API provides programmatic access and management of SSO, Magic Link, Directory Sync, and Audit Log resources.
Sign in to see code examples customized with your API keys and data.
https://api.workos.com
WorkOS offers native SDKs in several popular programming languages. Choose one language below to see our API Reference in your application’s language.
Don't see an SDK you need? Contact us to request an SDK!
You can test the API directly with cURL, or use the Postman collection for convenience.
Check out the guide about the WorkOS API Postman collection to learn more about it.
WorkOS authenticates your API requests using your account’s API keys. API requests made without authentication or using an incorrect key will return a 401 error. Requests using a valid key but with insufficient permissions will return a 403 error. All API requests must be made over HTTPS. Any requests made over plain HTTP will fail.
curl https://api.workos.com/directories \ --header "Authorization: Bearer sk_example_123456789"
You can view and manage your API keys in the WorkOS Dashboard.
API keys can perform any API request to WorkOS. They should be kept secure and private! Be sure to prevent API keys from being made publicly accessible, such as in client-side code, GitHub, unsecured S3 buckets, and so forth. API keys are prefixed with sk_.
Your Staging Environment comes with an API key already generated for you. Staging API keys may be viewed as often as they are needed and will appear inline throughout our documentation in code examples if you are logged in to your WorkOS account. API requests will be scoped to the provided key’s Environment.
Once you unlock Production access you will need to generate an API Key for it. Production API keys may only be viewed once and will need to be saved in a secure location upon creation of them.
WorkOS uses standard HTTP response codes to indicate the success or failure of your API requests.
2004004014034045xxMany top-level resources have support for bulk fetches via list API methods. For instance, you can list connections, list directory users, and list directory groups. These list API methods share a common structure, taking at least these four parameters: limit, order, after, and before.
WorkOS utilizes pagination via the after and before parameters. Both parameters take an existing object ID value and return objects in either descending or ascending order by creation time.
curl https://api.workos.com/connections?limit=100 \ --header "Authorization: Bearer sk_example_123456789"
Parameters An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
WorkOS uses webhooks to automatically notify your application any time certain changes are made to your connections.
A webhook URL is an endpoint hosted by your application that subscribes to notifications from WorkOS. WorkOS sends these notifications as events which detail changes to users and groups. For example, you’ll receive an event when new users are created, group properties are updated, or users have been added to a group, etc.
To start using webhooks, you’ll need to set and save the webhook URL in the WorkOS Dashboard, so WorkOS knows where to deliver the events. For more details on receiving webhooks in your app, check out the webhooks best practices guide.
Events represent actions performed within WorkOS, identity, and directory providers. When an action occurs, we record an event. For example, an action could mean an IT admin assigning a user to your app or modifying a user group assigned to your app. These actions are most often performed as part of routine IT Admin workflows.
Your app can interface with WorkOS and retrieve these events using the Events API. The Events API offers a robust data synchronization solution compared to webhooks, ensuring seamless synchronization of your system state with WorkOS.
The after and range_start parameters are mutually exclusive, and at most one must be provided.
For more details on consuming events in your app, check out the events best practices guide.
curl --request GET --url "https://api.workos.com/events" \ --header "Authorization: Bearer sk_example_123456789"
GET/eventsParameters Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
Date range start for stream of events.
Date range end for stream of events.
Filter to only return events of particular types.
Pagination cursor to receive records after a provided event ID.
The WorkOS API supports idempotency which guarantees that performing the same operation multiple times will have the same result as if the operation were performed only once. This is handy in situations where you may need to retry a request due to a failure or prevent accidental duplicate requests from creating more than one resource.
To achieve idempotency, you can add Idempotency-Key request header to any WorkOS API request with a unique string as the value. Each subsequent request matching this unique string will return the same response. We suggest using v4 UUIDs for idempotency keys to avoid collisions.
curl --request POST \ --url https://api.workos.com/organizations \ -H "Authorization: Bearer sk_example_123456789" \ -H "Idempotency-Key: cd320c5c-e928-4212-a5bd-986c29362867" \ -d 'name="Foo Corp"' \ -d 'domains[]="foo-corp.com"'
Idempotency keys expire after 24 hours. The WorkOS API will generate a new response if you submit a request with an expired key.
An Organization is a top-level resource in WorkOS. Each Connection, Directory, and Audit Trail Event belongs to an Organization. An Organization will usually represent one of your customers.
const organization = { object: 'organization', id: 'org_01EHZNVPK3SFK441A1RGBFSHRT', name: 'Foo Corp', allowProfilesOutsideOrganization: false, createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', domains: [ { id: 'org_domain_01EHZNVPK2QXHMVWCEDQEKY69A', object: 'organization_domain', domain: 'foo-corp.com', }, ], };
interface OrganizationDistinguishes the Organization object.
Unique identifier of the Organization.
A descriptive name for the Organization. This field does not need to be unique.
Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization’s User Email Domains.
The timestamp when the Organization was last created.
The timestamp when the Organization was last updated.
List of Organization Domains.
Get the details of an existing organization.
curl https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT \ --header "Authorization: Bearer sk_example_123456789"
Get a list of all of your existing organizations matching the criteria specified.
curl https://api.workos.com/organizations?domains=foo-corp.com \ --header "Authorization: Bearer sk_example_123456789"
GET/organizationsParameters The domains of an Organization. Any Organization with a matching domain will be returned.
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Organizations in descending order by creation time.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Creates a new organization in the current environment.
curl --request POST \ --url https://api.workos.com/organizations \ --header "Authorization: Bearer sk_example_123456789" \ -d name="Foo Corp" \ -d 'domains[]="foo-corp.com"'
POST/organizationsParameters A descriptive name for the Organization. This field does not need to be unique.
Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization’s User Email Domains.
The domains of the Organization.
At least one domain is required unless allow_profiles_outside_organization is true.
Returns Updates an organization in the current environment.
curl --request PUT \ --url https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT \ --header "Authorization: Bearer sk_example_123456789" \ -d name="Foo Corporation" \ -d 'domains[]="foo-corp.com"'
PUT/organizationsParameters A descriptive name for the Organization. This field does not need to be unique.
Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization’s User Email Domains.
The domains of the Organization.
At least one domain is required unless allow_profiles_outside_organization is true.
Returns Deletes an organization in the current environment.
curl --request DELETE \ --url https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT \ --header "Authorization: Bearer sk_example_123456789"
DELETE/organizationsParameters Unique identifier of the Organization.
An Organization Domain (also known as a User Email Domain) represents an Organization's domain.
These domains restrict which email addresses are able to sign in through SAML Connections when allow_profiles_outside_organization is false. This is the default behavior for Organizations. See here for more details on this behavior.
const organizationDomain = { object: 'organization_domain', id: 'org_01EHZNVPK3SFK441A1RGBFSVCT', domain: 'foo-corp.com', };
interface OrganizationDomainDistinguishes the Organization Domain object.
Unique identifier for the Organization Domain.
Domain for the Organization Domain.
The Single Sign-On API has been modeled to meet the OAuth 2.0 framework specification. As a result, authentication flows constructed using the Single Sign-On API replicate the OAuth 2.0 protocol flow.
In the OAuth 2.0 protocol, a redirect URI is the location your user is redirected to once they have successfully authenticated with their Identity Provider.
In Production Environments, the redirect URI to your application must use HTTPS and there should be at least one redirect URI configured and selected as a default for a WorkOS Environment. This can be done from the SSO Configuration page in the WorkOS dashboard. Without a valid redirect URI, users will be unable to sign in.
Redirect URIs that use HTTP and localhost are allowed in Sandbox Environments.
https://your-app.com/callback?code=01E2RJ4C05B52KKZ8FSRDAP23J&state=dj1kUXc0dzlXZ1hjUQ==
Generate an OAuth 2.0 authorization URL.
WorkOS generates an OAuth 2.0 authorization URL that automatically directs a user to their Identity Provider. Once the user authenticates with their Identity Provider, WorkOS then issues a redirect to your Redirect URI to complete the login flow.
To indicate the connection to use for authentication, use one of the following connection selectors: connection, organization, or provider.
These connection selectors are mutually exclusive, and exactly one must be provided.
curl https://api.workos.com/sso/authorize -G \ -d response_type=code \ -d client_id=client_123456789 \ -d redirect_uri=https://your-app.com/callback \ -d state=dj1kUXc0dzlXZ1hjUQ== \ -d connection=conn_01E4ZCR3C56J083X43JQXF3JK5
GET/ssoThe only valid option for the response type parameter is code.
The code parameter value initiates an Authorization Code Grant Type. This grant type allows a Developer to exchange an authorization code for an access token during the redirect that takes place after a user has authenticated with an Identity Provider.
This value can be obtained from the SSO Configuration page in the WorkOS dashboard.
A Redirect URI to return an authorized user to.
The connection connection selector is used to initiate SSO for a Connection.
The value of this parameter should be a WorkOS Connection ID.
For example, the Developer can persist the WorkOS Connection ID with application User or Team identifiers. WorkOS will use the Connection indicated by the connection parameter to direct the user to the corresponding IdP for authentication.
The organization connection selector is used to initiate SSO for an Organization.
The value of this parameter should be a WorkOS Organization ID.
For example, the Developer can persist the WorkOS Organization ID with application User or Team identifiers. WorkOS will use the organization connection selector to determine the appropriate Connection and IdP to direct the user to for authentication.
Note that the Organization must only have a single active SSO Connection, otherwise an ambiguous_connection_selector error code will be returned.
The provider connection selector is used to initiate SSO using an OAuth provider.
Currently, the only supported values for provider are GoogleOAuth and MicrosoftOAuth. Provide the provider parameter when authenticating Google OAuth users, because Google OAuth does not take a user’s domain into account when logging in with a “Sign in with Google” button.
An optional parameter that can be used to encode arbitrary information to help restore application state between redirects. If included, the redirect URI received from WorkOS will contain the exact state that was passed.
Can be used to pre-fill the username/email address field of the IdP sign-in page for the user, if you know their username ahead of time.
Currently, this parameter is supported for OAuth, OpenID Connect, OktaSAML, and AzureSAML connection types.
Can be used to pre-fill the domain field when initiating authentication with Microsoft OAuth, or with a GoogleSAML connection type.
Returns An OAuth 2.0 authorization URL.
If there is an issue generating an authorization URL, WorkOS will issue a redirect with an error query parameter, an error_description query parameter with additional information, and the original state parameter (if provided). Possible error codes are listed below.
ambiguous_connection_selectorconnection_domain_invalidconnection_invalidconnection_strategy_invalidconnection_unlinkeddomain_connection_selector_not_allowedinvalid_connection_selectorconnection, organization, or provider.organization_invalidprofile_not_allowed_outside_organizationemail that is outside the Organization's User Email Domains and the Organization does not allow this. To resolve this, either add the missing domain to the Organization's User Email Domains or configure the Organization to allow profiles outside of it.server_errorIn addition to the other error codes, OAuth providers may also return the following error codes.
access_deniedoauth_failedA Profile is an object that represents an authenticated user. The Profile object contains information relevant to a user in the form of normalized and raw attributes.
After receiving the Profile for an authenticated user, use the Profile object attributes to persist relevant data to your application’s user model for the specific, authenticated user.
No Profile attributes can be returned other than the normalized attributes listed below, and the raw attributes returned by an Identity Provider.
const profile = { id: 'prof_01DMC79VCBZ0NY2099737PSVF1', connectionId: 'conn_01E4ZCR3C56J083X43JQXF3JK5', organizationId: 'org_01EHWNCE74X7JSDV0X3SZ3KJNY', connectionType: 'OktaSAML', email: 'todd@example.com', firstName: 'Todd', idpId: '00u1a0ufowBJlzPlk357', lastName: 'Rundgren', groups: ['Admins', 'Developers', 'Engineering'], object: 'profile', rawAttributes: {}, };
interface ProfileUnique identifier for the user, assigned by WorkOS.
This value can be persisted to the Developer’s user model and used as a unique key for identifying a specific user.
Unique identifier for the Connection to which the Profile belongs.
The type of the SSO Connection used to authenticate the user. The Connection type may be used to dynamically generate authorization URLs.
Possible values:
ADFSSAMLAdpOidcAuth0SAMLAzureSAMLCasSAMLClassLinkSAMLCloudflareSAMLCyberArkSAMLDuoSAMLGenericOIDCGenericSAMLGoogleOAuthGoogleSAMLJumpCloudSAMLKeycloakSAMLLastPassSAMLLoginGovOidcMagicLinkMicrosoftOAuthMiniOrangeSAMLNetIqSAMLOktaSAMLOneLoginSAMLOracleSAMLPingFederateSAMLPingOneSAMLRipplingSAMLSalesforceSAMLShibbolethGenericSAMLShibbolethSAMLSimpleSamlPhpSAMLVMwareSAMLUnique identifier for the Organization in which the Connection resides.
The user’s email address.
The user’s first name.
The user’s last name.
Unique identifier for the user, assigned by the Identity Provider. Different Identity Providers use different ID formats.
One possible use case for idp_id is associating a user’s SSO Profile with any relevant Directory Sync actions related to that user.
List of groups the user is a member of, used in JIT Provisioning and Role Mapping.
This feature is currently in beta, contact customer support for more information.
Object of key-value pairs containing relevant user data from the Identity Provider.
Raw attributes are an extended set of information one can expect for each user Profile. These raw attributes will vary by Identity Provider and Identity Provider configuration.
Get an access token along with the user Profile using the code passed to your Redirect URI.
curl -X POST "https://api.workos.com/sso/token" \ -d 'client_id=client_123456789' \ -d 'client_secret=sk_example_123456789' \ -d 'grant_type=authorization_code' \ -d 'code=01E2RJ4C05B52KKZ8FSRDAP23J'
POST/ssoParameters This value can be obtained from the SSO Configuration page in the WorkOS dashboard.
The method by which your application will receive an access token. This value should be authorization_code.
The authorization value which was passed back as a query parameter in the callback to the Redirect URI.
Returns objectAn access token that can be exchanged for a user profile. Access tokens expire 5 minutes after they’re created.
The user Profile object.
Exchange an access token for a user’s Profile. Because this profile is returned in the Get a Profile and Token endpoint your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user’s profile.
curl https://api.workos.com/sso/profile \ --header "Authorization: Bearer 01DMEK0J53CVMC32CK5SE0KZ8Q"
GET/ssoParameters The authorization value which was returned along with the profile when calling the Get a Profile and Token endpoint.
Returns A Connection represents the relationship between WorkOS and any collection of application users. This collection of application users may include personal or enterprise Identity Providers, or passwordless authentication methods like Magic Link. As a layer of abstraction, a WorkOS Connection rests between an application and its users, separating an application from the implementation details required by specific standards like OAuth 2.0 and SAML.
const connection = { id: 'conn_01E4ZCR3C56J083X43JQXF3JK5', organizationId: 'org_01EHWNCE74X7JSDV0X3SZ3KJNY', type: 'OktaSAML', name: 'Foo Corp', state: 'active', createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', domains: [ { id: 'org_domain_01EHZNVPK2QXHMVWCEDQEKY69A', object: 'connection_domain', domain: 'foo-corp.com', }, ], };
interface ConnectionUnique identifier for the Connection.
Unique identifier for the Organization in which the Connection resides.
The type of the SSO Connection used to authenticate the user. The Connection type may be used to dynamically generate authorization URLs.
Possible values:
ADFSSAMLAdpOidcAuth0SAMLAzureSAMLCasSAMLClassLinkSAMLCloudflareSAMLCyberArkSAMLDuoSAMLGenericOIDCGenericSAMLGoogleOAuthGoogleSAMLJumpCloudSAMLKeycloakSAMLLastPassSAMLLoginGovOidcMagicLinkMicrosoftOAuthMiniOrangeSAMLNetIqSAMLOktaSAMLOneLoginSAMLOracleSAMLPingFederateSAMLPingOneSAMLRipplingSAMLSalesforceSAMLShibbolethGenericSAMLShibbolethSAMLSimpleSamlPhpSAMLVMwareSAMLA human-readable name for the Connection. This will most commonly be the organization's name.
Indicates whether a Connection is able to authenticate users. Possible values:
activeinactivevalidatingConnections that can’t authenticate users are inactive. When a new connection is configured, it transitions to the validating state until its first successful authentication. After it successfully authorizes a user for the first time, the connection state changes to active.
The timestamp when the Connection was created.
The timestamp when the Connection was last updated.
List of Organization Domains.
Get the details of an existing connection.
curl https://api.workos.com/connections/conn_01E2NPPCT7XQ2MVVYDHWGK1WN4 \ --header "Authorization: Bearer sk_example_123456789"
Get a list of all of your existing connections matching the criteria specified.
curl https://api.workos.com/connections \ --header "Authorization: Bearer sk_example_123456789"
GET/connectionsParameters Filter Connections by their type.
Filter Connections by their associated domain.
Filter Connections by their associated organization.
Pagination cursor to receive records after a provided event ID.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectAn array of Connections in descending order by creation time.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Delete an existing connection.
curl --request DELETE \ --url https://api.workos.com/connections/conn_01E2NPPCT7XQ2MVVYDHWGK1WN4 \ --header "Authorization: Bearer sk_example_123456789"
DELETE/connectionsParameters Unique identifier for the Connection.
Triggers when a connection has been activated, deactivated, or deleted.
{ "event": "connection.activated", "id": "event_10FKJ843CVE8F7BXQSPFH0M53V", "data": { "object": "connection", "id": "conn_01EHWNC0FCBHZ3BJ7EGKYXK0E6", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "state": "active", "connection_type": "OktaSAML", "name": "Foo Corp's Connection", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "id": "conn_domain_01EHWNFTAFCF3CQAE5A9Q0P1YB", "object": "connection_domain", "domain": "foo-corp.com" } ] }, "created_at": "2021-06-25T19:07:33.155Z" }
connection
When receiving a connection.deleted event you can ignore the connection’s state attribute, since it indicates the state before the deletion occurs.
Directory Sync allows you to connect with Directory Providers to inform your application of any changes in their users, groups, or access rules.
Using Directory Sync, one integration grants your application the ability to support multiple Directory Providers. Get real-time updates of any changes to the organization's access rules, groups, and users by integrating webhooks into your application.
For the full list of webhook events, see our handle events guide.
A Directory stores information about an organization's employee management system.
Synchronizing with a Directory enables Developers to receive changes to an organization's User and Group structure.
Directory Providers vary in implementation details and may require different sets of fields for integration, such as API keys, subdomains, endpoints, usernames, etc. Where available, the WorkOS API will provide these fields when fetching Directory records.
const directory = { object: 'directory', id: 'directory_01ECAZ4NV9QMV47GW873HDCX74', domain: 'foo-corp.com', name: 'Foo Corp', organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT', state: 'inactive', type: 'gsuite directory', createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', };
interface DirectoryDistinguishes the Directory object.
Unique identifier for the Directory.
The URL associated with an Enterprise Client.
External Key for the Directory.
The name of the directory.
The unique identifier for the Organization in which the directory resides.
Describes whether the Directory has been successfully connected to an external provider.
activeinactivevalidatingdeletinginvalid_credentialsThe type of external Directory Provider integrated with.
azure scim v2.0bamboohrbreathe hrcezanne hrgeneric scim v1.1generic scim v2.0gsuite directoryjump cloud scim v2.0okta scim v2.0onelogin scim v2.0people hrpingfederate scim v2.0workdayThe timestamp when the Directory was created.
The timestamp when the Directory was last updated.
Get the details of an existing directory.
curl https://api.workos.com/directories/directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
Get a list of all of your existing directories matching the criteria specified.
curl https://api.workos.com/directories?search=WorkOS \ --header "Authorization: Bearer sk_example_123456789"
GET/directoriesParameters The domain of a Directory.
Searchable text to match against Directory names.
Filter Directories by their associated organization.
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Directories in descending order by creation time.
Pagination cursor to receive records after a provided event ID.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Delete an existing directory.
curl --request DELETE \ --url https://api.workos.com/directories/directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
DELETE/directoriesParameters Unique identifier for the Directory.
Triggers when a directory has been activated or deleted.
{ "event": "dsync.activated", "id": "event_01FKJ843CVE8F7BXQSPFH0M53V", "data": { "object": "directory", "external_key": "UWuccu6o1E0GqkYs", "name": "Foo Corp's Directory", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "id": "directory_01EHWNC0FCBHZ3BJ7EGKYXK0E6", "state": "active", "type": "generic scim v2.0", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "object": "organization_domain", "id": "org_domain_01EZTR5N6Y9RQKHK2E9F31KZX6", "domain": "foo-corp.com" } ] }, "created_at": "2021-06-25T19:07:33.155Z" }
dsyncThe type of webhook event.
Unique identifier for the webhook.
The time the event was created.
The updated Directory.
When receiving a dsync.deleted event you can ignore the connection’s state attribute, since it indicates the state before the deletion occurs.
A Directory User represents an active organization user.
Developers can receive Webhooks as employees are added, updated or removed, allowing for provisioning and de-provisioning Users within an application.
The data stored for employees vary per directory provider and may include attributes such as photo URLs, pay groups, supervisors, etc. Where available, the WorkOS API will provide the additional data in the raw_attributes field when fetching Directory User records.
const user = { id: 'directory_user_01E1JG7J09H96KYP8HM9B0G5SJ', idpId: '2836', directoryId: 'directory_01ECAZ4NV9QMV47GW873HDCX74', organizationId: 'org_01EZTR6WYX1A0DSE2CYMGXQ24Y', firstName: 'Marcelina', lastName: 'Davis', jobTitle: 'Software Engineer', emails: [ { primary: true, type: 'work', value: 'marcelina@example.com', }, ], username: 'marcelina@example.com', groups: [ { id: 'directory_group_01E64QTDNS0EGJ0FMCVY9BWGZT', name: 'Engineering', createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', rawAttributes: {}, }, ], state: 'active', createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', customAttributes: { department: 'Engineering', }, rawAttributes: {}, };
interface DirectoryUserUnique identifier for the Directory User.
Unique identifier for the user, assigned by the Directory Provider. Different Directory Providers use different ID formats.
One possible use case for idp_id is associating the Directory User with their SSO Profile.
The identifier of the Directory the Directory User belongs to.
The identifier for the Organization in which the Directory resides.
The first name of the user.
The last name of the user.
The job title of the user.
The type of the email account, e.g. "work" or "personal".
The email address of the user.
Whether this is the primary email of the user.
The username of the user.
The groups that the user is a member of.
The state of the user.
activeinactiveAn object containing the custom attribute mapping for the Directory Provider.
An object containing the data returned from the Directory Provider.
Get the details of an existing Directory User.
curl https://api.workos.com/directory_users/directory_user_01E1JG7J09H96KYP8HM9B0G5SJ \ --header "Authorization: Bearer sk_example_123456789"
Get a list of all of existing Directory Users matching the criteria specified.
curl https://api.workos.com/directory_users?directory=directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
GET/directory_userParameters Unique identifier of the WorkOS Directory.
This value can be obtained from the WorkOS dashboard or from the WorkOS API.
Unique identifier of the WorkOS Directory Group.
This value can be obtained from the WorkOS API.
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Directory Users in descending order by creation time.
Since these can be bulk processed (ex. 10 updates were batched process), there is a secondary sort on the identifier, i.e. id.
Pagination cursor to receive records after a provided event ID.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Triggers when a user has been created, updated, or deleted.
{ "event": "dsync.user.created", "id": "event_07FKJ843CVE8F7BXQSPFH0M53V", "data": { "id": "directory_user_01E1X1B89NH8Z3SDFJR4H7RGX7", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "idp_id": "8931", "emails": [ { "primary": true, "type": "work", "value": "veda@example.com" } ], "first_name": "Lela", "last_name": "Block", "job_title": "Software Engineer", "username": "veda@example.com", "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "custom_attributes": { "department": "Engineering" }, "raw_attributes": {} }, "created_at": "2021-06-25T19:07:33.155Z" }
dsyncThe type of webhook event.
Unique identifier for the webhook.
The time the event was created.
The updated Directory User.
The payload for dsync.user.updated webhooks shows changes between Directory Group snapshots in a previous_attributes property.
The changes in the object are shallow differences for root properties, raw_attributes, and custom_attributes. If the current snapshot has a new attribute that did not exist previously, then the value for the attribute will be indicated as null.
A Directory Group represents an organizational unit of users.
Developers can receive Webhooks as groups are added, updated, or removed, allowing for group-based resource access.
At this time, only the Group identifier and name attributes are returned.
const group = { id: 'directory_group_01E64QTDNS0EGJ0FMCVY9BWGZT', idpId: '02grqrue4294w24', directoryId: 'directory_01ECAZ4NV9QMV47GW873HDCX74', organizationId: 'org_01EZTR6WYX1A0DSE2CYMGXQ24Y', name: 'Developers', createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', rawAttributes: {}, };
interface DirectoryGroupUnique identifier for the Directory Group.
Unique identifier for the group, assigned by the Directory Provider. Different Directory Providers use different ID formats.
The identifier of the Directory the Directory Group belongs to.
The identifier for the Organization in which the Directory resides.
The name of the Directory Group.
The timestamp when the Directory Group was created.
The timestamp when the Directory Group was last updated.
An object containing the data returned from the Directory Provider.
Get the details of an existing Directory Group.
curl https://api.workos.com/directory_groups/directory_group_01E1JJS84MFPPQ3G655FHTKX6Z \ --header "Authorization: Bearer sk_example_123456789"
GET/directory_groupsParameters Unique identifier for the Directory Group.
Returns Get a list of all of existing directory groups matching the criteria specified.
curl https://api.workos.com/directory_groups?directory=directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
GET/directory_groupsParameters Unique identifier of the WorkOS Directory.
This value can be obtained from the WorkOS dashboard or from the WorkOS API.
Unique identifier of the WorkOS Directory User.
This value can be obtained from the WorkOS API.
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Directory Groups in descending order by creation time.
Pagination cursor to receive records after a provided event ID.
Triggers when a group has been created, updated, or deleted. It also triggers when a user is added or removed from a group.
{ "event": "dsync.group.created", "id": "event_44FKJ843CVE8F7BXQSPFH0M53V", "data": { "id": "directory_group_01E1X5GPMMXF4T1DCERMVEEPVW", "idp_id": "02grqrue4294w24", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "name": "Developers", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "raw_attributes": {} }, "created_at": "2021-06-25T19:07:33.155Z" }
dsyncThe type of webhook event.
Unique identifier for the webhook.
The time the event was created.
The updated Directory Group or Directory User.
The payload for dsync.group.updated webhooks shows changes between Directory Group snapshots in a previous_attributes property.
The changes in the object are shallow differences for root properties, raw_attributes, and custom_attributes. If the current snapshot has a new attribute that did not exist previously, then the value for the attribute will be indicated as null.
The Admin Portal is a standalone application where your users can configure and manage WorkOS resources such as Connections and Directories that are scoped to their Organization.
A Portal Link is a temporary endpoint to initiate an Admin Portal session. It expires five minutes after issuance.
https://setup.workos.com?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Generate a Portal Link scoped to an Organization.
curl --request POST \ --url https://api.workos.com/portal/generate_link \ --header "Authorization: Bearer sk_example_123456789" \ -d organization="org_01EHZNVPK3SFK441A1RGBFSHRT" \ -d intent="sso"
POST/portalParameters An Organization identifier.
The intent of the Admin Portal.
sso - Launch Admin Portal for creating SSO connectionsdsync - Launch Admin Portal for creating Directory Sync connectionsaudit_logs - Launch Admin Portal for viewing Audit Logslog_streams - Launch Admin Portal for creating Log StreamsThe URL to which WorkOS should send users when they click on the link to return to your website.
The URL to which WorkOS will redirect users to upon successfully setting up Single Sign-On or Directory Sync.
Returns objectAn ephemeral link to initiate the Admin Portal.
Audit Logs are a collection of events that contain information relevant to notable actions taken by users in your application. Every event in the collection contains details regarding what kind of action was taken (action), who performed the action (actor), what resources were affected by the action (targets), and additional details of when and where the action took place.
Emits an Audit Log Event.
curl --request POST \ --url https://api.workos.com/audit_logs/events \ --header "Authorization: Bearer sk_example_123456789" \ --header "Content-Type: application/json" \ --header "Idempotency-Key: 884793cd-bef4-46cf-8790-e3d4957a09ce" \ -d @- <<BODY { "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "event": { "action": "user.signed_in", "occurred_at": "2022-09-02T16:35:39.317Z", "version": 1, "actor": { "type": "user", "id": "user_TF4C5938", "metadata": { "role": "admin" } }, "targets": [ { "type": "user", "id": "user_98432YHF", "name": "Jon Smith" }, { "type": "team", "id": "team_J8YASKA2", "metadata": { "owner": "user_01GBTCQ2" } } ], "context": { "location": "123.123.123.123", "user_agent": "Chrome/104.0.0.0" }, "metadata": { "extra": "data" } } } BODY
POST/audit_logsParameters The unique ID of the Organization.
Identifier of what happened
ISO-8601 value of when the action occurred
What schema version the event is associated with
Actor type
Actor identifier
Optional actor name
Additional data that should be associated with the event or entity. There is a limit of 50 keys. Key names can be up to 40 characters long, and values can be up to 500 characters long.
Target type
Target identifier
Optional target name
Additional data that should be associated with the event or entity. There is a limit of 50 keys. Key names can be up to 40 characters long, and values can be up to 500 characters long.
IP Address or some other geolocation identifier
User agent string
Additional data that should be associated with the event or entity. There is a limit of 50 keys. Key names can be up to 40 characters long, and values can be up to 500 characters long.
Creates a new Audit Log schema used to validate the payload of incoming Audit Log Events. If the :action does not exist, it will also be created.
curl --request POST \ --url https://api.workos.com/audit_logs/actions/user.viewed_invoice/schemas \ --header "Authorization: Bearer sk_example_123456789" \ --header "Content-Type: application/json" \ -d @- <<BODY { "actor": { "metadata": { "type": "object", "properties": { "role": { "type": "string" } } } }, "targets": [ { "type": "invoice", "metadata": { "type": "object", "properties": { "status": { "type": "string" } } } } ], "metadata": { "type": "object", "properties": { "transactionId": { "type": "string" } } } } BODY
POST/audit_logsParameters JSON schema for Actor metadata
Actor type
Optional JSON schema for target metadata
Optional JSON schema for event metadata
Get a list of all schemas for the Audit Logs action identified by :name.
curl https://api.workos.com/audit_logs/actions/user.viewed_invoice/schemas \ --header "Authorization: Bearer sk_example_123456789"
GET/audit_logsParameters Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Audit Log schemas.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Get a list of all Audit Log actions in the current environment.
curl https://api.workos.com/audit_logs/actions \ --header "Authorization: Bearer sk_example_123456789"
GET/audit_logsParameters Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Audit Log actions.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
An object representing an Audit Log Export.
const auditLogExport = { object: 'audit_log_export', id: 'audit_log_export_01GBZK5MP7TD1YCFQHFR22180V', state: 'ready', url: 'https://exports.audit-logs.com/audit-log-exports/export.csv', created_at: '2022-09-02T17:14:57.094Z', updated_at: '2022-09-02T17:14:57.094Z', };
interface AuditLogExportDistinguishes the Audit Log Export object.
The unique ID of the Audit Log Export.
The timestamp when the Audit Log Export was created.
The timestamp when the Audit Log Export was last updated.
The state of the export. Possible values:
pendingreadyerror.A URL to the CSV file. Only defined when the Audit Log Export is ready.
Create an Audit Log Export.
curl --request POST \ --url https://api.workos.com/audit_logs/exports \ --header "Authorization: Bearer sk_example_123456789" \ -d organization_id="org_01EHZNVPK3SFK441A1RGBFSHRT" \ -d range_start="2022-07-02T18:09:06.996Z" \ -d range_end="2022-09-02T18:09:06.996Z" \ -d 'actions[]=user.signed_in' \ -d 'actors[]=Jon Smith' \ -d 'targets[]=team'
POST/audit_logsParameters The unique ID of the Organization.
ISO-8601 value for start of the export range.
ISO-8601 value for end of the export range.
List of actions to filter against.
List of actor names to filter against.
List of target types to filter against.
Returns Get an Audit Log Export.
curl https://api.workos.com/audit_logs/exports/audit_log_export_01GBZK5MP7TD1YCFQHFR22180V \ --header "Authorization: Bearer sk_example_123456789"
The URL will expire after 10 minutes. If the export is needed again at a later time, refetching the export will regenerate the URL.
Get the configured event retention period for the given Organization.
curl https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT/audit_logs_retention \ --header "Authorization: Bearer sk_example_123456789"
GET/organizationsParameters Unique identifier of the Organization.
Returns objectThe number of days Audit Log events will be retained.
Set the event retention period for the given Organization.
curl --request PUT \ --url https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT/audit_logs_retention \ --header "Authorization: Bearer sk_example_123456789" \ --header "Content-Type: application/json" \ -d '{ "retention_period_in_days": 30 }'
PUT/organizationsParameters Unique identifier of the Organization.
The number of days Audit Log events will be retained. Valid values are 30 and 365.
Returns objectThe number of days Audit Log events will be retained.
A set of user authentication and organization security features designed to provide a fast, scalable integration while handling all of the user management complexity that comes with advanced business and customer needs.
A User object represents a user identity in your application.
A user can sign up in your application directly with a method like password, or they can be JIT provisioned through an organization's SSO connection.
Users can belong to Organizations as members.
const user = { object: 'user', id: 'user_01E4ZCR3C56J083X43JQXF3JK5', email: 'marcelina.davis@example.com', firstName: 'Marcelina', lastName: 'Davis', emailVerified: true, createdAt: '2021-06-25T19:07:33.155Z', updatedAt: '2021-06-25T19:07:33.155Z', };
Get the details of an existing user.
curl https://api.workos.com/user_management/users/user_01E4ZCR3C56J083X43JQXF3JK5 \ --header "Authorization: Bearer sk_example_123456789"
Get a list of all of your existing users matching the criteria specified.
curl https://api.workos.com/user_management/users \ --header "Authorization: Bearer sk_example_123456789"
GET/user_managementParameters Filter Users by their email.
Filter Users by the organization they are members of.
Maximum number of records to return. Accepts values between 1 and 100. Default is 10.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Order the results by the creation time. Supported values are "asc" and "desc" for showing older and newer records first respectively.
Returns objectArray of Users in descending order by creation time.
An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
For example, if you make a list request and receive 100 objects, ending with "obj_123", your subsequent call can include before="obj_123" to fetch a new batch of objects before "obj_123".
Pagination cursor to receive records after a provided event ID.
Create a new user.
After creating a user, you may optionally send the user a verification email.
curl --request POST \ --url https://api.workos.com/user_management/users \ --header "Authorization: Bearer sk_example_123456789" \ --header "Content-Type: application/json" \ -d @- <<BODY { "email": "marcelina@example.com", "password": "i8uv6g34kd490s", "first_name": "Marcelina", "last_name": "Davis", "email_verified": false } BODY
POST/user_managementParameters The email address of the user.
The password to set for the user.
The user's first name.
The user's last name.
Whether the user's email address was previously verified.
You should normally use the Email Verification API
to verify a user's email address. However, if the user's email was previously verified, or
is being migrated from an existing user store, this can be set to true to mark it as
already verified.
Returns Updates the provided properties of a user. Any properties not provided will be left unchanged.
curl --request PUT \ --url https://api.workos.com/user_management/users/user_01EHQ7ZGZ2CZVQJGZ5ZJZ1ZJGZ \ --header "Authorization: Bearer sk_example_123456789" \ --header "Content-Type: application/json" \ -d @- <<BODY { "first_name": "Marcelina", "last_name": "Davis", "email_verified": true } BODY
PUT/user_managementParameters The unique ID of the User.
The user's first name.
The user's last name.
Whether the user's email address was previously verified.
You should normally use the Email Verification API
to verify a user's email address. However, if the user's email was previously verified, or
is being migrated from an existing user store, this can be set to true to mark it as
already verified.
The password to set for the user.
The hashed password to set for the user, used when migrating from another user store. Mutually exclusive with password.
The algorithm originally used to hash the password, used when providing a password_hash. Valid values are bcrypt.
Returns Deletes a user.
curl --request DELETE \ --url https://api.workos.com/user_management/users/user_01F3GZ5ZGZBZVQGZVHJFVXZJGZ \ --header "Authorization: Bearer sk_example_123456789"
DELETE/user_managementParameters The unique ID of the User.
Triggers when a user has been created, updated, or deleted.
{ "id": "event_12345abcdefg", "name": "user.created", "data": { "id": "user_012345678910abcd", "email": "todd@example.com", "object": "user", "last_name": "Rundgren", "created_at": "2023-11-18T09:18:31.427Z", "first_name": "Todd", "updated_at": "2023-11-18T09:18:58.539Z", "email_verified": false }, "createdAt": "2023-11-18T04:18:13.126Z", "updatedAt": "2023-11-18T04:18:13.126Z" }
userThe type of webhook event.
Unique identifier for the webhook.
The time the event was created.
The updated User.