WorkOS Docs Homepage
API Reference
API referenceDashboardSign In

API reference

The WorkOS API enables adding Enterprise Ready features to your application. This REST API provides programmatic access to AuthKit (user management), Single Sign-On, Directory Sync, and Audit Log resources.

Sign in to see code examples customized with your API keys and data.

API Base URL

Client libraries

WorkOS offers native SDKs in several popular programming languages. Choose one language below to see our API Reference in your application’s language.

Don't see an SDK you need? Contact us to request an SDK!

Testing the API

You can test the API directly with cURL, or use the Postman collection for convenience.

Check out the guide about the WorkOS API Postman collection to learn more about it.

API Keys

WorkOS authenticates your API requests using your account’s API keys. API requests made without authentication or using an incorrect key will return a 401 error. Requests using a valid key but with insufficient permissions will return a 403 error. All API requests must be made over HTTPS. Any requests made over plain HTTP will fail.

Set API Key

You can view and manage your API keys in the WorkOS Dashboard.

Secure your API Keys

API keys can perform any API request to WorkOS. They should be kept secure and private! Be sure to prevent API keys from being made publicly accessible, such as in client-side code, GitHub, unsecured S3 buckets, and so forth. API keys are prefixed with sk_.

In Staging

Your Staging Environment comes with an API key already generated for you. Staging API keys may be viewed as often as they are needed and will appear inline throughout our documentation in code examples if you are logged in to your WorkOS account. API requests will be scoped to the provided key’s Environment.

In Production

Once you unlock Production access you will need to generate an API Key for it. Production API keys may only be viewed once and will need to be saved in a secure location upon creation of them.

Errors

WorkOS uses standard HTTP response codes to indicate the success or failure of your API requests.

200
Successful request.
400
The request was not acceptable. Check that the parameters were correct.
401
The API key used was invalid.
403
The API key used did not have the correct permissions.
404
The resource was not found.
422
Validation failed for the request. Check that the parameters were correct.
429
Too many requests. Refer to the Rate Limits section.
5xx
Indicates an error with WorkOS servers.

Pagination

Many top-level resources have support for bulk fetches via list API methods. For instance, you can list connections, list directory users, and list directory groups. These list API methods share a common structure, taking at least these four parameters: limit, order, after, and before.

WorkOS utilizes pagination via the after and before parameters. Both parameters take an existing object ID value and return objects in either descending or ascending order by creation time.

Parameters

Rate limits

WorkOS APIs are rate limited to ensure that they are fast for everyone. If you find yourself getting 429 errors, double check your integration to make sure you aren’t making unnecessary requests.

General

NamePathLimit
All requests*6,000 requests per 60 seconds per IP address

This rate limits applies to all environments, staging and production. Exceptions to the general rate limit are listed below.

Single Sign-On

NamePathLimit
Get Authorization URL/sso/authorize1,000 requests per 60 seconds per connection

Directory Sync

NamePathLimit
Directory Users/directory_users4 requests per second per directory

Organizations

NamePathLimit
Delete Organization/organizations/*50 requests per 60 seconds per API key

AuthKit

Rate limiting for AuthKit APIs are enforced on an account basis.

NamePathLimit
Reads/user_management/*1,000 requests per 10 seconds
Writes/user_management/*500 requests per 10 seconds
Authentication/user_management/authenticate10 requests per 60 seconds per email or challenge ID
Magic Auth/user_management/magic_auth/send3 requests per 60 seconds per email
Email verification/user_management/:id/email_verification/send3 requests per 60 seconds per user
Password reset/user_management/password_reset/send3 requests per 60 seconds per email

Hosted AuthKit

NameLimits
Reads1,000 requests per 10 seconds
Writes500 requests per 10 seconds
SSO sign-ins3 requests per 60 seconds per IP address
Email sign-ins10 requests per 60 seconds per email and IP address
Magic Auth sign-ins10 requests per 60 seconds per IP address and challenge ID
Magic Auth code requests3 requests per 60 seconds per IP address and email

Events

Events represent activity that has occurred within WorkOS or within third-party identity and directory providers. They are used to keep your app in sync with WorkOS data. For more details on consuming events in your app, check out the data syncing guide.

Refer to the Events page for a full list of events that WorkOS emits.

List events

Get a list of all of events up to 30 days old.

GET

/events

Parameters

Returns object

Organization

An Organization is a top-level resource in WorkOS. Each Connection, Directory, and Audit Trail Event belongs to an Organization. An Organization will usually represent one of your customers. There is no limit to the number of organizations you can create in WorkOS.

Example Organization

organization

Get an Organization

Get the details of an existing organization.

GET

/organizations/:id

Parameters

Returns

organization

Get an Organization by External ID

Get the details of an existing organization by an external identifier.

GET

/organizations/external_id/:external_id

Parameters

Returns

organization

List Organizations

Get a list of all of your existing organizations matching the criteria specified.

GET

/organizations

Parameters

Returns object

Create an Organization

Creates a new organization in the current environment.

You can include one or more domains to associate with the organization, but you should verify the ownership of every domain before setting its state to verified.

POST

/organizations

Parameters

Returns

organization

Update an Organization

Updates an organization in the current environment.

You can include one or more domains to associate with the organization, but you should verify the ownership of every domain before setting its state to verified.

PUT

/organizations/:id

Parameters

Returns

organization

Delete an Organization

Permanently deletes an organization in the current environment. It cannot be undone.

Request
DELETE

/organizations/:id

Parameters

Organization Domain

An Organization Domain (also known as a User Email Domain) represents an Organization’s domain.

These domains restrict which email addresses are able to sign in through SAML Connections when allow profiles outside organization is false. This is the default behavior for Organizations. See SSO frequently asked questions for more details on this behavior.

Organization domains can be verified manually (through the API or the Dashboard), or through a self-serve flow through the Admin Portal. The organization that defines this domain policy exerts authentication policy control over that domain across your application. For this reason, it is important to verify ownership of manually added domains. Additionally, WorkOS does not allow addition of common consumer domains, like gmail.com.

Example Organization Domain

organization_domain

Roles

A role is an access control resource that can be assigned to organization memberships, directory users, and SSO profiles.

Example Role

Role

List roles for an organization

Get a list of all roles for the provided organization in priority order. Includes all environment and organization roles.

GET

/organizations/:organization_id/roles

Returns object

AuthKit

AuthKit is a user management platform that provides a set of user authentication and organization security features designed to provide a fast, scalable integration while handling all of the user management complexity that comes with advanced B2B customer needs.

To automatically respond to AuthKit activities, like authentication and changes related to the users, use the corresponding events.

User

Represents a user identity in your application. A user can sign up in your application directly with a method like password, or they can be JIT-provisioned through an organization’s SSO connection.

Users may belong to organizations as members.

See the events reference documentation for the user events.

User

user

Get a user

Get the details of an existing user.

GET

/user_management/users/:id

Parameters

Returns

user

Get a user by external ID

Get the details of an existing user by an external identifier.

GET

/user_management/users/external_id/:external_id

Parameters

Returns

user

List users

Get a list of all of your existing users matching the criteria specified.

GET

/user_management/users

Parameters

Returns object

Create a user

Create a new user in the current environment.

POST

/user_management/users

Parameters

Returns

user

Update a user

Updates properties of a user. The omitted properties will be left unchanged.

PUT

/user_management/users/:id

Parameters

Returns

user

Delete a user

Permanently deletes a user in the current environment. It cannot be undone.

Request
DELETE

/user_management/users/:id

Parameters

Identities

Represents User identities obtained from external identity providers.

When a user authenticates using an external provider like Google OAuth, information from that provider will be made available as one of the user’s Identities. You can read more about the process in our identity linking guide.

Applications should check the type before making assumptions about the shape of the identity. Currently only OAuth identities are supported, but more types may be added in the future.

Identity

identity

Get user identities

Get a list of identities associated with the user. A user can have multiple associated identities after going through identity linking. Currently only OAuth identities are supported. More provider types may be added in the future.

GET

/user_management/users/:id/identities

Parameters

Returns

Authentication

Authenticate a user with a specified authentication method.

Get an authorization URL

Generates an OAuth 2.0 authorization URL to authenticate a user with AuthKit or SSO.

GET

/user_management/authorize

Returns

If you are using AuthKit, set the provider parameter to "authkit", which will generate an authorization URL for your AuthKit domain. AuthKit will take care of detecting the user’s authentication method, such as identifying whether they use Email + Password or Single Sign-On,and direct them to the corresponding login flow.

Otherwise, to generate an authorization URL for a WorkOS SSO connection, you’ll have to specify the user’s connection, organization, or OAuth provider as a parameter. These connection selectors are mutually exclusive, and exactly one must be provided. The generated URL automatically directs the user to their identity provider. Once the user authenticates with their identity provider, WorkOS then issues a redirect to your redirect URI to complete the sign-in flow.

Redirect URI

In the OAuth 2.0 protocol, a redirect URI is the location that the user is redirected to once they have successfully authenticated with their identity provider.

When redirecting the user, WorkOS will generate an authorization code and pass it to your redirect URI as a code query parameter, your app will use this code to authenticate the user. Additionally, WorkOS can pass a state parameter back to your application that you may use to encode arbitrary information to restore your application state between the redirects.

Redirect URI with query parameters

You can use state to encode parameters like originating URL and query parameters. This is useful in a flow where unauthenticated users are automatically redirected to a login page. After successful sign in, users will be routed to your redirect URI callback route. From there you can extract the originating URL from state and redirect the user to their intended destination.

You’ll need to configure the allowed redirect URIs for your application via the Redirects page in the dashboard. Without a valid redirect URI, your users will be unable to sign in. Make sure that the redirect URI you use as a parameter to get the authorization URL matches one of the redirect URIs you have configured in the dashboard.

Redirect URIs follow stricter requirements in production environments:

  • HTTPS protocol is required in production environments
  • HTTP and localhost are allowed in staging environments
  • The sole exception is the use of http://127.0.0.1 in production environments to support native clients.

Wildcards

WorkOS supports using wildcard characters in Redirect URIs. The * symbol can be used as a wildcard for subdomains; however, it must be used in accordance with the following rules in order to properly function.

  • The wildcard must be located in a subdomain within the hostname component. For example, http://*.com will not work.
  • The wildcard must be located in the subdomain which is furthest from the root domain. For example, https://sub.*.example.com will not work.
  • The URL must not contain more than one wildcard. For example, https://*.*.example.com will not work.
  • A wildcard character may be prefixed and/or suffixed with additional valid hostname characters. For example, https://prefix-*-suffix.example.com will work.
  • A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard. For example, https://*.example.com will not work with https://sub1.sub2.example.com.
  • In production environments, wildcards cannot be used with public suffix domains. For example, https://*.ngrok-free.app will not work.
  • The wildcard will match a sequence of letters (A through Z, and a through z ); digits (0 through 9), hyphens (-), and underscores (_). For example, https://user:secret@foo.example.com will not work with https://*.example.com.
  • A URL with a wildcard cannot be set as the default redirect URI.

PKCE

The Proof Key for Code Exchange (PKCE) flow is an extension to the OAuth 2.0 Authorization Code flow. It enables public clients, like native apps or single-page apps, to perform the authorization code flow securely. If you are developing a client that makes API calls in public, you’ll need to use this flow.

In this flow, your client generates a code verifier which is a high-entropy cryptographic random string. A code challenge is derived by hashing the code verifier. Instead of using a client secret, provide the code challenge when getting the authorization URL and the code verifier when authenticating a User.

Error codes

If there is an issue generating an authorization URL, the API will return the original redirect URI with error and error_description query parameters. If provided, the state value will also be included.

Redirect URI with an error code

Possible error codes and the corresponding descriptions are listed below.

Error codeDescription
access_deniedThe identity provider denied user access to the client application or the user denied an OAuth authorization request at the identity provider.
ambiguous_connection_selectorA connection could not be uniquely identified using the provided connection selector (e.g., organization). This can occur when there are multiple SSO connections under the same organization. If you need multiple SSO connections for an organization, use the connection parameter to identify which connection to use for SSO.
connection_invalidThere is no connection for the provided ID.
connection_strategy_invalidThe provider has multiple strategies associated per environment.
connection_unlinkedThe connection associated with the request is unlinked.
invalid_connection_selectorA valid connection selector query parameter must be provided in order to correctly determine the proper connection to return an authorization URL for. Valid connection selectors are either connection, organization, or provider.
organization_invalidThere is no organization matching the provided ID.
oauth_failedAn OAuth authorization request failed for a user.
server_errorThe SSO authentication failed for the user. More detailed errors and steps to resolve are available in the Sessions tab on the connection page in the WorkOS Dashboard.

Authenticate with code

Authenticates a user using AuthKit, OAuth or an organization’s SSO connection.

AuthKit handles all authentication methods, however it is conceptually similar to a social login experience. Like OAuth and SSO, AuthKit returns you a code that you can exchange for an authenticated user. See Integrating with AuthKit.

POST

/user_management/authenticate

Parameters

Returns object

Authenticate a user with password

Authenticates a user with email and password.

POST

/user_management/authenticate

Parameters

Returns object

Authenticate with Magic Auth

Authenticates a user by verifying the Magic Auth code sent to the user’s email.

POST

/user_management/authenticate

Parameters

Returns object

Authenticate with refresh token

Use this endpoint to exchange a refresh token for a new access token. Refresh tokens may be rotated after use, so a replacement refresh token is also provided.

POST

/user_management/authenticate

Parameters

Returns object

Authenticate with an email verification code

Authenticates a user with an unverified email and verifies their email address.

A user with an unverified email address won’t be able to authenticate right away. When they attempt to authenticate with their credentials, the API will return an email verification required error that contains a pending authentication token.

If the email setting for email verification is enabled, WorkOS will automatically send a one-time email verification code to the user’s email address. If the email setting is not enabled, retrieve the email verification code to send the email yourself. Use the pending authentication token from the error and the one-time code the user received to authenticate them and to complete the email verification process.

POST

/user_management/authenticate

Parameters

Returns object

Authenticate with a time-based one-time password

Authenticates a user enrolled into MFA using time-based one-time password (TOTP).

Users enrolled into MFA are required to enter a TOTP each time they sign in. When they attempt to authenticate with their credentials, the API will return an MFA challenge error that contains a pending authentication token.

To continue with the authentication flow, challenge one of the factors returned by the MFA challenge error response and present a UI to the user to enter the TOTP code. Then, authenticate the user with the TOTP code, the challenge from the factor, and the pending authentication token from the MFA challenge error.

MFA can be enabled via the Authentication page in the WorkOS dashboard.

POST

/user_management/authenticate

Parameters

Returns object

Authenticate with organization selection

Authenticates a user into an organization they are a member of.

When a user who is a member of multiple organizations attempts to authenticate with their credentials, the API will return an organization selection error that contains a pending authentication token. To continue with the authentication flow, your application should display the list of organizations for the user to choose.

Use the pending authentication token from the error and the organization the user selected in your UI to complete the authentication.

POST

/user_management/authenticate

Parameters

Returns object

Authenticates a user using an AuthKit session cookie. This method does not make a network call, but simply unseals an existing session cookie and decodes the JWT claims from the access token.

JavaScript

userManagement.authenticateWithSessionCookie()

Parameters object

Returns object

Refresh and seal session data

Unseals the provided session data from a user’s session cookie, authenticates with the existing refresh token, and returns the sealed data for the refreshed session.

JavaScript

userManagement.refreshAndSealSessionData()

Parameters object

Returns object

Session tokens

JWKS URL

This hosts the public key that is used for verifying access tokens.

GET

/sso/jwks

Returns

Access token

The access token that is returned in successful authentication responses is a JWT that can be used to verify that a user has an active session. The JWT is signed by a JWKS which can be retrieved from the WorkOS API.

Decoded access token
JSON

Access Token JWT

Refresh token

The refresh token can be used to obtain a new access token using the authenticate with refresh token endpoint. Refresh tokens may only be used once. Refreshes will succeed as long as the user’s session is still active.

Session

Represents an authenticated user’s connection to your application. A session is created when a user signs in through AuthKit and contains information about the authentication method, device details, and session status.

Session
JSON

List sessions

Get a list of all active sessions for a specific user.

GET

/user_management/users/:id/sessions

Parameters

Returns object

Session helpers

After authenticating and storing the encrypted session as a cookie, retrieving and decrypting the session is made easy via the session helper methods.

Load sealed session

Load the session by providing the sealed session and the cookie password.

Load sealed session

userManagement.loadSealedSession()

Parameters object

Returns object

Authenticate

Unseals the session data and checks if the session is still valid.

Authenticate

session.authenticate()

Returns object

Refresh

Refreshes the user’s session with the refresh token. Passing in a new organization ID will switch the user to that organization.

Refresh

session.refresh()

Parameters object

Returns RefreshSessionResponse

Get log out URL

End a user’s session. The user’s browser should be redirected to this URL. Functionally similar to Get logout URL but extracts the session ID automatically from the session data.

Get log out URL

session.getLogOutUrl()

Returns

Authentication errors

Integrating the authentication API directly requires handling error responses for email verification, MFA challenges, identity linking, and organization selection. One or more of these responses may be returned for an authentication attempt with any authentication method.

Hosted AuthKit handles authentication errors for you and may be a good choice if you prefer a simpler integration.

Email verification required error

This error indicates that a user with an unverified email address attempted to authenticate in an environment where email verification is required. It includes a pending authentication token that should be used to complete the authentication.

Email verification required error
JSON
Sends email

email_verification_required

When this error occurs and the email setting for email verification is enabled, WorkOS will automatically send a one-time email verification code to the user’s email address and issue a pending authentication token. If the email setting is not enabled, retrieve the email verification code to send the email verification email yourself. To complete the authentication process, use the pending authentication token from the error and the one-time code the user received to authenticate them and to verify their email address.

The same applies when a user attempts to authenticate with OAuth or SSO, but there was already an account with a matching unverified email address.

MFA enrollment error

This error indicates that a user who is not enrolled into MFA attempted to authenticate in an environment where MFA is required. It includes a pending authentication token that should be used to authenticate the user once they enroll into MFA.

MFA enrollment error
JSON

mfa_enrollment

When this error occurs, you’ll need to present an MFA enrollment UI to the user. Once the user has enrolled, present an MFA challenge UI to the user and authenticate them with their TOTP code and the pending authentication token from this error.

MFA can be enabled via the Authentication page in the WorkOS dashboard.

MFA challenge error

This error indicates that a user enrolled into MFA attempted to authenticate in an environment where MFA is required. It includes a pending authentication token and a list of factors that the user is enrolled in that should be used to complete the authentication.

MFA challenge error
JSON

mfa_challenge

When this error occurs, you’ll need to present an MFA challenge UI to the user and authenticate them with their TOTP code, the pending authentication token from this error, and a challenge that corresponds to one of the authentication factors.

MFA can be enabled via the Authentication page in the WorkOS dashboard.

Organization selection required error

This error indicates that the user is a member of multiple organizations and must select which organization to sign in to. It includes a list of organizations the user is a member of and a pending authentication token that should be used to complete the authentication.

Organization selection required error
JSON

organization_selection_required

When this error occurs, you’ll need to display the list of organizations that the user is a member of and authenticate them with the selected organization using the pending authentication token from the error.

SSO required error

This error indicates that a user attempted to authenticate into an organization that requires SSO using a different authentication method. It includes a list of SSO connections that may be used to complete the authentication.

SSO required error
JSON

sso_required

When this error occurs, you’ll need to use one of the SSO connections from the error to get the authorization URL and redirect the user to that URL to complete the authentication with the organization’s identity provider.

Organization authentication required error

This error indicates that a user attempted to authenticate with an authentication method that is not allowed by the organization that has a domain policy managing this user. It includes all the possible methods the user can use to authenticate.

Organization authentication required error
JSON

organization_authentication_methods_required

When this error occurs, you’ll need to present the user with these options so they can choose which method to continue authentication.

Magic Auth

Magic Auth is a passwordless authentication method that allows users to sign in or sign up via a unique, six digit one-time-use code sent to their email inbox. To verify the code, authenticate the user with Magic Auth.

Example Magic Auth

Get a Magic Auth code

Get the details of an existing Magic Auth code that can be used to send an email to a user for authentication.

GET

/user_management/magic_auth/:id

Parameters

Returns

magic_auth

Create a Magic Auth code

Creates a one-time authentication code that can be sent to the user’s email address. The code expires in 10 minutes. To verify the code, authenticate the user with Magic Auth.

POSTSends email

/user_management/magic_auth

Parameters

Returns

magic_auth

Multi-Factor Authentication

Enroll users in multi-factor authentication for an additional layer of security. MFA can be enabled via the Authentication page in the WorkOS dashboard.

Authentication factor

Represents an authentication factor.

Authentication factor

authentication_factor

Authentication challenge

Represents a challenge of an authentication factor.

Authentication challenge

authentication_challenge

Enroll an authentication factor

Enrolls a user in a new authentication factor.

Request
POST

/user_management/users/:id/auth_factors

Parameters

Returns object

List authentication factors

Lists the authentication factors for a user.

Request
GET

/user_management/users/:id/auth_factors

Parameters

Returns object

Email verification

Email verification is a security feature that requires users to verify their email address before they can sign in to your application. It is enabled by default.

Users signing in with Magic Auth, Google OAuth, Apple OAuth, or SSO are automatically verified. For other authentication methods, an email verification flow is required to confirm that the user’s email address belongs to them.

Example email verification

Get an email verification code

Get the details of an existing email verification code that can be used to send an email to a user for verification.

GET

/user_management/email_verification/:id

Parameters

Returns

email_verification

Password reset

Create a password reset token for a user and reset the user’s password.

When a user’s password is reset, all of their active sessions are revoked.

Example Password reset

Get a password reset token

Get the details of an existing password reset token that can be used to reset a user’s password.

GET

/user_management/password_reset/:id

Parameters

Returns

password_reset

Create a password reset token

Creates a one-time token that can be used to reset a user’s password.

POSTSends email

/user_management/password_reset

Parameters

Returns

password_reset

Reset the password

Sets a new password using the token query parameter from the link that the user received. Successfully resetting the password will verify a user’s email, if it hasn’t been verified yet.

Request
POST

/user_management/password_reset/confirm

Parameters

Returns object

Organization membership

An organization membership is a top-level resource that represents a user’s relationship with an organization. A user may be a member of zero, one, or many organizations.

See the events reference documentation for the organization membership events.

Example organization membership

organization_membership

Get an organization membership

Get the details of an existing organization membership.

GET

/user_management/organization_memberships/:id

Parameters

Returns

organization_membership

List organization memberships

Get a list of all organization memberships matching the criteria specified. At least one of user_id or organization_id must be provided. By default only active memberships are returned. Use the statuses parameter to filter by other statuses.

GET

/user_management/organization_memberships

Parameters

Returns object

Create an organization membership

Creates a new active organization membership for the given organization and user.

Calling this API with an organization and user that match an inactive organization membership will activate the membership with the specified role.

POST

/user_management/organization_memberships

Parameters

Returns

organization_membership

Update an organization membership

Update the details of an existing organization membership.

PUT

/user_management/organization_memberships/:id

Parameters

Returns

organization_membership

Delete an organization membership

Permanently deletes an existing organization membership. It cannot be undone.

Request
DELETE

/user_management/organization_memberships/:id

Parameters

Deactivate an organization membership

Deactivates an active organization membership. Emits an organization_membership.updated event upon successful deactivation.

  • Deactivating an inactive membership is a no-op and does not emit an event.
  • Deactivating a pending membership returns an error. This membership should be deleted instead.

See the membership management documentation for additional details.

PUT

/user_management/organization_memberships/:id/deactivate

Parameters

Returns

organization_membership

Reactivate an organization membership

Reactivates an inactive organization membership, retaining the pre-existing role. Emits an organization_membership.updated event upon successful reactivation.

  • Reactivating an active membership is a no-op and does not emit an event.
  • Reactivating a pending membership returns an error. The user needs to accept the invitation instead.

See the membership management documentation for additional details.

PUT

/user_management/organization_memberships/:id/reactivate

Parameters

Returns

organization_membership

Invitation

An email invitation allows the recipient to sign up for your app and join a specific organization. When an invitation is accepted, a user and a corresponding organization membership are created.

Users may be invited to your app without joining an organization, or they may be invited to join an organization if they already have an account. Invitations may be also issued on behalf of another user. In this case, the invitation email will mention the name of the user who invited the recipient.

Example invitation

Get an invitation

Get the details of an existing invitation.

GET

/user_management/invitations/:id

Parameters

Returns

invitation

Find an invitation by token

Retrieve an existing invitation using the token.

GET

/user_management/invitations/by_token/:token

Parameters

Returns

invitation

List invitations

Get a list of all of invitations matching the criteria specified.

GET

/user_management/invitations

Parameters

Returns object

Send an invitation

Sends an invitation email to the recipient.

POSTSends email

/user_management/invitations

Parameters

Returns

invitation

Accept an invitation

Accepts an invitation and, if linked to an organization, activates the user’s membership in that organization.

In most cases, use existing authentication methods like authenticateWithCode, which also accept an invitation token. These methods offer the same functionality (invitation acceptance and membership activation) while also signing the user in.

This method is useful for apps requiring a highly customized invitation flow, as it focuses solely on handling invitations without authentication. It’s also helpful when users can be invited to multiple organizations and need a way to accept invitations after signing in.

Your application should verify that the invitation is intended for the user accepting it. For example, by fetching the invitation using the find-by-token endpoint and ensuring the email matches the email address of the accepting user.

POST

/user_management/invitations/:id/accept

Parameters

Returns

invitation

Revoke an invitation

Revokes an existing invitation.

POST

/user_management/invitations/:id/revoke

Parameters

Returns

invitation

Logout

End a user’s session. The user’s browser should be redirected to this URL.

Get logout URL

GET

/user_management/sessions/logout

Parameters

Returns

Get logout URL from session cookie

Generates the logout URL by extracting the session ID from the session cookie. Use this over getLogoutUrl if you don’t have a saved reference to the session ID and you’d like the SDK to handle extracting the session ID from the cookie for you.

JavaScript

userManagement.getLogoutUrlFromSessionCookie()

Parameters object

Returns

CLI Auth

CLI Auth enables command-line applications to authenticate users through the web using the OAuth 2.0 Device Authorization Flow.

The CLI Auth flow involves two main endpoints:

  1. The device authorization URL initiates the flow by obtaining a device code, user code, and verification URIs.
  2. The device access token URL is where the device exchanges the device code for access and refresh tokens after the user authenticates.

Read more about CLI Auth here.

Get device authorization URL

Initiates the CLI Auth flow by requesting a device code and verification URLs. This endpoint implements the OAuth 2.0 Device Authorization Flow (RFC 8628) and is designed for command-line applications or other devices with limited input capabilities.

cURL
POST

/user_management/authorize/device

Parameters

Returns

Device code

Exchanges a device code for access and refresh tokens as part of the CLI Auth flow. This endpoint should be polled repeatedly until the user authorizes the request, declines it, or the device code expires.

cURL
POST

/user_management/authenticate

Parameters

Returns

Error codes

When polling the device code endpoint, you may receive various error responses before the user completes authorization or if authorization fails. These errors help your application understand the current state and take appropriate action.

Possible error codes and the corresponding descriptions are listed below.

Error codeDescription
authorization_pendingThe authorization request is still pending as the user hasn’t yet completed the user interaction flow. Continue polling at the specified interval.
slow_downThe client is polling too frequently and should slow down. Increase your polling interval by at least 5 seconds and continue polling.
access_deniedThe user declined the authorization request. Stop polling and inform the user that authorization was denied.
expired_tokenThe device code has expired (typically after 5 minutes). Stop polling and restart the authorization flow if needed.
invalid_requestThe request is missing a required parameter or includes an invalid parameter value. Check that grant_type, device_code, and client_id are provided and correct.
invalid_clientClient authentication failed (e.g., unknown client, client authentication not included, or unsupported authentication method).
invalid_grantThe provided device code is invalid, malformed, or has already been used.
unsupported_grant_typeThe grant type is not supported. Ensure you’re using urn:ietf:params:oauth:grant-type:device_code.

Error response format

All error responses are returned with a 400 status code and follow the OAuth 2.0 error response format. For example:

Single Sign-On

The Single Sign-On API has been modeled to meet the OAuth 2.0 framework specification. As a result, authentication flows constructed using the Single Sign-On API replicate the OAuth 2.0 protocol flow.

To automatically respond to changes in your SSO connections, use the Connection events.

Get an authorization URL

Generates an OAuth 2.0 authorization URL to authenticate a user with SSO.

GET

/sso/authorize

Returns

You’ll have to specify the user’s connection, organization, or OAuth provider as a parameter. These connection selectors are mutually exclusive, and exactly one must be provided. The generated URL automatically directs the user to their identity provider. Once the user authenticates with their identity provider, WorkOS then issues a redirect to your redirect URI to complete the sign-in flow.

Redirect URI

In the OAuth 2.0 protocol, a redirect URI is the location that the user is redirected to once they have successfully authenticated with their identity provider.

When redirecting the user, WorkOS will generate an authorization code and pass it to your redirect URI as a code query parameter, your app will use this code to get the user’s profile. Additionally, WorkOS can pass a state parameter back to your application that you may use to encode arbitrary information to restore your application state between the redirects.

Redirect URI with query parameters

You’ll need to configure the allowed redirect URIs for your application via the Redirects page in the dashboard. Without a valid redirect URI, your users will be unable to sign in. Make sure that the redirect URI you use as a parameter to get the authorization URL matches one of the redirect URIs you have configured in the dashboard.

Redirect URIs follow stricter requirements in production environments:

  • HTTPS protocol is required in production environments
  • HTTP and localhost are allowed in staging environments
  • Wildcard characters are not allowed in production environments

Wildcards

WorkOS supports using wildcard characters in Redirect URIs. The * symbol can be used as a wildcard for subdomains; however, it must be used in accordance with the following rules in order to properly function.

  • The wildcard must be located in a subdomain within the hostname component. For example, http://*.com will not work.
  • The wildcard must be located in the subdomain which is furthest from the root domain. For example, https://sub.*.example.com will not work.
  • The URL must not contain more than one wildcard. For example, https://*.*.example.com will not work.
  • A wildcard character may be prefixed and/or suffixed with additional valid hostname characters. For example, https://prefix-*-suffix.example.com will work.
  • A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard. For example, https://*.example.com will not work with https://sub1.sub2.example.com.
  • In production environments, wildcards cannot be used with public suffix domains. For example, https://*.ngrok-free.app will not work.
  • The wildcard will match a sequence of letters (A through Z, and a through z ); digits (0 through 9), hyphens (-), and underscores (_). For example, https://user:secret@foo.example.com will not work with https://*.example.com.
  • A URL with a wildcard cannot be set as the default redirect URI.

Error codes

If there is an issue generating an authorization URL, the API will return the original redirect URI with error and error_description query parameters. If provided, the state value will also be included.

Redirect URI with an error code

Possible error codes and the corresponding descriptions are listed below.

Error codeDescription
access_deniedThe identity provider denied user access to the client application or the user denied an OAuth authorization request at the identity provider.
ambiguous_connection_selectorA connection could not be uniquely identified using the provided connection selector (e.g., organization). This can occur when there are multiple SSO connections under the same organization. If you need multiple SSO connections for an organization, use the connection parameter to identify which connection to use for SSO.
connection_domain_invalidThere is no connection for the provided domain.
connection_invalidThere is no connection for the provided ID.
connection_strategy_invalidThe provider has multiple strategies associated per environment.
connection_unlinkedThe connection associated with the request is unlinked.
domain_connection_selector_not_allowedThis is a legacy error code that only applies if using the deprecated “domain” query parameter which is no longer valid for this endpoint. Use the “organization” or “connection” query parameters to target a connection instead.
idp_initiated_sso_disabledIdP-initiated SSO is disabled for the connection (see Disable IdP-initiated SSO).
invalid_connection_selectorA valid connection selector query parameter must be provided in order to correctly determine the proper connection to return an authorization URL for. Valid connection selectors are either connection, organization, or provider.
organization_invalidThere is no organization matching the provided ID.
oauth_failedAn OAuth authorization request failed for a user.
profile_not_allowed_outside_organizationA profile was received that has an email that is outside the organization’s domain and the organization does not allow this. To resolve this, add the missing domain to the organization’s Domains. You can read about other options in the SSO Domains guide.
server_errorThe SSO authentication failed for the user. More detailed errors and steps to resolve are available in the Sessions tab on the connection page in the WorkOS Dashboard.

Profile

A Profile is an object that represents an authenticated user. The Profile object contains information relevant to a user in the form of normalized attributes.

After receiving the Profile for an authenticated user, use the Profile object attributes to persist relevant data to your application’s user model for the specific, authenticated user.

No Profile attributes can be returned other than the normalized attributes listed below.

Example Profile

profile

Get a Profile and Token

Get an access token along with the user Profile using the code passed to your Redirect URI.

POST

/sso/token

Parameters

Returns object

Get a User Profile

Exchange an access token for a user’s Profile. Because this profile is returned in the Get a Profile and Token endpoint your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user’s profile.

GET

/sso/profile

Parameters

Returns

profile

Connection

A connection represents the relationship between WorkOS and any collection of application users. This collection of application users may include personal or enterprise identity providers. As a layer of abstraction, a WorkOS connection rests between an application and its users, separating an application from the implementation details required by specific standards like OAuth 2.0 and SAML.

See the events reference documentation for the connection events.

Example Connection

connection

Get a Connection

Get the details of an existing connection.

GET

/connections/:id

Parameters

Returns

connection

List Connections

Get a list of all of your existing connections matching the criteria specified.

GET

/connections

Parameters

Returns object

Delete a Connection

Permanently deletes an existing connection. It cannot be undone.

Request
DELETE

/connections/:id

Parameters

Directory Sync

Directory Sync allows you to connect with directory providers to inform your application of any changes in their users, groups, or access rules.

Using Directory Sync, one integration grants your application the ability to support multiple directory providers. Get real-time updates of any changes to the organization’s access rules, groups, and users by integrating webhooks into your application.

To automatically respond to changes in the connected directories and their users and groups, use the Directory Sync events.

Directory

A directory stores information about an organization’s employee management system.

Synchronizing with a directory enables you to receive changes to an organization’s user and group structure.

Directory providers vary in implementation details and may require different sets of fields for integration, such as API keys, subdomains, endpoints, usernames, etc. Where available, the WorkOS API will provide these fields when fetching directory records.

Example Directory

directory

Get a Directory

Get the details of an existing directory.

GET

/directory/:id

Parameters

Returns

directory

List Directories

Get a list of all of your existing directories matching the criteria specified.

GET

/directories

Parameters

Returns object

Delete a Directory

Permanently deletes an existing directory. It cannot be undone.

Request
DELETE

/directories/:id

Parameters

Directory User

A Directory User represents an active organization user.

Developers can receive Webhooks as employees are added, updated or removed, allowing for provisioning and de-provisioning Users within an application.

Example Directory User

directory_user

Get a Directory User

Get the details of an existing Directory User.

GET

/directory_users/:id

Parameters

Returns

directory_user

List Directory Users

Get a list of all of existing Directory Users matching the criteria specified.

GET

/directory_user

Parameters

Returns object

Directory Group

A directory group represents an organizational unit of users in a directory provider.

Example Directory Group

directory_group

Get a Directory Group

Get the details of an existing Directory Group.

GET

/directory_groups/:id

Parameters

Returns

directory_group

List Directory Groups

Get a list of all of existing directory groups matching the criteria specified.

GET

/directory_groups

Parameters

Returns object

Admin Portal

The Admin Portal is a standalone application where your users can configure and manage WorkOS resources such as Connections and Directories that are scoped to their Organization.

A Portal Link is a temporary endpoint to initiate an Admin Portal session. It expires five minutes after issuance.

Example Portal Link URL

Generate a Portal Link

Generate a Portal Link scoped to an Organization.

POST

/portal/generate_link

Parameters

Returns object

Provider Icons

Icons for third-party providers are available through the WorkOS CDN. These icons cover identity providers, Directory Sync, and domain verification services used within the Admin Portal.

List Provider Icons

Get a list of all of existing provider icons.

cURL
ResourcesThe icons are also available as a Figma community file.
Open in Figma

Get a Provider Icon

To use an icon in your project, you can reference the CDN link directly. You can alternate between light and dark mode icons by changing the path in the URL or using CSS media queries.

Example icon

You can change the icons to grayscale by adding the filter CSS property.

Grayscale style

Audit Logs

Audit Logs are a collection of events that contain information relevant to notable actions taken by users in your application. Every event in the collection contains details regarding what kind of action was taken (action), who performed the action (actor), what resources were affected by the action (targets), and additional details of when and where the action took place.

Create Event

Create an Audit Log Event.

This API supports idempotency which guarantees that performing the same operation multiple times will have the same result as if the operation were performed only once. This is handy in situations where you may need to retry a request due to a failure or prevent accidental duplicate requests from creating more than one resource.

To achieve idempotency, you can add Idempotency-Key request header to a Create Event request with a unique string as the value. Each subsequent request matching this unique string will return the same response. We suggest using v4 UUIDs for idempotency keys to avoid collisions.

Idempotency keys expire after 24 hours. The API will generate a new response if you submit a request with an expired key.

Request
POST

/audit_logs/events

Parameters

Audit Log Schema

An object representing an Audit Log Schema.

Audit Log Schema

audit_log_schema

Create Schema

Creates a new Audit Log schema used to validate the payload of incoming Audit Log Events. If the action does not exist, it will also be created.

Request
POST

/audit_logs/actions/:name/schemas

Parameters

Returns

audit_log_schema

List Schemas

Get a list of all schemas for the Audit Logs action identified by :name.

cURL
GET

/audit_logs/actions/:name/schemas

Parameters

Returns object

List Actions

Get a list of all Audit Log actions in the current environment.

cURL
GET

/audit_logs/actions

Parameters

Returns object

Audit Log Export

An object representing an Audit Log Export.

Audit Log Export

audit_log_export

Create Export

Create an Audit Log Export.

POST

/audit_logs/exports

Parameters

Returns

audit_log_export

Get Export

Get an Audit Log Export.

GET

/audit_logs/exports/:id

Parameters

Returns

audit_log_export

The URL will expire after 10 minutes. If the export is needed again at a later time, refetching the export will regenerate the URL.

Get Retention

Get the configured event retention period for the given Organization.

cURL
GET

/organizations/:id/audit_logs_retention

Parameters

Returns object

Set Retention

Set the event retention period for the given Organization.

cURL
PUT

/organizations/:id/audit_logs_retention

Parameters

Returns object

Organization domain

An organization domain represents an organization’s domain. Domains can be verified to assert that an organization owns the configured domain which is accomplished through DNS TXT record verification.

To automatically respond to changes in the organization domains, use organization domain events.

Example organization domain

Get an Organization Domain

Get the details of an existing organization.

GET

/organization_domains/:id

Parameters

Returns

organization_domain

Create an Organization Domain

Creates a new Organization Domain.

POST

/organization-domains

Parameters

Returns

organization_domain

Verify an Organization Domain

Initiates verification process for an Organization Domain.

POST

/organization-domains/:id/verify

Parameters

Returns

organization_domain

Authentication Factor

An object representing an Authentication Factor.

Example Authentication Factor

authentication_factor

Authentication Challenge

An object representing a Challenge of an Authentication Factor.

Example Authentication Challenge

authentication_challenge

Enroll Factor

Enrolls an Authentication Factor to be used as an additional factor of authentication. The returned ID should be used to create an authentication Challenge.

POST

/auth/factors/enroll

Parameters

Returns

authentication_factor

Challenge Factor

Creates a Challenge for an Authentication Factor.

POST

/auth/factors/:id/challenge

Parameters

Returns

authentication_challenge

Verify Challenge

Verify Authentication Challenge.

POST

/auth/challenges/:id/verify

Parameters

Returns object

Get Factor

Gets an Authentication Factor.

GET

/auth/factors/:id

Parameters

Returns

authentication_factor

Delete Factor

Permanently deletes an Authentication Factor. It cannot be undone.

Request
DELETE

/auth/factors/:id

Parameters

Fine-Grained Authorization

Fine-Grained Authorization (FGA) is a set of APIs designed to help you implement scalable, centralized, fine grained authorization in your application.

Resource Type

Represents a type of resource and its possible relationships in your application. See Resource Types to learn more about relation rules. See JSON Syntax for more examples.

Resource Type
cURL

resource_type

Get a resource type

Get the definition of an existing resource type.

cURL
GET

/fga/v1/resource-types/:type

Parameters

Returns

resource_type

List resource types

Get a list of all your existing resource types matching the criteria specified.

cURL
GET

/fga/v1/resource-types

Parameters

Returns

Create a resource type

Create a new resource type in the current environment.

cURL
POST

/fga/v1/resource-types

Parameters

Returns

resource_type

Update a resource type

Update properties of a resource type.

cURL
PUT

/fga/v1/resource-types

Parameters object

Returns

resource_type

Delete a resource type

Deletes a resource type in the current environment.

Request
cURL
DELETE

/fga/v1/resource-types/:type

Parameters

Apply resource types

Sets resource types in the current environment to match the provided resource types.

This endpoint performs a batch operation which will override your entire schema for the environment. Any existing resource types not included in the request will be deleted.

cURL
PUT

/fga/v1/resource-types

Parameters

Returns

Warrant

Represents a relation between resources in your application.

Warrant

warrant

List warrants

Get a list of all your existing warrants matching the criteria specified.

GET

/fga/v1/warrants

Parameters

Returns

Create a warrant

Creates a new warrant in the current environment.

POST

/fga/v1/warrants

Parameters

Returns object

Delete a warrant

Deletes a warrant in the current environment.

POST

/fga/v1/warrants

Parameters

Returns object

Batch Write Warrants

Executes a batch of warrant writes in the current environment.

POST

/fga/v1/warrants

Parameters

Returns

Resource

Represents a resource in your application.

Resource

resource

Get a resource

Get an existing resource.

GET

/fga/v1/resources/:resource_type/:resource_id

Parameters

Returns

resource

List resources

Get a list of all your existing resources matching the criteria specified.

GET

/fga/v1/resources

Parameters

Returns

Create a resource

Create a new resource in the current environment.

POST

/fga/v1/resources

Parameters

Returns

resource

Update a resource

Update the meta of an existing resource in the current environment.

PUT

/fga/v1/resources/:resource_type/:resource_id

Parameters

Returns

resource

Delete a resource

Deletes a resource in the current environment.

Deleting a resource will also delete all warrants where the resource is the resource or subject of the warrant.

Request
DELETE

/fga/v1/resources/:resource_type/:resource_id

Parameters

Batch write resources

Create or delete up to 100 resources in one request.

Batch create resources

POST

/fga/v1/resources/batch

Parameters

Returns

Batch delete resources

POST

/fga/v1/resources/batch

Parameters

Returns

Policy

Represents a policy that defines the access control rules for your application.

Policy
cURL

policy

Get a policy

Get the definition of an existing policy.

cURL
GET

/fga/v1/policies/:name

Parameters

Returns

policy

List policies

Get a list of all your existing policies matching the criteria specified.

cURL
GET

/fga/v1/policies

Parameters

Returns

Create a policy

Create a new policy in the current environment.

cURL
POST

/fga/v1/policies

Parameters

Returns

policy

Update a policy

Update properties of a policy.

cURL
PUT

/fga/v1/policies

Parameters

Returns

policy

Delete a policy

Deletes a policy in the current environment.

Request
cURL
DELETE

/fga/v1/policies/:name

Parameters

Check

Check if a subject has a particular relation on a resource.

Single Check

POST

/fga/v1/check

Parameters

Returns object

Multiple Checks

POST

/fga/v1/check

Parameters

Returns object

Batch Check

Executes a batch of checks and returns a list of results in a single operation.

POST

/fga/v1/check

Parameters

Returns

Query

Use the Query Language to list the set of subjects that have access to a particular resource or to list the set of resources a particular subject has access to.

GET

/fga/v1/query

Parameters

Returns object

Schema

Represents the authorization model in your FGA environment. Includes resource type definitions and policies that define how authorization checks are processed.

Schema
cURL

Get a schema

Get the authorization model for your current environment.

cURL
GET

/fga/v1/schema

Returns

schema

Apply schema

Sets resource types and policies in the current environment.

This endpoint performs a batch operation which will override your entire schema for the environment. Any existing resource types and policies not included in the request will be deleted.

cURL
POST

/fga/v1/schema

Parameters

Returns

schema

Widgets

Widgets are React components that provide complete functionality for common enterprise app workflows.

Generate a Widget token

Generate a widget token scoped to an organization and user with the specified scopes.

POST

/widgets/token

Parameters

Returns object

Vault

Vault provides centralized encryption and storage of sensitive data such as API keys, database credentials, or personally identifiable information (PII). All data is encrypted using keys automatically provisioned based on the provided context of the object.

Encrypted Object

Represents an encrypted object stored by Vault.

Object

object

Create an object

Create a new object, encrypted with the key(s) matching the provided key context.

POST

/vault/v1/kv

Parameters

Returns

Get an object

Get an existing object. The stored value will be decrypted and returned.

GET

/vault/v1/kv/:id

Parameters

Returns

object

Update an object value

Update the value for an object. The key context of the original object will be used to encrypt the new data.

PUT

/vault/v1/kv/:id

Parameters

Returns

Retrieve metadata

Retrieve metadata about an object. The value itself is not returned.

GET

/vault/v1/kv/:id/metadata

Parameters

Returns

List objects

Get list of object names stored in Vault.

GET

/vault/v1/kv

Parameters

Returns object

Delete an object

Permanently delete an object.

DELETE

/vault/v1/kv/:id

Parameters

Returns

Object Version

Represents a static version of an object stored by Vault.

Object Version

List object versions

Get list of versions for an object stored in Vault.

GET

/vault/v1/kv/:id/versions

Parameters

Returns object

Encryption Key Management

The key management APIs can be used to generate isolated encryption keys for local encryption and decryption operations.

Create a data key

Generate a data key for local encryption based on the provided key context.

The encrypted data key MUST be stored by the application, as it cannot be retrieved after generation.

POST

/vault/v1/keys/data-key

Parameters

Returns object

Decrypt a data key

Decrypt a data key that was previously encrypted using WorkOS Vault.

POST

/vault/v1/keys/decrypt

Parameters

Returns object

Encrypt data

Perform a local encryption option. A data key is generated based on the provided key context and used to encrypt the data. The operation happens locally and neither the plaintext nor encrypted data are sent over the network.

cURL

vault.encrypt()

Parameters

Returns

Decrypt data

Decrypt data that was previously encrypted with Vault. The data key in the ciphertext is decrypted using the Vault API and used to decrypt the remaining data. The decryption operations happen locally and neither the plaintext nor encrypted data are sent over the network.

cURL

vault.decrypt()

Parameters

Returns

WorkOS Connect

WorkOS Connect is a unified interface that simplifies authentication and authorization across customers, partners, and external SaaS tools.

Read more about how Connect integrates with AuthKit here.

Authorize

When authenticating a user for a WorkOS Connect application, this is the endpoint they should be redirected to. If they’re not already logged in, the user will be redirected to the AuthKit login page. For a third-party application, the user will have to authorize the application’s access on their first access.

cURL
GET

/oauth2/authorize

Parameters

Returns

Token

This endpoint is called by WorkOS Connect Applications to get access tokens, ID tokens, and refresh tokens, depending on the grant_type provided when requested.

This endpoint is authenticated by providing the WorkOS Application’s client ID and client secret in the body of the request.

There are four grant types available:

Each is described in greater detail below.

Authorization code grant

Used by WorkOS Connect OAuth Applications to exchange an authorization code for access tokens, ID tokens, and refresh tokens.

cURL
POST

/oauth2/token

Parameters

Returns object

Access token

The access token for WorkOS Connect OAuth Applications contains the following claims.

Decoded access token
JSON

Access token JWT

ID token

The ID token, when requested with the openid scope, contains information about the user’s identity, like name and email address.

Decoded ID token
JSON

ID token JWT

Refresh token grant

Used by WorkOS Connect OAuth Applications to exchange a refresh token for new access tokens and/or ID tokens. The refresh token is provided when the initial oauth2/authorize request is made with the offline_access scope.

The access token and ID tokens issued here are the same as those issued for the initial authorization_code grant.

cURL
POST

/oauth2/token

Parameters

Returns object

Client credentials grant

Used by WorkOS Connect M2M Applications to exchange the app’s credentials for access tokens.

cURL
POST

/oauth2/token

Parameters

Returns object

Access token

The access token for WorkOS Connect M2M Applications contains the following claims.

Decoded access token
JSON

Access token JWT

Token introspection

Indicates whether the given token (access token or refresh token) is valid and active. Additionally, it provides details about the token.

This endpoint is authenticated by provided the WorkOS Application’s client ID and client secret in the body of the request.

cURL
POST

/oauth2/token

Parameters

Returns object

User information

Provides information about the User referenced by the access token’s sub claim. Which claims are returned depends on the scopes originally granted when the access token was issued.

This endpoint is authenticated by providing the previously acquired access token in the Authorization header.

cURL
POST

/oauth2/userinfo

Returns

Metadata

Connect exposes several metadata endpoints in order to be compatible with a wide array of clients that support discovery and automatic configuration.

OpenID configuration

This discovery endpoint provides the standard configuration for OpenID clients to interact with WorkOS Connect.

cURL
GET

/.well-known/openid-configuration

Returns object

OAuth Authorization Server

This endpoint provides RFC 6749-compatible OAuth Authorization Server metadata.

Model Context Protocol (MCP) clients that support the latest version of the specification use this endpoint. Read more here about how to use AuthKit as an authorization server for an MCP server.

cURL
GET

/.well-known/oauth-authorization-server

Returns object

CLI Auth

CLI Auth for WorkOS Connect enables third-party applications to build command-line tools that integrate with your app’s credentials using the OAuth 2.0 Device Authorization Flow.

The CLI Auth flow for Connect involves two main endpoints:

  1. The device authorization URL initiates the flow by obtaining device codes, user codes, and verification URIs.
  2. The device access token URL is where the device exchanges the device code for access and refresh tokens after the user authenticates.

Read more about CLI Auth here.

Authorize device

Initiates the device authorization flow for WorkOS Connect applications. This endpoint implements the OAuth 2.0 Device Authorization Flow and is designed for CLI applications and other devices with limited input capabilities.

This endpoint is used by third-party applications to authenticate users through WorkOS Connect. Users will be prompted to authorize the application’s access to their data as part of the consent flow.

cURL
POST

/oauth2/device_authorization

Parameters

Returns

Device code grant

Exchanges a device code for access and refresh tokens as part of the device authorization flow for WorkOS Connect applications. This endpoint should be polled repeatedly until the user authorizes the request, declines it, or the device code expires.

cURL
POST

/oauth2/token

Parameters

Returns

The returned tokens are similar to those provided by the authorization code grant.

Radar

Radar allows you to detect, verify, and block harmful behavior in real time. The Radar API supports the management of WorkOS Radar block and allow lists as well as standalone Radar use-cases. While Radar is natively integrated with AuthKit, you can also leverage Radar’s risk decisioning engine outside of AuthKit to detect fraudulent sign-in and signup attempts in your own custom authentication flows using the attempts API.

The Radar standalone API is currently in preview, contact us to request access.

Attempts

A Radar attempt represents a sign-in or signup attempt and includes context such as IP address and user agent. The Radar engine assesses attempts for risk and returns a decision that you can use to drive behavior in your application.

Create an Attempt

Evaluates an authentication attempt based on the parameters provided and returns a verdict.

cURL
POST

/radar/attempts

Returns

Update an Attempt

You may optionally inform Radar that an authentication attempt or challenge was successful using this endpoint. Some Radar controls depend on tracking recent successful attempts, such as impossible travel.

cURL
PUT

/radar/attempts/:id

Parameters

Radar lists

Radar supports explicitly blocking and allowing attempts based on attempt attributes. You can manage these lists via the Radar list management APIs

Add Entry

Adds an entry to a Radar list

cURL
POST

/radar/lists/:type/:action

Parameters

Remove Entry

Removes an entry from a Radar list

cURL
DELETE

/radar/lists/:type/:action

Parameters

Magic Link

Deprecated API: Magic Link has been replaced by the AuthKit Magic Auth API.

The Magic Link API can be used to add Passwordless Authentication to your app.

Passwordless SessionDeprecated

An object representing a passwordless authentication session.

Example Passwordless Session

passwordless_session

Create Passwordless SessionDeprecated

Create a Passwordless Session for a Magic Link Connection.

POST

/passwordless/sessions

Parameters

Returns

passwordless_session

Email a Magic LinkDeprecated

Email a user the Magic Link confirmation URL.

POSTSends email

/passwordless/sessions/:id/send

Parameters

Returns object