Agents need context.Give it to them.
Enable agents to work with data from your users' other apps.
Pipes
Integrations for your apps & agents.
Connect to any service in minutes, with pre-built OAuth flows, UI widgets, and more.
One API to rule them all.
Your users connect their tools. Your app gets the access token. It's that easy.
Step 01
export function PipesPage({ authToken }) { return ( <WorkOsWidgets> <Pipes authToken={authToken} /> </WorkOsWidgets> );}User connects via the Widget
Drop in the Widget. Users authorize via OAuth and the refresh token stays in Pipes.
Step 02
const { accessToken } = await workos.pipes.getAccessToken({ provider: 'github', userId: userId, organizationId: organizationId, });You call getAccessToken()
One call returns a valid token, always. Pipes handles expiry, refresh, and concurrency.
Step 03
Tokenya29.a0AfH6SMk...
Providergoogle-drive
StatusFresh
Stored inVault
Credentials stored in Vault
Scoped to the user, stored in Vault, ready to use.
Connect your app to the world.
Popular SaaS apps supported out of the box. Connect a custom app and Pipes handles it the same way via OAuth or API key.
Your app
Supercharge your agents with integrations.
More context makes for smarter products. And smarter products win.
Agents take actions.Keep them safe.
Scoped consent means your agent can only access what was granted.
Credentials are a liability.Move them off your stack.
Credentials are stored encrypted. Revoke access with a single call.
Your agent runs for hours.Can your credentials keep up?
Most integrations assume a human is driving. An agent running overnight needs credentials that refresh automatically
MCP-native interface
Connect your agents to Pipes via MCP. One server, every tool your user authorized.
Survives refresh
Say goodbye to failures from expired credentials. Tokens from Pipes are automatically refreshed.
Human or agent: same primitive
Use the same connection for user or agent integration. One authorization, two actors.
Revocation in one call
When a user disconnects, access stops instantly. No token still sitting somewhere.
A unified platform for every integration.
Say goodbye to fragmented integrations. With Pipes, a single crisp API gets your app (or agent) a token.
import { WorkOS } from '@workos-inc/node';const workos = new WorkOS('sk_example_123456789');const token = await workos.pipes.getAccessToken({ userId: 'user_01EHZNVPK3SFK441A1RGBFSHRT', organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT', provider: 'github',});Keep the trust. Move the risk.
When your app stores a customer's refresh token, you're holding a key to their data. Pipes takes that liability off your stack.
Session-scoped credentials
Credentials tied to a single session. Access expires automatically when it ends.
SOC 2 · HIPAA · GDPR
Compliance posture inherited from the WorkOS platform.
PKCE by default
Pipes always picks the strongest available auth flow.
Vault-backed storage
Every token encrypted at rest via AES-256.
Start with integrations. Scale with WorkOS.
Pipes sits alongside SSO, Directory Sync, Audit Logs, and AuthKit. Same API key, same dashboard, same compliance posture in one managed infrastructure platform.
