WorkOS

WorkOS is the "Enterprise Ready" identity platform for B2B SaaS — providing AuthKit user management, enterprise SSO (SAML/OIDC), Directory Sync (SCIM 2.0), Multi-Factor Authentication, Audit Logs, Admin Portal, Fine-Grained Authorization (FGA, formerly Warrant), Radar bot/fraud protection, and an emerging suite of agent-oriented surfaces (Pipes, MCP Auth, auth.md).

1 APIs 21 Features

AuthenticationIdentity ProviderSSOSAMLOIDCSCIMDirectory SyncAuthorizationFGAAudit LogsMFAB2B SaaSAgentsMCP

APIs

WorkOS API

REST API for AuthKit user management, SSO, Directory Sync, MFA, Audit Logs, Admin Portal, FGA, Radar, Webhooks, Events, Feature Flags, Pipes (agent auth), Widgets, and WorkOS Co...

Features

Tagline: "Your app, Enterprise Ready."

AuthKit: free up to 1M MAU, then $2,500/mo per additional 1M

Single Sign-On: tiered $50-$125 per active SAML/OIDC connection (1-200+ tiers)

Directory Sync (SCIM): tiered $50-$125 per connection mirroring SSO

Audit Logs: $125/mo per SIEM destination + $99/mo per 1M events retained

Radar: 1,000 checks free, then $100/mo per 50K checks

Custom Domain: $99/mo

Scale Support: $1,000/mo; Enterprise custom

REST base URL: https://api.workos.com (staging: api.workos-test.com)

Default rate limit: 600 req/min; auth 60 req/min; Directory Sync 10/sec

50+ identity provider integrations (Okta, Entra, Google Workspace, JumpCloud, OneLogin, PingFederate, etc.)

SCIM 2.0 directory providers: Azure SCIM, Okta SCIM, BambooHR, Workday, HiBob, Rippling, JumpCloud, OneLogin, PingFederate, S/FTP, generic SCIM 2.0

Bearer token auth (sk_test_*/sk_live_*); supports organization-scoped and user-scoped API keys

Sealed sessions, magic auth, passkeys, social, password, enterprise SSO

FGA (formerly Warrant): relationship-based authorization, custom roles, edge agent

Audit Logs stream to Splunk, Datadog, Elastic and other SIEMs

MCP Auth + Resource Indicators (RFC 8707) for per-server scoping

Pipes: human-approved, provider-scoped credentials for AI agents

auth.md open protocol: agents register for services via Markdown at a domain

Self-service Admin Portal (white-label) for IT admins

SOC 2 Type 2, GDPR, HIPAA-eligible

Semantic Vocabularies

Workos Context

18 classes · 5 properties

JSON-LD

API Governance Rules

WorkOS API Rules

13 rules · 4 errors 6 warnings 3 info

SPECTRAL

Resources

Documentation

APIReference

GitHubOrganization

GitHubOrganization

Capabilities

SpectralRules

Sources

aid: workos
name: WorkOS
description: WorkOS is the "Enterprise Ready" identity platform for B2B SaaS — providing AuthKit user management, enterprise SSO (SAML/OIDC), Directory Sync (SCIM 2.0), Multi-Factor Authentication, Audit Logs, Admin Portal, Fine-Grained Authorization (FGA, formerly Warrant), Radar bot/fraud protection, and an emerging suite of agent-oriented surfaces (Pipes, MCP Auth, auth.md).
type: Index
image: https://kinlane-images.s3.amazonaws.com/shared/apis-json/apis-json-logo.jpg
tags:
  - Authentication
  - Identity Provider
  - SSO
  - SAML
  - OIDC
  - SCIM
  - Directory Sync
  - Authorization
  - FGA
  - Audit Logs
  - MFA
  - B2B SaaS
  - Agents
  - MCP
url: https://raw.githubusercontent.com/api-evangelist/workos/refs/heads/main/apis.yml
created: '2026-03-25'
modified: '2026-05-22'
specificationVersion: '0.19'
apis:
  - aid: workos:workos
    name: WorkOS API
    description: REST API for AuthKit user management, SSO, Directory Sync, MFA, Audit Logs, Admin Portal, FGA, Radar, Webhooks, Events, Feature Flags, Pipes (agent auth), Widgets, and WorkOS Connect. 172 operations across 41 tags; OpenAPI 3.1.1 published by WorkOS at github.com/workos/openapi-spec.
    humanURL: https://workos.com
    baseURL: https://api.workos.com
    tags:
      - Authentication
      - Identity Provider
      - SSO
      - SCIM
      - FGA
      - Audit Logs
      - Agents
    properties:
      - type: Documentation
        url: https://workos.com/docs
      - type: APIReference
        url: https://workos.com/docs/reference
      - type: OpenAPI
        url: https://raw.githubusercontent.com/workos/openapi-spec/main/spec/open-api-spec.yaml
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/workos/main/openapi/workos-openapi.yml
      - type: GitHubRepository
        url: https://github.com/workos/openapi-spec
      - type: StatusPage
        url: https://status.workos.com
      - type: ChangeLog
        url: https://workos.com/changelog
      - type: Pricing
        url: https://workos.com/pricing
      - type: RateLimits
        url: https://workos.com/docs/reference/rate-limits
      - type: Plans
        url: https://raw.githubusercontent.com/api-evangelist/workos/main/plans/workos-plans-pricing.yml
      - type: Capabilities
        url: https://raw.githubusercontent.com/api-evangelist/workos/main/capabilities/shared/workos.yaml
common:
  - type: Website
    url: https://workos.com
  - type: Documentation
    url: https://workos.com/docs
  - type: APIReference
    url: https://workos.com/docs/reference
  - type: GitHubOrganization
    url: https://github.com/workos
  - type: Blog
    url: https://workos.com/blog
  - type: ChangeLog
    url: https://workos.com/changelog
  - type: StatusPage
    url: https://status.workos.com
  - type: Pricing
    url: https://workos.com/pricing
  - type: LinkedIn
    url: https://www.linkedin.com/company/workos-inc
  - type: Features
    data:
      - 'Tagline: "Your app, Enterprise Ready."'
      - 'AuthKit: free up to 1M MAU, then $2,500/mo per additional 1M'
      - 'Single Sign-On: tiered $50-$125 per active SAML/OIDC connection (1-200+ tiers)'
      - 'Directory Sync (SCIM): tiered $50-$125 per connection mirroring SSO'
      - 'Audit Logs: $125/mo per SIEM destination + $99/mo per 1M events retained'
      - 'Radar: 1,000 checks free, then $100/mo per 50K checks'
      - 'Custom Domain: $99/mo'
      - 'Scale Support: $1,000/mo; Enterprise custom'
      - 'REST base URL: https://api.workos.com (staging: api.workos-test.com)'
      - 'Default rate limit: 600 req/min; auth 60 req/min; Directory Sync 10/sec'
      - '50+ identity provider integrations (Okta, Entra, Google Workspace, JumpCloud, OneLogin, PingFederate, etc.)'
      - 'SCIM 2.0 directory providers: Azure SCIM, Okta SCIM, BambooHR, Workday, HiBob, Rippling, JumpCloud, OneLogin, PingFederate, S/FTP, generic SCIM 2.0'
      - 'Bearer token auth (sk_test_*/sk_live_*); supports organization-scoped and user-scoped API keys'
      - 'Sealed sessions, magic auth, passkeys, social, password, enterprise SSO'
      - 'FGA (formerly Warrant): relationship-based authorization, custom roles, edge agent'
      - 'Audit Logs stream to Splunk, Datadog, Elastic and other SIEMs'
      - 'MCP Auth + Resource Indicators (RFC 8707) for per-server scoping'
      - 'Pipes: human-approved, provider-scoped credentials for AI agents'
      - 'auth.md open protocol: agents register for services via Markdown at a domain'
      - 'Self-service Admin Portal (white-label) for IT admins'
      - 'SOC 2 Type 2, GDPR, HIPAA-eligible'
    sources:
      - https://workos.com
      - https://workos.com/pricing
      - https://workos.com/changelog
    updated: '2026-05-22'

  - type: OpenAPI
    name: WorkOS REST API
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/openapi/workos-openapi.yml

  - type: Capabilities
    name: WorkOS Capabilities
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/capabilities/shared/workos.yaml

  - type: Vocabulary
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/vocabulary/workos-vocabulary.yml

  - type: JSONLD
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/json-ld/workos-context.jsonld

  - type: SpectralRules
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/rules/workos-rules.yml

  - type: Plans
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/plans/workos-plans-pricing.yml

  - type: RateLimits
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/rate-limits/workos-rate-limits.yml

  - type: FinOps
    url: https://raw.githubusercontent.com/api-evangelist/workos/main/finops/workos-finops.yml

  # ---------- SDKs (official) ----------
  - name: Node SDK
    url: https://github.com/workos/workos-node
    type: SDK
  - name: Python SDK
    url: https://github.com/workos/workos-python
    type: SDK
  - name: Ruby SDK
    url: https://github.com/workos/workos-ruby
    type: SDK
  - name: Go SDK
    url: https://github.com/workos/workos-go
    type: SDK
  - name: PHP SDK
    url: https://github.com/workos/workos-php
    type: SDK
  - name: .NET SDK
    url: https://github.com/workos/workos-dotnet
    type: SDK
  - name: Kotlin SDK
    url: https://github.com/workos/workos-kotlin
    type: SDK
  - name: Rust SDK
    url: https://github.com/workos/workos-rust
    type: SDK
  - name: Elixir SDK (experimental)
    url: https://github.com/workos/workos-elixir
    type: SDK
  - name: PHP Laravel SDK
    url: https://github.com/workos/workos-php-laravel
    type: SDK

  # ---------- AuthKit framework libraries ----------
  - name: AuthKit (Radix-powered login box)
    url: https://github.com/workos/authkit
    type: SDK
  - name: AuthKit for Next.js
    url: https://github.com/workos/authkit-nextjs
    type: SDK
  - name: AuthKit for React
    url: https://github.com/workos/authkit-react
    type: SDK
  - name: AuthKit for Remix
    url: https://github.com/workos/authkit-remix
    type: SDK
  - name: AuthKit for React Router
    url: https://github.com/workos/authkit-react-router
    type: SDK
  - name: AuthKit for SvelteKit
    url: https://github.com/workos/authkit-sveltekit
    type: SDK
  - name: AuthKit for TanStack Start
    url: https://github.com/workos/authkit-tanstack-start
    type: SDK
  - name: AuthKit JS (vanilla)
    url: https://github.com/workos/authkit-js
    type: SDK
  - name: AuthKit Session
    url: https://github.com/workos/authkit-session
    type: SDK
  - name: AuthKit XMCP
    url: https://github.com/workos/authkit-xmcp
    type: SDK

  # ---------- CLI ----------
  - name: WorkOS CLI (AI-powered AuthKit wizard)
    url: https://github.com/workos/cli
    type: CLI
  - name: WorkOS CLI GitHub Action
    url: https://github.com/workos/cli-action
    type: Tools
  - name: Homebrew Tap
    url: https://github.com/workos/homebrew-tap
    type: Tools

  # ---------- Agent and MCP surfaces ----------
  - name: Pipes MCP Server
    url: https://github.com/workos/pipes-mcp
    type: MCPServer
  - name: mcp.shop (MCP Night demo)
    url: https://github.com/workos/mcp.shop
    type: Tools
  - name: mcp-shop-cloudflare
    url: https://github.com/workos/mcp-shop-cloudflare
    type: Tools
  - name: Vercel MCP Example
    url: https://github.com/workos/vercel-mcp-example
    type: Tools
  - name: auth.md (open protocol for agent service registration)
    url: https://github.com/workos/auth.md
    type: Standard
  - name: Agent Skills (WorkOS Skills repo)
    url: https://github.com/workos/skills
    type: AgentSkill

  # ---------- FGA / Warrant ----------
  - name: Warrant Edge Agent
    url: https://github.com/workos/edge-agent
    type: Tools
  - name: FGA Postgres Row-Level Access Example
    url: https://github.com/workos/fga-row-level-access-control-postgres
    type: Example

  # ---------- Migration / starter kits ----------
  - name: B2B Next.js Starter Kit
    url: https://github.com/workos/next-b2b-starter-kit
    type: StarterKit
  - name: Migrate Clerk Users
    url: https://github.com/workos/migrate-clerk-users
    type: Tools
  - name: Migrate Auth0 Users
    url: https://github.com/workos/migrate-auth0-users
    type: Tools
  - name: WorkOS Migrations
    url: https://github.com/workos/workos-migrations
    type: Tools

  # ---------- Toolchain ----------
  - name: oagen (OpenAPI SDK generator framework)
    url: https://github.com/workos/oagen
    type: Tools
  - name: oagen-emitters
    url: https://github.com/workos/oagen-emitters
    type: Tools

  # ---------- Example apps ----------
  - name: Next.js AuthKit Example
    url: https://github.com/workos/next-authkit-example
    type: Example
  - name: React AuthKit Example
    url: https://github.com/workos/react-authkit-example
    type: Example
  - name: Remix AuthKit Example
    url: https://github.com/workos/remix-authkit-example
    type: Example
  - name: Electron AuthKit Example
    url: https://github.com/workos/electron-authkit-example
    type: Example
  - name: Expo AuthKit Example
    url: https://github.com/workos/expo-authkit-example
    type: Example
  - name: Python AuthKit Example
    url: https://github.com/workos/python-authkit-example
    type: Example
  - name: Ruby AuthKit Example
    url: https://github.com/workos/ruby-authkit-example
    type: Example
  - name: Custom UI AuthKit Example
    url: https://github.com/workos/workos-custom-ui-authkit-example
    type: Example
  - name: Go Example Applications
    url: https://github.com/workos/go-example-applications
    type: Example
  - name: PHP Example Applications
    url: https://github.com/workos/php-example-applications
    type: Example
  - name: Python Django Example Applications
    url: https://github.com/workos/python-django-example-applications
    type: Example
  - name: .NET Example Applications
    url: https://github.com/workos/dotnet-example-applications
    type: Example
  - name: Widgets Examples
    url: https://github.com/workos/widgets-examples
    type: Example
maintainers:
  - FN: Kin Lane
    email: kin@apievangelist.com