WorkOS Blog

https://workos.com

Developer APIs / SDKs for enterprise-ready features like Single Sign-On (SSO/SAML), Passwordless Authentication, Directory Sync (SCIM), Audit Trail (SIEM), and more. Get started for free.

Feed

Passkeys
WorkOS Blog
Passkeys allow you to log into your account using biometrics instead of a password. They are now available for free to all AuthKit customers.
1 day ago
SCIM challenges: navigating the idiosyncrasies of different providers
WorkOS Blog
Every provider does SCIM differently. If you don't pay attention, the results can be catastrophic. Read about these differences, the challenges that arise from them, and how WorkOS can help you overcome them.
4 days ago
Best practices for CLI authentication: a technical guide
WorkOS Blog
Learn how to securely authenticate users accessing your service through a command-line tool, enabling safe, scriptable workflows across terminals, machines, and Docker containers.
5 days ago
How SAML certificate renewal works - and what happens when it fails
WorkOS Blog
Learn why it is important for SAML certificates to expire and how having a plan in place to handle expiration can avoid downtime.
5 days ago
What is SCIM? The ultimate guide
WorkOS Blog
What is SCIM, and why do you need to support it in your SaaS? We’ll discuss the SCIM standard in-depth, how it works, and how you can add SCIM support to your app.
6 days ago
How to add social logins in your app with WorkOS
WorkOS Blog
Learn what social logins are, how they work, and how you can integrate them into your app using WorkOS.
8 days ago
JWT validation: how-to and best libraries to use
WorkOS Blog
Learn about JSON Web Token (JWT) validation, why it’s important, what the best practices are, and how to do it using trusted third-party libraries.
8 days ago
How SCIM deprovisioning works
WorkOS Blog
Learn what user deprovisioning is, how it works with SCIM, and how you can implement it with WorkOS.
11 days ago
What is Universal Login and how does it work?
WorkOS Blog
Universal Login or Universal SSO streamlines user authentication to log employees into multiple apps quickly and securely. Learn how it works.
11 days ago
What is user provisioning?
WorkOS Blog
User provisioning simplifies onboarding, tightens security, and automates user access management.
11 days ago
ReBAC vs RBAC: What's the difference and which should you choose?
WorkOS Blog
RBAC associates permissions with roles, which are then assigned to users. ReBAC allows you to model complex relationships. Which is better for your use case?
11 days ago
Top 5 Google Zanzibar open-source implementations in 2024
WorkOS Blog
Google Zanzibar is a globally distributed authorization system that manages permissions at scale. Learn how it works and which open source implementations are right for you.
11 days ago
What is the Okta Integration Network?
WorkOS Blog
What is the Okta App Store or Integration Network (OIN), and should you use it?
12 days ago
What is an Authentication token?
WorkOS Blog
Learn what authentication tokens are, the different types, and how you can generate and secure them.
12 days ago
How to add SSO to your app with WorkOS
WorkOS Blog
Learn why Single Sign-On (SSO) is essential, which are the best practices to follow, and how to add SSO to your app using WorkOS.
13 days ago
How to secure RAG applications with Fine-Grained Authorization: tutorial with code
WorkOS Blog
With RAG and GenAI applications, how can you ensure users only see results from documents they have permission to access? In this runnable tutorial, we demo using WorkOS Fine-Grained Authorization to secure your documents.
14 days ago
OTP bots explained: what they are and how to stop them
WorkOS Blog
Learn how OTP bots work, their role in bypassing MFA, and the top methods to protect your accounts from these cyber threats.
15 days ago
Model your B2B SaaS with organizations
WorkOS Blog
A guide on how to model your SaaS using organizations and WorkOS.
18 days ago
What is the Azure AD or Entra ID app gallery and why should you care?
WorkOS Blog
The Microsoft Entra ID app gallery is a collection of thousands of apps pre-integrated with the Microsoft Identity stack. Learn how this gallery can help, and when it's not the right choice.
19 days ago
The easiest way to implement SAML in any app
WorkOS Blog
Implementing SAML on your own can be a challenge. In this article, we’ll show you an easier way of adding SAML support to any app using the WorkOS SSO API.
20 days ago
How SCIM provisioning works - tutorial with API calls
WorkOS Blog
SCIM is a widely used protocol, but not many people understand it. This straightforward and comprehensive guide steps through how it works, using real-world examples and API calls and responses.
1 month ago
The Developer’s Guide to Fine-Grained Authorization
WorkOS Blog
As apps have become more complex, especially with the rise of user-generated content, the need for a more granular and scalable authorization scheme has become crucial. Unlike other models, Fine-Grained Authorization defines permissions at the resource level, providing precision and the ability to handle millions of authorization requests per second.
1 month ago
Auth0 pricing: how it works and compares to WorkOS
WorkOS Blog
High costs, low usage caps, and opaque pricing are common complaints users voice about Auth0. This post provides a detailed breakdown of the pricing models of Auth0 and WorkOS, and how WorkOS delivers more transparent and competitive pricing options for B2B SaaS companies.
1 month ago
Ruby SAML CVE-2024-45409: As bad as it gets and hiding in plain sight
WorkOS Blog
On September 10th, 2024, a critical security flaw was disclosed in the Ruby-SAML and OmniAuth-SAML libraries, exposing a vulnerability that allows complete authentication bypass. This flaw, CVE-2024-45409, earned the highest possible score of 10 on GitHub's CVE rubric and a 9.8 NIST base score, making it a "worst-case scenario".
1 month ago
X.509 certificates: what they are & how to get one
WorkOS Blog
Learn what X.509 certificates are and how to generate them with our comprehensive guide. Easy-to-follow steps included.
1 month ago
From RBAC to Fine-Grained Authorization part II: integrate with your app
WorkOS Blog
A technical guide on how you can migrate your RBAC implementation to Fine-Grained Authorization (FGA) using WorkOS. Learn how to check a user’s access to resources, manage your FGA implementation, and favor performance vs consistency on a per request basis.
1 month ago
From RBAC to Fine-Grained Authorization part I: design your model
WorkOS Blog
Migrate your RBAC implementation to Fine-Grained Authorization (FGA) using WorkOS. Learn what FGA is, how to define resources, relationships, and inheritance rules, and how to test and validate the access model.
1 month ago
What is Enterprise SSO and why does it matter?
WorkOS Blog
Learn what enterprise SSO is, why enterprises need it, how it works, and why you should support it in your SaaS.
1 month ago
What is OpenID Connect (OIDC)?
WorkOS Blog
Learn what OpenID Connect (OIDC) is, how it works, why you should use it, and how to implement it using WorkOS.
1 month ago
September Updates
WorkOS Blog
Enterprise Ready Conference, HIPAA compliance, frontend sessions, AuthKit branding customization
2 months ago
What is Single Logout and why is there such limited support for it?
WorkOS Blog
Learn what single logout is, its benefits, why it's important, and why it has such limited support.
2 months ago
Session management for frontend apps with AuthKit
WorkOS Blog
AuthKit now supports sessions for public clients, like mobile and single-page apps. Use the WorkOS React SDK to keep your users logged in for longer while keeping them safe from attacks.
2 months ago
The Developer’s Guide to Auth Sessions
WorkOS Blog
Learn what sessions are and how you can implement them from scratch or using an auth provider like WorkOS.
2 months ago
Secure authentication for frontend apps with PKCE
WorkOS Blog
Learn what PKCE is, why it's essential for securely authenticating users in mobile and single-page apps, and how you can keep your users safe by using AuthKit and WorkOS.
2 months ago
What are fine-grained permissions?
WorkOS Blog
An in-depth look at fine-grained permissions, their benefits, challenges, use cases, and best practices for implementation.
2 months ago
OAuth vs. OAuth 2: differences + what you need to know
WorkOS Blog
Learn the most important differences between OAuth vs. OAuth 2.
2 months ago
The five different types of authentication
WorkOS Blog
Learn about the five major types of authentication and understand how they work.
2 months ago
Coarse-grained vs. fine-grained access control: which should you use?
WorkOS Blog
Compare coarse-grained vs. fine-grained access control and find out which is right for you.
2 months ago
What is fine-grained access control?
WorkOS Blog
Learn what Fine-Grained Access Control is and how it works.
2 months ago
August Updates
WorkOS Blog
Certificate renewal flow, organization switching APIs, modeling your app docs, provider icons API
2 months ago
What is Attribute Based Access Control (ABAC)?
WorkOS Blog
Attribute-Based Access Control (ABAC) provides a targeted, more precise way to manage who can see and use different resources and under which conditions.
3 months ago
What is Authorization (AuthZ)?
WorkOS Blog
Learn what authorization is, its different patterns, and best practices.
3 months ago
Managing SAML X.509 Certificates
WorkOS Blog
In this article, we’ll dive into what SAML X.509 certificates are, their role in your SAML Single Sign-On (SSO) connections, and best practices for managing these to ensure there is no downtime for your enterprise customers.
3 months ago
Auth Glossary
WorkOS Blog
A glossary of terms and definitions for all things related to authentication and authorization.
3 months ago
Build vs. buy part II: ROI comparison between homegrown and pre-built solutions
WorkOS Blog
For high-growth startups, time is the single most important resource. It’s so important that months of delay in shipping SSO and SCIM can result in a potential revenue loss of $7.95M compared to using a pre-built solution. The ROI difference is staggering too: 9% for a homegrown solution vs. 1,954% for a pre-built one. This article explains the methodologies used to calculate these numbers.
3 months ago
What is data access control?
WorkOS Blog
Learn what data access control is, why it matters, the various types, when to implement it, and effective strategies for doing so.
3 months ago
SCIM vs SSO: What's the difference and how do they work together?
WorkOS Blog
SCIM vs SSO: Learn the differences between SCIM and SSO and how they work together in identity and access management.
3 months ago
What is Google Zanzibar?
WorkOS Blog
Learn what Google Zanzibar is, how to implement it, and how it compares to other authorization technologies.
3 months ago
July Updates
WorkOS Blog
RBAC for AuthKit, Fine-Grained Authorization early access, SCIM role assignment, updated Node SDK, and new Log Streams destination
4 months ago
Implementation challenges of a homegrown SCIM solution
WorkOS Blog
SCIM provisioning is an important enterprise feature that provides user lifecycle management (ULM) and automated access control. Building this in-house means you must deal with fragmentation issues across onboarding, implementation, and triage, incurring significant engineering cost, delayed time to market, and potential security issues.
4 months ago
Build vs buy part I: complexities of building SSO and SCIM in-house
WorkOS Blog
Time is invaluable for SaaS startups aiming to become Enterprise Ready quickly. Building complex (yet table stakes) features in-house, like SSO and SCIM, can significantly delay enterprise adoption. In part 1, we will dive into the hidden challenges you will face with a homegrown solution, highlighting just how demanding and time-consuming the process can be.
4 months ago
Introducing Role-Based Access Control (RBAC) for AuthKit
WorkOS Blog
AuthKit now supports RBAC as part of its core authorization capabilities. RBAC is a common authorization scheme where each user is assigned one or more roles, and each role is assigned a set of permissions that defines which resources and actions the user can access in your application.
4 months ago
The Developer’s Guide to RBAC and IdPs: Part II
WorkOS Blog
When building authorization for enterprise customers, supporting IdP role mapping is a challenging yet important task. This allows organizations to manage their roles and permissions through a single source of truth, the IdP, rather than dealing with unique permissions schemes for each SaaS tool.
4 months ago
What is RBAC? How it works and when to use it
WorkOS Blog
Learn all about RBAC, how it works, its benefits, and when to use it.
4 months ago
Unlocking the power of SCIM: streamlining enterprise user management
WorkOS Blog
SCIM plays an important role when selling to larger enterprises with IT teams that need to manage access for thousands of users. This post explains why you should prioritize implementing SCIM and the use cases it unlocks: improved security, automated provisioning and access management, and simplified billing.
4 months ago
The Developer's Guide to RBAC: Part I
WorkOS Blog
Authorization often takes a backseat to authentication, but it becomes critical as applications scale and require finer access control. This blog series covers the transition from basic role-based access control (RBAC) to more advanced fine-grained authorization (FGA), offering practical guidance for engineers implementing these systems.
4 months ago
Key differences between CCPA and GDPR: How location affects enterprise compliance
WorkOS Blog
Discover the key compliance differences between CCPA and GDPR and how each law affects your business operations.
4 months ago
June Updates
WorkOS Blog
Developer Week recap, Apple OAuth, User Management with SCIM, IdP role assignment, the Remix example app, and more
5 months ago
Lessons in safe identity linking
WorkOS Blog
Identity linking consolidates duplicate accounts with their own authentication credentials into a single account. While this seems straightforward, it involves a number of considerations around email and domain verification. WorkOS handles these complexities and provides secure identity linking by default.
5 months ago
From four to five 9s of uptime by migrating to Kubernetes
WorkOS Blog
When we launched User Management along with a free tier of up to 1 million MAUs, we faced several challenges using Heroku: the lack of an SLA, limited rollout functionality, and inadequate data locality options. To address these, we migrated to Kubernetes on EKS, developing a custom platform called Terrace to streamline deployment, secret management, and automated load balancing.
5 months ago
Why you should rethink your webhook strategy
WorkOS Blog
Find out about the common problems with webhooks, like out-of-order events and traffic surges, and how the Events API solves them.
5 months ago
Auth in Middleware, Or How I Learned to Stop Worrying and Love the Edge
WorkOS Blog
Route-level authentication specifies which pages require authentication, keeping relevant logic together. Middleware-level authentication follows a Zero Trust model and simplifies group route authentication. The choice depends on your application architecture, but an additional authorization layer is needed for complete security.
5 months ago
Migrating to Next.js App Router with zero downtime
WorkOS Blog
Can you really adopt Next.js App Router incrementally? At WorkOS, we learned that you can’t really migrate a complex app page by page without a hit to the UX. Instead, we worked out a migration guide that allowed us to test our entire app with App Router while still serving the Pages Router to users—before making the final switch.
5 months ago
Single-Tenant vs Multi-Tenant: Which Option is Right for Your SaaS App?
WorkOS Blog
A comparison of single-tenant vs multi-tenant architecture: How they work, their pros and cons, and tips to decide which one suits your SaaS best.
5 months ago
SSO vs OAuth: Key Differences You Must Know
WorkOS Blog
Compare OAuth vs SSO to learn what they are and which you should use in your SaaS.
5 months ago
The 3 Best Alternatives to SAML SSO
WorkOS Blog
Discover the best three alternatives to SAML SSO: OAuth 2.0, OpenID Connect, and WS-Fed. Understand what each protocol offers and find out which one is the best fit for your needs.
5 months ago
May Updates
WorkOS Blog
Send your own AuthKit emails, PKCE support for SSO, Events API for filtering orgs, soft deletion support in User Management
6 months ago
You Need a SCIM Server — Here’s the Easiest Way to Create One
WorkOS Blog
Learn how to build a SCIM server for your app with WorkOS.
6 months ago
What is IDaaS and What is it Used For?
WorkOS Blog
Learn what an IDaaS is, how it works and why it makes sense to use one.
6 months ago
What is Authentication (AuthN)?
WorkOS Blog
Authentication (AuthN) is the process of verifying the identity of users or systems before granting access to resources, essential for ensuring security in applications. This blog explores various AuthN methods like passwords, multi-factor authentication, and biometrics, and discusses the trade-offs of building in-house or using third-party providers.
6 months ago
SaaS Authentication: The Best Method(s) to Use For Your App
WorkOS Blog
Learn what SaaS authentication is, explore popular SaaS authentication methods, and find out how to choose and implement the right one.
6 months ago
What is ReBAC? (Relationship-Based Access Control)
WorkOS Blog
Relationship-Based Access Control (ReBAC) is an authorization model that grants access based on user-resource relationships, offering a more dynamic approach compared to RBAC and ABAC. This blog breaks down how ReBAC works, its benefits and implementation challenges, and when it's the best fit for your app.
6 months ago
What is Multi-tenancy? Pros, Cons & Best Practices
WorkOS Blog
Multi-tenancy is a software architecture where multiple users share a single application instance while keeping their data separate, making it cost-efficient and easier to manage. This blog explains multi-tenancy, its advantages and disadvantages, and offers best practices for implementation.
6 months ago
What is Identity Provisioning?
WorkOS Blog
Learn what identity provisioning is, how it works, its benefits, and the protocols that enable it.
7 months ago
April Updates
WorkOS Blog
GitHub secret scanning partnership, API endpoints for user auth methods and IdP identifiers, and Perplexity Enterprise Pro for all customers
7 months ago
Top 5 Open Source SSO Solutions (Pros, Cons And What to Watch Out For)
WorkOS Blog
Our roundup of the best 5 open source SSO providers and how to choose the right one.
7 months ago
Special offer for all WorkOS customers: Perplexity Enterprise Pro
WorkOS Blog
Perplexity is giving all WorkOS customers 3 free months of Perplexity Enterprise Pro.
7 months ago
4 types of access control: what you need to know + how to implement
WorkOS Blog
Learn about the 4 main types of access control, how they work and how to choose the right one for your company.
7 months ago
WorkOS acquires Warrant
WorkOS Blog
Today, we are excited to announce the acquisition of Warrant, the Fine Grained Authorization (FGA) service for developers. This is a major step in WorkOS’ vision to become the world’s best platform for identity, authentication, and authorization.
7 months ago
What does Deprovisioning Mean?
WorkOS Blog
Learn about deprovisioning user access with SCIM and the differences in deprovisioning strategies amongst major IdPs.
7 months ago
SCIM 2.0 vs SCIM 1.0 - What’s The Difference Between The Two Versions?
WorkOS Blog
Exploring the differences between SCIM 2.0 and SCIM 1.0, and what's new in the latest version of the protocol
8 months ago
The Developer's Guide to User Management
WorkOS Blog
Developer resource for modern day user management, including 101 topics like SSO and MFA as well as more advanced concepts like identity linking, email verification, and JIT provisioning.
8 months ago
March Updates
WorkOS Blog
Sessions, Roles, Impersonation, streaming to Datadog, new JavaScript runtimes support, and Radix Themes 3.0
8 months ago
Launch Week Day 5: Impersonation
WorkOS Blog
Compared to alternatives like screen sharing, written documentation, or shared login credentials, impersonation provides an effective and secure way for your support team to troubleshoot.
8 months ago
Launch Week Day 4: Cloudflare Workers & Edge support
WorkOS Blog
The workos-node library now supports JavaScript environments like Deno, Bun, Cloudflare Workers, Vercel, and Node, simplifying API requests across these platforms.
8 months ago
Launch Week Day 3: Stream WorkOS events to Datadog
WorkOS Blog
The new Datadog integration now lets you stream WorkOS events and generate comprehensive reports of all end-user logins, offering improved monitoring and debugging.
8 months ago
Launch Week Day 2: Roles
WorkOS Blog
With Roles, defining access control levels for your users is now a breeze. When a user session is initiated, role information will appear by default.
8 months ago
Launch Week Day 1: Sessions
WorkOS Blog
Session management is the mechanism for securely handling interactions between a user and an application within a specific time frame. Sessions are now available to all WorkOS users for free.
8 months ago
OAuth vs OpenID: Understanding the Key Differences
WorkOS Blog
OAuth vs OpenID: Learn how they work, their pros and cons, and when to use each or both.
8 months ago
SAML vs OAuth: What's the Difference + Which should you use?
WorkOS Blog
Exploring the differences between SAML and OAuth, how they function, and how to choose which one to support.
8 months ago
LDAP vs SSO
WorkOS Blog
We compare LDAP vs SSO to learn what they are, how they work, and when to use which.
8 months ago
Active Directory SCIM - Can you sync Active Directory users and groups with SCIM?
WorkOS Blog
Learn how to sync Active Directory users to any SaaS app using the SCIM protocol.
8 months ago
February Updates
WorkOS Blog
Test SSO, organization auth policies, profile pictures from OAuth providers, and why Hypercare migrated from Auth0
9 months ago
Introducing Test SSO, an easier way to integrate SSO into your app
WorkOS Blog
Test SSO enables developers to perform rigorous end-to-end testing for the SSO integration without having to sign up with an identity provider.
9 months ago
SCIM Security: Is the User Provisioning Protocol Secure?
WorkOS Blog
SCIM automates and secures user identity management across systems with TLS encryption and authorization mechanisms. This blog explains SCIM's functionality, security features, and the advantages of automated user provisioning to minimize administrative burden and security risks.
9 months ago
SCIM for ADFS
WorkOS Blog
In this article, we're going to unpack everything you need to know about SCIM and SCIM provisioning, dive into how SCIM works, and show you how to start using SCIM for ADFS.
9 months ago
A guide to organization modeling
WorkOS Blog
This guide surfaces complexities and implementation details for supporting organization modeling as part of the authentication and authorization layer for apps.
9 months ago
SCIM vs JIT: key differences explained
WorkOS Blog
Exploring the differences between JIT and SCIM, how they function, and how to choose which one to support.
9 months ago
Creating stronger passwords with AuthKit
WorkOS Blog
A technical deep dive on how AuthKit ensures strong user passwords including best practices and security tips.
9 months ago
What is Automated Provisioning?
WorkOS Blog
Everything you need to know about the automated provisioning of account access.
9 months ago