WorkOS Blog
https://workos.com
Developer APIs/SDKs for Enterprise Ready features like Single Sign-On, Directory Sync, Audit Logging, and more. Get started for free.
Feed

The developer's guide to AI agent authentication and authorization
WorkOS Blog
How to give AI agents their own identity, scope what they can do, and defend your systems when they act autonomously.
4 days ago

How Rex went from zero to enterprise ready in weeks
WorkOS Blog
How an AI operational finance startup went from founding to Vercel AI Accelerator winner without slowing down for enterprise auth.
4 days ago

How to handle JWT in PHP
WorkOS Blog
Everything you need to know to implement and validate JWTs securely in PHP: from signing to verifying with JWKS, with code examples and best practices for both vanilla PHP and Laravel.
5 days ago

Common Entra ID SAML errors and how to fix them
WorkOS Blog
Seven errors that break Entra ID SAML SSO, and how to resolve them.
5 days ago

How Product Design is Evolving with AI
WorkOS Blog
WorkOS designers use AI to prototype in production, explore wider solution spaces, and design for agents. Here's how our craft is changing.
5 days ago

PKCE vs Device Flow: Which OAuth flow is best for CLI auth?
WorkOS Blog
A practical, security-first comparison of the two browser-delegated OAuth flows that CLIs use, with recommendations for laptops, headless servers, containers, and CI runners.
8 days ago

How to add enterprise SSO to your CLI
WorkOS Blog
Implement OAuth 2.0 Device Code and PKCE flows in TypeScript, route users through Okta SSO, and pick the right pattern for headless and local environments, with WorkOS AuthKit.
8 days ago

Handwritten SDKs Are Dead
WorkOS Blog
How WorkOS uses AI-powered code generation to build and maintain SDKs across multiple languages from a single OpenAPI spec.
8 days ago

JWT best practices: A guide to secure authentication
WorkOS Blog
What to validate, what to avoid, and how to keep your tokens out of trouble.
9 days ago

Securing agentic apps: How to contain AI agent prompt injection
WorkOS Blog
In a chatbot, prompt injection produces a wrong answer. In an agentic system, it produces a wrong action.
9 days ago

The 10 enterprise features every B2B SaaS needs (and how to ship them fast)
WorkOS Blog
The 2026 guide to SSO, SCIM, MCP, audit logs, RBAC, and the rest of the B2B SaaS enterprise readiness checklist.
10 days ago

The best providers for MCP server authentication in 2026
WorkOS Blog
A practical comparison of the leading MCP authentication providers across OAuth 2.1 support, enterprise identity, and integration paths.
10 days ago

The self-driving codebase: Building Horizon at WorkOS
WorkOS Blog
A detailed glimpse at Project Horizon: an internal code factory at WorkOS.
10 days ago

Building authentication in React Router applications: The complete guide for 2026
WorkOS Blog
Authentication in React Router v7 happens in loaders, not useEffect. A complete guide to server-side sessions, protected routes, and enterprise SSO.
11 days ago

Building an MCP server from a REST API
WorkOS Blog
A hands-on guide to implementing an MCP server in Python: tools, resources, prompts, transports, and authentication, with a full worked example.
11 days ago

How does SCIM Schema Discovery work
WorkOS Blog
How identity providers learn what your SCIM server can do, through three discovery endpoints.
12 days ago

The identity join problem: Linking SSO profiles to directory users
WorkOS Blog
Email and IDP ID both fail as universal join keys. The fix is sensible defaults with real escape hatches.
12 days ago

A blog bot that pitches its own posts: building a Slack-native publishing system on Cloudflare Workers and Durable Workflows
WorkOS Blog
How we built a Slack-native AI blog bot on Cloudflare Workers + Durable Workflows — proactive proposals, durable retries, and a multi-model writer pipeline.
14 days ago

Designing an MCP server from a REST API
WorkOS Blog
How to design an MCP server from a REST API: choosing between tools, resources, and prompts, getting the granularity right, and curating endpoints for the agents that will call them.
16 days ago

Synchronous vs. asynchronous authorization updates: How to choose
WorkOS Blog
Why we start synchronous, when we move to async, and why revocations are different.
16 days ago

Picking a password hash: A developer's guide to argon2, bcrypt, and scrypt
WorkOS Blog
Three algorithms compared, a clear default, and the tradeoffs that should make you pick something else.
16 days ago

WorkOS joins Stripe Projects: Auth from the CLI, no payment wall
WorkOS Blog
WorkOS is now a supported provider in Stripe Projects. Add enterprise-grade auth to any project from the CLI with a single command — no signup, no payment wall.
16 days ago

Custom SCIM schemas: Where identity provisioning meets authorization
WorkOS Blog
What schema extensions are, how Docker and Notion use them, and how to design your own.
17 days ago

AI agents vs service accounts: Key differences and what to do about them
WorkOS Blog
The reasons why IAM controls built for service accounts and API clients don't transfer to AI agents.
17 days ago

The 5 best Firebase Auth alternatives in 2026
WorkOS Blog
Five platforms for teams who've outgrown Firebase Auth's B2B gaps and Google Cloud lock-in.
17 days ago

How to add auth to your Rust CLI using WorkOS
WorkOS Blog
Authenticate users in your Rust command-line tool with a secure OAuth 2.0 Device Code flow using WorkOS. This tutorial shows how to implement login via the terminal, step by step.
18 days ago

OAuth's On-Behalf-Of flow for AI agents
WorkOS Blog
How a new IETF draft extends OAuth so AI agents can act for users with explicit consent and a clean audit trail.
18 days ago

How to handle JWT in Ruby
WorkOS Blog
Everything you need to know to implement and validate JWTs securely in Ruby: from creating JWTs, to signing and verifying them with JWKS, handling custom claims, and best practices you should be following.
19 days ago

AI agents and the multi-hop delegation problem
WorkOS Blog
How OAuth breaks down when AI agents spawn other agents, and what IETF drafts are doing about it.
19 days ago

Everything you should know about NIST's AI Agent Standards Initiative
WorkOS Blog
Agent identity is no longer experimental. NIST's February 2026 announcement made it enterprise-critical.
22 days ago

WorkOS vs Clerk: Which one is better for B2B?
WorkOS Blog
A practical comparison across features, pricing, reliability, and what enterprise buyers actually grade you on.
22 days ago

What it takes to get FedRAMP authorized: Lessons from companies that did it
WorkOS Blog
What it really takes to sell to the U.S. government, from the teams who have been through it.
23 days ago

Your docs have a new audience
WorkOS Blog
AI agents are reading your documentation. Here's what WorkOS did to serve them clean markdown instead of unparseable HTML.
23 days ago

Best practices for AI agent access control
WorkOS Blog
Identity, authorization, and oversight patterns for systems that act on their own.
24 days ago

Building authentication in Java applications: The complete guide for 2026
WorkOS Blog
Master Spring Security authentication from form login and JWT to enterprise SSO, with production-ready patterns across Spring Boot, Quarkus, and Micronaut.
24 days ago

Fetch Notion pages without OAuth using WorkOS Pipes
WorkOS Blog
Build a Node app that lets users connect Notion and list their pages with a refreshed access token, without implementing OAuth.
25 days ago

Best practices for secure user authentication
WorkOS Blog
An opinionated checklist for the auth decisions you'll actually have to make.
25 days ago

How to verify JWTs in a Next.js App Router app
WorkOS Blog
Picking a library, choosing where to verify, and avoiding the mistakes that quietly break security.
25 days ago

5 best Stytch alternatives in 2026
WorkOS Blog
Stytch works, until your enterprise deals outgrow it. Here's what to use instead.
1 month ago

DPoP (RFC 9449) explained: How sender-constrained OAuth tokens make token theft a non-event
WorkOS Blog
A practical walkthrough of RFC 9449 for engineers: the proof JWT, server-issued nonces, key storage in the browser, and where DPoP fits next to mTLS.
1 month ago

The OWASP Top 10 for LLM applications: What developers shipping AI features need to know
WorkOS Blog
How LLMs leak data, get hijacked, and turn friendly inputs into exploits, and why most of the defenses live outside the model.
1 month ago

Vibe code everything except your auth
WorkOS Blog
The one layer of your app where 'seems to work' isn't good enough.
1 month ago

How to handle JWT in Java
WorkOS Blog
Everything you need to know to implement and validate JWTs securely in Java: from signing to verifying with JWKS, with code examples and best practices throughout.
1 month ago

Securing agentic apps: How to stop your AI agents from misusing their own tools
WorkOS Blog
Your agent has access to a database, a file system, and an email sender. Each tool is legitimate. The misuse is in the combination.
1 month ago

Gadget chains: How low-severity bugs combine across dependencies to become critical
WorkOS Blog
How a prototype pollution bug in one library and a missing header check in another nearly chained into AWS credential theft.
1 month ago

Building authentication in Go applications: The complete guide for 2026
WorkOS Blog
Master secure authentication in Go, from middleware design and JWTs to session management and enterprise SSO, with production-ready patterns and security best practices.
1 month ago

Jyoti Bansal on how Harness is rethinking AI for software delivery
WorkOS Blog
Harness CEO Jyoti Bansal discusses AI-native software delivery, developer productivity, and where the industry is headed. Interview from HumanX 2026.
1 month ago

Homer Wang on building TinyFish and the future of AI agents
WorkOS Blog
WorkOS CEO Michael Grinich interviews Homer Wang of TinyFish at HumanX 2026 about building AI agents and the evolving startup landscape.
1 month ago

Andrew McLeod on how Certn uses AI for background checks
WorkOS Blog
WorkOS CEO Michael Grinich interviews Certn's Andrew McLeod on AI-powered background checks, trust infrastructure, and the future of identity verification.
1 month ago

Mazy Dar on building the future of video understanding at Here
WorkOS Blog
WorkOS CEO Michael Grinich interviews Mazy Dar, founder of Here, on building AI-native video understanding at HumanX 2026.
1 month ago

Abhi Aiyer on building Mastra and the future of AI agent frameworks
WorkOS Blog
Michael Grinich interviews Abhi Aiyer from Mastra about building open-source AI agent frameworks, developer tooling, and the evolving agentic ecosystem.
1 month ago

Ameya Bhatawdekar on building AI evaluations at Braintrust
WorkOS Blog
Michael Grinich interviews Ameya Bhatawdekar from Braintrust on AI evaluation, prompt engineering, and building reliable AI products at HumanX 2026.
1 month ago

Ojus Save on how Render is rethinking cloud for AI workloads
WorkOS Blog
Ojus Save from Render explains how the platform is evolving cloud infrastructure for AI workloads, GPU access, and developer experience at HumanX 2026.
1 month ago

Paul Dhaliwal on building Code Conductor and the future of AI-assisted development
WorkOS Blog
Watch Saif Gunja's interview with Paul Dhaliwal of Code Conductor at HumanX 2026 on AI-assisted development and production-ready code orchestration.
1 month ago

Maxim Fateev on why durable execution matters for AI agents
WorkOS Blog
WorkOS CEO Michael Grinich interviews Temporal co-founder Maxim Fateev on durable execution, AI agent reliability, and why workflows need to survive failures.
1 month ago

Self-driving production: Autonomous agents for incident response
WorkOS Blog
Traversal CEO Anish Agarwal explains how autonomous agents troubleshoot production incidents at scale: from world models to L5 autonomy. Interview from HumanX 2026.
1 month ago

How AppsFlyer built AI into their platform
WorkOS Blog
AppsFlyer's Eran Dunsky shares how the company integrated AI into their marketing platform, from internal tooling to customer-facing features.
1 month ago

Linda Tong on how Webflow is bringing AI to web development
WorkOS Blog
WorkOS CEO Michael Grinich interviews Webflow CEO Linda Tong on AI-powered web development, enterprise adoption, and the future of no-code at HumanX 2026.
1 month ago

The AI factory for open models: Rob Ferguson on Fireworks AI at HumanX 2026
WorkOS Blog
Rob Ferguson of Fireworks AI explains why open models are catching up to frontier closed-source AI, and why data (not architecture) is the real moat.
1 month ago

GraphQL meets the agent era: Matt DeBergalis on APIs, MCP, and enterprise AI
WorkOS Blog
Apollo GraphQL CEO Matt DeBergalis on why GraphQL's semantic layer matters for AI agents, how MCP and GraphQL complement each other, and what enterprise AI adoption really looks like.
1 month ago

Modern analytics in the age of agents
WorkOS Blog
Omni CEO Colin Zima talks AI agents in analytics, the three-layer future of software, and why 80% of his team's code is AI-generated.
1 month ago

From Google Voice to AI-first communication: Dialpad's Brian Peterson on leading AI adoption
WorkOS Blog
Dialpad CTO Brian Peterson on mandating AI in engineering, the Jevons Paradox in practice, and why customer service will transform within a year.
1 month ago

Software still does things we don't expect
WorkOS Blog
Honeycomb CEO Christine Yen on why observability matters more than ever as AI agents reshape how software gets built, debugged, and understood.
1 month ago

Two decades of automation, now supercharged by AI
WorkOS Blog
Automation Anywhere CPO Peter White on why enterprises want solutions over technology pitches, where AI agents actually deliver, and the reality behind the hype.
1 month ago

Composable computers for agents: A conversation with Daytona CEO Ivan Burazin
WorkOS Blog
Daytona CEO Ivan Burazin explains why every AI agent needs its own computer, how he built an AI with its own identity, and why SaaS is shifting from seats to consumption.
1 month ago

From workforce management to AI orchestration: Assembled CEO John Wang on the Jevons paradox of customer support
WorkOS Blog
Assembled CEO John Wang explains why AI is growing support teams, not shrinking them, and why orchestration is the real differentiator in customer support.
1 month ago

Pricing as product-market fit: Cosmo Wolfe on billing after the Stripe-Metronome acquisition
WorkOS Blog
Cosmo Wolfe explains why AI companies are rethinking pricing, why per-seat models are dying, and what Stripe's Machine Payment Protocol means for agents as buyers.
1 month ago

Augment Code CEO Matt McClernan on the shift from copilots to agent orchestration
WorkOS Blog
Augment Code CEO Matt McClernan discusses the rapid shift from AI code completions to agent orchestration at HumanX 2026, interviewed by WorkOS CEO Michael Grinich.
1 month ago

AI is both weapon and target: Noam Schwartz on the new threat landscape
WorkOS Blog
Noam Schwartz of Alice explains why prompt injection is the new SQL injection and what enterprises deploying AI agents need to know about trust and safety.
1 month ago

Understanding state, nonce, and PKCE
WorkOS Blog
Three mechanisms guard three different checkpoints in OAuth and OpenID Connect. Here is why none of them is optional.
1 month ago

The 5 best AWS Cognito alternatives for B2B SaaS in 2026
WorkOS Blog
Why teams outgrow Amazon Cognito and which authentication platforms handle enterprise SSO, multi-tenancy, and directory sync without the glue code.
1 month ago

Multi-tenant permissions done right: What Slack, Notion, and Linear can teach us
WorkOS Blog
Slack, Notion, and Linear each take a different approach to per-tenant roles and permissions. Here are the patterns worth stealing for your own app.
1 month ago

Building authentication in Node.js applications: The complete guide for 2026
WorkOS Blog
Master secure authentication in Node.js from Passport.js and JWTs to enterprise SSO, with production-ready patterns and security best practices.
1 month ago

OAuth governance and consent phishing: What engineers need to know
WorkOS Blog
How attackers turn legitimate consent prompts into persistent backdoors, and what your team can do about it.
1 month ago

Cryptographic origin binding: How passkeys make phishing structurally impossible
WorkOS Blog
A deep dive into the FIDO2/WebAuthn protocol mechanics that tie every passkey to a specific domain, making credential theft physically impossible at the cryptographic layer.
1 month ago

Top 5 PropelAuth alternatives for secure authentication in 2026
WorkOS Blog
What to use when your B2B auth needs outpace PropelAuth.
1 month ago

Securing agentic apps: How to vet the tools your AI agents depend on
WorkOS Blog
30 CVEs in 60 days, a backdoored npm package stealing emails, and a hosting platform flaw that put 3,000 servers at risk. Here's how to secure the supply chain your AI agents depend on.
1 month ago

JWT algorithm confusion attacks: How they work and how to prevent them
WorkOS Blog
A complete breakdown of one of the most dangerous JWT vulnerabilities, from the cryptographic mechanics to the defensive code patterns that stop it.
1 month ago

RS256 vs HS256: A deep dive into JWT signing algorithms
WorkOS Blog
Symmetric vs asymmetric JWT signatures: how each algorithm works, when to use which, and the security tradeoffs every developer should know.
1 month ago

The 5 best identity and access management providers to power your SaaS app in 2026
WorkOS Blog
A 2026 guide to the leading IAM solutions for SaaS teams, with a breakdown of features, pricing, and trade-offs to help you choose the right provider and start closing enterprise deals faster.
1 month ago

Adversary-in-the-middle attacks: The threat that makes your MFA useless
WorkOS Blog
Your users enable multi-factor authentication, use strong passwords, and follow every security best practice you recommend. But none of it matters if an attacker is sitting between them and your login page, relaying traffic in real time and walking away with a valid session cookie.
1 month ago

SAML's rough quarter: Five critical vulnerabilities in four months
WorkOS Blog
From forged assertions to memory leaks, SAML's XML foundations keep producing serious bugs. Here's what happened and what you should be doing about it.
1 month ago

Securing agentic apps: Give your AI agents their own credentials
WorkOS Blog
Most AI agents run with borrowed sessions and far more access than they need. Here's how to replace that with scoped, revocable credentials and tool-level authorization.
1 month ago

Building authentication in Laravel applications: The complete guide for 2026
WorkOS Blog
Master secure authentication in Laravel from Breeze and Sanctum to enterprise SSO, with production-ready patterns and security best practices.
1 month ago

The developer's guide to CLI authentication
WorkOS Blog
API keys, token files, OAuth Device Flow, and Client Credentials compared. A practical guide to choosing the right authentication pattern for your CLI.
1 month ago

Passkeys stop phishing. Your MFA fallbacks undo it.
WorkOS Blog
How FIDO2 and passkeys use cryptographic domain binding to stop phishing attacks, why SMS and push notification fallbacks destroy your security posture, and what to do about it.
1 month ago

How attackers are bypassing MFA using AI in 2026
WorkOS Blog
MFA still blocks most automated attacks. But the new generation of AI-powered phishing tools does not send automated attacks. It runs real-time, human-speed session hijacking that MFA was never designed to stop.
1 month ago

The Axios npm supply chain attack: What every developer needs to know
WorkOS Blog
A hijacked maintainer account, a hidden trojan, and a two-hour window that put millions of projects at risk. Here's the full story and how to protect yourself.
1 month ago

MFA for AI agents: Why traditional authentication falls short
WorkOS Blog
AI agents don't have phones, fingerprints, or sessions. The identity infrastructure they need looks nothing like what we built for humans.
1 month ago

Rainbow table attacks: What they are and how to prevent them
WorkOS Blog
What they are, how they work, and why modern password security has moved beyond them.
1 month ago

Top 5 MFA providers for securing your app in 2026
WorkOS Blog
A practical comparison of the leading multi-factor authentication solutions: what they're good at, where they fall short, and how to choose the right one for your stack.
1 month ago

Logging AI agents into web apps: From cookie hacks to proper OAuth
WorkOS Blog
Cookie syncing and credential injection get agents past login screens, but they break every security assumption your app relies on.
2 months ago

The architecture of governable AI agents: Constrain first, observe always
WorkOS Blog
How to design AI agents that do less, prove more, and stay within boundaries your security team can actually audit.
2 months ago

The OWASP Top 10 for agentic applications: What developers building with AI agents need to know
WorkOS Blog
How AI agents get hijacked, poisoned, and over-privileged, and why identity is the fix for most of it.
2 months ago

Impossible travel: What it is, how it works, and how to defend against it
WorkOS Blog
How comparing login timestamps and locations catches credential theft before attackers get in.
2 months ago

Connect your app to GitLab without building OAuth
WorkOS Blog
Let users sync their GitLab projects in your app, using a fresh access token, without writing any OAuth logic.
2 months ago

Scopes vs. claims: What they are, how they differ, and when to use each
WorkOS Blog
Understand why scopes and claims serve different roles in OAuth 2.0 and OpenID Connect, and how to design around each.
2 months ago

Redirect URIs for local, staging, and production: Secure patterns and anti-patterns
WorkOS Blog
A developer's guide to registering redirect URIs per environment, debugging "invalid redirect URI" errors, and knowing when to use impersonation instead.
2 months ago

Token replay attacks: What they are, why MFA won't save you, and how to defend against them
WorkOS Blog
Authentication doesn't end at login. For modern SaaS applications, the real security perimeter is the token, and attackers know it.
2 months ago

Everything your team needs to know about MCP in 2026
WorkOS Blog
Architecture, auth, ecosystem, and the 2026 roadmap for the protocol that connects AI to everything.
2 months ago