Group your environments by product and give each one its own branding, without separate WorkOS accounts.

A complete guide to social login in React Router v7, covering Google, GitHub, Microsoft, and every provider you will need as you grow.

Organizations are discovering that AI agent costs are invisible by design. The fix starts earlier in the stack than most teams realize.

How SAML attribute mapping works, how to configure it in Okta and Microsoft Entra ID, and how to map user roles, groups, and custom claims to your application.

AI agents are completing real purchases with real money. The fraud model, the liability model, and the authentication model all need to change.

On June 3, 2026, Cloudflare's CEO posted that bots had passed human web traffic for the first time. Here's what that actually means for your app, your API, and your analytics.

The MCP 2026-07-28 release candidate rewrites the protocol's foundation. Here's what's changing, what's breaking, and what your team needs to do before the final spec lands.

When you migrate auth providers, you inherit password hashes you can't decrypt. Here's how to handle every major format.

Store, retrieve, update, and delete sensitive user data using Vault's full CRUD lifecycle (no cryptography expertise required).

How audience-bound tokens keep your MCP servers secure.

What "isolation" actually means at the key level, how to implement it with key context, and what your blast radius looks like when something goes wrong.

Why authentication and API access are two different things in Google OAuth, and what to do about it.

A complete guide to authorization in React Router v7, from roles and permissions to organization-scoped access and enterprise RBAC.

A practitioner breakdown of LLM token theft: what it is, how the abuse works, the signals that catch it, and why traditional tools miss it.

A practical checklist for platform teams securing agents, MCP servers, and coding assistants before the next credential leak

A practical guide to encrypted storage, OAuth connection management, and session-scoped access for autonomous agents

How to scope what an AI agent can do on a user's behalf, and why the answer is never the user's full permission set.

A practical security audit for backend engineers building or inheriting agentic systems, covering identity, token design, delegation, and the patterns that fail in production

What you're actually signing up for when a customer's IdP doesn't speak SCIM.

Everything you need to know to implement and validate JWTs securely in .NET: from token creation and JWKS verification to ASP.NET Core middleware integration, with code examples and best practices throughout.

Prompt injection ends when the session closes. Memory poisoning persists across sessions, activates weeks later, and is nearly invisible to detect.

Why OAuth works the way it does: authorization codes, token expiry, and PKCE explained from first principles.

A four-phase playbook for moving off Auth0, Cognito, Clerk, or Firebase without a 2 AM incident.

Set up roles and permissions, verify session JWTs, and protect your FastAPI routes with dependency injection.

Your existing logging infrastructure is necessary but not sufficient. Here's what's missing and why it matters.

MCP servers have a different attack surface than traditional APIs. Here are the five risks that matter most, grounded in OWASP's agentic AI guidelines, with concrete mitigations for each.

Your route guard does not protect your server functions. A complete guide to authorization in TanStack Start, from roles and permissions to enterprise RBAC and fine-grained access control.

Tools, MCP servers, skills, orchestrators, and why auth runs through all of them.

Key insights from Boris Cherny's Acquired Unplugged interview on building Claude Code, the death of traditional roles, and why the golden age of the generalist is here.

Ben Gilbert and David Rosenthal shared what makes companies endure for generations at Acquired Unplugged, hosted by WorkOS CEO Michael Grinich.

WorkOS skills are now in Claude's plugin marketplace. Here's what that means for how developers discover and adopt API tooling.

A practical guide to migrating auth at scale — the CLI workflow, transparent proxy approach for 15+ SSO connections, and webhook sequencing above 200K users.

A week after we shipped auth.md, developers have published spec-compliant files, partners have endorsed it, and the ecosystem is aligning.

How to build a custom, language-aware SDK generator from an OpenAPI spec using oagen's typed intermediate representation.

Your beforeLoad guard does not protect your server functions. A complete guide to authentication in TanStack Start, from server functions and sessions to enterprise SSO.

When Agent A delegates to Agent B, whose permissions apply? Whose audit trail records the action? And what happens when Agent B is compromised?

Anthropic's acquisition of Stainless means the hosted SDK generator is going away. Here's what to reach for instead.

A practical guide to SSO platforms for engineering teams selling to enterprise, evaluated on the features that actually close deals.

Bearer tokens prove nothing about who holds them. mTLS and DPoP fix that. Token Binding tried and failed, and the reason why matters more than the failure itself.

SSO, SCIM, and admin portals: which platform actually gets you to enterprise-ready without the six-month detour?

A recap of the MCP Night 4 panel with WorkOS, Cloudflare, Sentry, and Chat PRD on how agents are reshaping products, users, and commercialization.

Recap of Rhys Sullivan's MCP Night 4 lightning demo: shipping generative UI from agents into products like PostHog using Executor and code mode.

Evan Bacon's MCP Night 4 lightning demo: npx servesim puts the iOS simulator inside the browser so coding agents can build mobile apps in a loop.

Adi Singh's MCP Night 4 lightning demo: how AgentMail turned its signup flow into a single prompt and why email is the identity layer for agents.

Karen Serfaty, founder of AgentCard, showed how agents can buy things with one-time cards at MCP Night 4. Here's a recap of the lightning demo.

Recap of MCP Night 4 at the Regency Loom: the case for agentic registration, a live demo of Auth.md, and why agent-ready is the new enterprise-ready.

How audience-bound tokens work, and why they're required for secure MCP authorization

A step-by-step guide to migrating homegrown SAML and OAuth/OIDC connections to WorkOS with zero customer downtime

What engineers and founders need to know about designing APIs, tools, and interfaces for agent-driven workflows

Google enforces exact-match redirect URIs with no wildcards and no exceptions. Here's how to handle that cleanly when every customer has their own domain.

Introducing auth.md — an open protocol that lets agents register for your service.

A recap of the WorkOS Applied AI showcase: the team, the tools (WOW, Horizon, Case, Wallaby), and what we've learned shipping AI internally.

Keycloak SCIM vs. WorkOS Directory Sync: A deep dive into features, gaps, and production readiness.

Humans, scripts, and AI agents are all calling your API. Here's how to give each of them secure, scoped credentials without building key management from scratch.

Stolen tokens should be worthless. Here's how to make them so.

How SSO eliminates the manual work of enterprise user onboarding.

What happens to a user's session when they switch organizations, how to scope tokens to prevent cross-tenant leaks, and where most implementations still go wrong.

I tried to reverse-engineer how SSO works from three angles: as the employee logging in, the IT admin managing access, and the developer who needs to support it. Here is what I learned.

Inside Claude Day at WorkOS: 39 teams, a one-day hackathon, and one rule — the non-engineer drives. Here's what we built and what we learned.

Build an authorization model your B2B app won't outgrow: how to go from flat roles to fine-grained, resource-scoped access control without a rewrite.

A developer's guide to Client-Initiated Backchannel Authentication (CIBA) for agentic systems.

User-scoped keys, org-scoped keys, and M2M applications cover most agent scenarios in B2B products, but the right choice depends on who the agent acts for, and how it runs.

How to give AI agents their own identity, scope what they can do, and defend your systems when they act autonomously.

How an AI operational finance startup went from founding to Vercel AI Accelerator winner without slowing down for enterprise auth.

Everything you need to know to implement and validate JWTs securely in PHP: from signing to verifying with JWKS, with code examples and best practices for both vanilla PHP and Laravel.

Seven errors that break Entra ID SAML SSO, and how to resolve them.

WorkOS designers use AI to prototype in production, explore wider solution spaces, and design for agents. Here's how our craft is changing.

A practical, security-first comparison of the two browser-delegated OAuth flows that CLIs use, with recommendations for laptops, headless servers, containers, and CI runners.

Implement OAuth 2.0 Device Code and PKCE flows in TypeScript, route users through Okta SSO, and pick the right pattern for headless and local environments, with WorkOS AuthKit.

How WorkOS uses AI-powered code generation to build and maintain SDKs across multiple languages from a single OpenAPI spec.

What to validate, what to avoid, and how to keep your tokens out of trouble.

In a chatbot, prompt injection produces a wrong answer. In an agentic system, it produces a wrong action.

The 2026 guide to SSO, SCIM, MCP, audit logs, RBAC, and the rest of the B2B SaaS enterprise readiness checklist.

A practical comparison of the leading MCP authentication providers across OAuth 2.1 support, enterprise identity, and integration paths.

A detailed glimpse at Project Horizon: an internal code factory at WorkOS.

Authentication in React Router v7 happens in loaders, not useEffect. A complete guide to server-side sessions, protected routes, and enterprise SSO.

A hands-on guide to implementing an MCP server in Python: tools, resources, prompts, transports, and authentication, with a full worked example.

How identity providers learn what your SCIM server can do, through three discovery endpoints.

How we built a Slack-native AI blog bot on Cloudflare Workers + Durable Workflows — proactive proposals, durable retries, and a multi-model writer pipeline.

FGA Custom Roles, Groups API, Self-serve Change Email API, & more

How to design an MCP server from a REST API: choosing between tools, resources, and prompts, getting the granularity right, and curating endpoints for the agents that will call them.

Why we start synchronous, when we move to async, and why revocations are different.

Three algorithms compared, a clear default, and the tradeoffs that should make you pick something else.

WorkOS is now a supported provider in Stripe Projects. Add enterprise-grade auth to any project from the CLI with a single command — no signup, no payment wall.

What schema extensions are, how Docker and Notion use them, and how to design your own.

The reasons why IAM controls built for service accounts and API clients don't transfer to AI agents.

Five platforms for teams who've outgrown Firebase Auth's B2B gaps and Google Cloud lock-in.

Authenticate users in your Rust command-line tool with a secure OAuth 2.0 Device Code flow using WorkOS. This tutorial shows how to implement login via the terminal, step by step.

How a new IETF draft extends OAuth so AI agents can act for users with explicit consent and a clean audit trail.

Everything you need to know to implement and validate JWTs securely in Ruby: from creating JWTs, to signing and verifying them with JWKS, handling custom claims, and best practices you should be following.

How OAuth breaks down when AI agents spawn other agents, and what IETF drafts are doing about it.

Agent identity is no longer experimental. NIST's February 2026 announcement made it enterprise-critical.

A practical comparison across features, pricing, reliability, and what enterprise buyers actually grade you on.

What it really takes to sell to the U.S. government, from the teams who have been through it.

AI agents are reading your documentation. Here's what WorkOS did to serve them clean markdown instead of unparseable HTML.

Identity, authorization, and oversight patterns for systems that act on their own.

Master Spring Security authentication from form login and JWT to enterprise SSO, with production-ready patterns across Spring Boot, Quarkus, and Micronaut.

Build a Node app that lets users connect Notion and list their pages with a refreshed access token, without implementing OAuth.

An opinionated checklist for the auth decisions you'll actually have to make.

Picking a library, choosing where to verify, and avoiding the mistakes that quietly break security.