OAuth 2.0 just got a major upgrade in how resources describe themselves — find out what RFC 9728 introduces and why it matters.

From expired assertions to signature fails — a survival guide for anyone who's ever screamed at a SAML error message.

How to avoid common pitfalls and build resilient auth systems in on-prem and hybrid setups.

Misconfigured SAML metadata is one of the most overlooked causes of SSO failures. Learn how to spot hidden risks—and fix them before they break your login flow.

Mastra is a batteries‑included TypeScript framework for agentic apps. In this post, we'll use it to build an agentic app that can fetch data from GitHub in less than 5 minutes.

oRPC (OpenAPI Remote Procedure Call) combines the familiarity of RPC with the industry-standard OpenAPI spec so that every request/response is fully typed from client to server. 

Every outbound call from your MCP server carries credentials—API keys, database passwords, OAuth tokens, you name it. If those secrets leak, the blast radius extends far beyond your LLM demo. Learn to secure your MCP secrets.

A deep dive on how pooled connections work in the Elixir DBConnection library.

How to utilize delta conflict-free replicated data types for managing distributed cache or configuration state on an Elixir cluster.

Session management is hard. Refresh tokens make it easier—and safer. This guide breaks down how they work, why you need them, and how to avoid common mistakes (with code included).

IBM Research’s Agent Communication Protocol (ACP) provides autonomous agents with a common “wire format” for talking to each other. But how does it differ from MCP and A2A?

A deep dive into the messy world of SAML signature verification bugs — complete with real examples, cautionary tales, and practical tips to keep your app out of trouble.

Think of MCP as “plug this model into my data” and A2A as “now let several specialised models talk to each other.”

Confused by versioning? This guide breaks down the top strategies to help you pick the right one, keeping your project organized and your users in the loop.

Let’s explore the MCP, ACP and A2A protocols, understand what they do, and highlight how they differ and complement one another.

Until now, plugging your existing user authentication system into MCP servers was tricky. That’s where WorkOS and Cloudflare step in.

ArkType is a TypeScript-first runtime validation library built to erase the boundary between static type safety and runtime enforcement.

Everything you need to know to implement and validate JWTs securely in Python — from signing to verifying with JWKS, with code examples and best practices throughout.

Prisma is one of the most popular Object-Relational Mappers (ORMs) in the TypeScript/JavaScript ecosystem due to its robust type-safety guarantees and seamless integration with frameworks like Next.js.

Iframes might seem convenient, but they come with serious security risks like XSS, session hijacking, and phishing. This article breaks down why iframes can put your site at risk and how to protect it.

Smithery AI is a registry and management platform for Model Context Protocol (MCP) servers.

Confused about which algorithm to use for signing JWTs? We analyze everything about HMAC, RSA, and ECDSA—so you can choose the perfect algorithm for your security needs.

Large language models are reshaping how we build apps—but is your infrastructure ready for them?

Learn how Risk-Based Authentication (RBA) and AI can transform your app’s security, with best practices and insights to protect against evolving threats.

A hands-on guide with patterns, agents, and executable examples

Looking to secure your Ruby on Rails app? Discover the top gems for authentication and authorization that will protect your users. From seamless sign-ins to granular user permissions, these gems have got you covered.

Step-by-step tutorial that walks you through the necessary steps to add Login with LinkedIn to your app using Python and WorkOS.

Spring Launch Week: WorkOS Vault, Connect, and more new features

Step-by-step tutorial that walks you through the necessary steps to add Login with Slack to your app using Node and WorkOS.

Step-by-step tutorial that walks you through the necessary steps to add Login with GitLab to your app using Node and WorkOS.

Learn how credential stuffing and brute force attacks work and how you can defend your systems with advanced protection tools like WorkOS Radar.

Step-by-step tutorial that walks you through the necessary steps to add Login with LinkedIn to your app using Node and WorkOS.

Not sure which authorization model is best for your SaaS app? Our latest article breaks down the top approaches—from simple roles to Fine-Grained Authorization—helping you choose the right fit for your app's security and user management.

Ever wondered why one TypeScript validation library keeps appearing in every major AI platform's documentation?

Over the weekend, security researchers responsibly disclosed CVE-2025-29927, a vulnerability in Next.js that allows an attacker to bypass Next.js middleware entirely.

More folks are picking up coding than ever before thanks to advancements in AI. Here are the top tips for ensuring a smooth experience.

The rise of AI agents creates a fundamental tension in system design. On one hand, these agents need frictionless access to be effective; on the other, security demands robust controls and limitations.

This article explores what happens when fingerprinting goes beyond the basics—how companies use it, how to stay privacy-compliant, and what’s next.

Learn what WebAuthn is, how it works, its benefits, its challenges, and how you can implement it in your app.

As a self-hostable, open-source automation platform, n8n lets you orchestrate logic, connect services, and scale pipelines with minimal boilerplate.

We just released four new widgets to make your life easier: user profile, user sessions, user security, and organization switcher. They are now available for free to all AuthKit customers.

With AuthKit enterprise logins are now easier than ever. We are announcing the addition of key B2B login providers, like LinkedIn, Slack, Xero, and more, giving your users seamless access to your platform with the credentials they already use.

Expand your WorkOS integration by customizing attributes on users, orgs, and session tokens.

Discover how Vault makes protecting sensitive data easier, faster, and more cost-effective—without the headache.

Learn how to set up a Laravel 12 project with WorkOS AuthKit and deploy it seamlessly to Laravel Cloud, leveraging zero-config hosting and enterprise-grade authentication features.

The Model Context Protocol (MCP) is an open specification that simplifies connecting AI models (like Claude) to external tools and data sources.

Enable 3rd-party authentication via “Sign in with [Your App],” Identity Delegation, and Machine to Machine tokens.

Any service using xml-crypto or a Node.js SAML implementation using it, should update immediately to the latest version. WorkOS customers are safe and were not impacted.

The GAIA (“Generalized AI Agent” benchmark) helps us evaluate AI agent performance across complex tasks

Manus is a fully autonomous AI system designed to run asynchronously in the cloud—no repeated prompts, no babysitting.

Confused by all the token jargon? This article simplifies JWS, JWE, JWK, and JWKS, showing you how each one ensures your data stays secure and trustworthy.

OAuth vulnerabilities can be tricky, but we’re here to help! Learn about common attacks and how to protect your app with simple tips from RFC 9700.

Composio.dev is a developer-focused integration platform that simplifies how AI agents and large language models (LLMs) connect with external applications and services.

Cursor Rules are instructions or system prompts passed to the large language models (LLMs) that Cursor uses. Learn how to leverage them effectively.

Tired of bots wreaking havoc on your website? Learn how JavaScript tagging can help you track suspicious behavior and stop malicious activity in its tracks.

Learn why traditional database encryption just doesn’t cut it anymore and why application-level encryption is the real hero for data security.

Anthropic’s release of Claude Code, built on the 3.7 Sonnet model, marks a significant step in AI-assisted development.

Modern authentication flows use tokens to convey information about a user and whether that user is allowed to interact with specific resources.

Anthropic developed the Model Context Protocol (MCP), an open standard that connects AI assistants to systems where data actually lives—content repositories, business tools, development environments, and more.

In January 2025, the IETF published RFC 9700: Best Current Practice for OAuth 2.0 Security. We read it and summarized the best practices you should follow to keep your OAuth implementation safe.

Choosing between FGA and ABAC can be tricky, but it doesn’t have to be. In this article, we break down both models to help you decide which one works best for your needs.

Want to keep your JWTs safe from attackers? This guide covers the best practices for securely storing your tokens and ensuring your app's security.

Today, I want to share the emotional side of hitting PMF at WorkOS, plus some advice I’ve learned the hard way from growing the company to where it is today.

Learn how to enhance your API's security with granular permissions using OAuth scopes, allowing you to control access precisely and protect user data effectively. This guide covers the basics of OAuth scopes, implementing fine-grained permissions, and best practices for secure API management.

The “aud” claim tells the system which recipient the token is meant for.

Your auth system can issue a JWT with user details, enabling API routes to decode and use claims without extra queries.

Multiple customers, one software instance—sounds tricky, right? Find out how multi-tenancy ensures secure, separate access for everyone and why it matters.

OAuth 2.0 set the standard for delegated authorization, but OpenID Connect (OIDC) compliments this protocol by adding user authentication

API authentication ensures that only authorized requests access protected resources. It’s a mechanism for verifying credentials against predetermined rules to reject unauthorized traffic.

LLMs excel at automating code and content tasks, but their accuracy depends on the context you provide—especially as your codebase evolves. Learn key tools and techniques to keep your AI assistants up to date.

Operator models can use the computer the way humans do. This unlocks new capabilities like shopping, researching and performing tasks on our behalf, but raises important security and compliance ramifications.

Identity and access management have many terms, and it’s not always clear what they mean. Many people are confused about the differences between identity federation and identity delegation. Read this article to understand each one once and for all.

Honeypots are traps you can set up at your website to catch bots. Read how you can implement one and what are the best practices to follow.

This article examines five leading feature toggle providers in 2025—LaunchDarkly, Optimizely, Unleash, Bucket, Split.io, and Eppo—each offering unique benefits for different technical and organizational requirements.

Interest in AI agents is exploding, and they're already transforming how we work and perform research. Learn how.

Keeping data safe, especially sensitive data like PII, is an increasingly difficult project. Read about Data Vaults and EKM and how enterprises can use them to ensure data integrity and confidentiality.

Radix and shadcn-ui are both component libraries for React, but which should you choose?

If you think you’re done when you authenticate a user, think again. Proper session management can make or break your app, both security and UX-wise. We gathered some industry best practices to help you get started.

Authorization rules can be expressed as policies, relationships, or both. Read how each one works, their pros and cons, and find the best for your case.

Keeping your data safe by encrypting them is crucial, but how do you keep the encryption keys safe? Read what EKM and KMS are and how they work together to do exactly that.

AI agent frameworks and platforms empower developers to build software that can reason, remember, and act independently. Which should you choose?

Learn how to use OAuth for secure machine-to-machine communication with the Client Credentials flow.

Large Language Models (LLMs) excel at producing text, but many applications need them to do more: raise GitHub issues, star a repository, or send Twilio messages in real time.

Ensure the right people have the right access. Check out our RBAC best practices guide and avoid common pitfalls.

Step-by-step tutorial that walks you through the necessary steps to add role-based access control (RBAC) to your app using WorkOS and Node.

Bots are everywhere. How can you distinguish the bad from the good, and how can you stop them? Read our guide for practical steps on how to stop bots and protect your app.

When your goal is selling to enterprises, sooner or later, you will have to leave RBAC for a fine-grained authorization model. Read more about why that is and how you can make the move.

Learn what federated identity is, how it works, its pros and cons, and how it differs from SSO and social logins.

Custom Logout URIs, Session Inactivity Timeouts, and AuthKit Next.js SDK v1.0

Do you plan on outsourcing SCIM and you don't know where? Read this article for a list of auth providers that support SCIM and a comparison of the features they offer.

Do you want to add passwordless authentication to your app and don’t know where to start? Read our guide for an overview of the top available methods, their pros and cons, and which one might be the best for you.

Do your emails end up in spam? Read this guide to see what you can do to optimize your email deliverability and avoid the spam folder.

DeepSeek R1 is an open-source LLM for conversational AI, coding, and problem-solving. Here's how to run it locally.

Authentik is an open-source Identity Provider (IdP) that allows you to self-host user authentication, single sign-on (SSO), and access controls.

Which products can help you safeguard your app against bots and hackers and how do they compare? Learn what you should look for and what features each vendor offers.

Ente Auth is a modern, secure, and user-friendly two-factor authentication (2FA) solution designed to safeguard online accounts with minimal hassle.

shadcn-ui is a set of reusable React components focused on accessibility, customization, and developer control. It stands out from typical UI libraries by allowing you to own the code directly, thereby reducing external dependencies and version lock-ins.

Announced just this week, DeepSeek-R1 is positioned as a direct competitor to incumbent LLM creators’ flagship models, promising robust reasoning, mathematics, and coding capabilities.

Read about how failed startups that used Google SSO might be susceptible to leaking sensitive information of employees.

Step-by-step tutorial that walks you through the necessary steps to add SSO to your app using SAML, JumpCloud, Node, and WorkOS.