WorkOS


Your app, Enterprise Ready.

Pricing: Paid - $99/mo (custom domain); connections from ~$125/ea with discounts; 1M MAU free
Company: WorkOS
Founded: 2019
Last verified: 2026-05-22

TL;DR

WorkOS is a developer platform that abstracts the complexity of enterprise features like SSO, SCIM provisioning, and audit logs into a unified API. It is designed for B2B SaaS companies that need to sell to large organizations without spending months on custom integrations, offering a unique self-service Admin Portal for customer IT admins.

Our Take

WorkOS has solidified its position as the go-to 'enterprise-readiness' layer for modern B2B startups. While competitors like Auth0 provide a broader identity platform, WorkOS excels by focusing specifically on the friction of B2B sales cycles, namely SAML and SCIM. Its developer experience is widely considered the industry gold standard, prioritizing clean RESTful design and high-quality SDKs over the 'black box' complexity of legacy systems.

The platform’s strongest asset is the Admin Portal, which shifts the burden of SSO configuration from the SaaS provider's customer success team to the enterprise customer’s IT department. This self-service approach is a massive force multiplier for lean engineering teams. However, WorkOS is not without its trade-offs: while its user management (AuthKit) pricing is generous, its enterprise connection pricing can become a significant line item as a startup scales into dozens of enterprise clients.

Ultimately, WorkOS is best suited for B2B companies moving 'up-market.' For apps that are purely B2C or have very simple authentication needs, the premium pricing on enterprise connections might be hard to justify compared to more general-purpose auth providers. But for teams where closing a six-figure enterprise deal depends on 'checking the SSO box' by Friday, WorkOS is practically unrivaled.

Pros

  • + Rapid implementation: Users consistently report deploying enterprise-grade SAML and SCIM in days rather than months.
  • + Superior Developer Experience: Renowned for its 'textbook' documentation, modern SDKs, and intuitive API design.
  • + Admin Portal: A pre-built, white-label UI that allows end-customers to configure their own SSO/SCIM settings, drastically reducing support overhead.
  • + Generous Free Tier for AuthKit: Supports up to 1 million monthly active users for standard user management, making it accessible for early-stage startups.
  • + Reliable Support: Frequently cited for providing high-touch assistance, often through shared Slack channels for enterprise customers.

Cons

  • - Per-Connection Pricing: The cost per SSO/SCIM connection (starting around $125/mo) can become expensive for companies with many smaller enterprise clients.
  • - CIAM Gaps: Compared to rivals like Clerk or Supabase, it has historically lacked some granular session management and 'out-of-the-box' UI components for B2C flows.
  • - Platform Lock-in: Migrating complex enterprise configurations (like hundreds of SCIM mappings) away from WorkOS can be technically challenging.
  • - Integration-Heavy: Requires more backend development 'glue' code compared to 'plug-and-play' frontend-only auth solutions.

Sentiment Analysis

+0.83 | Very Positive | Updated May 23, 2026

Sentiment has remained stable since last capture. Overall sentiment has seen a slight uptick (from 0.81 to 0.83) driven by strong adoption among high-profile AI startups like Cursor and Perplexity. Developers praise the 'cleanliness' of the API, while minor friction persists around the 'Enterprise Tax' pricing model for high-volume, low-contract-value connections.

By Source

G2: +0.90

25 mentions

Sample quotes (1)
  • "WorkOS allowed my company to integrate with 10+ identity providers in the time that it would have taken to implement with one of them natively."

Reddit: +0.72

45 mentions

Sample quotes (1)
  • "WorkOS is solid for enterprise SSO, but pricing and per-connection costs made me think twice. ScaleKit felt more straightforward for org-first modeling."

X (Twitter): +0.88

110 mentions

Sample quotes (1)
  • "Cursor now completely runs on WorkOS. Login times are much faster... and we're not subject to Auth0's customer-hostile and opaque pricing anymore."

Agent Readiness

73/100

WorkOS is exceptionally 'Agent-Ready.' By publishing an open-source OpenAPI 3.1 specification, they allow AI agents to immediately understand and interact with their entire API surface for tasks like user provisioning or organization management. The robust webhook system allows agents to react to real-time events (e.g., a new user joining via SCIM), and the world-class documentation ensures agents can easily troubleshoot or generate boilerplate integration code.

API Surface: 100
Public API, REST, Free Tier, OpenAPI

Protocol Support: 40
MCP (127 tools)

SDK Availability: 70
  • npm: @workos-inc/node (official)
  • npm: @workos-inc/authkit-nextjs (official)
  • npm: workos (official)
  • npm: @convex-dev/workos-authkit (official)
  • npm: @workos/authkit-session (official)
  • npm: @workos/authkit-tanstack-react-start (official)
  • npm: @workos-inc/authkit-react-router (official)
  • npm: @mastra/auth-workos (official)
  • npm: @workos/authkit-sveltekit (official)
  • npm: @convex-dev/workos (official)
  • pypi: workos (official)

Integration Ecosystem: 50
Zapier, Webhooks, Okta, Entra ID, Slack, Splunk (Audit Logs), Datadog

Developer Experience: 100
Docs: excellent, Sandbox, Versioning, Changelog, Status Page

Last checked May 23, 2026

MCP Integrations

1 server | 127 tools | 1,823 total uses

WorkOS (workos)
smithery | Verified | Remote | High match

Enterprise-ready authentication and user management. Manage organizations, users, SSO connections, directory sync, audit logs, fine-grained authorization, and feature flags.

1,823 uses
127 tools
  • api_keys.validations.create: Validate an API key value and return the API key object if valid.
  • audit_logs.actions.list: Get a list of all Audit Log actions in the current environment.
  • audit_logs.actions.schemas.list: Get a list of all schemas for the Audit Logs action identified by `:name`.
  • audit_logs.actions.schemas.create: Creates a new Audit Log schema used to validate the payload of incoming Audit Log Events. If the `action` does not exist, it will also be created.
  • audit_logs.events.create: Create an Audit Log Event. This API supports idempotency which guarantees that performing the same operation multiple times will have the same result as if the operation were performed only once. This is handy in situations where you may need to retry a request due to a failure or prevent accidental duplicate requests from creating more than one resource. To achieve idempotency, you can add `Idempotency-Key` request header to a Create Event request with a unique string as the value. Each subsequent request matching this unique string will return the same response. We suggest using [v4 UUIDs](https://en.wikipedia.org/wiki/Universally_unique_identifier) for idempotency keys to avoid collisions. Idempotency keys expire after 24 hours. The API will generate a new response if you submit a request with an expired key.
  • audit_logs.exports.create: Create an Audit Log Export. Exports are scoped to a single organization within a specified date range.
  • audit_logs.exports.get: Get an Audit Log Export. The URL will expire after 10 minutes. If the export is needed again at a later time, refetching the export will regenerate the URL.
  • auth.factors.get: Gets an Authentication Factor.
  • auth.factors.delete: Permanently deletes an Authentication Factor. It cannot be undone.
  • authorization.organization_memberships.check.create: Check if an organization membership has a specific permission on a resource. Supports identification by resource_id OR by resource_external_id + resource_type_slug.
  • authorization.organization_memberships.resources.list: Returns all child resources of a parent resource where the organization membership has a specific permission. This is useful for resource discovery, answering "What projects can this user access in this workspace?" You must provide either `parent_resource_id` or both `parent_resource_external_id` and `parent_resource_type_slug` to identify the parent resource.
  • authorization.organization_memberships.role_assignments.list: List all role assignments for an organization membership. This returns all roles that have been assigned to the user on resources, including organization-level and sub-resource roles.
  • authorization.organization_memberships.role_assignments.create: Assign a role to an organization membership on a specific resource.
  • authorization.organization_memberships.role_assignments.by_organization_membership_id.delete: Remove a role assignment by role slug and resource.
  • authorization.organization_memberships.role_assignments.delete: Remove a role assignment using its ID.
  • authorization.organizations.roles.list: Get a list of all roles that apply to an organization. This includes both environment roles and organization-specific roles, returned in priority order.
  • authorization.organizations.roles.create: Create a new custom organization role. When slug is omitted, it is auto-generated from the role name.
  • authorization.organizations.roles.get: Retrieve a role that applies to an organization by its slug. This can return either an environment role or an organization-specific role.
  • authorization.organizations.roles.update: Update an existing custom organization role. Only the fields provided in the request body will be updated.
  • authorization.organizations.roles.delete: Delete an existing custom organization role.
  • authorization.organizations.roles.permissions.create: Add a single permission to an organization role. If the permission is already assigned to the role, this operation has no effect.
  • authorization.organizations.roles.permissions.update: Replace all permissions on a role with the provided list.
  • authorization.organizations.roles.permissions.delete: Remove a single permission from an organization role by its slug.
  • authorization.organizations.resources.get: Retrieve the details of an authorization resource by its external ID, organization, and resource type. This is useful when you only have the external ID from your system and need to fetch the full resource details.
  • authorization.organizations.resources.update: Update an existing authorization resource using its external ID.
  • authorization.organizations.resources.delete: Delete an authorization resource by organization, resource type, and external ID. This also deletes all descendant resources.
  • authorization.organizations.resources.organization_memberships.list: Returns all organization memberships that have a specific permission on a resource, using the resource's external ID. This is useful for answering "Who can access this resource?" when you only have the external ID.
  • authorization.permissions.list: Get a list of all permissions in your WorkOS environment.
  • authorization.permissions.create: Create a new permission in your WorkOS environment. The permission can then be assigned to environment roles and organization roles.
  • authorization.permissions.get: Retrieve a permission by its unique slug.
  • authorization.permissions.update: Update an existing permission. Only the fields provided in the request body will be updated.
  • authorization.permissions.delete: Delete an existing permission. System permissions cannot be deleted.
  • authorization.resources.list: Get a paginated list of authorization resources.
  • authorization.resources.create: Create a new authorization resource.
  • authorization.resources.get: Retrieve the details of an authorization resource by its ID.
  • authorization.resources.update: Update an existing authorization resource.
  • authorization.resources.delete: Delete an authorization resource and all its descendants.
  • authorization.resources.organization_memberships.list: Returns all organization memberships that have a specific permission on a resource instance. This is useful for answering "Who can access this resource?".
  • authorization.roles.list: List all environment roles in priority order.
  • authorization.roles.create: Create a new environment role.
  • authorization.roles.get: Get an environment role by its slug.
  • authorization.roles.update: Update an existing environment role.
  • authorization.roles.permissions.create: Add a single permission to an environment role. If the permission is already assigned to the role, this operation has no effect.
  • authorization.roles.permissions.update: Replace all permissions on an environment role with the provided list.
  • connect.applications.list: List all Connect Applications in the current environment with optional filtering.
  • connect.applications.create: Create a new Connect Application. Supports both OAuth and Machine-to-Machine (M2M) application types.
  • connect.applications.get: Retrieve details for a specific Connect Application by ID or client ID.
  • connect.applications.update: Update an existing Connect Application. For OAuth applications, you can update redirect URIs. For all applications, you can update the name, description, and scopes.
  • connect.applications.delete: Delete an existing Connect Application.
  • connections.list: Get a list of all of your existing connections matching the criteria specified.
  • connections.get: Get the details of an existing connection.
  • connections.delete: Permanently deletes an existing connection. It cannot be undone.
  • directories.list: Get a list of all of your existing directories matching the criteria specified.
  • directories.get: Get the details of an existing directory.
  • directories.delete: Permanently deletes an existing directory. It cannot be undone.
  • directory_groups.list: Get a list of all existing directory groups matching the criteria specified.
  • directory_groups.get: Get the details of an existing Directory Group.
  • directory_users.list: Get a list of all existing Directory Users matching the criteria specified.
  • directory_users.get: Get the details of an existing Directory User.
  • events.list: List events for the current environment.
  • feature_flags.list: Get a list of all of your existing feature flags matching the criteria specified.
  • feature_flags.get: Get the details of an existing feature flag by its slug.
  • feature_flags.disable.update: Disables a feature flag in the current environment.
  • feature_flags.enable.update: Enables a feature flag in the current environment.
  • feature_flags.targets.create: Enables a feature flag for a specific target in the current environment. Currently, supported targets include users and organizations.
  • feature_flags.targets.delete: Removes a target from the feature flag's target list in the current environment. Currently, supported targets include users and organizations.
  • organization_domains.create: Creates a new Organization Domain.
  • organization_domains.get: Get the details of an existing organization domain.
  • organization_domains.delete: Permanently deletes an organization domain. It cannot be undone.
  • organization_domains.verify: Initiates verification process for an Organization Domain.
  • organizations.list: Get a list of all of your existing organizations matching the criteria specified.
  • organizations.create: Creates a new organization in the current environment.
  • organizations.external_id.get: Get the details of an existing organization by an [external identifier](/authkit/metadata/external-identifiers).
  • organizations.get: Get the details of an existing organization.
  • organizations.update: Updates an organization in the current environment.
  • organizations.delete: Permanently deletes an organization in the current environment. It cannot be undone.
  • organizations.audit_log_configuration.get: Get the unified view of audit log trail and stream configuration for an organization.
  • organizations.audit_logs_retention.get: Get the configured event retention period for the given Organization.
  • organizations.audit_logs_retention.update: Set the event retention period for the given Organization.
  • organizations.api_keys.list: Get a list of all API keys for an organization.
  • organizations.api_keys.create: Create a new API key for an organization.
  • organizations.feature_flags.list: Get a list of all enabled feature flags for an organization.
  • portal.generate_link.create: Generate a Portal Link scoped to an Organization.
  • radar.attempts.create: Assess a request for risk using the Radar engine and receive a verdict.
  • radar.attempts.update: You may optionally inform Radar that an authentication attempt or challenge was successful using this endpoint. Some Radar controls depend on tracking recent successful attempts, such as impossible travel.
  • radar.lists.create: Add an entry to a Radar list.
  • radar.lists.delete: Remove an entry from a Radar list.
  • sso.profile.list: Exchange an access token for a user's [Profile](/reference/sso/profile). Because this profile is returned in the [Get a Profile and Token endpoint](/reference/sso/profile/get-profile-and-token) your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user's profile.
  • user_management.email_verification.get: Get the details of an existing email verification code that can be used to send an email to a user for verification.
  • user_management.invitations.list: Get a list of all invitations matching the criteria specified.
  • user_management.invitations.create: Sends an invitation email to the recipient.
  • user_management.invitations.by_token.get: Retrieve an existing invitation using the token.
  • user_management.invitations.get: Get the details of an existing invitation.
  • user_management.invitations.accept.create: Accepts an invitation and, if linked to an organization, activates the user's membership in that organization.
  • user_management.invitations.resend.create: Resends an invitation email to the recipient. The invitation must be in a pending state.
  • user_management.invitations.revoke: Revokes an existing invitation.
  • user_management.organization_memberships.list: Get a list of all organization memberships matching the criteria specified. At least one of `user_id` or `organization_id` must be provided. By default only active memberships are returned. Use the `statuses` parameter to filter by other statuses.
  • user_management.organization_memberships.create: Creates a new `active` organization membership for the given organization and user. Calling this API with an organization and user that match an `inactive` organization membership will activate the membership with the specified role(s).
  • user_management.organization_memberships.get: Get the details of an existing organization membership.
  • user_management.organization_memberships.update: Update the details of an existing organization membership.
  • user_management.organization_memberships.delete: Permanently deletes an existing organization membership. It cannot be undone.
  • user_management.organization_memberships.deactivate.update: Deactivates an `active` organization membership. Emits an [organization_membership.updated](/events/organization-membership) event upon successful deactivation. Deactivating an `inactive` membership is a no-op and does not emit an event. Deactivating a `pending` membership returns an error. This membership should be [deleted](/reference/authkit/organization-membership/delete) instead. See the [membership management documentation](/authkit/users-organizations/organizations/membership-management) for additional details.
  • user_management.organization_memberships.reactivate.update: Reactivates an `inactive` organization membership, retaining the pre-existing role(s). Emits an [organization_membership.updated](/events/organization-membership) event upon successful reactivation. Reactivating an `active` membership is a no-op and does not emit an event. Reactivating a `pending` membership returns an error. The user needs to [accept the invitation](/authkit/invitations) instead. See the [membership management documentation](/authkit/users-organizations/organizations/membership-management) for additional details.
  • user_management.users.list: Get a list of all of your existing users matching the criteria specified.
  • user_management.users.create: Create a new user in the current environment.
  • user_management.users.external_id.get: Get the details of an existing user by an [external identifier](/authkit/metadata/external-identifiers).
  • user_management.users.get: Get the details of an existing user.
  • user_management.users.update: Updates properties of a user. The omitted properties will be left unchanged.
  • user_management.users.delete: Permanently deletes a user in the current environment. It cannot be undone.
  • user_management.users.email_change.confirm.create: Confirms an email change using the one-time code received by the user.
  • user_management.users.email_change.send: Sends an email that contains a one-time code used to change a user's email address.
  • user_management.users.email_verification.confirm.create: Verifies an email address using the one-time code received by the user.
  • user_management.users.email_verification.send: Sends an email that contains a one-time code used to verify a user’s email address.
  • user_management.users.identities.list: Get a list of identities associated with the user. A user can have multiple associated identities after going through [identity linking](/authkit/identity-linking). Currently only OAuth identities are supported. More provider types may be added in the future.
  • user_management.users.sessions.list: Get a list of all active sessions for a specific user.
  • user_management.users.feature_flags.list: Get a list of all enabled feature flags for the provided user. This includes feature flags enabled specifically for the user as well as any organizations that the user is a member of.
  • user_management.users.authorized_applications.list: Get a list of all Connect applications that the user has authorized.
  • user_management.users.authorized_applications.delete: Delete an existing Authorized Connect Application.
  • user_management.users.connected_accounts.get: Retrieves a user's [connected account](/reference/pipes/connected-account) for a specific provider.
  • user_management.users.connected_accounts.delete: Disconnects WorkOS's account for the user, including removing any stored access and refresh tokens. The user will need to reauthorize if they want to reconnect. This does not revoke access on the provider side.
  • user_management.users.data_providers.list: Retrieves a list of available providers and the user's connection status for each. Returns all providers configured for your environment, along with the user's [connected account](/reference/pipes/connected-account) information where applicable.
  • user_management.users.auth_factors.list: Lists the [authentication factors](/reference/authkit/mfa/authentication-factor) for a user.
  • user_management.users.auth_factors.create: Enrolls a user in a new [authentication factor](/reference/authkit/mfa/authentication-factor).
  • webhook_endpoints.list: Get a list of all of your existing webhook endpoints.
  • webhook_endpoints.create: Create a new webhook endpoint to receive event notifications.
  • webhook_endpoints.update: Update the properties of an existing webhook endpoint.
  • webhook_endpoints.delete: Delete an existing webhook endpoint.

Last checked May 25, 2026

Features

Geostrategic Position

Information on which part of the world this product or vendor belongs to: primarily the country of its headquarters, but also its hosting options.

Headquarter Region

The geostrategic world region in which the headquarters is located. Relevant for compliance questions (e.g., the CLOUD Act) or the risk of being cut off in case of conflict. For example, some EU companies are worried about the US and would definitely not host their customer data with Chinese or Russian companies.

United States

Hosting Provider

The hosting provider that is used to host this product, if any.

Amazon AWS

Hosting Locations

The available hosting locations, if you can choose.

United States

Compliance & Security

Security certifications, compliance features, and access control capabilities.

SOC 2

SOC 2 Type I or Type II certification.

Type II

ISO 27001

ISO 27001 information security certification.

no

GDPR Tools

Built-in tools for GDPR compliance (data export, deletion, consent).

no

Audit Trail

Complete audit log of all data changes.

yes

Role-Based Access Control

Granular permissions based on user roles.

yes

SSO Support

Single Sign-On integration support.

Both

Developer Experience

Tools and abstractions easing agent development and iteration.

Visual Builder

No-code/low-code UI for designing agent workflows.

no

OpenAI Compatibility

OpenAI API-compatible endpoints or SDKs.

no

Open Source

Available as open-source with community contributions.

no

SDK Languages

Programming languages with official SDK support.

Python, JavaScript/TypeScript, Other

Pre-built UI Components

Ready-to-use, customizable UI elements for auth flows.

yes

Admin Portal

Self-service admin dashboard for customers to manage users/orgs.

yes

Framework Integrations

Supported frontend frameworks with dedicated guides/components.

React, Next.js

Authentication Methods

Core authentication flows and options supported by the platform.

Passwordless Auth

Supports passwordless authentication via magic links, passkeys, or biometrics.

yes

Social Providers

Supported third-party social login providers.

Google, GitHub, Apple, GitLab, LinkedIn

MFA Methods

Supported multi-factor authentication methods.

SMS, TOTP

Bot Detection

Built-in protection against bots and automated attacks during auth.

yes

Enterprise Integrations

Protocols and tools for integrating with enterprise identity systems.

SCIM Provisioning

Supports SCIM for automated user provisioning and deprovisioning.

yes

Directory Sync

Supports syncing users/groups from directories like HRIS or IdPs.

yes

Supported IdPs

Compatible identity providers for federation.

Okta, Entra ID/Azure AD, Google Workspace, OneLogin, Ping Identity, Rippling

JIT Provisioning

Just-In-Time user provisioning from SAML/OIDC assertions.

yes

Pricing & Free Tier

Free tier limits and overall pricing structure.

Free Tier MAU Limit

Maximum Monthly Active Users allowed on the free tier.

1,000,000

Billed Metrics

Key usage metrics that incur costs.

Connections
