WorkOS
Unclaimed verified 4 jul 2026Your app, Enterprise Ready.
TL;DR
WorkOS is a developer platform that provides essential building blocks to make SaaS applications enterprise-ready with minimal engineering effort. It focuses on high-value features like SSO, SCIM directory sync, and audit logs, differentiating itself by abstracting the complexity of legacy enterprise protocols into modern, developer-friendly APIs.
What Users Actually Pay
No user-reported pricing yet.
Our Take
WorkOS occupies a unique niche in the identity market by positioning itself as the 'Day 2' authentication layer for B2B startups. While competitors like Clerk and Supabase focus on getting users logged in quickly, WorkOS excels when those users need to connect via Okta, Entra ID, or Ping. Its modularity is its greatest strength, allowing developers to keep their existing auth stack while 'bolting on' enterprise features. The platform's developer experience is industry-leading, characterized by polished SDKs and a self-service 'Admin Portal' that offloads the burden of onboarding enterprise customers to the customers' own IT admins. This significantly reduces the time-to-market for startups moving up-market into enterprise sales. However, the 'per-connection' pricing model can be a double-edged sword. While it aligns costs with customer acquisition, it can become prohibitively expensive for companies serving a high volume of small enterprise clients. Furthermore, while WorkOS has expanded into full user management (AuthKit), it still feels most powerful when used as an enterprise integration layer rather than a total replacement for consumer-grade auth providers. Ultimately, WorkOS is best suited for growth-stage B2B SaaS companies whose primary revenue bottleneck is passing enterprise security reviews and supporting complex SAML/SCIM requirements.
Pros
- + Streamlines complex SAML and SCIM integrations that typically take months of development.
- + The 'Admin Portal' provides a white-labeled, self-service onboarding experience for IT admins.
- + Generous free tier for user management (AuthKit) supporting up to 1 million monthly active users.
- + Exceptionally clean and well-structured API documentation with multi-language SDK support.
- + Robust 'Radar' feature for bot protection and fraud detection integrated into the auth flow.
Cons
- - Per-connection pricing ($125/mo per customer) can scale aggressively for certain B2B business models.
- - Purposefully lacks legacy support for SMS-based MFA, which may be a hurdle for some compliance edge cases.
- - Less out-of-the-box UI customization for non-technical users compared to competitors like Clerk.
- - Total cost of ownership can be high once custom domains and premium support add-ons are factored in.
Sentiment Analysis
Sentiment has remained stable since last capture. Sentiment is overwhelmingly positive among developers, particularly regarding the 'Enterprise Ready' positioning and the quality of the API. While some pushback exists on the per-connection pricing model, it is generally accepted as a fair trade-off for the engineering time saved. The recent release of a full OpenAPI spec has further boosted developer sentiment.
Sentiment Over Time
By Source
45 mentions
Sample quotes (1)
- "WorkOS made implementing SSO for our enterprise customers a breeze. What would have taken months was done in days."
120 mentions
Sample quotes (2)
- "Choose WorkOS if your primary motion is selling to enterprise. SSO, SCIM, and the Admin Portal are table stakes, and WorkOS makes all four dramatically easier to ship."
- "WorkOS seems very expensive at $125/mo per connection compared to Clerk's $1 per organization. It really depends on your customer value."
200 mentions
Sample quotes (1)
- "The WorkOS API is now fully described by an open-source OpenAPI specification. This is a massive win for developer velocity and automation."
Agent Readiness
84/100WorkOS is highly optimized for AI agents and autonomous integrations. It provides a comprehensive OpenAPI 3.1 specification on GitHub, making it trivial for LLM-based agents to generate clients or understand endpoint logic. The inclusion of a robust Sandbox (Staging) environment allows agents to test auth flows safely, while the extensive webhook system enables real-time event-driven architectures. The documentation is widely considered the gold standard in the identity space.
Last checked Jul 2, 2026
MCP Integrations
2 servers127 tools9 total usesEnterprise-ready authentication and user management. Manage organizations, users, SSO connections, directory sync, audit logs, fine-grained authorization, and feature flags.
127 tools
api_keys.validations.createValidate an API key value and return the API key object if valid.audit_logs.actions.listGet a list of all Audit Log actions in the current environment.audit_logs.actions.schemas.listGet a list of all schemas for the Audit Logs action identified by `:name`.audit_logs.actions.schemas.createCreates a new Audit Log schema used to validate the payload of incoming Audit Log Events. If the `action` does not exist, it will also be created.audit_logs.events.createCreate an Audit Log Event. This API supports idempotency which guarantees that performing the same operation multiple times will have the same result as if the operation were performed only once. This is handy in situations where you may need to retry a request due to a failure or prevent accidental duplicate requests from creating more than one resource. To achieve idempotency, you can add `Idempotency-Key` request header to a Create Event request with a unique string as the value. Each subsequent request matching this unique string will return the same response. We suggest using [v4 UUIDs](https://en.wikipedia.org/wiki/Universally_unique_identifier) for idempotency keys to avoid collisions. Idempotency keys expire after 24 hours. The API will generate a new response if you submit a request with an expired key.audit_logs.exports.createCreate an Audit Log Export. Exports are scoped to a single organization within a specified date range.audit_logs.exports.getGet an Audit Log Export. The URL will expire after 10 minutes. If the export is needed again at a later time, refetching the export will regenerate the URL.auth.factors.getGets an Authentication Factor.auth.factors.deletePermanently deletes an Authentication Factor. It cannot be undone.authorization.organization_memberships.check.createCheck if an organization membership has a specific permission on a resource. Supports identification by resource_id OR by resource_external_id + resource_type_slug.authorization.organization_memberships.resources.listReturns all child resources of a parent resource where the organization membership has a specific permission. This is useful for resource discovery—answering "What projects can this user access in this workspace?" You must provide either `parent_resource_id` or both `parent_resource_external_id` and `parent_resource_type_slug` to identify the parent resource.authorization.organization_memberships.role_assignments.listList all role assignments for an organization membership. This returns all roles that have been assigned to the user on resources, including organization-level and sub-resource roles.authorization.organization_memberships.role_assignments.createAssign a role to an organization membership on a specific resource.authorization.organization_memberships.role_assignments.by_organization_membership_id.deleteRemove a role assignment by role slug and resource.authorization.organization_memberships.role_assignments.deleteRemove a role assignment using its ID.authorization.organizations.roles.listGet a list of all roles that apply to an organization. This includes both environment roles and organization-specific roles, returned in priority order.authorization.organizations.roles.createCreate a new custom organization role. When slug is omitted, it is auto-generated from the role name.authorization.organizations.roles.getRetrieve a role that applies to an organization by its slug. This can return either an environment role or an organization-specific role.authorization.organizations.roles.updateUpdate an existing custom organization role. Only the fields provided in the request body will be updated.authorization.organizations.roles.deleteDelete an existing custom organization role.authorization.organizations.roles.permissions.createAdd a single permission to an organization role. If the permission is already assigned to the role, this operation has no effect.authorization.organizations.roles.permissions.updateReplace all permissions on a role with the provided list.authorization.organizations.roles.permissions.deleteRemove a single permission from an organization role by its slug.authorization.organizations.resources.getRetrieve the details of an authorization resource by its external ID, organization, and resource type. This is useful when you only have the external ID from your system and need to fetch the full resource details.authorization.organizations.resources.updateUpdate an existing authorization resource using its external ID.authorization.organizations.resources.deleteDelete an authorization resource by organization, resource type, and external ID. This also deletes all descendant resources.authorization.organizations.resources.organization_memberships.listReturns all organization memberships that have a specific permission on a resource, using the resource's external ID. This is useful for answering "Who can access this resource?" when you only have the external ID.authorization.permissions.listGet a list of all permissions in your WorkOS environment.authorization.permissions.createCreate a new permission in your WorkOS environment. The permission can then be assigned to environment roles and organization roles.authorization.permissions.getRetrieve a permission by its unique slug.authorization.permissions.updateUpdate an existing permission. Only the fields provided in the request body will be updated.authorization.permissions.deleteDelete an existing permission. System permissions cannot be deleted.authorization.resources.listGet a paginated list of authorization resources.authorization.resources.createCreate a new authorization resource.authorization.resources.getRetrieve the details of an authorization resource by its ID.authorization.resources.updateUpdate an existing authorization resource.authorization.resources.deleteDelete an authorization resource and all its descendants.authorization.resources.organization_memberships.listReturns all organization memberships that have a specific permission on a resource instance. This is useful for answering "Who can access this resource?".authorization.roles.listList all environment roles in priority order.authorization.roles.createCreate a new environment role.authorization.roles.getGet an environment role by its slug.authorization.roles.updateUpdate an existing environment role.authorization.roles.permissions.createAdd a single permission to an environment role. If the permission is already assigned to the role, this operation has no effect.authorization.roles.permissions.updateReplace all permissions on an environment role with the provided list.connect.applications.listList all Connect Applications in the current environment with optional filtering.connect.applications.createCreate a new Connect Application. Supports both OAuth and Machine-to-Machine (M2M) application types.connect.applications.getRetrieve details for a specific Connect Application by ID or client ID.connect.applications.updateUpdate an existing Connect Application. For OAuth applications, you can update redirect URIs. For all applications, you can update the name, description, and scopes.connect.applications.deleteDelete an existing Connect Application.connections.listGet a list of all of your existing connections matching the criteria specified.connections.getGet the details of an existing connection.connections.deletePermanently deletes an existing connection. It cannot be undone.directories.listGet a list of all of your existing directories matching the criteria specified.directories.getGet the details of an existing directory.directories.deletePermanently deletes an existing directory. It cannot be undone.directory_groups.listGet a list of all of existing directory groups matching the criteria specified.directory_groups.getGet the details of an existing Directory Group.directory_users.listGet a list of all of existing Directory Users matching the criteria specified.directory_users.getGet the details of an existing Directory User.events.listList events for the current environment.feature_flags.listGet a list of all of your existing feature flags matching the criteria specified.feature_flags.getGet the details of an existing feature flag by its slug.feature_flags.disable.updateDisables a feature flag in the current environment.feature_flags.enable.updateEnables a feature flag in the current environment.feature_flags.targets.createEnables a feature flag for a specific target in the current environment. Currently, supported targets include users and organizations.feature_flags.targets.deleteRemoves a target from the feature flag's target list in the current environment. Currently, supported targets include users and organizations.organization_domains.createCreates a new Organization Domain.organization_domains.getGet the details of an existing organization domain.organization_domains.deletePermanently deletes an organization domain. It cannot be undone.organization_domains.verifyInitiates verification process for an Organization Domain.organizations.listGet a list of all of your existing organizations matching the criteria specified.organizations.createCreates a new organization in the current environment.organizations.external_id.getGet the details of an existing organization by an [external identifier](/authkit/metadata/external-identifiers).organizations.getGet the details of an existing organization.organizations.updateUpdates an organization in the current environment.organizations.deletePermanently deletes an organization in the current environment. It cannot be undone.organizations.audit_log_configuration.getGet the unified view of audit log trail and stream configuration for an organization.organizations.audit_logs_retention.getGet the configured event retention period for the given Organization.organizations.audit_logs_retention.updateSet the event retention period for the given Organization.organizations.api_keys.listGet a list of all API keys for an organization.organizations.api_keys.createCreate a new API key for an organization.organizations.feature_flags.listGet a list of all enabled feature flags for an organization.portal.generate_link.createGenerate a Portal Link scoped to an Organization.radar.attempts.createAssess a request for risk using the Radar engine and receive a verdict.radar.attempts.updateYou may optionally inform Radar that an authentication attempt or challenge was successful using this endpoint. Some Radar controls depend on tracking recent successful attempts, such as impossible travel.radar.lists.createAdd an entry to a Radar list.radar.lists.deleteRemove an entry from a Radar list.sso.profile.listExchange an access token for a user's [Profile](/reference/sso/profile). Because this profile is returned in the [Get a Profile and Token endpoint](/reference/sso/profile/get-profile-and-token) your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user's profile.user_management.email_verification.getGet the details of an existing email verification code that can be used to send an email to a user for verification.user_management.invitations.listGet a list of all of invitations matching the criteria specified.user_management.invitations.createSends an invitation email to the recipient.user_management.invitations.by_token.getRetrieve an existing invitation using the token.user_management.invitations.getGet the details of an existing invitation.user_management.invitations.accept.createAccepts an invitation and, if linked to an organization, activates the user's membership in that organization.user_management.invitations.resend.createResends an invitation email to the recipient. The invitation must be in a pending state.user_management.invitations.revokeRevokes an existing invitation.user_management.organization_memberships.listGet a list of all organization memberships matching the criteria specified. At least one of `user_id` or `organization_id` must be provided. By default only active memberships are returned. Use the `statuses` parameter to filter by other statuses.user_management.organization_memberships.createCreates a new `active` organization membership for the given organization and user. Calling this API with an organization and user that match an `inactive` organization membership will activate the membership with the specified role(s).user_management.organization_memberships.getGet the details of an existing organization membership.user_management.organization_memberships.updateUpdate the details of an existing organization membership.user_management.organization_memberships.deletePermanently deletes an existing organization membership. It cannot be undone.user_management.organization_memberships.deactivate.updateDeactivates an `active` organization membership. Emits an [organization_membership.updated](/events/organization-membership) event upon successful deactivation. - Deactivating an `inactive` membership is a no-op and does not emit an event. - Deactivating a `pending` membership returns an error. This membership should be [deleted](/reference/authkit/organization-membership/delete) instead. See the [membership management documentation](/authkit/users-organizations/organizations/membership-management) for additional details.user_management.organization_memberships.reactivate.updateReactivates an `inactive` organization membership, retaining the pre-existing role(s). Emits an [organization_membership.updated](/events/organization-membership) event upon successful reactivation. - Reactivating an `active` membership is a no-op and does not emit an event. - Reactivating a `pending` membership returns an error. The user needs to [accept the invitation](/authkit/invitations) instead. See the [membership management documentation](/authkit/users-organizations/organizations/membership-management) for additional details.user_management.users.listGet a list of all of your existing users matching the criteria specified.user_management.users.createCreate a new user in the current environment.user_management.users.external_id.getGet the details of an existing user by an [external identifier](/authkit/metadata/external-identifiers).user_management.users.getGet the details of an existing user.user_management.users.updateUpdates properties of a user. The omitted properties will be left unchanged.user_management.users.deletePermanently deletes a user in the current environment. It cannot be undone.user_management.users.email_change.confirm.createConfirms an email change using the one-time code received by the user.user_management.users.email_change.sendSends an email that contains a one-time code used to change a user's email address.user_management.users.email_verification.confirm.createVerifies an email address using the one-time code received by the user.user_management.users.email_verification.sendSends an email that contains a one-time code used to verify a user’s email address.user_management.users.identities.listGet a list of identities associated with the user. A user can have multiple associated identities after going through [identity linking](/authkit/identity-linking). Currently only OAuth identities are supported. More provider types may be added in the future.user_management.users.sessions.listGet a list of all active sessions for a specific user.user_management.users.feature_flags.listGet a list of all enabled feature flags for the provided user. This includes feature flags enabled specifically for the user as well as any organizations that the user is a member of.user_management.users.authorized_applications.listGet a list of all Connect applications that the user has authorized.user_management.users.authorized_applications.deleteDelete an existing Authorized Connect Application.user_management.users.connected_accounts.getRetrieves a user's [connected account](/reference/pipes/connected-account) for a specific provider.user_management.users.connected_accounts.deleteDisconnects WorkOS's account for the user, including removing any stored access and refresh tokens. The user will need to reauthorize if they want to reconnect. This does not revoke access on the provider side.user_management.users.data_providers.listRetrieves a list of available providers and the user's connection status for each. Returns all providers configured for your environment, along with the user's [connected account](/reference/pipes/connected-account) information where applicable.user_management.users.auth_factors.listLists the [authentication factors](/reference/authkit/mfa/authentication-factor) for a user.user_management.users.auth_factors.createEnrolls a user in a new [authentication factor](/reference/authkit/mfa/authentication-factor).webhook_endpoints.listGet a list of all of your existing webhook endpoints.webhook_endpoints.createCreate a new webhook endpoint to receive event notifications.webhook_endpoints.updateUpdate the properties of an existing webhook endpoint.webhook_endpoints.deleteDelete an existing webhook endpoint.
Your professional network in Claude — search contacts, log notes, and send warm intros.
Last checked Jun 24, 2026
[ features ]
Geostrategic Position
Information on which part of the world this product / vendor belongs to, i.e. the country of their headquarters primarily, but also their hosting options etc.
Find which geostrategic world region the headquarter is located in. Relevant for compliance questions (e.g., CLOUD Act) or risk of cut-off in case of conflicts. For example, some EU companies are worried about the US and would definitely not host their customer with Chinese or Russian companies.
The hosting provider that is used to host this product, if any.
The available hosting locations, if you can choose
Compliance & Security
Security certifications, compliance features, and access control capabilities.
SOC 2 Type I or Type II certification.
ISO 27001 information security certification.
Built-in tools for GDPR compliance (data export, deletion, consent).
Complete audit log of all data changes.
Granular permissions based on user roles.
Single Sign-On integration support.
Developer Experience
Tools and abstractions easing agent development and iteration.
No-code/low-code UI for designing agent workflows.
OpenAI API-compatible endpoints or SDKs.
Available as open-source with community contributions.
Programming languages with official SDK support.
Ready-to-use, customizable UI elements for auth flows.
Self-service admin dashboard for customers to manage users/orgs.
Supported frontend frameworks with dedicated guides/components.
Authentication Methods
Core authentication flows and options supported by the platform.
Supports passwordless authentication via magic links, passkeys, or biometrics.
Supported third-party social login providers.
Supported multi-factor authentication methods.
Built-in protection against bots and automated attacks during auth.
Enterprise Integrations
Protocols and tools for integrating with enterprise identity systems.
Supports SCIM for automated user provisioning and deprovisioning.
Supports syncing users/groups from directories like HRIS or IdPs.
Compatible identity providers for federation.
Just-In-Time user provisioning from SAML/OIDC assertions.
Pricing & Free Tier
Free tier limits and overall pricing structure.
Maximum Monthly Active Users allowed on the free tier.
Key usage metrics that incur costs.
Compare With
Reviews
No reviews yet. Be the first to review WorkOS!