The MCP tool directory.

List all role assignments for an organization membership. This returns all roles that have been assigned to the user on resources, including organization-level and sub-resource roles.

Delete an authorization resource by organization, resource type, and external ID. This also deletes all descendant resources.

Retrieve the details of an authorization resource by its external ID, organization, and resource type. This is useful when you only have the external ID from your system and need to fetch the full resource details.

Returns all organization memberships that have a specific permission on a resource, using the resource's external ID. This is useful for answering "Who can access this resource?" when you only have the external ID.

Update an existing authorization resource using its external ID.

Create a new custom organization role. When slug is omitted, it is auto-generated from the role name.

Delete an existing custom organization role.

Retrieve a role that applies to an organization by its slug. This can return either an environment role or an organization-specific role.

Get a list of all roles that apply to an organization. This includes both environment roles and organization-specific roles, returned in priority order.

Add a single permission to an organization role. If the permission is already assigned to the role, this operation has no effect.

Remove a single permission from an organization role by its slug.

Replace all permissions on a role with the provided list.

Update an existing custom organization role. Only the fields provided in the request body will be updated.

Create a new permission in your WorkOS environment. The permission can then be assigned to environment roles and organization roles.

Delete an existing permission. System permissions cannot be deleted.

Retrieve a permission by its unique slug.

Get a list of all permissions in your WorkOS environment.

Update an existing permission. Only the fields provided in the request body will be updated.

Create a new authorization resource.

Delete an authorization resource and all its descendants.

Retrieve the details of an authorization resource by its ID.

Get a paginated list of authorization resources.

Returns all organization memberships that have a specific permission on a resource instance. This is useful for answering "Who can access this resource?".

Update an existing authorization resource.

Create a new environment role.

Get an environment role by its slug.

List all environment roles in priority order.

Add a single permission to an environment role. If the permission is already assigned to the role, this operation has no effect.

Replace all permissions on an environment role with the provided list.

Update an existing environment role.