WorkOS API
Enterprise authentication infrastructure API providing SAML/OIDC SSO, SCIM Directory Sync, MFA, and a self-serve Admin Portal for B2B SaaS apps to add enterprise identity features without building them from scratch.
Score Breakdown
🔒 Security
API key for backend calls plus PKCE OAuth for user-facing flows. Separate keys per environment (dev/prod). SOC 2 Type II and ISO 27001 compliance. Enterprise SSO (SAML), SCIM, and MFA capabilities. Security is WorkOS's core product, so the posture is strong.
Best When
A B2B SaaS product needs to add enterprise SSO, SCIM, and audit logs to close enterprise deals — WorkOS is purpose-built for this exact use case with a Stripe-quality developer experience.
Avoid When
Your users are consumers or SMBs who won't need SAML SSO or directory sync; the cost and complexity are not justified.
Use Cases
- Adding SAML and OIDC enterprise SSO to a B2B SaaS product to close enterprise deals
- Automating user provisioning and deprovisioning via SCIM Directory Sync from Okta, Azure AD, or Google Workspace
- Embedding a self-serve Admin Portal so customers configure their own SSO connection
- Querying synced directory users and groups programmatically in agent workflows
- Streaming audit log events to SIEM systems for compliance and security monitoring
Not For
- Consumer-facing apps that don't need enterprise SSO or SCIM
- Teams that only need social login (Clerk or Auth0 are better fits)
- Applications requiring an end-user self-registration UI (WorkOS is B2B identity infrastructure, not a consumer auth platform)
Interface
Authentication
A single secret key (sk_live_/sk_test_) covers all backend API operations: simple and agent-friendly, with no token rotation required. There is no granular key scoping. Keys are separated per environment (production vs. staging). WorkOS supports both SAML and OIDC for the SSO flows it enables in your product.
Pricing
Standard plan with 1M MAU free is a compelling deal for growing B2B SaaS. The jump to Enterprise pricing for SAML SSO is significant — typical enterprise SaaS customers are willing to pay this. WorkOS is known for startup-friendly terms and no long-term contracts.
Known Gotchas
- ⚠ Directory Sync events must be consumed via webhooks — polling is not supported; missed events require a full directory re-sync
- ⚠ SAML assertions are single-use and time-bounded (5 minutes typically) — agents handling SSO callbacks must process immediately
- ⚠ Admin Portal links expire after a configurable period (default 5 minutes) — generate fresh links on demand, never cache
- ⚠ Each enterprise customer requires a separately configured SSO connection — org-specific connection IDs must be fetched dynamically
- ⚠ SCIM provisioning events can arrive out of order during bulk imports — implement idempotent handlers keyed on externalId
- ⚠ Secret Key has full account access — no per-connection scoping; guard carefully in multi-tenant environments
- ⚠ Test environment uses sk_test_ keys with test IdP — do not mix test and production connection IDs
Scores are editorial opinions as of 2026-03-06.