Blog — WorkOS

3 min read Original article ↗

Product

All posts

Jul 2, 2026

Step-up authentication: Re-verify users before high-risk operations

AuthKit can now require a user to re-authenticate before a sensitive action without ending their session.

Kesin Ryan Dehejia

Jul 2, 2026

Product

All posts

Jul 1, 2026

WorkOS MCP: Manage your WorkOS account from any AI agent

We are launching a remote MCP server that gives AI agents the same access to WorkOS as your dashboard login.

Jeff Fiddler

Jul 1, 2026

Product

All posts

Jun 30, 2026

API Gateway: Managed auth and security for your API

A managed gateway that handles API key verification, token decoding, and authorization so your backend does not have to.

Cameron Matheson

Jun 30, 2026

Product

All posts

Jun 29, 2026

Projects and per-environment branding: Organize your products and brand them independently

Group your environments by product and give each one its own branding, without separate WorkOS accounts.

Beryl Wang

Jun 29, 2026

Tutorials

All posts

Jun 26, 2026

Social login in React Router v7: Google, GitHub, and Microsoft

A complete guide to social login in React Router v7, covering Google, GitHub, Microsoft, and every provider you will need as you grow.

Maria Paktiti

Jun 26, 2026

Guides

All posts

Jun 22, 2026

The token bill is an identity problem

Organizations are discovering that AI agent costs are invisible by design. The fix starts earlier in the stack than most teams realize.

Maria Paktiti

Jun 22, 2026

Guides

All posts

Jun 19, 2026

SAML attribute mapping: A complete developer guide

How SAML attribute mapping works, how to configure it in Okta and Microsoft Entra ID, and how to map user roles, groups, and custom claims to your application.

Maria Paktiti

Jun 19, 2026

Guides

All posts

Jun 18, 2026

How to secure agentic commerce transactions

AI agents are completing real purchases with real money. The fraud model, the liability model, and the authentication model all need to change.

Maria Paktiti

Jun 18, 2026

Guides

All posts

Jun 18, 2026

AI agents now make up the majority of web traffic: What developers need to change

On June 3, 2026, Cloudflare's CEO posted that bots had passed human web traffic for the first time. Here's what that actually means for your app, your API, and your analytics.

Maria Paktiti

Jun 18, 2026

Guides

All posts

Jun 18, 2026

The biggest MCP spec update ships July 28: What changes for AI agent authentication

The MCP 2026-07-28 release candidate rewrites the protocol's foundation. Here's what's changing, what's breaking, and what your team needs to do before the final spec lands.

Maria Paktiti

Jun 18, 2026

Guides

All posts

Jun 16, 2026

Password hash migration: Formats, salting, and silent rehashing

When you migrate auth providers, you inherit password hashes you can't decrypt. Here's how to handle every major format.

Maria Paktiti

Jun 16, 2026

Tutorials

All posts

Jun 16, 2026

Encrypting PII in a Node.js app with WorkOS Vault

Store, retrieve, update, and delete sensitive user data using Vault's full CRUD lifecycle (no cryptography expertise required).

Maria Paktiti

Jun 16, 2026

Guides

All posts

Jun 16, 2026

How to secure your MCP server with OAuth resource indicators

How audience-bound tokens keep your MCP servers secure.

Maria Paktiti

Jun 16, 2026

Guides

All posts

Jun 15, 2026

Cryptographic key isolation in multi-tenant SaaS

What "isolation" actually means at the key level, how to implement it with key context, and what your blast radius looks like when something goes wrong.

Maria Paktiti

Jun 15, 2026

Guides

All posts

Jun 15, 2026

Your users signed in with Google. That doesn't mean you can call their Google Calendar.

Why authentication and API access are two different things in Google OAuth, and what to do about it.

Maria Paktiti

Jun 15, 2026

Next

1 / 48