# WorkOS (verified) Enterprise-ready authentication and user management. Manage organizations, users, SSO connections, directory sync, audit logs, fine-grained authorization, and feature flags. ## Quick Start ```bash # Connect this server (installs CLI if needed) npx -y @smithery/cli@latest mcp add workos # Browse available tools npx -y @smithery/cli@latest tool list workos # Get full schema for a tool npx -y @smithery/cli@latest tool get workos api_keys.validations.create # Call a tool npx -y @smithery/cli@latest tool call workos api_keys.validations.create '{}' ``` ## Direct MCP Connection Endpoint: `https://workos.run.tools` **Required config:** - `x-bearer` (header) — Your WorkOS API key prefixed with `sk_`. Pass it as a Bearer token: `Authorization: Bearer sk_example_123456789`. **Optional config:** - `x-access_token` (header) — An SSO access token returned from the Get a Profile and Token endpoint. ## Tools (127) - `api_keys.validations.create` — Validate an API key value and return the API key object if valid. - `audit_logs.actions.list` — Get a list of all Audit Log actions in the current environment. - `audit_logs.actions.schemas.list` — Get a list of all schemas for the Audit Logs action identified by `:name`. - `audit_logs.actions.schemas.create` — Creates a new Audit Log schema used to validate the payload of incoming Audit Log Events. If the `action` does not exis… - `audit_logs.events.create` — Create an Audit Log Event. - `audit_logs.exports.create` — Create an Audit Log Export. Exports are scoped to a single organization within a specified date range. - `audit_logs.exports.get` — Get an Audit Log Export. The URL will expire after 10 minutes. If the export is needed again at a later time, refetchin… - `auth.factors.get` — Gets an Authentication Factor. - `auth.factors.delete` — Permanently deletes an Authentication Factor. It cannot be undone. - `authorization.organization_memberships.check.create` — Check if an organization membership has a specific permission on a resource. Supports identification by resource_id OR … - `authorization.organization_memberships.resources.list` — Returns all child resources of a parent resource where the organization membership has a specific permission. This is u… - `authorization.organization_memberships.role_assignments.list` — List all role assignments for an organization membership. This returns all roles that have been assigned to the user on… - `authorization.organization_memberships.role_assignments.create` — Assign a role to an organization membership on a specific resource. - `authorization.organization_memberships.role_assignments.by_organization_membership_id.delete` — Remove a role assignment by role slug and resource. - `authorization.organization_memberships.role_assignments.delete` — Remove a role assignment using its ID. - `authorization.organizations.roles.list` — Get a list of all roles that apply to an organization. This includes both environment roles and organization-specific r… - `authorization.organizations.roles.create` — Create a new custom organization role. When slug is omitted, it is auto-generated from the role name. - `authorization.organizations.roles.get` — Retrieve a role that applies to an organization by its slug. This can return either an environment role or an organizat… - `authorization.organizations.roles.update` — Update an existing custom organization role. Only the fields provided in the request body will be updated. - `authorization.organizations.roles.delete` — Delete an existing custom organization role. - `authorization.organizations.roles.permissions.create` — Add a single permission to an organization role. If the permission is already assigned to the role, this operation has … - `authorization.organizations.roles.permissions.update` — Replace all permissions on a role with the provided list. - `authorization.organizations.roles.permissions.delete` — Remove a single permission from an organization role by its slug. - `authorization.organizations.resources.get` — Retrieve the details of an authorization resource by its external ID, organization, and resource type. This is useful w… - `authorization.organizations.resources.update` — Update an existing authorization resource using its external ID. - `authorization.organizations.resources.delete` — Delete an authorization resource by organization, resource type, and external ID. This also deletes all descendant reso… - `authorization.organizations.resources.organization_memberships.list` — Returns all organization memberships that have a specific permission on a resource, using the resource's external ID. T… - `authorization.permissions.list` — Get a list of all permissions in your WorkOS environment. - `authorization.permissions.create` — Create a new permission in your WorkOS environment. The permission can then be assigned to environment roles and organi… - `authorization.permissions.get` — Retrieve a permission by its unique slug. - `authorization.permissions.update` — Update an existing permission. Only the fields provided in the request body will be updated. - `authorization.permissions.delete` — Delete an existing permission. System permissions cannot be deleted. - `authorization.resources.list` — Get a paginated list of authorization resources. - `authorization.resources.create` — Create a new authorization resource. - `authorization.resources.get` — Retrieve the details of an authorization resource by its ID. - `authorization.resources.update` — Update an existing authorization resource. - `authorization.resources.delete` — Delete an authorization resource and all its descendants. - `authorization.resources.organization_memberships.list` — Returns all organization memberships that have a specific permission on a resource instance. This is useful for answeri… - `authorization.roles.list` — List all environment roles in priority order. - `authorization.roles.create` — Create a new environment role. - `authorization.roles.get` — Get an environment role by its slug. - `authorization.roles.update` — Update an existing environment role. - `authorization.roles.permissions.create` — Add a single permission to an environment role. If the permission is already assigned to the role, this operation has n… - `authorization.roles.permissions.update` — Replace all permissions on an environment role with the provided list. - `connect.applications.list` — List all Connect Applications in the current environment with optional filtering. - `connect.applications.create` — Create a new Connect Application. Supports both OAuth and Machine-to-Machine (M2M) application types. - `connect.applications.get` — Retrieve details for a specific Connect Application by ID or client ID. - `connect.applications.update` — Update an existing Connect Application. For OAuth applications, you can update redirect URIs. For all applications, you… - `connect.applications.delete` — Delete an existing Connect Application. - `connections.list` — Get a list of all of your existing connections matching the criteria specified. - `connections.get` — Get the details of an existing connection. - `connections.delete` — Permanently deletes an existing connection. It cannot be undone. - `directories.list` — Get a list of all of your existing directories matching the criteria specified. - `directories.get` — Get the details of an existing directory. - `directories.delete` — Permanently deletes an existing directory. It cannot be undone. - `directory_groups.list` — Get a list of all of existing directory groups matching the criteria specified. - `directory_groups.get` — Get the details of an existing Directory Group. - `directory_users.list` — Get a list of all of existing Directory Users matching the criteria specified. - `directory_users.get` — Get the details of an existing Directory User. - `events.list` — List events for the current environment. --- *Response truncated. Use `npx -y @smithery/cli@latest` for complete data.*