The WorkOS API enables adding Enterprise Ready features to your application. This REST API provides programmatic access and management of SSO, Magic Link, Directory Sync, and Audit Trail resources.
Sign in to see code examples customized with your API keys and data.
https:
WorkOS offers native SDKs in several popular programming languages. Choose one language below to see our API Reference in your application’s language.
npm install @workos-inc/node
WorkOS authenticates your API requests using your account’s API keys. API requests made without authentication or using an incorrect key will return a 401 error. Requests using a valid key but with insufficient permissions will return a 403 error. All API requests must be made over HTTPS. Any requests made over plain HTTP will fail.
curl --request GET \ --url https://api.workos.com/directories \ --header "Authorization: Bearer sk_example_123456789"
You can view and manage your API keys in the WorkOS Dashboard.
API keys can perform any API request to WorkOS. They should be kept secure and private! Be sure to prevent API keys from being made publicly accessible, such as in client-side code, GitHub, unsecured S3 buckets, and so forth. API keys are prefixed with sk\_.
Your Staging Environment comes with an API key already generated for you. Staging API keys may be viewed as often as they are needed and will appear inline throughout our documentation in code examples if you are logged in to your WorkOS account. API requests will be scoped to the provided key’s Environment.
Once you unlock Production access you will need to generate an API Key for it. Production API keys may only be viewed once and will need to be saved in a secure location upon creation of them.
WorkOS uses standard HTTP response codes to indicate the success or failure of your API requests.
2xx – Indicates success.4xx – Indicates an error, normally due to error caused by incorrect or missing request information (e.g. providing an incorrect API key).5xx – Indicates a WorkOS server error.Many top-level resources have support for bulk fetches via "list" API methods. For instance, you can list connections, list directory users, and list directory groups. These list API methods share a common structure, taking at least these four parameters: limit, order, after, and before.
WorkOS utilizes pagination via the after and before parameters. Both parameters take an existing object ID value (see below) and return objects in either descending or ascending order by created_at timestamp.
{ "data": [ { "object": "connection", "id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "connection_type": "GoogleOAuth", "name": "Foo Corp", "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:08:33.155Z" }, { "object": "connection", "id": "conn_01E2NPPCT7XQ2MVVYDHWGK1WN4", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "connection_type": "OktaSAML", "name": "Example Co", "state": "active", "created_at": "2021-06-25T19:09:33.155Z", "updated_at": "2021-06-25T19:10:33.155Z" } ], "list_metadata": { "before": "conn_01E2NPPCT7XQ2MVVYDHWGK1WN4", "after": null } }
list_metadataUpper limit on the number of objects to return, between 1 and 100. The default value is 10.
Order the results by the created_at timestamp. Supported values are "asc" and "desc" for ascending and descending order respectively.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
An Organization is a top-level resource in WorkOS. Each Connection, Directory, and Audit Trail Event belongs to an Organization. An Organization will usually represent one of your customers.
Organizations can optionally have Organization Domains which are useful to tag any domains that used across all associated Connections and Directories.
{ "object": "organization", "id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "name": "Foo Corp", "allow_profiles_outside_organization": false, "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "id": "org_domain_01EHZNVPK2QXHMVWCEDQEKY69A", "object": "organization_domain", "domain": "foo-corp.com" } ] }
organizationDistinguishes the Organization object.
Unique identifier of the Organization.
The name of the Organization.
Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization's User Email Domains.
The timestamp when the Organization was last created.
The timestamp when the Organization was last updated.
List of Organization Domains.
Get the details of an existing organization.
curl --request GET \ --url https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT \ --header "Authorization: Bearer sk_example_123456789"
{ "id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "object": "organization", "name": "Foo Corporation", "allow_profiles_outside_organization": false, "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "domain": "foo-corp.com", "id": "org_domain_01EHZNVPK2QXHMVWCEDQEKY69A", "object": "organization_domain" }, { "domain": "another-foo-corp-domain.com", "id": "org_domain_01EHZNS0H9W90A90FV79GAB6AB", "object": "organization_domain" } ] }
Get a list of all of your existing organizations matching the criteria specified.
curl --request GET \ --url https://api.workos.com/organizations?domains=foo-corp.com \ --header "Authorization: Bearer sk_example_123456789"
{ "data": [ { "id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "object": "organization", "name": "Foo Corp", "allow_profiles_outside_organization": false, "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "domain": "foo-corp.com", "id": "org_domain_01EHZNVPK2QXHMVWCEDQEKY69A", "object": "organization_domain" }, { "domain": "another-foo-corp-domain.com", "id": "org_domain_01EHZNS0H9W90A90FV79GAB6AB", "object": "organization_domain" } ] } ], "list_metadata": { "before": "org_01EHZNVPK3SFK441A1RGBFSHRT", "after": "org_01EJBGJT2PC6638TN5Y380M40Z" } }
GET/organizationsParametersThe domains of an Organization. Any Organization with a matching domain will be returned.
Upper limit on the number of objects to return, between 1 and 100. The default value is 10.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
Order the results by the created_at timestamp. Supported values are "asc" and "desc" for ascending and descending order respectively.
ReturnsobjectArray of Organizations in descending order by created_at timestamp.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
Creates a new organization in the current environment.
curl --request POST \ --url https://api.workos.com/organizations \ --header "Authorization: Bearer sk_example_123456789" \ -d name="Foo Corp" \ -d domains[]="foo-corp.com"
{ "id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "object": "organization", "name": "Foo Corp", "allow_profiles_outside_organization": false, "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "domain": "foo-corp.com", "id": "org_domain_01EHZNVPK2QXHMVWCEDQEKY69A", "object": "organization_domain" }, { "domain": "another-foo-corp-domain.com", "id": "org_domain_01EHZNS0H9W90A90FV79GAB6AB", "object": "organization_domain" } ] }
POST/organizationsParametersThe name of the Organization.
Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization's User Email Domains.
The domains of the Organization.
At least one domain is required unless allow_profiles_outside_organization is true.
ReturnsorganizationUpdates an organization in the current environment.
curl --request PUT \ --url https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT \ --header "Authorization: Bearer sk_example_123456789" \ -d name="Foo Corporation" -d domains[]="foo-corp.com"
{ "id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "object": "organization", "name": "Foo Corp", "allow_profiles_outside_organization": false, "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "domains": [ { "domain": "foo-corp.com", "id": "org_domain_01EHZNVPK2QXHMVWCEDQEKY69A", "object": "organization_domain" }, { "domain": "another-foo-corp-domain.com", "id": "org_domain_01EHZNS0H9W90A90FV79GAB6AB", "object": "organization_domain" } ] }
PUT/organizations/:idParametersThe name of the Organization.
Whether the Connections within this Organization should allow Profiles that do not have a domain that is present in the set of the Organization's User Email Domains.
The domains of the Organization.
At least one domain is required unless allow_profiles_outside_organization is true.
ReturnsorganizationDeletes an organization in the current environment.
curl --request GET \ --url https://api.workos.com/organizations/org_01EHZNVPK3SFK441A1RGBFSHRT \ --header "Authorization: Bearer sk_example_123456789"
DELETE/organizations/:idParametersUnique identifier of the Organization.
An Organization Domain (also known as a User Email Domain) represents an Organization's domain.
These domains restrict which email addresses are able to sign in through SAML Connections when allow_profiles_outside_organization is false. This is the default behavior for Organizations. See here for more details on this behavior.
The Single Sign-On API has been modeled to meet the OAuth 2.0 framework specification. As a result, authentication flows constructed using the Single Sign-On API replicate the OAuth 2.0 protocol flow.
In the OAuth 2.0 protocol, a redirect URI is the location your user is redirected to once they have successfully authenticated with their Identity Provider.
In Production Environments, the redirect URI to your application must use HTTPS and there should be at least one redirect URI configured and selected as a default for a WorkOS Environment. This can be done from the SSO Configuration page in the WorkOS dashboard. Without a valid redirect URI, users will be unable to sign in.
Redirect URIs that use HTTP and localhost are allowed in Sandbox Environments.
https:/callback? code=01E2RJ4C05B52KKZ8FSRDAP23J&state=dj1kUXc0dzlXZ1hjUQ== state=dj1kUXc0dzlXZ1hjUQ==
Generate an OAuth 2.0 authorization URL.
WorkOS generates an OAuth 2.0 authorization URL that automatically directs a user to their Identity Provider. Once the user authenticates with their Identity Provider, WorkOS then issues a redirect to your Redirect URI to complete the login flow.
To indicate the connection to use for authentication, use one of the following connection selectors: connection, organization, or provider.
These connection selectors are mutually exclusive, and exactly one must be provided.
curl --request GET \ --url "https://api.workos.com/sso/authorize? \
response_type=code& \
client_id=client_123456789& \
redirect_uri=https://your-app.com/callback& \
state=dj1kUXc0dzlXZ1hjUQ==& \
connection=conn_01E4ZCR3C56J083X43JQXF3JK5"
https://api.workos.com/sso/authorize? response_type=code& client_id=client_123456789& redirect_uri=https://your-app.com/callback& connection=conn_01E4ZCR3C56J083X43JQXF3JK5& state=dj1kUXc0dzlXZ1hjUQ==
GET/sso/authorizeThe only valid option for the response_type parameter is code.
The code parameter value initiates an Authorization Code Grant Type. This grant type allows a Developer to exchange an authorization code for an access token during the redirect that takes place after a user has authenticated with an Identity Provider.
This value can be obtained from the SSO Configuration page in the WorkOS dashboard.
The connection connection selector is used to initiate SSO for a Connection.
The value of this parameter should be a WorkOS Connection ID.
For example, the Developer can persist the WorkOS Connection ID with application User or Team identifiers. WorkOS will use the Connection indicated by the connection parameter to direct the user to the corresponding IdP for authentication.
The organization connection selector is used to initiate SSO for an Organization.
The value of this parameter should be a WorkOS Organization ID.
For example, the Developer can persist the WorkOS Organization ID with application User or Team identifiers. WorkOS will use the organization connection selector to determine the appropriate Connection and IdP to direct the user to for authentication.
Note that the Organization must only have a single active SSO Connection, otherwise an ambiguous_connection_selector error code will be returned.
The provider connection selector is used to initiate SSO using an OAuth provider.
Currently, the only supported values for provider are GoogleOAuth and MicrosoftOAuth. Provide the provider parameter when authenticating Google OAuth users, because Google OAuth does not take a user's domain into account when logging in with a "Sign in with Google" button.
Optional parameter that a Developer can choose to include in their authorization URL. If included, then the redirect URI received from WorkOS will contain the exact state that was passed in the authorization URL.
The state parameter can be used to encode arbitrary information to help restore application state between redirects.
Can be used to pre-fill the username/email address field of the IdP sign-in page for the user, if you know their username ahead of time.
Currently, this parameter is only supported for OAuth, and OpenID Connect connection types.
MISSING DESCRIPTION, PLEASE FILL THIS IN
A Profile is an object that represents an authenticated user. The Profile object contains information relevant to a user in the form of normalized and raw attributes.
After receiving the Profile for an authenticated user, use the Profile object attributes to persist relevant data to your application’s user model for the specific, authenticated user.
No Profile attributes can be returned other than the normalized attributes listed below, and the raw attributes returned by an Identity Provider.
{ "object": "profile", "id": "prof_01DMC79VCBZ0NY2099737PSVF1", "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "connection_type": "OktaSAML", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "email": "todd@foo-corp.com", "first_name": "Todd", "last_name": "Rundgren", "idp_id": "00u1a0ufowBJlzPlk357", "raw_attributes": {} }
profileString representing the object's type. Currently the only possible value is profile.
Unique identifier for the user, assigned by WorkOS.
This value can be persisted to the Developer's user model and used as a unique key for identifying a specific user.
Unique identifier for the Connection to which the Profile belongs.
The type of SSO Connection used to authenticate the user. Possible values:
ADFSSAMLAuth0SAMLAzureSAMLCASSAMLCloudflareSAMLCyberArkSAMLClassLinkSAMLDuoSAML
GenericOIDCGenericSAML
GoogleOAuthGoogleSAMLJumpCloudSAMLKeycloakSAMLLastPassSAMLMicrosoftOAuthMiniOrangeSAMLNetIqSAMLOktaSAMLOneLoginSAMLOracleSAMLPingFederateSAMLPingOneSAMLSalesforceSAMLSimpleSamlPhpSAMLVMwareSAMLUnique identifier for the Organization in which the Connection resides.
The user's email address.
The user's first name.
The user's last name.
Unique identifier for the user, assigned by the Identity Provider. Different Identity Providers use different ID formats.
One possible use case for idp_id is associating a user's SSO Profile with any relevant Directory Sync actions related to that user.
Object of key-value pairs containing relevant user data from the Identity Provider.
Raw attributes are an extended set of information one can expect for each user Profile. These raw attributes will vary by Identity Provider and Identity Provider configuration.
Get an access_token along with the user's Profile using the code we passed to your Redirect URI.
curl -X POST "https://api.workos.com/sso/token" \ -d 'client_id=client_123456789' \ -d 'client_secret=sk_example_123456789' \ -d 'grant_type=authorization_code' \ -d 'code=01E2RJ4C05B52KKZ8FSRDAP23J'
{ "access_token": "01DMEK0J53CVMC32CK5SE0KZ8Q", "profile": { "object": "profile", "id": "prof_01DMC79VCBZ0NY2099737PSVF1", "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "connection_type": "okta", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "email": "todd@foo-corp.com", "first_name": "Todd", "last_name": "Rundgren", "idp_id": "00u1a0ufowBJlzPlk357", "raw_attributes": {} } }
POST/sso/tokenThis value can be obtained from the SSO Configuration page in the WorkOS dashboard.
The method by which your application will receive an access token. This value should be authorization_code.
The authorization value which was passed back as a query parameter in the callback to the Redirect URI.
ReturnsobjectAn access token that can be exchanged for a user profile. Access tokens are one-time use and expire 10 minutes after they're created.
String representing the object's type. Currently the only possible value is profile.
Unique identifier for the user, assigned by WorkOS.
This value can be persisted to the Developer's user model and used as a unique key for identifying a specific user.
Unique identifier for the Connection to which the Profile belongs.
The type of SSO Connection used to authenticate the user. Possible values:
ADFSSAMLAuth0SAMLAzureSAMLCASSAMLCloudflareSAMLCyberArkSAMLClassLinkSAMLDuoSAML
GenericOIDCGenericSAML
GoogleOAuthGoogleSAMLJumpCloudSAMLKeycloakSAMLLastPassSAMLMicrosoftOAuthMiniOrangeSAMLNetIqSAMLOktaSAMLOneLoginSAMLOracleSAMLPingFederateSAMLPingOneSAMLSalesforceSAMLSimpleSamlPhpSAMLVMwareSAMLUnique identifier for the Organization in which the Connection resides.
The user's email address.
The user's first name.
The user's last name.
Unique identifier for the user, assigned by the Identity Provider. Different Identity Providers use different ID formats.
One possible use case for idp_id is associating a user's SSO Profile with any relevant Directory Sync actions related to that user.
Object of key-value pairs containing relevant user data from the Identity Provider.
Raw attributes are an extended set of information one can expect for each user Profile. These raw attributes will vary by Identity Provider and Identity Provider configuration.
Exchange an access_token for a user's Profile. Because this profile is returned in the Get a Profile and Token endpoint your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user's profile.
Get an access_token along with the user's Profile using the code we passed to your Redirect URI.
curl --request GET \ --url https://api.workos.com/sso/profile \ --header "Authorization: Bearer 01DMEK0J53CVMC32CK5SE0KZ8Q"
{ "object": "profile", "id": "prof_01DMC79VCBZ0NY2099737PSVF1", "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "connection_type": "OktaSAML", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "email": "todd@foo-corp.com", "first_name": "Todd", "last_name": "Rundgren", "idp_id": "00u1a0ufowBJlzPlk357", "raw_attributes": {} }
GET/sso/profileThe authorization value which was returned along with the profile when calling the Get a Profile and Token endpoint.
ReturnsobjectString representing the object's type. Currently the only possible value is profile.
Unique identifier for the user, assigned by WorkOS.
This value can be persisted to the Developer's user model and used as a unique key for identifying a specific user.
Unique identifier for the Connection to which the Profile belongs.
The type of SSO Connection used to authenticate the user. Possible values:
ADFSSAMLAuth0SAMLAzureSAMLCASSAMLCloudflareSAMLCyberArkSAMLClassLinkSAMLDuoSAML
GenericOIDCGenericSAML
GoogleOAuthGoogleSAMLJumpCloudSAMLKeycloakSAMLLastPassSAMLMicrosoftOAuthMiniOrangeSAMLNetIqSAMLOktaSAMLOneLoginSAMLOracleSAMLPingFederateSAMLPingOneSAMLSalesforceSAMLSimpleSamlPhpSAMLVMwareSAMLUnique identifier for the Organization in which the Connection resides.
The user's email address.
The user's first name.
The user's last name.
Unique identifier for the user, assigned by the Identity Provider. Different Identity Providers use different ID formats.
One possible use case for idp_id is associating a user's SSO Profile with any relevant Directory Sync actions related to that user.
Object of key-value pairs containing relevant user data from the Identity Provider.
Raw attributes are an extended set of information one can expect for each user Profile. These raw attributes will vary by Identity Provider and Identity Provider configuration.
A Connection represents the relationship between WorkOS and any collection of application users. This collection of application users may include personal or enterprise Identity Providers, or passwordless authentication methods like Magic Link. As a layer of abstraction, a WorkOS Connection rests between an application and its users, separating an application from the implementation details required by specific standards like OAuth 2.0 and SAML.
{ "object": "connection", "id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "connection_type": "GoogleOAuth", "name": "Foo Corp", "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z" }
connectionString representing the object's type. Currently the only possible value is connection.
Unique identifier for the Connection.
Unique identifier for the Organization in which the Connection resides.
The type of SSO Connection used to authenticate a user.
One possible use case for connection_type is dynamically generating authorization URLs. Possible values:
ADFSSAMLADPOIDCAuth0SAMLAzureSAMLCASSAMLClassLinkSAMLCloudflareSAMLCyberArkSAMLDuoSAMLGenericOIDCDuoSAMLGenericSAMLGoogleOAuthGoogleSAMLJumpCloudSAMLKeycloakSAMLLastPassSAMLMicrosoftOAuthMiniOrangeSAMLNetIqSAMLOktaSAMLOneLoginSAMLOracleSAMLPingFederateSAMLPingOneSAMLSalesforceSAMLSimpleSamlPhpSAMLShibbolethSAMLShibbolethGenericSAMLVMwareSAMLA human-readable name for the Connection. This will most commonly be the Enterprise Client's name.
Indicates whether a Connection is able to authenticate users. Possible values:
draftactiveinactiveThe timestamp when the Connection was created.
The timestamp when the Connection was last updated.
Get the details of an existing connection.
curl --request GET \ --url https://api.workos.com/connections/conn_01E2NPPCT7XQ2MVVYDHWGK1WN4 \ --header "Authorization: Bearer sk_example_123456789"
{ "object": "connection", "id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "connection_type": "GoogleOAuth", "name": "Foo Corp", "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z" }
Get a list of all of your existing connections matching the criteria specified.
curl --request GET \ --url https://api.workos.com/connections \ --header "Authorization: Bearer sk_example_123456789"
{ "data": [ { "object": "connection", "id": "conn_01E4ZCR3C56J083X43JQXF3JK5", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "connection_type": "GoogleOAuth", "name": "Foo Corp", "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:08:33.155Z" }, { "object": "connection", "id": "conn_01E2NPPCT7XQ2MVVYDHWGK1WN4", "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY", "connection_type": "OktaSAML", "name": "Example Co", "state": "active", "created_at": "2021-06-25T19:09:33.155Z", "updated_at": "2021-06-25T19:10:33.155Z" } ], "list_metadata": { "before": "conn_01E2NPPCT7XQ2MVVYDHWGK1WN4", "after": null } }
GET/connectionsParametersFilter Connections by their type.
Filter Connections by their associated domain.
Filter Connections by their associated organization.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
Upper limit on the number of objects to return, between 1 and 100. The default value is 10.
Order the results by the created_at timestamp. Supported values are "asc" and "desc" for ascending and descending order respectively.
ReturnsobjectAn array of Connections in descending order by created_at timestamp.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
Delete an existing connection.
curl --request DELETE \ --url https://api.workos.com/connections/conn_01E2NPPCT7XQ2MVVYDHWGK1WN4 \ --header "Authorization: Bearer sk_example_123456789"
DELETE/connections/:idParametersUnique identifier for the Connection.
Directory Sync allows you to connect with Directory Providers to inform your application of any changes in their users, groups, or access rules.
Using Directory Sync, one integration grants your application the ability to support multiple Directory Providers. Get real-time updates of any changes to your Enterprise Client's access rules, groups, and users by integrating webhooks into your application.
A Directory stores information about an Enterprise Client's employee management system.
Synchronizing with a Directory enables Developers to receive changes to an Enterprise Client's User and Group structure.
Directory Providers vary in implementation details and may require different sets of fields for integration, such as API keys, subdomains, endpoints, usernames, etc. Where available, the WorkOS API will provide these fields when fetching Directory records.
{ "id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "domain": "foo-corp.com", "name": "Foo Corp", "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "state": "unlinked", "type": "gsuite directory", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z" }
directoryUnique identifier for the Directory.
The URL associated with an Enterprise Client.
The name of the directory.
The unique identifier for the Organization in which the directory resides.
Describes whether the Directory has been successfully connected to an external provider.
linkedunlinkedvalidatingdeletinginvalid_credentialsThe type of external Directory Provider integrated with.
azure scim v2.0bamboohrbreathe hrgeneric scim v1.1generic scim v2.0gsuite directoryjump cloud scim v2.0okta scim v1.1okta scim v2.0onelogin scim v2.0people hrpingfederate scim v2.0workdayThe timestamp when the Directory was created.
The timestamp when the Directory was last updated.
Get the details of an existing directory.
curl --request GET \ --url https://api.workos.com/directories/directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
{ "id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "domain": "foo-corp.com", "name": "Foo Corp", "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "state": "unlinked", "type": "gsuite directory", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z" }
Get a list of all of your existing directories matching the criteria specified.
curl --request GET \ --url https://api.workos.com/directories?search=WorkOS \ --header "Authorization: Bearer sk_example_123456789"
{ "data": [ { "id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "domain": "foo-corp.com", "name": "Foo Corp", "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT", "object": "directory", "state": "unlinked", "type": "gsuite directory", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:08:33.155Z" }, { "id": "directory_01E8CS3GSBEBZ1F1CZAEE3KHDG", "domain": "foo-corp.com", "external_key": "r3NDlInUnAe6i4wG", "name": "Foo Corp", "organization_id": "org_01EHZNVPK3SFK441A1RGBFPANT", "object": "directory", "state": "linked", "type": "okta scim v2.0", "created_at": "2021-06-25T19:09:33.155Z", "updated_at": "2021-06-25T19:10:33.155Z" } ], "list_metadata": { "after": "directory_01E1JJS84MFPPQ3G655FHTKX6Z", "before": "directory_01E1JJS84MFPPQ3G655FHTKX6Z" } }
GET/directoriesParametersThe domain of a Directory.
Searchable text to match against Directory names.
Filter Directories by their associated organization.
Upper limit on the number of objects to return, between 1 and 100. The default value is 10.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
Order the results by the created_at timestamp. Supported values are "asc" and "desc" for ascending and descending order respectively.
ReturnsobjectArray of Directories in descending order by created_at timestamp.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
Delete an existing directory.
curl --request DELETE \ --url https://api.workos.com/directories/directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
DELETE/directories/:idParametersUnique identifier for the Directory.
A Directory User represents an active Enterprise user.
Developers can receive Webhooks as employees are added, updated or removed, allowing for provisioning and de-provisioning Users within an application.
The data stored for employees vary per Directory provider and may include attributes such as photo URLs, pay groups, supervisors, etc. Where available, the WorkOS API will provide the additional data in the raw_attributes field when fetching Directory User records.
{ "id": "directory_user_01E1JG7J09H96KYP8HM9B0G5SJ", "idp_id": "2836", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "first_name": "Marcelina", "last_name": "Davis", "emails": [ { "primary": true, "type": "work", "value": "marcelina@foo-corp.com" } ], "username": "marcelina@foo-corp.com", "groups": [ { "id": "directory_group_01E64QTDNS0EGJ0FMCVY9BWGZT", "name": "Engineering", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "raw_attributes": {} } ], "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "custom_attributes": { "department": "Engineering" }, "raw_attributes": {} }
directory_userUnique identifier for the Directory User.
Unique identifier for the user, assigned by the Directory Provider. Different Directory Providers use different ID formats.
One possible use case for idp_id is associating the Directory User with their SSO Profile.
The identifier of the Directory the Directory User belongs to.
The identifier for the Organization in which the Directory resides.
The first name of the user.
The last name of the user.
The emails of the user.
The username of the user.
The groups that the user is a member of.
The state of the user.
An object containing the custom attribute mapping for the Directory Provider.
An object containing the data returned from the Directory Provider.
The timestamp when the Directory User was created.
The timestamp when the Directory User was last updated.
Get the details of an existing Directory User.
curl --request GET \ --url https://api.workos.com/directory_users/directory_user_01E1JG7J09H96KYP8HM9B0G5SJ \ --header "Authorization: Bearer sk_example_123456789"
{ "id": "directory_user_01E1JG7J09H96KYP8HM9B0G5SJ", "idp_id": "2836", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "first_name": "Marcelina", "last_name": "Davis", "emails": [ { "primary": true, "type": "work", "value": "marcelina@foo-corp.com" } ], "username": "marcelina@foo-corp.com", "groups": [ { "id": "directory_group_01E64QTDNS0EGJ0FMCVY9BWGZT", "name": "Engineering", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "raw_attributes": {} } ], "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "custom_attributes": { "department": "Engineering" }, "raw_attributes": {} }
Get a list of all of existing Directory Users matching the criteria specified.
curl --request GET \ --url https://api.workos.com/directory_users?directory=directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
{ "data": [ { "id": "directory_user_01E1JJHG3BFJ3FNRRHSFWEBNCS", "idp_id": "1902", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "emails": [ { "primary": true, "type": "work", "value": "jan@foo-corp.com" } ], "first_name": "Jan", "last_name": "Brown", "username": "jan@foo-corp.com", "groups": [ { "id": "directory_group_01E64QTDNS0EGJ0FMCVY9BWGZT", "name": "Engineering", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z" } ], "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "custom_attributes": { "department": "Engineering" } }, { "id": "directory_user_01E1JJHG10ANRA2V6PAX3GD7TE", "idp_id": "8953", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "emails": [ { "primary": true, "type": "work", "value": "rosalinda@foo-corp.com" } ], "first_name": "Rosalinda", "last_name": "Swift", "username": "rosalinda@foo-corp.com", "groups": [ { "id": "directory_group_01E64QTDNS0EGJ0FMCVY9BWGZT", "name": "Engineering", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z" } ], "state": "active", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "custom_attributes": { "department": "Engineering" } } ], "object": "list", "list_metadata": { "after": "directory_user_01E4RH82CC8QAP8JTRCTNDSS4C", "before": "directory_user_01E4RH828021B9ZZB8KH8E2Z1W" } }
GET/directory_userParametersUnique identifier of the WorkOS Directory.
This value can be obtained from the WorkOS dashboard or from the WorkOS API.
Unique identifier of the WorkOS Directory Group.
This value can be obtained from the WorkOS API.
Upper limit on the number of objects to return, between 1 and 100. The default value is 10.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
Order the results by the created_at timestamp. Supported values are "asc" and "desc" for ascending and descending order respectively.
ReturnsobjectArray of Directories Users in descending order by created_at timestamp.
Since these can be bulk processed (ex. 10 updates were batched process), there is a secondary sort on the identifier, i.e. id.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A Directory Group represents an Enterprise organizational unit of users.
Developers can receive Webhooks as groups are added, updated, or removed, allowing for group-based resource access.
At this time, only the Group identifier and name attributes are returned.
{ "id": "directory_group_01E1JJS84MFPPQ3G655FHTKX6Z", "idp_id": "02grqrue4294w24", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "name": "Developers", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "raw_attributes": {} }
directory_groupUnique identifier for the Directory Group.
Unique identifier for the group, assigned by the Directory Provider. Different Directory Providers use different ID formats.
The identifier of the Directory the Directory Group belongs to.
The identifier for the Organization in which the Directory resides.
The name of the Directory Group.
The timestamp when the Directory Group was created.
The timestamp when the Directory Group was last updated.
An object containing the data returned from the Directory Provider.
Get the details of an existing Directory Group.
curl --request GET \ --url https://api.workos.com/directory_groups/directory_group_01E1JJS84MFPPQ3G655FHTKX6Z \ --header "Authorization: Bearer sk_example_123456789"
{ "id": "directory_group_01E1JJS84MFPPQ3G655FHTKX6Z", "idp_id": "02grqrue4294w24", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "name": "Developers", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "raw_attributes": {} }
Get a list of all of existing directory groups matching the criteria specified.
curl --request GET \ --url https://api.workos.com/directory_groups?directory=directory_01ECAZ4NV9QMV47GW873HDCX74 \ --header "Authorization: Bearer sk_example_123456789"
{ "id": "wh_34FKJ843CVE8F7BXQSPFH0M53V", "data": [ { "id": "directory_group_01E1JJS84MFPPQ3G655FHTKX6Z", "idp_id": "02grqrue4294w24", "directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74", "organization_id": "org_01EZTR6WYX1A0DSE2CYMGXQ24Y", "name": "Developers", "created_at": "2021-06-25T19:07:33.155Z", "updated_at": "2021-06-25T19:07:33.155Z", "raw_attributes": {} } ], "list_metadata": { "after": "directory_group_01E1JJS84MFPPQ3G655FHTKX6Z", "before": "directory_group_01E1JJS84MFPPQ3G655FHTKX6Z" } }
GET/directory_groupsParametersUnique identifier of the WorkOS Directory.
This value can be obtained from the WorkOS dashboard or from the WorkOS API.
Unique identifier of the WorkOS Directory User.
This value can be obtained from the WorkOS API.
Upper limit on the number of objects to return, between 1 and 100. The default value is 10.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
Order the results by the created_at timestamp. Supported values are "asc" and "desc" for ascending and descending order respectively.
ReturnsobjectUnique identifier for the Directory Group.
Array of Directory Groups in descending order by created_at timestamp.
A cursor to use for pagination. after is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include after=obj_123 to fetch a new batch of objects after obj_123.
A cursor to use for pagination. before is an object ID that defines your place in the list. For example, if you make a list request and receive 100 objects, ending with obj_123, your subsequent call can include before=obj_123 to fetch a new batch of objects before obj_123.
The Admin Portal is a standalone application where your users can configure and manage WorkOS resources such as Connections and Directories that are scoped to their Organization.
A Portal Link is a temporary endpoint to initiate an Admin Portal session. It expires five minutes after issuance.
{ "link": "https://id.workos.com/portal/launch?secret=JteZqfJZqUcgWGaYCC6iI0gW0" }
portal_linkAn ephemeral link to initiate the Admin Portal.
Generate a Portal Link scoped to an Organization.
curl --request POST \ --url https://api.workos.com/portal/generate_link \ --header "Authorization: Bearer sk_example_123456789" \ -d organization="org_01EHZNVPK3SFK441A1RGBFSHRT" \ -d intent="sso"
{ "link": "https://id.workos.com/portal/launch?secret=JteZqfJZqUcgWGaYCC6iI0gW0" }
POST/portal/generate_linkParametersAn Organization identifier.
The intent of the Admin Portal.
sso - Launch Admin Portal for creating SSO connectionsdsync - Launch Admin Portal for creating directory sync connectionsThe URL to which WorkOS should send users when they click on the link to return to your website.
Returnsportal_linkThe Magic Link API can be used to add Passwordless Authentication to your app.
An object representing a passwordless authentication session.
{ "object": "passwordless_session", "id": "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C", "email": "marcelina@foo-corp.com", "expires_at": "2020-08-13T05:50:00.000Z", "link": "https://auth.workos.com/passwordless/4TeRexuejWCKs9rrFOIuLRYEr/confirm" }
passwordless_sessionString representing the object's type. Currently, the only possible value is passwordless_session.
The unique ID of the session.
The email address of the user for the session.
The ISO-8601 datetime at which the session expires.
The link for the user to authenticate with. You can use this link to send a custom email to the user, or send an email using Email a Magic Link to the user.
Once a user has authenticated with the link, WorkOS issues a redirect to the Environment's default redirect URI, with a code parameter and, if provided during session creation, a state parameter.
Code can then be exchanged for an access token and user Profile. To perform this exchange, the Developer should make aPOST request to the /sso/token endpoint.
If the link has expired, WorkOS will issue a redirect with an error query parameter and value of access_denied.
Create a Passwordless Session for a Magic Link Connection.
curl --request POST \ --url https://api.workos.com/passwordless/sessions \ --header "Authorization: Bearer sk_example_123456789" \ -d email="marcelina@foo-corp.com" \ -d type="MagicLink"
{ "object": "passwordless_session", "id": "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C", "email": "marcelina@foo-corp.com", "expires_at": "2020-08-13T05:50:00.000Z", "link": "https://auth.workos.com/passwordless/4TeRexuejWCKs9rrFOIuLRYEr/confirm" }
POST/passwordless/sessionsParametersThe email of the user to authenticate.
The type of Passwordless Session to create. Currently, the only supported value is MagicLink.
Value containing the ID of a specific Connection.
This can be used to create a Passwordless Session for a specific Connection rather than relying on the domain from the email to determine the Organization and Connection.
Optional parameter that a developer can choose to include in their authorization URL. If included, it will override the default Redirect URI set in the dashboard. This is the location your user will be redirected to once the session has been completed successfully.
The number of seconds the Passwordless Session should live before expiring.
This value must be between 300 (5 minutes) and 86400 (24 hours), inclusive.
Optional parameter that a developer can choose to include in their authorization URL. If included, then the redirect URI received from WorkOS will contain the exact state that was passed in the authorization URL.
The state parameter can be used to encode arbitrary information to help restore application state between redirects.
Returnspasswordless_sessionEmail a user the Magic Link confirmation URL.
curl --request POST \ --url https://api.workos.com/passwordless/sessions/passwordless_session_01EG1BHJMVYMFBQYZTTC0N73CR/send \ --header "Authorization: Bearer sk_example_123456789"
{ "success": true }
POST/passwordless/sessions/:id/sendParametersThe unique identifier of the Passwordless Session to send an email for.
ReturnsobjectA confirmation that the Magic Link was sent.
The multi-factor authentication (MFA) API can be used to add additional factors of authentication to existing authentication strategies.
The API currently supports both time-based one-time passwords (TOTP) and SMS factors.
An object representing an Authentication Factor.
{ "object": "authentication_factor", "id": "auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ", "created_at": "2022-02-15T15:14:19.392Z", "updated_at": "2022-02-15T15:14:19.392Z", "type": "totp", "totp": { "qr_code": "data:image/png;base64,{base64EncodedPng}", "secret": "NAGCCFS3EYRB422HNAKAKY3XDUORMSRF", "uri": "otpauth://totp/FooCorp:alan.turing@foo-corp.com?secret=NAGCCFS3EYRB422HNAKAKY3XDUORMSRF&issuer=FooCorp" } }
authentication_factorString representing the object's type. Currently, the only possible value is authentication_factor.
The unique ID of the Factor.
The timestamp when the Factor was created.
The timestamp when the Factor was last updated.
The type the Factor. Can be either totp or sms.
Base64 encoded image containing scannable QR code.
TOTP secret that can be manually entered into some authenticator apps in place of scanning QR code.
The otpauth URI that is encoded the provided qr_code.
Phone number that the Factor was enrolled with.
An object representing a Challenge of an Authentication Factor.
{ "object": "authentication_challenge", "id": "auth_challenge_01FVYZWQTZQ5VB6BC5MPG2EYC5", "created_at": "2022-02-15T15:26:53.274Z", "updated_at": "2022-02-15T15:26:53.274Z", "expires_at": "2022-02-15T15:36:53.279Z", "authentication_factor_id": "auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ" }
authentication_challengeString representing the object's type. Currently, the only possible value is authentication_challenge.
The unique ID of the Authentication Challenge.
The timestamp when the Challenge was created.
The timestamp when the Challenge was last updated.
The timestamp when the Challenge will expire. Does not apply to totp factors.
The unique ID of the Authentication Factor the Challenge belongs to.
Enrolls an Authentication Factor to be used as an additional factor of authentication. The returned ID should can later be used to create an authentication Challenge.
curl --request POST \ --url https://api.workos.com/auth/factors/enroll \ --header "Authorization: Bearer sk_example_123456789" \ -d type="totp" \ -d totp_issuer="Foo Corp" \ -d totp_user="alan.turing@foo-corp.com"
{ "object": "authentication_factor", "id": "auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ", "created_at": "2022-02-15T15:14:19.392Z", "updated_at": "2022-02-15T15:14:19.392Z", "type": "totp", "totp": { "qr_code": "data:image/png;base64,{base64EncodedPng}", "secret": "NAGCCFS3EYRB422HNAKAKY3XDUORMSRF", "uri": "otpauth://totp/FooCorp:alan.turing@foo-corp.com?secret=NAGCCFS3EYRB422HNAKAKY3XDUORMSRF&issuer=FooCorp" } }
POST/auth/factors/enrollParametersThe type of factor you wish to enroll.
totpsmsAn identifier for the organization issuing the challenge. Should be the name of your application or company. Required when type is totp.
An identifier for the user. Used by authenticator apps to label connections. Required when type is totp.
A valid phone number for an SMS enabled device. Required when type is sms.
Returnsauthentication_factorCreates a Challenge for an Authentication Factor.
curl --request POST \ --url https://api.workos.com/auth/factors/auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ/challenge \ --header "Authorization: Bearer sk_example_123456789" \ -d authentication_factor_id="auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ"
{ "object": "authentication_challenge", "id": "auth_challenge_01FVYZWQTZQ5VB6BC5MPG2EYC5", "created_at": "2022-02-15T15:26:53.274Z", "updated_at": "2022-02-15T15:26:53.274Z", "expires_at": "2022-02-15T15:36:53.279Z", "authentication_factor_id": "auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ" }
POST/auth/factors/:id/challengeParametersThe unique ID of the Authentication Factor to be challenged.
Optional template for SMS messages. Only applicable for sms Factors. Use the {{code}} token to inject the one-time code into the message. E.g., "Your Foo Corp one-time code is {{code}}."
Returnsauthentication_challengeVerify Authentication Challenge.
curl --request POST \ --url https://api.workos.com/auth/challenges/auth_challenge_01FVYZWQTZQ5VB6BC5MPG2EYC5/verify \ --header "Authorization: Bearer sk_example_123456789" \ -d code="123456"
{ "challenge": { "object": "authentication_challenge", "id": "auth_challenge_01FVYZWQTZQ5VB6BC5MPG2EYC5", "created_at": "2022-02-15T15:26:53.274Z", "updated_at": "2022-02-15T15:26:53.274Z", "expires_at": "2022-02-15T15:36:53.279Z", "authentication_factor_id": "auth_factor_01FVYZ5QM8N98T9ME5BCB2BBMJ" }, "valid": true }
POST/auth/challenges/:id/verifyParametersThe unique ID of the authentication Challenge.
The 6 digit code to be verified.
ReturnsobjectThe relevant Authentication Challenge.
Indicates whether the code was correct.