LoginSign Up
← Back to all sparks
W

WorkOS

INFRA · APIS
Velocity5.0

WorkOS keeps shipping fine-grained identity primitives — for both humans and agents.

b2b-identitymcp-authfine-grained-authzdeveloper-platformfeature-flagsdirectory-sync
Current state
The cadence is steady and surgical: small, well-scoped releases across auth (user-scoped API keys, change-email API), authorization (FGA custom roles scoped to resource types, Groups API), admin operability (IT contacts, dashboard metadata editing), and directory enrichment. The recent MCP Auth resource-indicator support and a Node SDK feature-flags runtime client show the platform leaning toward agent/AI use cases and into developer tooling.
Where it's heading
WorkOS is widening the identity surface in two directions at once. For humans, it's filling in long-tail B2B IAM gaps — granular API key scoping, self-serve email change, group-level org memberships, custom roles per resource. For agents, it's quietly building MCP Auth as a first-class control point. The two threads will meet at the application authorization layer, where the same FGA model can decide what a user or an agent is allowed to do.
Prediction
Expect more MCP Auth surface area (token binding, scoped scopes, audit) and continued FGA depth — likely policy-language ergonomics or relationship-based filtering. Feature flags will likely gain server-side targeting and richer SDK coverage beyond Node.

Recent moves

  1. 2d ago

    User Scoped API Keys

    API keys can now be scoped to individual users inside an org, narrowing blast radius and making key attribution per-actor. A natural granularity step for B2B environments where org-level keys were too coarse.

  2. 6d ago

    Feature Flags Runtime Client

    Node SDK gains an in-memory runtime client for feature flags. Removes a round-trip-per-evaluation pattern and signals WorkOS treating feature flags as a first-class platform product, not a side feature.

  3. 8d ago

    Resource indicators for MCP Auth

    MCP Auth now supports per-server access control via OAuth resource indicators. Tightens token audience binding for agents talking to multiple MCP servers — the kind of standards-aligned plumbing that matters when MCP becomes mainstream.

  4. 27d ago

    IT Contacts

    Admin Portal now models multiple IT contacts per org rather than a single org admin. Reflects the reality that enterprise IAM rollouts involve more than one buyer-side stakeholder.

  5. 29d ago

    Groups API

    New Groups API lets customers cluster organization memberships — a missing primitive between user and organization that matters for hierarchy-heavy customers like agencies and holding companies.

  6. 1mo ago

    FGA Custom Roles

    FGA custom roles can now be bound to specific resource types like workspaces or projects rather than only being global. A real expressivity step for fine-grained authorization, edging closer to ReBAC ergonomics.