{"name":"WorkOS","slug":"workos","category":"auth","type":"cloud","website":"https://workos.com","pricing":"freemium","pricing_tiers":["Free up to 1M MAU","Pay-as-you-go after","Custom Enterprise"],"open_source":false,"self_hosted":false,"sdk_languages":["javascript","typescript","python","go","ruby","java"],"frameworks":["langchain","vercel-ai"],"agent_features":{"agent_sdk":false,"token_delegation":true,"human_in_the_loop":null,"fga":true,"mcp_support":null,"async_authorization":null},"compliance":["soc2","gdpr","hipaa"],"best_for":"Enterprise SSO, M2M authentication, and fine-grained authorization for B2B agent products","limitations":"No dedicated agent SDK; FGA is strong but relatively new; async authz patterns require custom integration","verified_by":"editorial","last_verified":"2026-04-17","source_urls":{"changelog":"https://workos.com/changelog","pricing":"https://workos.com/pricing","docs":"https://workos.com/docs"},"feature_labels":{"agent_sdk":"Dedicated SDK for agentic workflows — agent sessions, token lifecycle, and authorization requests","token_delegation":"Issue scoped tokens an agent can use downstream without exposing user credentials","human_in_the_loop":"Pause agent execution and require explicit user approval before proceeding","fga":"Fine-Grained Authorization — relationship-based or attribute-based access control, not just role-based","mcp_support":"Native OAuth/OIDC authorization layer for Model Context Protocol servers","async_authorization":"Non-blocking approval workflows — agent continues and gets notified when approval is granted"},"comparisons":[{"slug":"auth0-vs-workos","title":"Auth0 vs WorkOS","vs":"auth0"},{"slug":"clerk-vs-workos","title":"Clerk vs WorkOS","vs":"clerk"},{"slug":"cognito-vs-workos","title":"Amazon Cognito vs WorkOS","vs":"cognito"},{"slug":"descope-vs-workos","title":"Descope vs WorkOS","vs":"descope"},{"slug":"firebase-auth-vs-workos","title":"Firebase Auth vs WorkOS","vs":"firebase-auth"},{"slug":"keycloak-vs-workos","title":"Keycloak vs WorkOS","vs":"keycloak"},{"slug":"ory-vs-workos","title":"Ory vs WorkOS","vs":"ory"},{"slug":"stytch-vs-workos","title":"Stytch vs WorkOS","vs":"stytch"},{"slug":"supabase-auth-vs-workos","title":"Supabase Auth vs WorkOS","vs":"supabase-auth"}],"body":"# WorkOS\n\nWorkOS is built for selling to enterprises. Its core strengths are SSO (SAML, OIDC), SCIM provisioning, and a fine-grained authorization product (AuthKit FGA). For AI agents operating in B2B SaaS contexts — where enterprise customers need to control exactly what the agent can access — WorkOS is a strong fit.\n\nM2M (machine-to-machine) authentication is well-supported, which maps to agent-to-agent or agent-to-API scenarios. Token delegation is available through standard OAuth flows.\n\nWorkOS doesn't have a dedicated agent SDK, so integration into agentic frameworks requires more custom work compared to Auth0 AI or Descope. The FGA product is capable but newer than alternatives like SpiceDB (Ory) or Auth0 FGA.\n\n**Agent-specific features:**\n- M2M authentication for agent-to-service calls\n- FGA via AuthKit (relationship-based authorization)\n- Enterprise SSO for B2B agent products\n- Standard OAuth token delegation"}