Hacker News | grinich's comments

Custom roles per-org is supported natively with WorkOS. (I'm the founder.)

I think we have the most advanced RBAC system. You can even map roles from custom IdP groups via SCIM.

More info here: https://workos.com/guides/user-provisioning-scim


Hi I'm the founder of WorkOS.

We're working on multi-app support. The large majority of our customers only have 1 app (ChatGPT, Claude, Cursor, etc.) but this isn't the case for developers building lots of side projects.

Also working on shipping an agent-friendly Dashboard. Stay tuned :)

Would love to hear any more feedback: mg@workos.com


WorkOS has a built-in workflow for all the complex SAML/SCIM attribute mapping.

https://workos.com/docs/directory-sync/attributes

Also certificate renewal flows:

https://workos.com/changelog/certificate-renewal-flow

(I'm the founder.)


WorkOS powers auth for OpenAI, Anthropic, Cursor, Vercel, Perplexity, Clay, Webflow, Granola, and a bunch of others. Free up to 1M users; you pay for enterprise features.

I'm the founder and happy to help. We've differentiated by focusing on "b2b auth" via SAML/SCIM, but today we do everything else. We also have products for feature flags, encryption, bot blocking, MCP auth, etc.

Fun fact, we actually launched on HN in 2020 :) https://news.ycombinator.com/item?id=22607402


This is awesome - I had heard the name floating around but didn't realize how permissive your free tier was. I'm using Clerk for my new project https://thoughtprint.space/ but might switch it over to WorkOS.


Docs to migrate from Clerk to WorkOS: http://workos.com/docs/migrate/clerk

Claude Code can often one-shot it. Feel free to reach out if I can help!


Recently I moved to WorkOS for modulus.so. Love your product.

MCP auth and feature flags are two features that got me in. I also like that it's flexible enough for me to write custom logic in the auth flow, which a lot of providers try to abstract.


What do you use for RBAC today? Do you have AI rewrite it every time?


The author of the initial comment mentioned that customers of contract work prefer code which is 100% theirs, purpose-written, not a dependency, even vendored.


If you’re looking for b2b identity, I’m the founder of WorkOS and we power this for a bunch of apps. Feel free to email me, mg@workos.com


We use WorkOS to support some of our offerings but not for our own corporate identity/authentication. I’m not close to the project so I don’t have experience using WorkOS but definitely curious about replacing Okta.



I lost track of what they use … Auth0, Ory, WorkOS… sounds like they should go ahead and finally acquire something #scnr


It's so bad

Here is a major vulnerability we disclosed earlier this year:

https://workos.com/blog/samlstorm


I got hit with the same kind of phishing attack a couple of months ago.

It's pretty incredible the level of UI engineering that went into it.

Some screenshots I took: https://x.com/grinich/status/1963744947053703309


Hmm, since Chromium is working on adding browser-local AI features, I wonder if this one day could be a security check (for links opened from the outside of the browser). E.g. the browser detected that you clicked on a new-tab link, and the page looks like a commonly known site, then the AI detects that the URL isn't "x.com" and gives a heads-up warning. At least for the top 1000 most common sites, this could prevent a lot of phishing attacks.


I'm sorry but the imagecontent-x.com url should throw red flags for anyone.


This is exactly how not to defend against phishing. The meaningful defense is to foreclose on it entirely, not to just get super good at spotting fakes.


> The meaningful defense is to foreclose on it entirely

Sounds easy enough in theory. How do you do that in practice?


Use passkeys. Bully services that don’t offer them or lock them behind enterprise plans into implementing them.

That’s it. The single working defense against credential theft.


So, in that case the browser (correctly) did not autofill? Is that a common occurrence for legit traffic from X? And no complaint about the website's identity from the browser -- the expected "lock" icon left of the URL?


As long as people are used to companies just buying new domains for the hell of it, yes. Just look at the amount of domains Microsoft uses for signing in! My password manager currently holds 8 of them. Eight! Who can be blamed for thinking it’s the password manager's fault?


They migrated SSO/SAML to WorkOS, and consumer auth to forked open source.

