workos 5.21.0 → 5.23.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44c2f0a70f0a653685d6e7a8ca2601b64c4a1ff43276680ff52d0fcd2c80f5b3
-  data.tar.gz: 1d3aa7e958196efbe79018014e2ffd5be229dc93812a60725d05a958afcd1c20
+  metadata.gz: 840052dd55f646d6ae09f2c0e0a4c91a6686d0f4fcb3b9da66b13fa3e4f835eb
+  data.tar.gz: cb5807f1a8b0b1fe28f21e5c8cfa84fd3c75e68bf7e743f9f95a5ac1787efd55
 SHA512:
-  metadata.gz: f51ad812297b13109f943a23d15592991b14f2d1c18ba91505c4227fffc64c2ac7912c32df163e974eb95a1f8069b3289f33b1bf783c18e757ba56e7869717d7
-  data.tar.gz: 5a5428749ac62c22f4fa33db0ad5a491e262c01e445a8318210d09e654e6123a17dec582e9d8b54f09913f123679f1ebe8bc57a2fec7d032f690acf28d77b8a4
+  metadata.gz: fccea79a69343e4deeb1f25e076dfc19febbd5a540bd0e9e55ad6f4859ef3332a300e1f023e74c8bad7c16fe1c2b7266eb8bc5dfd600ddb0d40e036ff48d739f
+  data.tar.gz: b49a2c19e2360811203f8b07806a198bd7b9307dc654b72fb266311ff7fbf881b0cb142159a67144c25057d340e3d4fdd11bba1fc42e509bf05fcf427dcd9a48

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (5.21.0)
+    workos (5.23.0)
       encryptor (~> 3.0)
       jwt (~> 2.8)
 

data/lib/workos/organization.rb

@@ -12,6 +12,7 @@ module WorkOS
       :domains,
       :stripe_customer_id,
       :name,
+      :external_id,
       :allow_profiles_outside_organization,
       :created_at,
       :updated_at,
@@ -22,6 +23,7 @@ module WorkOS
 
       @id = hash[:id]
       @name = hash[:name]
+      @external_id = hash[:external_id]
       @allow_profiles_outside_organization = hash[:allow_profiles_outside_organization]
       @domains = hash[:domains]
       @stripe_customer_id = hash[:stripe_customer_id]
@@ -33,6 +35,7 @@ module WorkOS
       {
         id: id,
         name: name,
+        external_id: external_id,
         allow_profiles_outside_organization: allow_profiles_outside_organization,
         domains: domains,
         stripe_customer_id: stripe_customer_id,

data/lib/workos/organizations.rb

@@ -75,6 +75,7 @@ module WorkOS
       # @option domain_data [String] domain The domain that belongs to the organization.
       # @option domain_data [String] state The state of the domain. "verified" or "pending"
       # @param [String] name A unique, descriptive name for the organization
+      # @param [String] external_id The organization's external ID.
       # @param [String] idempotency_key An idempotency key
       # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
       #   within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
@@ -85,11 +86,13 @@ module WorkOS
         domain_data: nil,
         domains: nil,
         name:,
+        external_id: nil,
         allow_profiles_outside_organization: nil,
         idempotency_key: nil
       )
         body = { name: name }
         body[:domain_data] = domain_data if domain_data
+        body[:external_id] = external_id if external_id
 
         if domains
           warn_deprecation '`domains` is deprecated. Use `domain_data` instead.'
@@ -123,22 +126,26 @@ module WorkOS
       # @option domain_data [String] state The state of the domain. "verified" or "pending"
       # @param [String] stripe_customer_id The Stripe customer ID associated with this organization.
       # @param [String] name A unique, descriptive name for the organization
+      # @param [String] external_id The organization's external ID.
       # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
       #   within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       #   Deprecated: If you need to allow sign-ins from any email domain, contact suppport@workos.com.
       # @param [Array<String>] domains List of domains that belong to the organization.
       #   Deprecated: Use domain_data instead.
+      # rubocop:disable Metrics/ParameterLists
       def update_organization(
         organization:,
         stripe_customer_id: nil,
         domain_data: nil,
         domains: nil,
         name: nil,
+        external_id: :not_set,
         allow_profiles_outside_organization: nil
       )
         body = { name: name }
         body[:domain_data] = domain_data if domain_data
         body[:stripe_customer_id] = stripe_customer_id if stripe_customer_id
+        body[:external_id] = external_id if external_id != :not_set
 
         if domains
           warn_deprecation '`domains` is deprecated. Use `domain_data` instead.'
@@ -162,6 +169,7 @@ module WorkOS
 
         WorkOS::Organization.new(response.body)
       end
+      # rubocop:enable Metrics/ParameterLists
 
       # Delete an Organization
       #

data/lib/workos/session.rb

@@ -51,6 +51,7 @@ module WorkOS
         role: decoded['role'],
         permissions: decoded['permissions'],
         entitlements: decoded['entitlements'],
+        feature_flags: decoded['feature_flags'],
         user: session[:user],
         impersonator: session[:impersonator],
         reason: nil,

data/lib/workos/sso.rb

@@ -120,8 +120,9 @@ module WorkOS
           code: code,
         }
 
-        response = client.request(post_request(path: '/sso/token', body: body))
-        check_and_raise_profile_and_token_error(response: response)
+        response = execute_request(
+          request: post_request(path: '/sso/token', body: body),
+        )
 
         WorkOS::ProfileAndToken.new(response.body)
       end
@@ -229,28 +230,6 @@ module WorkOS
         raise ArgumentError, "#{provider} is not a valid value." \
           " `provider` must be in #{PROVIDERS}"
       end
-
-      def check_and_raise_profile_and_token_error(response:)
-        begin
-          body = JSON.parse(response.body)
-          return if body['access_token'] && body['profile']
-
-          message = body['message']
-          error = body['error']
-          error_description = body['error_description']
-          request_id = response['x-request-id']
-        rescue StandardError
-          message = 'Something went wrong'
-        end
-
-        raise APIError.new(
-          message: message,
-          error: error,
-          error_description: error_description,
-          http_status: nil,
-          request_id: request_id,
-        )
-      end
     end
   end
 end

data/lib/workos/user_management.rb

@@ -182,6 +182,7 @@ module WorkOS
       # @param [String] first_name The user's first name.
       # @param [String] last_name The user's last name.
       # @param [Boolean] email_verified Whether the user's email address was previously verified.
+      # @param [String] external_id The user's external ID.
       # @param [String] password_hash The user's hashed password.
       # @option [String] password_hash_type The algorithm originally used to hash the password.
       #
@@ -193,6 +194,7 @@ module WorkOS
         first_name: nil,
         last_name: nil,
         email_verified: nil,
+        external_id: nil,
         password_hash: nil,
         password_hash_type: nil
       )
@@ -204,9 +206,10 @@ module WorkOS
             first_name: first_name,
             last_name: last_name,
             email_verified: email_verified,
+            external_id: external_id,
             password_hash: password_hash,
             password_hash_type: password_hash_type,
-          },
+          }.compact,
           auth: true,
         )
 
@@ -231,14 +234,14 @@ module WorkOS
       # @return [WorkOS::User]
       def update_user(
         id:,
-        email: nil,
-        first_name: nil,
-        last_name: nil,
-        email_verified: nil,
-        external_id: nil,
-        password: nil,
-        password_hash: nil,
-        password_hash_type: nil
+        email: :not_set,
+        first_name: :not_set,
+        last_name: :not_set,
+        email_verified: :not_set,
+        external_id: :not_set,
+        password: :not_set,
+        password_hash: :not_set,
+        password_hash_type: :not_set
       )
         request = put_request(
           path: "/user_management/users/#{id}",
@@ -251,7 +254,7 @@ module WorkOS
             password: password,
             password_hash: password_hash,
             password_hash_type: password_hash_type,
-          },
+          }.reject { |_, v| v == :not_set },
           auth: true,
         )
 
@@ -643,7 +646,7 @@ module WorkOS
             body: {
               email: email,
               invitation_token: invitation_token,
-            },
+            }.compact,
             auth: true,
           ),
         )
@@ -697,7 +700,7 @@ module WorkOS
               totp_issuer: totp_issuer,
               totp_user: totp_user,
               totp_secret: totp_secret,
-            },
+            }.compact,
             auth: true,
           ),
         )
@@ -928,7 +931,7 @@ module WorkOS
             user_id: user_id,
             organization_id: organization_id,
             role_slug: role_slug,
-          },
+          }.compact,
           auth: true,
         )
 
@@ -1093,7 +1096,7 @@ module WorkOS
               expires_in_days: expires_in_days,
               inviter_user_id: inviter_user_id,
               role_slug: role_slug,
-            },
+            }.compact,
             auth: true,
           ),
         )

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.21.0'
+  VERSION = '5.23.0'
 end

data/spec/lib/workos/organizations_spec.rb

@@ -33,6 +33,21 @@ describe WorkOS::Organizations do
           end
         end
 
+        context 'with external_id' do
+          it 'creates an organization with external_id' do
+            VCR.use_cassette 'organization/create_with_external_id' do
+              organization = described_class.create_organization(
+                name: 'Test Organization with External ID',
+                external_id: 'ext_org_123',
+              )
+
+              expect(organization.id).to start_with('org_')
+              expect(organization.name).to eq('Test Organization with External ID')
+              expect(organization.external_id).to eq('ext_org_123')
+            end
+          end
+        end
+
         context 'with domains' do
           it 'creates an organization and warns' do
             VCR.use_cassette 'organization/create_with_domains' do
@@ -310,6 +325,43 @@ describe WorkOS::Organizations do
         end
       end
     end
+    context 'with an external_id' do
+      it 'updates the organization' do
+        VCR.use_cassette 'organization/update_with_external_id' do
+          organization = described_class.update_organization(
+            organization: 'org_01K0SQV0S6EPWK2ZDEFD1CP1JC',
+            name: 'Test Organization',
+            external_id: 'ext_org_456',
+          )
+
+          expect(organization.id).to eq('org_01K0SQV0S6EPWK2ZDEFD1CP1JC')
+          expect(organization.name).to eq('Test Organization')
+          expect(organization.external_id).to eq('ext_org_456')
+        end
+      end
+    end
+
+    context 'can set external_id to null explicitly' do
+      it 'includes external_id null in request body' do
+        original_method = described_class.method(:put_request)
+        allow(described_class).to receive(:put_request) do |kwargs|
+          original_method.call(**kwargs)
+        end
+
+        VCR.use_cassette 'organization/update_with_external_id_null' do
+          described_class.update_organization(
+            organization: 'org_01K0SQV0S6EPWK2ZDEFD1CP1JC',
+            name: 'Test Organization',
+            external_id: nil,
+          )
+        end
+
+        # Verify the spy captured the right call
+        expect(described_class).to have_received(:put_request).with(
+          hash_including(body: hash_including(external_id: nil)),
+        )
+      end
+    end
   end
 
   describe '.delete_organization' do

data/spec/lib/workos/session_spec.rb

@@ -174,6 +174,7 @@ describe WorkOS::Session do
                              organization_id: 'org_id',
                              role: 'role',
                              permissions: ['read'],
+                             feature_flags: nil,
                              entitlements: nil,
                              user: 'user',
                              impersonator: 'impersonator',
@@ -209,6 +210,43 @@ describe WorkOS::Session do
                                role: 'role',
                                permissions: ['read'],
                                entitlements: ['billing'],
+                               feature_flags: nil,
+                               user: 'user',
+                               impersonator: 'impersonator',
+                               reason: nil,
+                             })
+      end
+    end
+
+    describe 'with feature flags' do
+      let(:payload) do
+        {
+          sid: 'session_id',
+          org_id: 'org_id',
+          role: 'role',
+          permissions: ['read'],
+          feature_flags: ['new_feature_enabled'],
+          exp: Time.now.to_i + 3600,
+        }
+      end
+
+      it 'includes feature flags in the result' do
+        session = WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+        allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+        result = session.authenticate
+        expect(result).to eq({
+                               authenticated: true,
+                               session_id: 'session_id',
+                               organization_id: 'org_id',
+                               role: 'role',
+                               permissions: ['read'],
+                               entitlements: nil,
+                               feature_flags: ['new_feature_enabled'],
                                user: 'user',
                                impersonator: 'impersonator',
                                reason: nil,

data/spec/lib/workos/sso_spec.rb

@@ -416,10 +416,73 @@ describe WorkOS::SSO do
         expect do
           described_class.profile_and_token(**args)
         end.to raise_error(
-          WorkOS::APIError,
-          'error: some error, error_description: some error description - request ID: request-id',
+          WorkOS::UnprocessableEntityError,
+          'Status 422, some error - request ID: request-id',
         )
       end
+
+      it 'raises an exception with proper error object attributes' do
+        expect do
+          described_class.profile_and_token(**args)
+        end.to raise_error(WorkOS::UnprocessableEntityError)
+      end
+
+      it 'includes proper error attributes' do
+        error = begin
+          described_class.profile_and_token(**args)
+        rescue WorkOS::UnprocessableEntityError => e
+          e
+        end
+
+        expect(error.http_status).to eq(422)
+        expect(error.request_id).to eq('request-id')
+        expect(error.error).to eq('some error')
+        expect(error.message).to include('some error')
+      end
+    end
+
+    context 'with detailed field validation errors' do
+      before do
+        stub_request(:post, 'https://api.workos.com/sso/token').
+          with(headers: headers, body: request_body).
+          to_return(
+            headers: { 'X-Request-ID' => 'request-id' },
+            status: 422,
+            body: {
+              "message": 'Validation failed',
+              "code": 'invalid_request_parameters',
+              "errors": [
+                {
+                  "field": 'code',
+                  "code": 'missing_required_parameter',
+                  "message": 'The code parameter is required',
+                }
+              ],
+            }.to_json,
+          )
+      end
+
+      it 'raises an exception with detailed field errors' do
+        expect do
+          described_class.profile_and_token(**args)
+        end.to raise_error(WorkOS::UnprocessableEntityError)
+      end
+
+      it 'includes detailed field error attributes' do
+        error = begin
+          described_class.profile_and_token(**args)
+        rescue WorkOS::UnprocessableEntityError => e
+          e
+        end
+
+        expect(error.http_status).to eq(422)
+        expect(error.request_id).to eq('request-id')
+        expect(error.code).to eq('invalid_request_parameters')
+        expect(error.errors).not_to be_nil
+        expect(error.errors).to include('code: missing_required_parameter')
+        expect(error.message).to include('Validation failed')
+        expect(error.message).to include('(code: missing_required_parameter)')
+      end
     end
 
     context 'with an expired code' do
@@ -440,11 +503,31 @@ describe WorkOS::SSO do
         expect do
           described_class.profile_and_token(**args)
         end.to raise_error(
-          WorkOS::APIError,
-          "error: invalid_grant, error_description: The code '01DVX3C5Z367SFHR8QNDMK7V24'" \
+          WorkOS::InvalidRequestError,
+          "Status 400, error: invalid_grant, error_description: The code '01DVX3C5Z367SFHR8QNDMK7V24'" \
           ' has expired or is invalid. - request ID: request-id',
         )
       end
+
+      it 'raises an exception with proper error object attributes' do
+        expect do
+          described_class.profile_and_token(**args)
+        end.to raise_error(WorkOS::InvalidRequestError)
+      end
+
+      it 'includes proper error attributes' do
+        error = begin
+          described_class.profile_and_token(**args)
+        rescue WorkOS::InvalidRequestError => e
+          e
+        end
+
+        expect(error.http_status).to eq(400)
+        expect(error.request_id).to eq('request-id')
+        expect(error.error).to eq('invalid_grant')
+        expect(error.error_description).to eq("The code '01DVX3C5Z367SFHR8QNDMK7V24' has expired or is invalid.")
+        expect(error.message).to include('invalid_grant')
+      end
     end
   end
 

data/spec/lib/workos/user_management_spec.rb

@@ -338,6 +338,42 @@ describe WorkOS::UserManagement do
         end
       end
 
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ email: 'test@example.com', first_name: 'John' })
+          expect(body).not_to have_key(:last_name)
+          expect(body).not_to have_key(:email_verified)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_user", "email": "test@example.com"}'),
+        )
+
+        described_class.create_user(
+          email: 'test@example.com',
+          first_name: 'John',
+        )
+      end
+
+      it 'creates a user with external_id' do
+        VCR.use_cassette 'user_management/create_user_with_external_id' do
+          user = described_class.create_user(
+            email: 'external@example.com',
+            first_name: 'External',
+            last_name: 'User',
+            external_id: 'ext_user_123',
+          )
+
+          expect(user.first_name).to eq('External')
+          expect(user.last_name).to eq('User')
+          expect(user.email).to eq('external@example.com')
+          expect(user.external_id).to eq('ext_user_123')
+        end
+      end
+
       context 'with an invalid payload' do
         it 'returns an error' do
           VCR.use_cassette 'user_management/create_user_invalid' do
@@ -382,6 +418,49 @@ describe WorkOS::UserManagement do
         end
       end
 
+      it 'only sends non-nil values in request body' do
+        # Mock the request to inspect what's being sent
+        expect(described_class).to receive(:put_request) do |options|
+          # Verify that the body only contains non-nil values
+          body = options[:body]
+          expect(body).to eq({ email_verified: true })
+          expect(body).not_to have_key(:first_name)
+          expect(body).not_to have_key(:last_name)
+          expect(body).not_to have_key(:email)
+
+          # Return a mock request object
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_user", "email_verified": true}'),
+        )
+
+        described_class.update_user(
+          id: 'user_01H7TVSKS45SDHN5V9XPSM6H44',
+          email_verified: true,
+        )
+      end
+
+      it 'can set external_id to null explicitly' do
+        original_method = described_class.method(:put_request)
+        allow(described_class).to receive(:put_request) do |kwargs|
+          original_method.call(**kwargs)
+        end
+
+        VCR.use_cassette 'user_management/update_user_external_id_null' do
+          described_class.update_user(
+            id: 'user_01K0SR53HJ58M957MYAB6TDZ9X',
+            first_name: 'John',
+            external_id: nil,
+          )
+        end
+
+        expect(described_class).to have_received(:put_request).with(
+          hash_including(body: hash_including(external_id: nil)),
+        )
+      end
+
       context 'with an invalid payload' do
         it 'returns an error' do
           VCR.use_cassette 'user_management/update_user/invalid' do
@@ -778,6 +857,28 @@ describe WorkOS::UserManagement do
           expect(authentication_response.authentication_challenge.id).to eq('auth_challenge_01H96FETXGTW1QMBSBT2T36PW0')
         end
       end
+
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ type: 'totp', totp_issuer: 'Test App' })
+          expect(body).not_to have_key(:totp_user)
+          expect(body).not_to have_key(:totp_secret)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response',
+                 body: '{"authentication_factor": {"id": "test"}, "authentication_challenge": {"id": "test"}}',),
+        )
+
+        described_class.enroll_auth_factor(
+          user_id: 'user_123',
+          type: 'totp',
+          totp_issuer: 'Test App',
+        )
+      end
     end
 
     context 'with an incorrect user id' do
@@ -1444,6 +1545,27 @@ describe WorkOS::UserManagement do
           expect(invitation.email).to eq('test@workos.com')
         end
       end
+
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ email: 'test@workos.com', organization_id: 'org_123' })
+          expect(body).not_to have_key(:expires_in_days)
+          expect(body).not_to have_key(:inviter_user_id)
+          expect(body).not_to have_key(:role_slug)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_invitation"}'),
+        )
+
+        described_class.send_invitation(
+          email: 'test@workos.com',
+          organization_id: 'org_123',
+        )
+      end
     end
 
     context 'with an invalid payload' do

data/spec/support/fixtures/vcr_cassettes/organization/create_with_external_id.yml

@@ -0,0 +1,83 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/organizations
+    body:
+      encoding: UTF-8
+      string: '{"name":"Test Organization with External ID","external_id":"ext_org_123"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.1.4; arm64-darwin24; v5.20.0
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Date:
+      - Tue, 22 Jul 2025 18:55:20 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '286'
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 963526d76e29aafd-YYZ
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"11e-Op9TWXVRjSmUm44yQl7F4OmXvVQ"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - 56c9630e-4889-4c81-989b-5a0399cdfcc2
+      X-Xss-Protection:
+      - '0'
+      Report-To:
+      - '{"endpoints":[{"url":"https:\/\/csp-reporting.cloudflare.com\/cdn-cgi\/script_monitor\/report?m=RvRh6EQA2egPx6JdFhsw.m.1RATK00LOdPev9hq3f8A-1753210520-1.0.1.1-Uchst_eeyl0_BAQRRODtUIhYDUBNZKYADoELB62ZrhleV2Q.J_Wdk59lUFdfwSqAAX2vWrW_nejregFofyr3sox0aNmZolb8G_7Nzpy2RD9uyKH4l3OgsDbo.LRttnqfDPXocdCCB9G61E4QJ8Q1ug"}],"group":"cf-csp-endpoint","max_age":86400}'
+      Content-Security-Policy-Report-Only:
+      - script-src 'none'; connect-src 'none'; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=RvRh6EQA2egPx6JdFhsw.m.1RATK00LOdPev9hq3f8A-1753210520-1.0.1.1-Uchst_eeyl0_BAQRRODtUIhYDUBNZKYADoELB62ZrhleV2Q.J_Wdk59lUFdfwSqAAX2vWrW_nejregFofyr3sox0aNmZolb8G_7Nzpy2RD9uyKH4l3OgsDbo.LRttnqfDPXocdCCB9G61E4QJ8Q1ug;
+        report-to cf-csp-endpoint
+      Set-Cookie:
+      - _cfuvid=PQ8Lx7_xKyiAL1Mx.Ib3Gjf0xXL4n9.aJfbpov473xY-1753210520423-0.0.1.1-604800000;
+        path=/; domain=.workos.com; HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: UTF-8
+      string: '{"object":"organization","id":"org_01K0SQV0S6EPWK2ZDEFD1CP1JC","name":"Test
+        Organization with External ID","allow_profiles_outside_organization":false,"created_at":"2025-07-22T18:55:20.355Z","updated_at":"2025-07-22T18:55:20.355Z","domains":[],"metadata":{},"external_id":"ext_org_123"}'
+    http_version:
+  recorded_at: Tue, 22 Jul 2025 18:55:20 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/organization/update_with_external_id.yml

@@ -0,0 +1,78 @@
+---
+http_interactions:
+- request:
+    method: put
+    uri: https://api.workos.com/organizations/org_01K0SQV0S6EPWK2ZDEFD1CP1JC
+    body:
+      encoding: UTF-8
+      string: '{"name":"Test Organization","external_id":"ext_org_456"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.1.4; arm64-darwin24; v5.20.0
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Tue, 22 Jul 2025 18:59:20 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 96352cb1598936bf-YYZ
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"10d-7PesLGj94PWb6A5HO530ZxGdEf4"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - fdca4330-1a27-4bd5-9e78-75e58eefb233
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - _cfuvid=hbA98zPccWnkbrQxoYNYNSHeQq3brYDB.grPijC_WV4-1753210760158-0.0.1.1-604800000;
+        path=/; domain=.workos.com; HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: ASCII-8BIT
+      string: '{"object":"organization","id":"org_01K0SQV0S6EPWK2ZDEFD1CP1JC","name":"Test
+        Organization","allow_profiles_outside_organization":false,"created_at":"2025-07-22T18:55:20.355Z","updated_at":"2025-07-22T18:59:20.064Z","domains":[],"metadata":{},"external_id":"ext_org_456"}'
+    http_version:
+  recorded_at: Tue, 22 Jul 2025 18:59:20 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/organization/update_with_external_id_null.yml

@@ -0,0 +1,78 @@
+---
+http_interactions:
+- request:
+    method: put
+    uri: https://api.workos.com/organizations/org_01K0SQV0S6EPWK2ZDEFD1CP1JC
+    body:
+      encoding: UTF-8
+      string: '{"name":"Test Organization","external_id":null}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.1.4; arm64-darwin24; v5.22.0
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Wed, 23 Jul 2025 14:19:40 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 963bd06b7d9fac70-YYZ
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"104-iVnG8ziU2vR/dhIQFse9HLEGA6c"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - f38969a5-158e-4ed5-b165-a7789d1b0a07
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - _cfuvid=7pLWC5qh1CKmolFiECCkKsRg3QAx7aM07F6bX4r6VMU-1753280380885-0.0.1.1-604800000;
+        path=/; domain=.workos.com; HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: ASCII-8BIT
+      string: '{"object":"organization","id":"org_01K0SQV0S6EPWK2ZDEFD1CP1JC","name":"Test
+        Organization","allow_profiles_outside_organization":false,"created_at":"2025-07-22T18:55:20.355Z","updated_at":"2025-07-23T14:19:40.831Z","domains":[],"metadata":{},"external_id":null}'
+    http_version:
+  recorded_at: Wed, 23 Jul 2025 14:19:40 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/create_user_with_external_id.yml

@@ -0,0 +1,77 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/user_management/users
+    body:
+      encoding: UTF-8
+      string: '{"email":"external@example.com","password":null,"first_name":"External","last_name":"User","email_verified":null,"external_id":"ext_user_123","password_hash":null,"password_hash_type":null}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.1.4; arm64-darwin24; v5.20.0
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Date:
+      - Tue, 22 Jul 2025 19:00:50 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '326'
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 96352ee9395c36b3-YYZ
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"146-upR+rp+FopOrmNrHPnshQZCSTFg"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - 0ca01f80-ab79-4dac-ac38-85013ee190fc
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - _cfuvid=eS3jraDP_ZTVdNpNKtpQG80hPBRXhXcHuq1V_QbAQjY-1753210850912-0.0.1.1-604800000;
+        path=/; domain=.workos.com; HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: UTF-8
+      string: '{"object":"user","id":"user_01K0SR53HJ58M957MYAB6TDZ9X","email":"external@example.com","email_verified":false,"first_name":"External","last_name":"User","profile_picture_url":null,"metadata":{},"last_sign_in_at":null,"created_at":"2025-07-22T19:00:50.852Z","updated_at":"2025-07-22T19:00:50.852Z","external_id":"ext_user_123"}'
+    http_version:
+  recorded_at: Tue, 22 Jul 2025 19:00:50 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/update_user_external_id_null.yml

@@ -0,0 +1,77 @@
+---
+http_interactions:
+- request:
+    method: put
+    uri: https://api.workos.com/user_management/users/user_01K0SR53HJ58M957MYAB6TDZ9X
+    body:
+      encoding: UTF-8
+      string: '{"first_name":"John","external_id":null}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.1.4; arm64-darwin24; v5.22.0
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Wed, 23 Jul 2025 14:19:37 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 963bd0578b723987-YYZ
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"138-cAQWhb1gyLa/WXSej+rjaxcQD5k"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - e32c5c22-9dba-480d-9b70-cb985f8de386
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - _cfuvid=0ljO.TFpHbzOeVWd7XzlanO5UxaeU_RBUAsoWNtWaF0-1753280377738-0.0.1.1-604800000;
+        path=/; domain=.workos.com; HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: ASCII-8BIT
+      string: '{"object":"user","id":"user_01K0SR53HJ58M957MYAB6TDZ9X","email":"external@example.com","email_verified":false,"first_name":"John","last_name":"User","profile_picture_url":null,"metadata":{},"last_sign_in_at":null,"created_at":"2025-07-22T19:00:50.852Z","updated_at":"2025-07-23T14:19:37.660Z","external_id":null}'
+    http_version:
+  recorded_at: Wed, 23 Jul 2025 14:19:37 GMT
+recorded_with: VCR 5.0.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.21.0
+  version: 5.23.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-07 00:00:00.000000000 Z
+date: 2025-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -266,6 +266,7 @@ files:
 - spec/support/fixtures/vcr_cassettes/organization/create_with_domains.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_with_duplicate_idempotency_key_and_different_payload.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_with_duplicate_idempotency_key_and_payload.yml
+- spec/support/fixtures/vcr_cassettes/organization/create_with_external_id.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_with_idempotency_key.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_without_domains.yml
 - spec/support/fixtures/vcr_cassettes/organization/delete.yml
@@ -275,6 +276,8 @@ files:
 - spec/support/fixtures/vcr_cassettes/organization/list.yml
 - spec/support/fixtures/vcr_cassettes/organization/list_organization_roles.yml
 - spec/support/fixtures/vcr_cassettes/organization/update.yml
+- spec/support/fixtures/vcr_cassettes/organization/update_with_external_id.yml
+- spec/support/fixtures/vcr_cassettes/organization/update_with_external_id_null.yml
 - spec/support/fixtures/vcr_cassettes/organization/update_with_stripe_customer_id.yml
 - spec/support/fixtures/vcr_cassettes/organization/update_without_name.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session.yml
@@ -324,6 +327,7 @@ files:
 - spec/support/fixtures/vcr_cassettes/user_management/create_password_reset/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/create_user_invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/create_user_valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/create_user_with_external_id.yml
 - spec/support/fixtures/vcr_cassettes/user_management/deactivate_organization_membership.yml
 - spec/support/fixtures/vcr_cassettes/user_management/delete_organization_membership/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/delete_organization_membership/valid.yml
@@ -374,6 +378,7 @@ files:
 - spec/support/fixtures/vcr_cassettes/user_management/update_user/email.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user/valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/update_user_external_id_null.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user_password/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user_password/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/verify_email/invalid_code.yml
@@ -491,6 +496,7 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/organization/create_with_domains.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_with_duplicate_idempotency_key_and_different_payload.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_with_duplicate_idempotency_key_and_payload.yml
+- spec/support/fixtures/vcr_cassettes/organization/create_with_external_id.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_with_idempotency_key.yml
 - spec/support/fixtures/vcr_cassettes/organization/create_without_domains.yml
 - spec/support/fixtures/vcr_cassettes/organization/delete.yml
@@ -500,6 +506,8 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/organization/list.yml
 - spec/support/fixtures/vcr_cassettes/organization/list_organization_roles.yml
 - spec/support/fixtures/vcr_cassettes/organization/update.yml
+- spec/support/fixtures/vcr_cassettes/organization/update_with_external_id.yml
+- spec/support/fixtures/vcr_cassettes/organization/update_with_external_id_null.yml
 - spec/support/fixtures/vcr_cassettes/organization/update_with_stripe_customer_id.yml
 - spec/support/fixtures/vcr_cassettes/organization/update_without_name.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session.yml
@@ -549,6 +557,7 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/user_management/create_password_reset/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/create_user_invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/create_user_valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/create_user_with_external_id.yml
 - spec/support/fixtures/vcr_cassettes/user_management/deactivate_organization_membership.yml
 - spec/support/fixtures/vcr_cassettes/user_management/delete_organization_membership/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/delete_organization_membership/valid.yml
@@ -599,6 +608,7 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/user_management/update_user/email.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user/valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/update_user_external_id_null.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user_password/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/update_user_password/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/verify_email/invalid_code.yml