workos 5.31.1 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5e37c10b9ae34685d2545d670ca866dbda73c22df75fc1a2e8d79c159d3a2c7
-  data.tar.gz: a6f6e36847db549930e7a18ae58e9e95a9c249eb7a93e4466f14109e50e7fddd
+  metadata.gz: 2c2b3e2f56e5f5ffc2d59d27eb6613c018b24ec57ff270ed9e95730a46aafdc6
+  data.tar.gz: 6e001f5af6046daf9b640f570cd7318767fc106e90cdf3c9e7f8a3b0c11d1b3b
 SHA512:
-  metadata.gz: 37ce63e77ccf9dd05b0d85837c5e1334ae155cd9beb0500d9b3faa3dd985c9638f54f77ff5cd1f350e3d283db23ac16f7a08bd972f308852a6f5eb4c63ebfa79
-  data.tar.gz: 77b058f1b59efe3a390817173d8a4b45557d41f95385196af8c999e4130ddc83a7a306b68714a7c5c2f7cc695db2e21192599792bce156918bce435a0b2d9b7f
+  metadata.gz: aa0bdfff2eb4de65c9bd5679be9f44b36df9eafd5eb8d3826f490d435825f61f3df32768e77b8954df538a3e3af2963aaba3fe23c89148b7f7619d83ea349c46
+  data.tar.gz: 6ae668143797a324cea0db2d9d779fe803c13f9defc62d707bb7b4419ba931a71d12ff5dd4bdc17da5c6c284623b1484a111817a1294e1f02f0e1e741dd15781

data/.github/workflows/lint-pr-title.yml

@@ -0,0 +1,20 @@
+name: Lint PR Title
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/.github/workflows/release-please.yml

@@ -0,0 +1,25 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.SDK_BOT_APP_ID }}
+          private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@v4
+        with:
+          token: ${{ steps.generate-token.outputs.token }}

data/.github/workflows/release.yml

@@ -1,53 +1,16 @@
 name: Release
 
 on:
-  pull_request:
-    types: [closed]
-    branches: [main]
+  release:
+    types: [published]
 
 defaults:
   run:
     shell: bash
 
 jobs:
-  create-release:
-    name: Create GitHub Release
-    if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'version-bump')
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    outputs:
-      version: ${{ steps.get-version.outputs.version }}
-    steps:
-      - name: Generate token
-        id: generate-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ vars.SDK_BOT_APP_ID }}
-          private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
-
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-
-      - name: Get version from version.rb
-        id: get-version
-        run: |
-          VERSION=$(grep "VERSION = " lib/workos/version.rb | sed "s/.*VERSION = '\(.*\)'/\1/")
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-
-      - name: Create Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: v${{ steps.get-version.outputs.version }}
-          name: v${{ steps.get-version.outputs.version }}
-          generate_release_notes: true
-          token: ${{ steps.generate-token.outputs.token }}
-
   publish:
     name: Publish to RubyGems
-    needs: create-release
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -72,5 +35,6 @@ jobs:
 
       - name: Publish to RubyGems
         run: |
+          VERSION="${GITHUB_REF_NAME#v}"
           bundle exec rake build
-          gem push pkg/workos-${{ needs.create-release.outputs.version }}.gem --host https://rubygems.org
+          gem push pkg/workos-${VERSION}.gem --host https://rubygems.org

data/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "6.1.0"
+}

data/CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+## [6.1.0](https://github.com/workos/workos-ruby/compare/workos-v6.0.0...workos/v6.1.0) (2026-02-10)
+
+
+### Features
+
+* add support for totp_secret ([#300](https://github.com/workos/workos-ruby/issues/300)) ([c0a26bf](https://github.com/workos/workos-ruby/commit/c0a26bf745fb49ebaac7c5241e99d51188b886bb))
+* Include Feature Flags decoded from the JWT in the payload of a Session ([#386](https://github.com/workos/workos-ruby/issues/386)) ([31a0e79](https://github.com/workos/workos-ruby/commit/31a0e7901247652182dcaad95e131357b93d0d71))
+* **workos-ruby:** Add `connection` to `authorization_url` ([#78](https://github.com/workos/workos-ruby/issues/78)) ([c3a0e8e](https://github.com/workos/workos-ruby/commit/c3a0e8e4031a3ee888d925c11f1fd2fb152f0a16))
+
+
+### Bug Fixes
+
+* add `invitation_token` parameter to authentication methods ([#438](https://github.com/workos/workos-ruby/issues/438)) ([d24e3dc](https://github.com/workos/workos-ruby/commit/d24e3dc2995de26970415e4570a7ed810d432715))

data/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    workos (5.31.1)
+    workos (6.1.0)
       encryptor (~> 3.0)
-      jwt (~> 2.8)
+      jwt (~> 3.1)
 
 GEM
   remote: https://rubygems.org/
@@ -11,7 +11,7 @@ GEM
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
-    base64 (0.2.0)
+    base64 (0.3.0)
     bigdecimal (3.1.7)
     crack (1.0.0)
       bigdecimal
@@ -20,7 +20,7 @@ GEM
     encryptor (3.0.0)
     hashdiff (1.1.0)
     json (2.9.1)
-    jwt (2.10.2)
+    jwt (3.1.2)
       base64
     language_server-protocol (3.17.0.3)
     parallel (1.26.3)

data/lib/workos/authentication_response.rb

@@ -31,13 +31,17 @@ module WorkOS
       @oauth_tokens = json[:oauth_tokens] ? WorkOS::OAuthTokens.new(json[:oauth_tokens].to_json) : nil
       @sealed_session =
         if session && session[:seal_session]
-          WorkOS::Session.seal_data({
-                                      access_token: access_token,
-                                      refresh_token: refresh_token,
-                                      user: user.to_json,
-                                      organization_id: organization_id,
-                                      impersonator: impersonator.to_json,
-                                    }, session[:cookie_password],)
+          WorkOS::Session.seal_data(
+            {
+              access_token: access_token,
+              refresh_token: refresh_token,
+              user: user.to_json,
+              organization_id: organization_id,
+              impersonator: impersonator.to_json,
+            },
+            session[:cookie_password],
+            encryptor: session[:encryptor],
+          )
         end
     end
     # rubocop:enable Metrics/AbcSize

data/lib/workos/encryptors/aes_gcm.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'encryptor'
+require 'securerandom'
+require 'json'
+require 'base64'
+
+module WorkOS
+  module Encryptors
+    # Default encryptor using AES-256-GCM.
+    # Implements the encryptor interface: #seal(data, key) and #unseal(sealed_data, key)
+    class AesGcm
+      # Encrypts and seals data using AES-256-GCM
+      # @param data [Hash] The data to seal
+      # @param key [String] The encryption key
+      # @return [String] Base64-encoded sealed data
+      def seal(data, key)
+        iv = SecureRandom.random_bytes(12)
+
+        encrypted_data = Encryptor.encrypt(
+          value: JSON.generate(data),
+          key: key,
+          iv: iv,
+          algorithm: 'aes-256-gcm',
+        )
+        Base64.encode64(iv + encrypted_data)
+      end
+
+      # Decrypts and unseals data using AES-256-GCM
+      # @param sealed_data [String] The sealed data to unseal
+      # @param key [String] The decryption key
+      # @return [Hash] The unsealed data with symbolized keys
+      def unseal(sealed_data, key)
+        decoded_data = Base64.decode64(sealed_data)
+        iv = decoded_data[0..11]
+        encrypted_data = decoded_data[12..]
+
+        decrypted_data = Encryptor.decrypt(
+          value: encrypted_data,
+          key: key,
+          iv: iv,
+          algorithm: 'aes-256-gcm',
+        )
+
+        JSON.parse(decrypted_data, symbolize_names: true)
+      end
+    end
+  end
+end

data/lib/workos/encryptors.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # Encryptors module provides pluggable encryption implementations for session data.
+  # The default encryptor is AesGcm, which uses AES-256-GCM encryption.
+  module Encryptors
+    autoload :AesGcm, 'workos/encryptors/aes_gcm'
+  end
+end

data/lib/workos/refresh_authentication_response.rb

@@ -22,13 +22,17 @@ module WorkOS
         end
       @sealed_session =
         if session && session[:seal_session]
-          WorkOS::Session.seal_data({
-                                      access_token: access_token,
-                                      refresh_token: refresh_token,
-                                      user: user.to_json,
-                                      organization_id: organization_id,
-                                      impersonator: impersonator.to_json,
-                                    }, session[:cookie_password],)
+          WorkOS::Session.seal_data(
+            {
+              access_token: access_token,
+              refresh_token: refresh_token,
+              user: user.to_json,
+              organization_id: organization_id,
+              impersonator: impersonator.to_json,
+            },
+            session[:cookie_password],
+            encryptor: session[:encryptor],
+          )
         end
     end
     # rubocop:enable Metrics/AbcSize

data/lib/workos/session.rb

@@ -12,11 +12,14 @@ module WorkOS
   # The Session class provides helper methods for working with WorkOS sessions
   # This class is not meant to be instantiated in a user space, and is instantiated internally but exposed.
   class Session
-    attr_accessor :jwks, :jwks_algorithms, :user_management, :cookie_password, :session_data, :client_id
+    attr_accessor :jwks, :jwks_algorithms, :user_management, :cookie_password, :session_data, :client_id, :encryptor
 
-    def initialize(user_management:, client_id:, session_data:, cookie_password:)
+    def initialize(user_management:, client_id:, session_data:, cookie_password:, encryptor: nil)
       raise ArgumentError, 'cookiePassword is required' if cookie_password.nil? || cookie_password.empty?
 
+      @encryptor = encryptor || WorkOS::Encryptors::AesGcm.new
+      validate_encryptor!(@encryptor)
+
       @user_management = user_management
       @cookie_password = cookie_password
       @session_data = session_data
@@ -30,13 +33,14 @@ module WorkOS
 
     # Authenticates the user based on the session data
     # @param include_expired [Boolean] If true, returns decoded token data even when expired (default: false)
+    # @param block [Proc] Optional block to call to extract additional claims from the decoded JWT
     # @return [Hash] A hash containing the authentication response and a reason if the authentication failed
     # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
-    def authenticate(include_expired: false)
+    def authenticate(include_expired: false, &claim_extractor)
       return { authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' } if @session_data.nil?
 
       begin
-        session = Session.unseal_data(@session_data, @cookie_password)
+        session = Session.unseal_data(@session_data, @cookie_password, encryptor: @encryptor)
       rescue StandardError
         return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' }
       end
@@ -59,7 +63,7 @@ module WorkOS
         return { authenticated: false, reason: 'INVALID_JWT' } if expired && !include_expired
 
         # Return full data for valid tokens or when include_expired is true
-        {
+        result = {
           authenticated: !expired,
           session_id: decoded['sid'],
           organization_id: decoded['org_id'],
@@ -72,6 +76,8 @@ module WorkOS
           impersonator: session[:impersonator],
           reason: expired ? 'INVALID_JWT' : nil,
         }
+        result.merge!(claim_extractor.call(decoded)) if block_given?
+        result
       rescue JWT::DecodeError
         { authenticated: false, reason: 'INVALID_JWT' }
       rescue StandardError => e
@@ -89,7 +95,7 @@ module WorkOS
       cookie_password = options.nil? || options[:cookie_password].nil? ? @cookie_password : options[:cookie_password]
 
       begin
-        session = Session.unseal_data(@session_data, cookie_password)
+        session = Session.unseal_data(@session_data, cookie_password, encryptor: @encryptor)
       rescue StandardError
         return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' }
       end
@@ -101,7 +107,7 @@ module WorkOS
           client_id: @client_id,
           refresh_token: session[:refresh_token],
           organization_id: options.nil? || options[:organization_id].nil? ? nil : options[:organization_id],
-          session: { seal_session: true, cookie_password: cookie_password },
+          session: { seal_session: true, cookie_password: cookie_password, encryptor: @encryptor },
         )
 
         @session_data = auth_response.sealed_session
@@ -134,43 +140,34 @@ module WorkOS
       @user_management.get_logout_url(session_id: auth_response[:session_id], return_to: return_to)
     end
 
-    # Encrypts and seals data using AES-256-GCM
+    # Encrypts and seals data using the provided encryptor (defaults to AES-256-GCM)
     # @param data [Hash] The data to seal
     # @param key [String] The key to use for encryption
+    # @param encryptor [Object] Optional encryptor that responds to #seal(data, key)
     # @return [String] The sealed data
-    def self.seal_data(data, key)
-      iv = SecureRandom.random_bytes(12)
-
-      encrypted_data = Encryptor.encrypt(
-        value: JSON.generate(data),
-        key: key,
-        iv: iv,
-        algorithm: 'aes-256-gcm',
-      )
-      Base64.encode64(iv + encrypted_data) # Combine IV with encrypted data and encode as base64
+    def self.seal_data(data, key, encryptor: nil)
+      enc = encryptor || WorkOS::Encryptors::AesGcm.new
+      enc.seal(data, key)
     end
 
-    # Decrypts and unseals data using AES-256-GCM
+    # Decrypts and unseals data using the provided encryptor (defaults to AES-256-GCM)
     # @param sealed_data [String] The sealed data to unseal
     # @param key [String] The key to use for decryption
+    # @param encryptor [Object] Optional encryptor that responds to #unseal(sealed_data, key)
     # @return [Hash] The unsealed data
-    def self.unseal_data(sealed_data, key)
-      decoded_data = Base64.decode64(sealed_data)
-      iv = decoded_data[0..11] # Extract the IV (first 12 bytes)
-      encrypted_data = decoded_data[12..-1] # Extract the encrypted data
-
-      decrypted_data = Encryptor.decrypt(
-        value: encrypted_data,
-        key: key,
-        iv: iv,
-        algorithm: 'aes-256-gcm',
-      )
-
-      JSON.parse(decrypted_data, symbolize_names: true) # Parse the decrypted JSON string back to original data
+    def self.unseal_data(sealed_data, key, encryptor: nil)
+      enc = encryptor || WorkOS::Encryptors::AesGcm.new
+      enc.unseal(sealed_data, key)
     end
 
     private
 
+    def validate_encryptor!(enc)
+      return if enc.respond_to?(:seal) && enc.respond_to?(:unseal)
+
+      raise ArgumentError, 'encryptor must respond to #seal(data, key) and #unseal(sealed_data, key)'
+    end
+
     # Creates a JWKS set from a remote JWKS URL
     # @param uri [URI] The URI of the JWKS
     # @return [JWT::JWK::Set] The JWKS set

data/lib/workos/user_management.rb

@@ -42,14 +42,16 @@ module WorkOS
       # @param [String] client_id The WorkOS client ID for the environment
       # @param [String] session_data The sealed session data
       # @param [String] cookie_password The password used to seal the session
+      # @param [Object] encryptor Optional custom encryptor that responds to #seal and #unseal
       #
       # @return WorkOS::Session
-      def load_sealed_session(client_id:, session_data:, cookie_password:)
+      def load_sealed_session(client_id:, session_data:, cookie_password:, encryptor: nil)
         WorkOS::Session.new(
           user_management: self,
           client_id: client_id,
           session_data: session_data,
           cookie_password: cookie_password,
+          encryptor: encryptor,
         )
       end
 
@@ -296,16 +298,19 @@ module WorkOS
       # @param [String] client_id The WorkOS client ID for the environment
       # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [String] invitation_token The token of an Invitation, if required.
       # @param [Hash] session An optional hash that determines whether the session should be sealed and
       # the optional cookie password.
       #
       # @return WorkOS::AuthenticationResponse
+      # rubocop:disable Metrics/ParameterLists
       def authenticate_with_password(
         email:,
         password:,
         client_id:,
         ip_address: nil,
         user_agent: nil,
+        invitation_token: nil,
         session: nil
       )
         validate_session(session)
@@ -320,6 +325,7 @@ module WorkOS
               password: password,
               ip_address: ip_address,
               user_agent: user_agent,
+              invitation_token: invitation_token,
               grant_type: 'password',
             },
           ),
@@ -327,6 +333,7 @@ module WorkOS
 
         WorkOS::AuthenticationResponse.new(response.body, session)
       end
+      # rubocop:enable Metrics/ParameterLists
 
       # Authenticate a user using OAuth or an organization's SSO connection.
       #
@@ -335,6 +342,7 @@ module WorkOS
       # @param [String] client_id The WorkOS client ID for the environment
       # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [String] invitation_token The token of an Invitation, if required.
       # @param [Hash] session An optional hash that determines whether the session should be sealed and
       # the optional cookie password.
       #
@@ -344,6 +352,7 @@ module WorkOS
         client_id:,
         ip_address: nil,
         user_agent: nil,
+        invitation_token: nil,
         session: nil
       )
         validate_session(session)
@@ -357,6 +366,7 @@ module WorkOS
               client_secret: WorkOS.config.key!,
               ip_address: ip_address,
               user_agent: user_agent,
+              invitation_token: invitation_token,
               grant_type: 'authorization_code',
             },
           ),
@@ -413,6 +423,7 @@ module WorkOS
       # @param [String] link_authorization_code Used to link an OAuth profile to an existing user,
       # after having completed a Magic Code challenge.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [String] invitation_token The token of an Invitation, if required.
       # @param [Hash] session An optional hash that determines whether the session should be sealed and
       # the optional cookie password.
       #
@@ -425,6 +436,7 @@ module WorkOS
         ip_address: nil,
         user_agent: nil,
         link_authorization_code: nil,
+        invitation_token: nil,
         session: nil
       )
         validate_session(session)
@@ -441,6 +453,7 @@ module WorkOS
               user_agent: user_agent,
               grant_type: 'urn:workos:oauth:grant-type:magic-auth:code',
               link_authorization_code: link_authorization_code,
+              invitation_token: invitation_token,
             },
           ),
         )

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.31.1'
+  VERSION = '6.1.0'
 end

data/lib/workos.rb

@@ -56,6 +56,7 @@ module WorkOS
   autoload :DirectorySync, 'workos/directory_sync'
   autoload :DirectoryUser, 'workos/directory_user'
   autoload :EmailVerification, 'workos/email_verification'
+  autoload :Encryptors, 'workos/encryptors'
   autoload :Event, 'workos/event'
   autoload :Events, 'workos/events'
   autoload :Factor, 'workos/factor'

data/release-please-config.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "release-type": "ruby",
+      "package-name": "workos",
+      "version-file": "lib/workos/version.rb",
+      "changelog-path": "CHANGELOG.md",
+      "include-component-in-tag": false
+    }
+  }
+}

data/spec/lib/workos/encryptors/aes_gcm_spec.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+RSpec.describe WorkOS::Encryptors::AesGcm do
+  subject(:encryptor) { described_class.new }
+
+  let(:key) { 'a' * 32 }
+  let(:data) { { access_token: 'tok_123', user: { id: 'user_01' } } }
+
+  describe '#seal' do
+    it 'returns a base64-encoded string' do
+      sealed = encryptor.seal(data, key)
+      expect(sealed).to be_a(String)
+      expect { Base64.decode64(sealed) }.not_to raise_error
+    end
+
+    it 'produces different output each time (random IV)' do
+      sealed1 = encryptor.seal(data, key)
+      sealed2 = encryptor.seal(data, key)
+      expect(sealed1).not_to eq(sealed2)
+    end
+  end
+
+  describe '#unseal' do
+    it 'round-trips data correctly' do
+      sealed = encryptor.seal(data, key)
+      unsealed = encryptor.unseal(sealed, key)
+      expect(unsealed).to eq(data)
+    end
+
+    it 'returns hash with symbolized keys' do
+      sealed = encryptor.seal({ 'string_key' => 'value' }, key)
+      unsealed = encryptor.unseal(sealed, key)
+      expect(unsealed.keys.first).to be_a(Symbol)
+    end
+
+    it 'raises error with wrong key' do
+      sealed = encryptor.seal(data, key)
+      expect { encryptor.unseal(sealed, 'b' * 32) }.to raise_error(OpenSSL::Cipher::CipherError)
+    end
+  end
+end

data/spec/lib/workos/session_spec.rb

@@ -5,8 +5,8 @@ describe WorkOS::Session do
   let(:cookie_password) { 'test_very_long_cookie_password__' }
   let(:session_data) { 'test_session_data' }
   let(:jwks_url) { 'https://api.workos.com/sso/jwks/client_123' }
-  let(:jwks_hash) { '{"keys":[{"alg":"RS256","kty":"RSA","use":"sig","n":"test_n","e":"AQAB","kid":"sso_oidc_key_pair_123","x5c":["test"],"x5t#S256":"test"}]}' } # rubocop:disable all
   let(:jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), { kid: 'sso_oidc_key_pair_123', use: 'sig', alg: 'RS256' }) }
+  let(:jwks_hash) { { keys: [jwk.export] }.to_json }
 
   before do
     allow(Net::HTTP).to receive(:get).and_return(jwks_hash)
@@ -222,6 +222,29 @@ describe WorkOS::Session do
                            })
     end
 
+    it 'merges custom claims from claim_extractor block' do
+      custom_payload = payload.merge(custom_claim: 'custom_value', another_claim: 123)
+      custom_access_token = JWT.encode(custom_payload, jwk.signing_key, jwk[:alg], { kid: jwk[:kid] })
+      custom_session_data = WorkOS::Session.seal_data({
+                                                        access_token: custom_access_token,
+                                                        user: 'user',
+                                                        impersonator: 'impersonator',
+                                                      }, cookie_password,)
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: custom_session_data,
+        cookie_password: cookie_password,
+      )
+      allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+      result = session.authenticate do |jwt|
+        { my_custom_claim: jwt['custom_claim'], my_other_claim: jwt['another_claim'] }
+      end
+      expect(result[:authenticated]).to be true
+      expect(result[:my_custom_claim]).to eq('custom_value')
+      expect(result[:my_other_claim]).to eq(123)
+    end
+
     describe 'with entitlements' do
       let(:payload) do
         {
@@ -385,4 +408,68 @@ describe WorkOS::Session do
       end
     end
   end
+
+  describe 'custom encryptor' do
+    let(:user_management) { instance_double('UserManagement') }
+    let(:custom_encryptor) do
+      Class.new do
+        def seal(data, _key)
+          "CUSTOM:#{JSON.generate(data)}"
+        end
+
+        def unseal(sealed_data, _key)
+          json = sealed_data.sub('CUSTOM:', '')
+          JSON.parse(json, symbolize_names: true)
+        end
+      end.new
+    end
+
+    before do
+      allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
+    end
+
+    it 'uses custom encryptor for seal_data' do
+      sealed = WorkOS::Session.seal_data({ foo: 'bar' }, 'key', encryptor: custom_encryptor)
+      expect(sealed).to start_with('CUSTOM:')
+    end
+
+    it 'uses custom encryptor for unseal_data' do
+      sealed = 'CUSTOM:{"foo":"bar"}'
+      unsealed = WorkOS::Session.unseal_data(sealed, 'key', encryptor: custom_encryptor)
+      expect(unsealed).to eq({ foo: 'bar' })
+    end
+
+    it 'accepts custom encryptor in initialize' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+        encryptor: custom_encryptor,
+      )
+      expect(session.encryptor).to eq(custom_encryptor)
+    end
+
+    it 'defaults to AesGcm encryptor when none provided' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      expect(session.encryptor).to be_a(WorkOS::Encryptors::AesGcm)
+    end
+
+    it 'raises ArgumentError for invalid encryptor' do
+      expect do
+        WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+          encryptor: Object.new,
+        )
+      end.to raise_error(ArgumentError, /must respond to/)
+    end
+  end
 end

data/spec/lib/workos/user_management_spec.rb

@@ -588,6 +588,28 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with an invitation_token' do
+      it 'includes invitation_token in the request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body[:invitation_token]).to eq('invitation_token_123')
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"user": {"id": "user_123"}, "access_token": "token", "refresh_token": "refresh"}'),
+        )
+
+        described_class.authenticate_with_password(
+          email: 'test@workos.app',
+          password: 'password123',
+          client_id: 'client_123',
+          invitation_token: 'invitation_token_123',
+        )
+      end
+    end
   end
 
   describe '.authenticate_with_code' do
@@ -671,6 +693,27 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with an invitation_token' do
+      it 'includes invitation_token in the request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body[:invitation_token]).to eq('invitation_token_123')
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"user": {"id": "user_123"}, "access_token": "token", "refresh_token": "refresh"}'),
+        )
+
+        described_class.authenticate_with_code(
+          code: '01H93ZZHA0JBHFJH9RR11S83YN',
+          client_id: 'client_123',
+          invitation_token: 'invitation_token_123',
+        )
+      end
+    end
   end
 
   describe '.authenticate_with_refresh_token' do
@@ -735,6 +778,28 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with an invitation_token' do
+      it 'includes invitation_token in the request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body[:invitation_token]).to eq('invitation_token_123')
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"user": {"id": "user_123"}, "access_token": "token", "refresh_token": "refresh"}'),
+        )
+
+        described_class.authenticate_with_magic_auth(
+          code: '452079',
+          client_id: 'client_123',
+          email: 'test@workos.com',
+          invitation_token: 'invitation_token_123',
+        )
+      end
+    end
   end
 
   describe '.authenticate_with_organization_selection' do

data/workos.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'encryptor', '~> 3.0'
-  spec.add_dependency 'jwt', '~> 2.8'
+  spec.add_dependency 'jwt', '~> 3.1'
 
   spec.add_development_dependency 'bundler', '>= 2.0.1'
   spec.add_development_dependency 'rake'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.31.1
+  version: 6.1.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-03 00:00:00.000000000 Z
+date: 2026-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.8'
+        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.8'
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -133,13 +133,16 @@ files:
 - ".github/pull_request_template.md"
 - ".github/renovate.json"
 - ".github/workflows/ci.yml"
+- ".github/workflows/lint-pr-title.yml"
+- ".github/workflows/release-please.yml"
 - ".github/workflows/release.yml"
-- ".github/workflows/version-bump.yml"
 - ".gitignore"
+- ".release-please-manifest.json"
 - ".rspec"
 - ".rubocop.yml"
 - ".rubocop_todo.yml"
 - ".ruby-version"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -166,6 +169,8 @@ files:
 - lib/workos/directory_sync.rb
 - lib/workos/directory_user.rb
 - lib/workos/email_verification.rb
+- lib/workos/encryptors.rb
+- lib/workos/encryptors/aes_gcm.rb
 - lib/workos/errors.rb
 - lib/workos/event.rb
 - lib/workos/events.rb
@@ -205,12 +210,14 @@ files:
 - lib/workos/webhook.rb
 - lib/workos/webhooks.rb
 - lib/workos/widgets.rb
+- release-please-config.json
 - spec/lib/workos/audit_logs_spec.rb
 - spec/lib/workos/cache_spec.rb
 - spec/lib/workos/client.rb
 - spec/lib/workos/configuration_spec.rb
 - spec/lib/workos/directory_sync_spec.rb
 - spec/lib/workos/directory_user_spec.rb
+- spec/lib/workos/encryptors/aes_gcm_spec.rb
 - spec/lib/workos/event_spec.rb
 - spec/lib/workos/mfa_spec.rb
 - spec/lib/workos/organizations_spec.rb
@@ -451,6 +458,7 @@ test_files:
 - spec/lib/workos/configuration_spec.rb
 - spec/lib/workos/directory_sync_spec.rb
 - spec/lib/workos/directory_user_spec.rb
+- spec/lib/workos/encryptors/aes_gcm_spec.rb
 - spec/lib/workos/event_spec.rb
 - spec/lib/workos/mfa_spec.rb
 - spec/lib/workos/organizations_spec.rb

data/.github/workflows/version-bump.yml

@@ -1,80 +0,0 @@
-name: Version Bump
-
-on:
-  workflow_dispatch:
-    inputs:
-      bump_type:
-        description: "Version bump type"
-        required: true
-        type: choice
-        options:
-          - patch
-          - minor
-          - major
-
-jobs:
-  bump-version:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Generate token
-        id: generate-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ vars.SDK_BOT_APP_ID }}
-          private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
-
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-
-      - name: Configure Git
-        run: |
-          git config user.name "workos-bot[bot]"
-          git config user.email "workos-bot[bot]@users.noreply.github.com"
-
-      - name: Read current version
-        id: current-version
-        run: |
-          CURRENT_VERSION=$(grep "VERSION = " lib/workos/version.rb | sed "s/.*VERSION = '\(.*\)'/\1/")
-          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
-
-      - name: Bump version
-        id: bump-version
-        run: |
-          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
-          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
-
-          case "${{ github.event.inputs.bump_type }}" in
-            major)
-              NEW_VERSION="$((MAJOR + 1)).0.0"
-              ;;
-            minor)
-              NEW_VERSION="$MAJOR.$((MINOR + 1)).0"
-              ;;
-            patch)
-              NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
-              ;;
-          esac
-
-          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
-
-      - name: Update version in version.rb
-        run: |
-          sed -i "s/VERSION = '.*'/VERSION = '${{ steps.bump-version.outputs.new_version }}'/" lib/workos/version.rb
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          commit-message: "v${{ steps.bump-version.outputs.new_version }}"
-          title: "v${{ steps.bump-version.outputs.new_version }}"
-          body: |
-            Bumps version from ${{ steps.current-version.outputs.version }} to ${{ steps.bump-version.outputs.new_version }}.
-
-            This PR was automatically created by the version-bump workflow.
-          branch: version-bump-${{ steps.bump-version.outputs.new_version }}
-          labels: version-bump