workos 7.1.2 → 8.0.1

data/lib/workos/base_client.rb

@@ -134,7 +134,8 @@ module WorkOS
       attempt = 0
 
       loop do
-        log(:debug, "request start", method: request.method, path: request.path, attempt: attempt + 1)
+        loggable_path = redact_path(request.path)
+        log(:debug, "request start", method: request.method, path: loggable_path, attempt: attempt + 1)
         http = connection_for(base, timeout)
         response = http.request(request)
         return response if response.is_a?(Net::HTTPSuccess)
@@ -142,11 +143,11 @@ module WorkOS
         if attempt < retries && retryable?(response)
           attempt += 1
           inject_retry_idempotency_key(request)
-          log(:info, "request retry", method: request.method, path: request.path, attempt: attempt + 1, status: response.code.to_i)
+          log(:info, "request retry", method: request.method, path: loggable_path, attempt: attempt + 1, status: response.code.to_i)
           sleep(retry_delay(response, attempt))
           next
         end
-        log(:warn, "request error", method: request.method, path: request.path, status: response.code.to_i, request_id: response["x-request-id"] || response["X-Request-Id"])
+        log(:warn, "request error", method: request.method, path: loggable_path, status: response.code.to_i, request_id: response["x-request-id"] || response["X-Request-Id"])
         handle_error_response(response)
       rescue Net::OpenTimeout, Net::ReadTimeout,
         Errno::ECONNRESET, Errno::ECONNREFUSED,
@@ -155,11 +156,11 @@ module WorkOS
         if attempt < retries
           attempt += 1
           inject_retry_idempotency_key(request)
-          log(:info, "request retry", method: request.method, path: request.path, attempt: attempt + 1, error: e.class.name)
+          log(:info, "request retry", method: request.method, path: loggable_path, attempt: attempt + 1, error: e.class.name)
           sleep(retry_delay(nil, attempt))
           next
         end
-        log(:warn, "connection error", method: request.method, path: request.path, error: e.class.name, message: e.message)
+        log(:warn, "connection error", method: request.method, path: loggable_path, error: e.class.name, message: e.message)
         raise WorkOS::APIConnectionError.new(message: e.message)
       end
     end
@@ -179,6 +180,71 @@ module WorkOS
 
     private
 
+    # Redact path segments that carry bearer-equivalent tokens (e.g.
+    # `/user_management/invitations/by_token/<token>`,
+    # `/user_management/magic_auth/<token>`, password-reset / email-
+    # verification token paths) before the path is written to a logger.
+    # The WorkOS API exposes a small number of "by_token" endpoints whose
+    # path segments are themselves authentication material; redacting them
+    # here means the SDK never emits the token in its own log/retry/error
+    # messages even when the host application configures verbose logging.
+    REDACTED_TOKEN_PREFIXES = %w[
+      /user_management/invitations/by_token
+      /user_management/magic_auth
+      /user_management/password_reset
+      /user_management/email_verification
+    ].freeze
+    private_constant :REDACTED_TOKEN_PREFIXES
+
+    # Query-string keys whose values are bearer-equivalent or otherwise
+    # sensitive and should never appear in SDK log lines. Defense-in-depth
+    # for any path that flows through execute_request with a sensitive
+    # query parameter (most WorkOS-issued tokens are path segments or POST
+    # bodies, but a few flows — e.g. authorize/logout redirects — surface
+    # them in the query string).
+    REDACTED_QUERY_KEYS = %w[
+      token
+      code
+      code_challenge
+      code_verifier
+      session_id
+      refresh_token
+      access_token
+    ].freeze
+    private_constant :REDACTED_QUERY_KEYS
+
+    def redact_path(path)
+      return path if path.nil? || path.empty?
+
+      # Strip query string for the prefix match; reattach (scrubbed) after.
+      path_only, query = path.split("?", 2)
+      REDACTED_TOKEN_PREFIXES.each do |prefix|
+        next unless path_only.start_with?("#{prefix}/")
+
+        # Replace every segment after the matched prefix with "[REDACTED]".
+        remainder = path_only[(prefix.length + 1)..]
+        next if remainder.nil? || remainder.empty?
+
+        redacted = remainder.split("/").map { "[REDACTED]" }.join("/")
+        path_only = "#{prefix}/#{redacted}"
+        break
+      end
+      query ? "#{path_only}?#{redact_query(query)}" : path_only
+    end
+
+    def redact_query(query)
+      return query if query.nil? || query.empty?
+
+      query.split("&").map { |pair|
+        key, value = pair.split("=", 2)
+        if value && !value.empty? && REDACTED_QUERY_KEYS.include?(key)
+          "#{key}=[REDACTED]"
+        else
+          pair
+        end
+      }.join("&")
+    end
+
     def append_query(path, params)
       return path unless params.is_a?(Hash) && !params.empty?
 

data/lib/workos/client.rb

@@ -4,10 +4,6 @@
 
 module WorkOS
   class Client < BaseClient
-    def api_keys
-      @api_keys ||= WorkOS::ApiKeys.new(self)
-    end
-
     def multi_factor_auth
       @multi_factor_auth ||= WorkOS::MultiFactorAuth.new(self)
     end
@@ -48,6 +44,10 @@ module WorkOS
       @organizations ||= WorkOS::Organizations.new(self)
     end
 
+    def api_keys
+      @api_keys ||= WorkOS::ApiKeys.new(self)
+    end
+
     def groups
       @groups ||= WorkOS::Groups.new(self)
     end

data/lib/workos/connect.rb

@@ -43,14 +43,14 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::ApplicationsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param organization_id [String, nil] Filter Connect Applications by organization ID.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::ConnectApplication>]
     def list_applications(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       organization_id: nil,
       request_options: {}

data/lib/workos/directory_sync/directory_user.rb

@@ -13,6 +13,7 @@ module WorkOS
       email: :email,
       first_name: :first_name,
       last_name: :last_name,
+      name: :name,
       emails: :emails,
       job_title: :job_title,
       username: :username,
@@ -43,6 +44,7 @@ module WorkOS
       :email,
       :first_name,
       :last_name,
+      :name,
       :state,
       :custom_attributes,
       :role,
@@ -88,6 +90,7 @@ module WorkOS
       @email = hash[:email]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      @name = hash[:name]
       @emails = (hash[:emails] || []).map { |item| item ? WorkOS::DirectoryUserEmail.new(item) : nil }
       @job_title = hash[:job_title]
       @username = hash[:username]

data/lib/workos/directory_sync/directory_user_with_groups.rb

@@ -13,6 +13,7 @@ module WorkOS
       email: :email,
       first_name: :first_name,
       last_name: :last_name,
+      name: :name,
       emails: :emails,
       job_title: :job_title,
       username: :username,
@@ -35,7 +36,7 @@ module WorkOS
     # @!attribute raw_attributes
     #   @deprecated The raw attributes received from the directory provider.
     # @!attribute groups
-    #   @deprecated The directory groups the user belongs to. Use the List Directory Groups endpoint with a user filter instead.
+    #   @deprecated The directory groups the user belongs to. Deprecated: starting May 1, 2026, this field returns an empty array by default for newly created teams. Existing teams currently depending on this field should migrate to the new access pattern for better throughput performance — the field is unbounded by user, so users with many group memberships produce large, slow response payloads. Use the List Directory Groups endpoint with a `user` filter to fetch a user's group memberships.
 
     attr_accessor \
       :object,
@@ -46,6 +47,7 @@ module WorkOS
       :email,
       :first_name,
       :last_name,
+      :name,
       :state,
       :custom_attributes,
       :role,
@@ -98,6 +100,7 @@ module WorkOS
       @email = hash[:email]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      @name = hash[:name]
       @emails = (hash[:emails] || []).map { |item| item ? WorkOS::DirectoryUserWithGroupsEmail.new(item) : nil }
       @job_title = hash[:job_title]
       @username = hash[:username]

data/lib/workos/directory_sync/dsync_user_updated_data.rb

@@ -13,6 +13,7 @@ module WorkOS
       email: :email,
       first_name: :first_name,
       last_name: :last_name,
+      name: :name,
       emails: :emails,
       job_title: :job_title,
       username: :username,
@@ -44,6 +45,7 @@ module WorkOS
       :email,
       :first_name,
       :last_name,
+      :name,
       :state,
       :custom_attributes,
       :role,
@@ -90,6 +92,7 @@ module WorkOS
       @email = hash[:email]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      @name = hash[:name]
       @emails = (hash[:emails] || []).map { |item| item ? WorkOS::DsyncUserUpdatedDataEmail.new(item) : nil }
       @job_title = hash[:job_title]
       @username = hash[:username]

data/lib/workos/directory_sync.rb

@@ -14,7 +14,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::DirectoriesOrder, nil] Order the results by the creation time.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time.
     # @param organization_id [String, nil] Filter Directories by their associated organization.
     # @param search [String, nil] Searchable text to match against Directory names.
     # @param domain [String, nil] (deprecated) Filter Directories by their associated domain.
@@ -23,7 +23,7 @@ module WorkOS
     def list_directories(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       organization_id: nil,
       search: nil,
@@ -106,7 +106,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::DirectoryGroupsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param directory [String, nil] Unique identifier of the WorkOS Directory. This value can be obtained from the WorkOS dashboard or from the WorkOS API.
     # @param user [String, nil] Unique identifier of the WorkOS Directory User. This value can be obtained from the WorkOS API.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
@@ -114,7 +114,7 @@ module WorkOS
     def list_groups(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       directory: nil,
       user: nil,
@@ -177,7 +177,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::DirectoryUsersOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param directory [String, nil] Unique identifier of the WorkOS Directory. This value can be obtained from the WorkOS dashboard or from the WorkOS API.
     # @param group [String, nil] Unique identifier of the WorkOS Directory Group. This value can be obtained from the WorkOS API.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
@@ -185,7 +185,7 @@ module WorkOS
     def list_users(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       directory: nil,
       group: nil,

data/lib/workos/encryptors/aes_gcm.rb

@@ -14,8 +14,14 @@ module WorkOS
   module Encryptors
     class AesGcm
       SEAL_VERSION = 0x01
+      # Minimum cookie_password byte length. AES-256-GCM derives a 32-byte
+      # key from the password via SHA-256; a passphrase shorter than the
+      # output it derives to provides less than the full keyspace and makes
+      # offline brute-force feasible. See README + V7_MIGRATION_GUIDE.md.
+      MIN_KEY_BYTES = 32
 
       def seal(data, key)
+        validate_key!(key)
         json = data.is_a?(String) ? data : JSON.generate(data)
         cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
         cipher.key = derive_key(key)
@@ -26,13 +32,16 @@ module WorkOS
       end
 
       def unseal(sealed, key)
+        validate_key!(key)
         raw = Base64.decode64(sealed.to_s)
-        decode_v7(raw, key)
-      rescue ArgumentError, OpenSSL::Cipher::CipherError => original_error
         begin
-          decode_old(raw, key)
-        rescue ArgumentError, OpenSSL::Cipher::CipherError
-          raise original_error
+          decode_v7(raw, key)
+        rescue ArgumentError, OpenSSL::Cipher::CipherError => original_error
+          begin
+            decode_old(raw, key)
+          rescue ArgumentError, OpenSSL::Cipher::CipherError
+            raise original_error
+          end
         end
       end
 
@@ -83,6 +92,11 @@ module WorkOS
       def derive_key(passphrase)
         Digest::SHA256.digest(passphrase.to_s)
       end
+
+      def validate_key!(key)
+        raise ArgumentError, "cookie_password is required" if key.nil? || key.to_s.empty?
+        raise ArgumentError, "cookie_password must be at least #{MIN_KEY_BYTES} bytes" if key.to_s.bytesize < MIN_KEY_BYTES
+      end
     end
   end
 end

data/lib/workos/events.rb

@@ -14,7 +14,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::EventsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param events [Array<String>, nil] Filter events by one or more event types (e.g. `dsync.user.created`).
     # @param range_start [String, nil] ISO-8601 date string to filter events created after this date.
     # @param range_end [String, nil] ISO-8601 date string to filter events created before this date.
@@ -24,7 +24,7 @@ module WorkOS
     def list_events(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       events: nil,
       range_start: nil,

data/lib/workos/feature_flags.rb

@@ -14,13 +14,13 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::FeatureFlagsOrder, nil] Order the results by the creation time.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::Flag>]
     def list_feature_flags(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -154,14 +154,14 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::OrganizationsFeatureFlagsOrder, nil] Order the results by the creation time.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::Flag>]
     def list_organization_feature_flags(
       organization_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -201,14 +201,14 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::UserManagementUsersFeatureFlagsOrder, nil] Order the results by the creation time.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::Flag>]
     def list_user_feature_flags(
       user_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )

data/lib/workos/groups.rb

@@ -15,14 +15,14 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::GroupsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::Group>]
     def list_organization_groups(
       organization_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )
@@ -161,7 +161,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::GroupsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::UserOrganizationMembershipBaseListData>]
     def list_group_organization_memberships(
@@ -169,7 +169,7 @@ module WorkOS
       group_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )

data/lib/workos/multi_factor_auth.rb

@@ -136,14 +136,14 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::UserManagementMultiFactorAuthenticationOrder, nil] Order the results by the creation time.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
     # @return [WorkOS::Types::ListStruct<WorkOS::AuthenticationFactor>]
     def list_user_auth_factors(
       userland_user_id:,
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       request_options: {}
     )

data/lib/workos/organizations.rb

@@ -14,7 +14,7 @@ module WorkOS
     # @param before [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `before="obj_123"` to fetch a new batch of objects before `"obj_123"`.
     # @param after [String, nil] An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with `"obj_123"`, your subsequent call can include `after="obj_123"` to fetch a new batch of objects after `"obj_123"`.
     # @param limit [Integer, nil] Upper limit on the number of objects to return, between `1` and `100`.
-    # @param order [WorkOS::Types::OrganizationsOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
+    # @param order [WorkOS::Types::PaginationOrder, nil] Order the results by the creation time. Supported values are `"asc"` (ascending), `"desc"` (descending), and `"normal"` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.
     # @param domains [Array<String>, nil] The domains of an Organization. Any Organization with a matching domain will be returned.
     # @param search [String, nil] Searchable text for an Organization. Matches against the organization name.
     # @param request_options [Hash] (see WorkOS::Types::RequestOptions)
@@ -22,7 +22,7 @@ module WorkOS
     def list_organizations(
       before: nil,
       after: nil,
-      limit: nil,
+      limit: 10,
       order: "desc",
       domains: nil,
       search: nil,

data/lib/workos/session.rb

@@ -21,8 +21,16 @@ module WorkOS
   # @example Build a logout URL
   #   url = session.get_logout_url(return_to: "https://app.example.com")
   class Session
+    # Minimum cookie_password byte length. AES-256-GCM derives a 32-byte
+    # key from the password via SHA-256; a passphrase shorter than the
+    # output it derives to provides less than the full keyspace and makes
+    # offline brute-force feasible. Require callers to supply at least 32
+    # bytes of high-entropy secret. See README + V7_MIGRATION_GUIDE.md.
+    MIN_COOKIE_PASSWORD_BYTES = 32
+
     def initialize(manager, seal_data:, cookie_password:)
       raise ArgumentError, "cookie_password is required" if cookie_password.nil? || cookie_password.empty?
+      raise ArgumentError, "cookie_password must be at least #{MIN_COOKIE_PASSWORD_BYTES} bytes" if cookie_password.bytesize < MIN_COOKIE_PASSWORD_BYTES
       @manager = manager
       @client = manager.client
       @seal_data = seal_data
@@ -57,7 +65,7 @@ module WorkOS
         return SessionManager::AuthError.new(authenticated: false, reason: SessionManager::INVALID_JWT)
       end
 
-      is_expired = decoded["exp"] && decoded["exp"] < Time.now.to_i
+      is_expired = decoded["exp"].nil? || decoded["exp"] < Time.now.to_i
 
       SessionManager::AuthSuccess.new(
         authenticated: !is_expired,
@@ -77,6 +85,11 @@ module WorkOS
 
     def refresh(organization_id: nil, cookie_password: nil)
       effective_password = cookie_password || @cookie_password
+      # Validate up front so a caller-supplied short password raises ArgumentError
+      # (matching Session#initialize) instead of being swallowed by the
+      # unseal_data rescue and surfacing as INVALID_SESSION_COOKIE.
+      raise ArgumentError, "cookie_password is required" if effective_password.nil? || effective_password.empty?
+      raise ArgumentError, "cookie_password must be at least #{MIN_COOKIE_PASSWORD_BYTES} bytes" if effective_password.bytesize < MIN_COOKIE_PASSWORD_BYTES
 
       session = begin
         @manager.unseal_data(@seal_data, effective_password)
@@ -105,17 +118,20 @@ module WorkOS
         impersonator: auth_response["impersonator"]
       )
 
-      # Decode before mutating session state so a malformed access_token
-      # doesn't leave the Session half-updated.
-      decoded = @manager.decode_jwt(auth_response["access_token"])
-
+      # Persist the new seal/password BEFORE decoding the JWT, so a transient
+      # JWKS fetch error (or any decode failure on the freshly-minted token)
+      # leaves the Session with a usable sealed cookie that the caller can
+      # re-#authenticate against, rather than half-updated state.
       @seal_data = sealed
       @cookie_password = effective_password
+
+      decoded = @manager.decode_jwt(auth_response["access_token"])
+
       SessionManager::RefreshSuccess.new(
         authenticated: true,
         sealed_session: sealed,
         session_id: decoded["sid"],
-        organization_id: decoded["org_id"],
+        organization_id: auth_response["organization_id"] || decoded["org_id"],
         role: decoded["role"],
         roles: decoded["roles"],
         permissions: decoded["permissions"],
@@ -127,7 +143,12 @@ module WorkOS
     rescue WorkOS::AuthenticationError, WorkOS::InvalidRequestError => e
       SessionManager::RefreshError.new(authenticated: false, reason: e.message)
     rescue JWT::DecodeError => e
-      SessionManager::RefreshError.new(authenticated: false, reason: e.message)
+      # The refresh token was already rotated server-side before decode failed,
+      # so @seal_data holds the freshly-minted cookie. Surface it on the error
+      # struct so the caller can write the rotated cookie back to the browser
+      # and recover on a subsequent #authenticate, rather than re-sending the
+      # now-revoked refresh token.
+      SessionManager::RefreshError.new(authenticated: false, reason: e.message, sealed_session: @seal_data)
     end
 
     # Build the WorkOS session-logout URL for the currently authenticated session.

data/lib/workos/session_manager.rb

@@ -107,7 +107,7 @@ module WorkOS
       :roles, :permissions, :entitlements, :user, :impersonator, :feature_flags,
       keyword_init: true
     )
-    RefreshError = Struct.new(:authenticated, :reason, keyword_init: true)
+    RefreshError = Struct.new(:authenticated, :reason, :sealed_session, keyword_init: true)
 
     # Failure reason constants
     NO_SESSION_COOKIE_PROVIDED = "no_session_cookie_provided"
@@ -150,12 +150,14 @@ module WorkOS
     # H06 — Raw seal: encrypt arbitrary data with a key string.
     # Delegates to the configured encryptor (default: AES-256-GCM).
     def seal_data(data, key)
+      validate_cookie_password!(key)
       @encryptor.seal(data, key)
     end
 
     # H06 — Raw unseal: returns parsed JSON (Hash) or raw string if not JSON.
     # Delegates to the configured encryptor (default: AES-256-GCM).
     def unseal_data(sealed, key)
+      validate_cookie_password!(key)
       @encryptor.unseal(sealed, key)
     end
 
@@ -164,11 +166,20 @@ module WorkOS
       payload = {"access_token" => access_token, "refresh_token" => refresh_token}
       payload["user"] = user if user
       payload["impersonator"] = impersonator if impersonator
+      # Delegates to seal_data, which calls validate_cookie_password!; no need
+      # to validate here too.
       seal_data(payload, cookie_password)
     end
 
     # Verify an access-token JWT against the WorkOS JWKS for this client.
     # Used by Session#authenticate; exposed publicly for advanced cases.
+    #
+    # NOTE on iss/aud/required_claims: this method intentionally does not
+    # enforce iss, aud, or required_claims. workos-node's `jose` call and
+    # workos-php's `isset($exp) && $exp < time()` accept exp-less tokens, and
+    # cross-SDK parity is required for the planned coordinated hardening of
+    # these claims. See commit 9ce069f for the rationale behind dropping the
+    # required_claims: ['exp'] tightening that was considered here.
     def decode_jwt(access_token, verify_expiration: true)
       jwks = fetch_jwks
       JWT.decode(
@@ -182,6 +193,18 @@ module WorkOS
       ).first
     end
 
+    private
+
+    # Validate a cookie_password is non-empty and at least the minimum
+    # byte length required by Session::MIN_COOKIE_PASSWORD_BYTES (32).
+    # Defense-in-depth — Session#initialize enforces the same invariant
+    # on the load path; this guards the inline #seal_data / #unseal_data
+    # entry points.
+    def validate_cookie_password!(key)
+      raise ArgumentError, "cookie_password is required" if key.nil? || key.empty?
+      raise ArgumentError, "cookie_password must be at least #{Session::MIN_COOKIE_PASSWORD_BYTES} bytes" if key.bytesize < Session::MIN_COOKIE_PASSWORD_BYTES
+    end
+
     # Cached JWKS fetch (5-minute TTL, thread-safe).
     def fetch_jwks(now: Time.now)
       @jwks_mutex.synchronize do

data/lib/workos/sso/profile.rb

@@ -14,6 +14,7 @@ module WorkOS
       email: :email,
       first_name: :first_name,
       last_name: :last_name,
+      name: :name,
       role: :role,
       roles: :roles,
       groups: :groups,
@@ -31,6 +32,7 @@ module WorkOS
       :email,
       :first_name,
       :last_name,
+      :name,
       :role,
       :roles,
       :groups,
@@ -48,6 +50,7 @@ module WorkOS
       @email = hash[:email]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      @name = hash[:name]
       @role = hash[:role] ? WorkOS::SlimRole.new(hash[:role]) : nil
       @roles = (hash[:roles] || []).map { |item| item ? WorkOS::SlimRole.new(item) : nil }
       @groups = hash[:groups] || []