@workos/mcp-docs-server 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (568) hide show
  1. package/.docs/organized/changelogs/workos-platform.json +125 -125
  2. package/.docs/organized/docs/admin-portal/custom-branding.mdx +2 -4
  3. package/.docs/organized/docs/admin-portal/example-apps.mdx +11 -11
  4. package/.docs/organized/docs/admin-portal/index.mdx +39 -33
  5. package/.docs/organized/docs/audit-logs/admin-portal.mdx +1 -1
  6. package/.docs/organized/docs/audit-logs/editing-events.mdx +1 -1
  7. package/.docs/organized/docs/audit-logs/exporting-events.mdx +1 -1
  8. package/.docs/organized/docs/audit-logs/index.mdx +17 -2
  9. package/.docs/organized/docs/audit-logs/log-streams.mdx +325 -1
  10. package/.docs/organized/docs/audit-logs/metadata-schema.mdx +1 -1
  11. package/.docs/organized/docs/authkit/_navigation.mdx +108 -0
  12. package/.docs/organized/docs/{user-management → authkit}/actions.mdx +3 -4
  13. package/.docs/organized/docs/authkit/add-ons/google-analytics.mdx +79 -0
  14. package/.docs/organized/docs/authkit/add-ons/segment.mdx +77 -0
  15. package/.docs/organized/docs/authkit/add-ons/stripe.mdx +103 -0
  16. package/.docs/organized/docs/authkit/api-keys.mdx +99 -0
  17. package/.docs/organized/docs/{user-management → authkit}/branding.mdx +220 -2
  18. package/.docs/organized/docs/authkit/cli-auth.mdx +76 -0
  19. package/.docs/organized/docs/authkit/cli-installer.mdx +157 -0
  20. package/.docs/organized/docs/authkit/connect/m2m.mdx +65 -0
  21. package/.docs/organized/docs/authkit/connect/oauth.mdx +88 -0
  22. package/.docs/organized/docs/authkit/connect/standalone.mdx +179 -0
  23. package/.docs/organized/docs/authkit/connect.mdx +65 -0
  24. package/.docs/organized/docs/authkit/custom-email-providers.mdx +141 -0
  25. package/.docs/organized/docs/{user-management → authkit}/custom-emails.mdx +15 -15
  26. package/.docs/organized/docs/authkit/directory-provisioning.mdx +89 -0
  27. package/.docs/organized/docs/{user-management → authkit}/domain-verification.mdx +5 -6
  28. package/.docs/organized/docs/{user-management → authkit}/email-password.mdx +2 -2
  29. package/.docs/organized/docs/authkit/email-verification.mdx +31 -0
  30. package/.docs/organized/docs/{user-management → authkit}/example-apps.mdx +3 -3
  31. package/.docs/organized/docs/authkit/hosted-ui.mdx +165 -0
  32. package/.docs/organized/docs/{user-management → authkit}/identity-linking.mdx +9 -9
  33. package/.docs/organized/docs/{user-management → authkit}/impersonation.mdx +8 -8
  34. package/.docs/organized/docs/{user-management → authkit}/index.mdx +141 -74
  35. package/.docs/organized/docs/{user-management → authkit}/invitations.mdx +4 -4
  36. package/.docs/organized/docs/{user-management → authkit}/invite-only-signup.mdx +3 -3
  37. package/.docs/organized/docs/authkit/jit-provisioning.mdx +42 -0
  38. package/.docs/organized/docs/{user-management → authkit}/jwt-templates.mdx +37 -3
  39. package/.docs/organized/docs/authkit/landing.mdx +22 -0
  40. package/.docs/organized/docs/{user-management → authkit}/magic-auth.mdx +3 -5
  41. package/.docs/organized/docs/{user-management → authkit}/mcp.mdx +46 -9
  42. package/.docs/organized/docs/{user-management → authkit}/metadata.mdx +9 -9
  43. package/.docs/organized/docs/{user-management → authkit}/mfa.mdx +2 -2
  44. package/.docs/organized/docs/{user-management → authkit}/migrations.mdx +4 -4
  45. package/.docs/organized/docs/{user-management → authkit}/modeling-your-app.mdx +11 -11
  46. package/.docs/organized/docs/{user-management → authkit}/organization-policies.mdx +3 -4
  47. package/.docs/organized/docs/authkit/overview.mdx +46 -0
  48. package/.docs/organized/docs/{user-management → authkit}/passkeys.mdx +3 -3
  49. package/.docs/organized/docs/authkit/pipes.mdx +75 -0
  50. package/.docs/organized/docs/{user-management → authkit}/radar.mdx +39 -4
  51. package/.docs/organized/docs/authkit/roles-and-permissions.mdx +208 -0
  52. package/.docs/organized/docs/{user-management → authkit}/sessions.mdx +32 -20
  53. package/.docs/organized/docs/{user-management → authkit}/social-login.mdx +16 -2
  54. package/.docs/organized/docs/{user-management → authkit}/sso-with-contractors.mdx +3 -4
  55. package/.docs/organized/docs/{user-management → authkit}/sso.mdx +2 -2
  56. package/.docs/organized/docs/authkit/users-organizations.mdx +107 -0
  57. package/.docs/organized/docs/custom-domains/admin-portal.mdx +0 -2
  58. package/.docs/organized/docs/custom-domains/authkit.mdx +0 -2
  59. package/.docs/organized/docs/custom-domains/email.mdx +2 -2
  60. package/.docs/organized/docs/deprecations/_navigation.mdx +8 -0
  61. package/.docs/organized/docs/deprecations/raw-attributes.mdx +136 -0
  62. package/.docs/organized/docs/directory-sync/attributes.mdx +50 -31
  63. package/.docs/organized/docs/directory-sync/example-apps.mdx +11 -11
  64. package/.docs/organized/docs/directory-sync/identity-provider-role-assignment.mdx +23 -26
  65. package/.docs/organized/docs/directory-sync/index.mdx +4 -2
  66. package/.docs/organized/docs/directory-sync/quick-start.mdx +3 -3
  67. package/.docs/organized/docs/directory-sync/understanding-events.mdx +2 -2
  68. package/.docs/organized/docs/domain-verification/api.mdx +8 -8
  69. package/.docs/organized/docs/domain-verification/index.mdx +3 -3
  70. package/.docs/organized/docs/email.mdx +49 -5
  71. package/.docs/organized/docs/events/data-syncing/events-api.mdx +3 -3
  72. package/.docs/organized/docs/events/data-syncing/index.mdx +2 -3
  73. package/.docs/organized/docs/events/data-syncing/webhooks.mdx +4 -4
  74. package/.docs/organized/docs/events/index.mdx +419 -33
  75. package/.docs/organized/docs/feature-flags/_navigation.mdx +10 -0
  76. package/.docs/organized/docs/feature-flags/index.mdx +80 -0
  77. package/.docs/organized/docs/feature-flags/slack-notifications.mdx +58 -0
  78. package/.docs/organized/docs/fga/_navigation.mdx +34 -54
  79. package/.docs/organized/docs/fga/access-checks.mdx +109 -0
  80. package/.docs/organized/docs/fga/assignments.mdx +124 -0
  81. package/.docs/organized/docs/fga/authkit-integration.mdx +92 -0
  82. package/.docs/organized/docs/fga/high-cardinality-entities.mdx +172 -0
  83. package/.docs/organized/docs/fga/idp-role-assignment.mdx +66 -0
  84. package/.docs/organized/docs/fga/index.mdx +94 -29
  85. package/.docs/organized/docs/fga/migration-openfga.mdx +306 -0
  86. package/.docs/organized/docs/fga/migration-oso.mdx +372 -0
  87. package/.docs/organized/docs/fga/migration-spicedb.mdx +364 -0
  88. package/.docs/organized/docs/fga/quick-start.mdx +283 -98
  89. package/.docs/organized/docs/fga/resource-discovery.mdx +78 -0
  90. package/.docs/organized/docs/fga/resource-types.mdx +165 -0
  91. package/.docs/organized/docs/fga/resources.mdx +179 -59
  92. package/.docs/organized/docs/fga/roles-and-permissions.mdx +122 -0
  93. package/.docs/organized/docs/fga/standalone-integration.mdx +176 -0
  94. package/.docs/organized/docs/glossary.mdx +7 -3
  95. package/.docs/organized/docs/integrations/access-people-hr.mdx +1 -1
  96. package/.docs/organized/docs/integrations/adp-oidc.mdx +1 -1
  97. package/.docs/organized/docs/integrations/apple.mdx +112 -69
  98. package/.docs/organized/docs/integrations/auth0-directory-sync.mdx +3 -1
  99. package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx +3 -1
  100. package/.docs/organized/docs/integrations/auth0-saml.mdx +3 -1
  101. package/.docs/organized/docs/integrations/bamboohr.mdx +4 -4
  102. package/.docs/organized/docs/integrations/breathe-hr.mdx +1 -1
  103. package/.docs/organized/docs/integrations/bubble.mdx +1 -1
  104. package/.docs/organized/docs/integrations/cas-saml.mdx +2 -2
  105. package/.docs/organized/docs/integrations/classlink-saml.mdx +2 -2
  106. package/.docs/organized/docs/integrations/clever-oidc.mdx +94 -0
  107. package/.docs/organized/docs/integrations/cloudflare-saml.mdx +35 -2
  108. package/.docs/organized/docs/integrations/cyberark-saml.mdx +2 -2
  109. package/.docs/organized/docs/integrations/cyberark-scim.mdx +1 -1
  110. package/.docs/organized/docs/integrations/duo-saml.mdx +2 -2
  111. package/.docs/organized/docs/integrations/entra-id-oidc.mdx +198 -0
  112. package/.docs/organized/docs/integrations/entra-id-saml.mdx +3 -3
  113. package/.docs/organized/docs/integrations/entra-id-scim.mdx +5 -1
  114. package/.docs/organized/docs/integrations/fourth.mdx +2 -2
  115. package/.docs/organized/docs/integrations/github-oauth.mdx +80 -33
  116. package/.docs/organized/docs/integrations/gitlab-oauth.mdx +86 -31
  117. package/.docs/organized/docs/integrations/google-directory-sync.mdx +5 -1
  118. package/.docs/organized/docs/integrations/google-oauth.mdx +87 -70
  119. package/.docs/organized/docs/integrations/google-oidc.mdx +142 -0
  120. package/.docs/organized/docs/integrations/google-saml.mdx +3 -3
  121. package/.docs/organized/docs/integrations/hibob.mdx +17 -4
  122. package/.docs/organized/docs/integrations/intuit-oauth.mdx +128 -0
  123. package/.docs/organized/docs/integrations/jumpcloud-saml.mdx +2 -2
  124. package/.docs/organized/docs/integrations/jumpcloud-scim.mdx +5 -1
  125. package/.docs/organized/docs/integrations/keycloak-saml.mdx +2 -2
  126. package/.docs/organized/docs/integrations/lastpass-saml.mdx +2 -2
  127. package/.docs/organized/docs/integrations/linkedin-oauth.mdx +69 -30
  128. package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx +2 -2
  129. package/.docs/organized/docs/integrations/microsoft-oauth.mdx +95 -38
  130. package/.docs/organized/docs/integrations/miniorange-saml.mdx +2 -2
  131. package/.docs/organized/docs/integrations/net-iq-saml.mdx +2 -2
  132. package/.docs/organized/docs/integrations/next-auth.mdx +1 -1
  133. package/.docs/organized/docs/integrations/oidc.mdx +37 -24
  134. package/.docs/organized/docs/integrations/okta-oidc.mdx +149 -0
  135. package/.docs/organized/docs/integrations/okta-saml.mdx +3 -3
  136. package/.docs/organized/docs/integrations/okta-scim.mdx +6 -2
  137. package/.docs/organized/docs/integrations/onelogin-saml.mdx +2 -2
  138. package/.docs/organized/docs/integrations/onelogin-scim.mdx +1 -1
  139. package/.docs/organized/docs/integrations/oracle-saml.mdx +2 -2
  140. package/.docs/organized/docs/integrations/pingfederate-saml.mdx +2 -2
  141. package/.docs/organized/docs/integrations/pingfederate-scim.mdx +1 -1
  142. package/.docs/organized/docs/integrations/pingone-saml.mdx +2 -2
  143. package/.docs/organized/docs/integrations/rippling-saml.mdx +2 -2
  144. package/.docs/organized/docs/integrations/rippling-scim.mdx +1 -1
  145. package/.docs/organized/docs/integrations/sailpoint-scim.mdx +77 -0
  146. package/.docs/organized/docs/integrations/salesforce-oauth.mdx +116 -0
  147. package/.docs/organized/docs/integrations/salesforce-saml.mdx +4 -4
  148. package/.docs/organized/docs/integrations/saml.mdx +43 -23
  149. package/.docs/organized/docs/integrations/scim.mdx +36 -24
  150. package/.docs/organized/docs/integrations/sftp.mdx +59 -36
  151. package/.docs/organized/docs/integrations/shibboleth-generic-saml.mdx +1 -1
  152. package/.docs/organized/docs/integrations/shibboleth-unsolicited-saml.mdx +1 -1
  153. package/.docs/organized/docs/integrations/simple-saml-php.mdx +2 -2
  154. package/.docs/organized/docs/integrations/slack-oauth.mdx +53 -49
  155. package/.docs/organized/docs/integrations/supabase-authkit.mdx +46 -0
  156. package/.docs/organized/docs/integrations/{supabase.mdx → supabase-sso.mdx} +6 -4
  157. package/.docs/organized/docs/integrations/vercel-oauth.mdx +120 -0
  158. package/.docs/organized/docs/integrations/vmware-saml.mdx +2 -2
  159. package/.docs/organized/docs/integrations/workday.mdx +1 -1
  160. package/.docs/organized/docs/integrations/xero-oauth.mdx +77 -32
  161. package/.docs/organized/docs/magic-link/example-apps.mdx +11 -11
  162. package/.docs/organized/docs/magic-link/index.mdx +2 -0
  163. package/.docs/organized/docs/mfa/example-apps.mdx +2 -2
  164. package/.docs/organized/docs/mfa/index.mdx +2 -2
  165. package/.docs/organized/docs/mfa/ux/enrollment.mdx +1 -1
  166. package/.docs/organized/docs/mfa/ux/sign-in.mdx +1 -1
  167. package/.docs/organized/docs/migrate/_navigation.mdx +21 -1
  168. package/.docs/organized/docs/migrate/auth0.mdx +5 -5
  169. package/.docs/organized/docs/migrate/aws-cognito.mdx +5 -5
  170. package/.docs/organized/docs/migrate/better-auth.mdx +282 -0
  171. package/.docs/organized/docs/migrate/clerk.mdx +9 -11
  172. package/.docs/organized/docs/migrate/descope.mdx +290 -0
  173. package/.docs/organized/docs/migrate/firebase.mdx +4 -4
  174. package/.docs/organized/docs/migrate/other-services.mdx +25 -6
  175. package/.docs/organized/docs/migrate/standalone-sso.mdx +14 -14
  176. package/.docs/organized/docs/migrate/stytch.mdx +363 -0
  177. package/.docs/organized/docs/migrate/supabase.mdx +255 -0
  178. package/.docs/organized/docs/on-prem-deployment.mdx +1 -1
  179. package/.docs/organized/docs/pipes/_navigation.mdx +12 -0
  180. package/.docs/organized/docs/pipes/index.mdx +75 -0
  181. package/.docs/organized/docs/pipes/providers.mdx +9 -0
  182. package/.docs/organized/docs/rbac/_navigation.mdx +16 -0
  183. package/.docs/organized/docs/rbac/configuration.mdx +80 -0
  184. package/.docs/organized/docs/rbac/idp-role-assignment.mdx +79 -0
  185. package/.docs/organized/docs/rbac/index.mdx +24 -0
  186. package/.docs/organized/docs/rbac/integration.mdx +59 -0
  187. package/.docs/organized/docs/rbac/organization-roles.mdx +38 -0
  188. package/.docs/organized/docs/rbac/quick-start.mdx +52 -0
  189. package/.docs/organized/docs/reference/_navigation.mdx +437 -284
  190. package/.docs/organized/docs/reference/admin-portal/portal-link/index.mdx +1 -1
  191. package/.docs/organized/docs/reference/admin-portal/provider-icons/index.mdx +3 -3
  192. package/.docs/organized/docs/reference/{api-keys.mdx → api-authentication/index.mdx} +3 -3
  193. package/.docs/organized/docs/reference/audit-logs/configuration/index.mdx +97 -0
  194. package/.docs/organized/docs/reference/audit-logs/{create-event.mdx → event/create.mdx} +12 -2
  195. package/.docs/organized/docs/reference/audit-logs/event/index.mdx +92 -0
  196. package/.docs/organized/docs/reference/audit-logs/{create-export.mdx → export/create.mdx} +1 -1
  197. package/.docs/organized/docs/reference/audit-logs/{get-export.mdx → export/get.mdx} +1 -1
  198. package/.docs/organized/docs/reference/audit-logs/{audit-log-export.mdx → export/index.mdx} +11 -12
  199. package/.docs/organized/docs/reference/audit-logs/{get-retention.mdx → retention/get.mdx} +1 -1
  200. package/.docs/organized/docs/reference/audit-logs/retention/index.mdx +25 -0
  201. package/.docs/organized/docs/reference/audit-logs/{set-retention.mdx → retention/set.mdx} +1 -1
  202. package/.docs/organized/docs/reference/audit-logs/{create-schema.mdx → schema/create.mdx} +1 -1
  203. package/.docs/organized/docs/reference/audit-logs/{audit-log-schema.mdx → schema/index.mdx} +5 -6
  204. package/.docs/organized/docs/reference/audit-logs/{list-actions.mdx → schema/list-actions.mdx} +2 -1
  205. package/.docs/organized/docs/reference/audit-logs/{list-schemas.mdx → schema/list.mdx} +1 -1
  206. package/.docs/organized/docs/reference/authkit/api-keys/create-for-organization.mdx +40 -0
  207. package/.docs/organized/docs/reference/authkit/api-keys/delete.mdx +23 -0
  208. package/.docs/organized/docs/reference/authkit/api-keys/index.mdx +275 -0
  209. package/.docs/organized/docs/reference/authkit/api-keys/list-for-organization.mdx +41 -0
  210. package/.docs/organized/docs/reference/authkit/api-keys/validate.mdx +77 -0
  211. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/code.mdx +138 -18
  212. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/email-verification.mdx +10 -10
  213. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/error-codes.mdx +3 -3
  214. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/index.mdx +64 -17
  215. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/get-authorization-url/pkce.mdx +2 -2
  216. package/.docs/organized/docs/reference/authkit/authentication/get-authorization-url/redirect-uri.mdx +47 -0
  217. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/index.mdx +19 -11
  218. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/magic-auth.mdx +9 -9
  219. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/organization-selection.mdx +9 -9
  220. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/password.mdx +8 -8
  221. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/refresh-and-seal-session-data.mdx +3 -3
  222. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/refresh-token.mdx +17 -17
  223. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/session-cookie.mdx +7 -3
  224. package/.docs/organized/docs/reference/{user-management → authkit}/authentication/totp.mdx +10 -10
  225. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/email-verification-required-error.mdx +3 -3
  226. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/index.mdx +1 -3
  227. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/mfa-challenge-error.mdx +3 -3
  228. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/mfa-enrollment-error.mdx +3 -3
  229. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/organization-authentication-required-error.mdx +3 -3
  230. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/organization-selection-error.mdx +3 -4
  231. package/.docs/organized/docs/reference/{user-management → authkit}/authentication-errors/sso-required-error.mdx +3 -3
  232. package/.docs/organized/docs/reference/authkit/cli-auth/device-authorization.mdx +61 -0
  233. package/.docs/organized/docs/reference/authkit/cli-auth/device-code.mdx +57 -0
  234. package/.docs/organized/docs/reference/authkit/cli-auth/error-codes.mdx +31 -0
  235. package/.docs/organized/docs/reference/authkit/cli-auth/index.mdx +22 -0
  236. package/.docs/organized/docs/reference/{user-management → authkit}/email-verification/get.mdx +8 -8
  237. package/.docs/organized/docs/reference/{user-management → authkit}/email-verification/index.mdx +9 -11
  238. package/.docs/organized/docs/reference/{user-management → authkit}/identity/index.mdx +6 -9
  239. package/.docs/organized/docs/reference/{user-management → authkit}/identity/list.mdx +5 -6
  240. package/.docs/organized/docs/reference/authkit/index.mdx +13 -0
  241. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/accept.mdx +5 -5
  242. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/find-by-token.mdx +8 -8
  243. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/get.mdx +8 -9
  244. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/index.mdx +10 -15
  245. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/list.mdx +10 -11
  246. package/.docs/organized/docs/reference/authkit/invitation/resend.mdx +109 -0
  247. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/revoke.mdx +8 -8
  248. package/.docs/organized/docs/reference/{user-management → authkit}/invitation/send.mdx +23 -13
  249. package/.docs/organized/docs/reference/{user-management → authkit}/logout/get-logout-url-from-session-cookie.mdx +2 -2
  250. package/.docs/organized/docs/reference/{user-management → authkit}/logout/get-logout-url.mdx +8 -8
  251. package/.docs/organized/docs/reference/{user-management → authkit}/logout/index.mdx +4 -5
  252. package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/create.mdx +10 -10
  253. package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/get.mdx +9 -10
  254. package/.docs/organized/docs/reference/{user-management → authkit}/magic-auth/index.mdx +10 -15
  255. package/.docs/organized/docs/reference/{user-management → authkit}/mfa/authentication-challenge.mdx +9 -10
  256. package/.docs/organized/docs/reference/{user-management → authkit}/mfa/authentication-factor.mdx +11 -11
  257. package/.docs/organized/docs/reference/{user-management → authkit}/mfa/enroll-auth-factor.mdx +19 -15
  258. package/.docs/organized/docs/reference/authkit/mfa/index.mdx +11 -0
  259. package/.docs/organized/docs/reference/{user-management → authkit}/mfa/list-auth-factors.mdx +9 -9
  260. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/create.mdx +27 -10
  261. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/deactivate.mdx +10 -10
  262. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/delete.mdx +8 -8
  263. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/get.mdx +8 -8
  264. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/index.mdx +107 -14
  265. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/list.mdx +10 -10
  266. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/reactivate.mdx +11 -11
  267. package/.docs/organized/docs/reference/{user-management → authkit}/organization-membership/update.mdx +25 -9
  268. package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/create.mdx +8 -8
  269. package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/get.mdx +8 -8
  270. package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/index.mdx +10 -12
  271. package/.docs/organized/docs/reference/{user-management → authkit}/password-reset/reset-password.mdx +8 -8
  272. package/.docs/organized/docs/reference/authkit/session/index.mdx +128 -0
  273. package/.docs/organized/docs/reference/authkit/session/list.mdx +110 -0
  274. package/.docs/organized/docs/reference/authkit/session/revoke.mdx +73 -0
  275. package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/authenticate.mdx +22 -6
  276. package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/get-logout-url.mdx +5 -5
  277. package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/index.mdx +2 -2
  278. package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/load-sealed-session.mdx +4 -4
  279. package/.docs/organized/docs/reference/{user-management → authkit}/session-helpers/refresh.mdx +18 -6
  280. package/.docs/organized/docs/reference/{user-management → authkit}/session-tokens/access-token.mdx +16 -8
  281. package/.docs/organized/docs/reference/authkit/session-tokens/index.mdx +5 -0
  282. package/.docs/organized/docs/reference/{user-management → authkit}/session-tokens/jwks.mdx +8 -8
  283. package/.docs/organized/docs/reference/authkit/session-tokens/refresh-token.mdx +8 -0
  284. package/.docs/organized/docs/reference/{user-management → authkit}/user/create.mdx +36 -17
  285. package/.docs/organized/docs/reference/{user-management → authkit}/user/delete.mdx +8 -9
  286. package/.docs/organized/docs/reference/{user-management → authkit}/user/get-by-external-id.mdx +16 -4
  287. package/.docs/organized/docs/reference/{user-management → authkit}/user/get.mdx +8 -8
  288. package/.docs/organized/docs/reference/{user-management → authkit}/user/index.mdx +25 -15
  289. package/.docs/organized/docs/reference/{user-management → authkit}/user/list.mdx +9 -12
  290. package/.docs/organized/docs/reference/{user-management → authkit}/user/update.mdx +43 -20
  291. package/.docs/organized/docs/reference/{client-libraries.mdx → client-libraries/index.mdx} +2 -2
  292. package/.docs/organized/docs/reference/directory-sync/directory/index.mdx +1 -1
  293. package/.docs/organized/docs/reference/directory-sync/directory-group/index.mdx +1 -24
  294. package/.docs/organized/docs/reference/directory-sync/directory-user/index.mdx +1 -29
  295. package/.docs/organized/docs/reference/directory-sync/directory-user/list.mdx +1 -1
  296. package/.docs/organized/docs/reference/directory-sync/index.mdx +1 -1
  297. package/.docs/organized/docs/reference/domain-verification/create.mdx +35 -0
  298. package/.docs/organized/docs/reference/domain-verification/delete.mdx +55 -0
  299. package/.docs/organized/docs/reference/domain-verification/get.mdx +29 -0
  300. package/.docs/organized/docs/reference/domain-verification/index.mdx +57 -1
  301. package/.docs/organized/docs/reference/domain-verification/verify.mdx +29 -0
  302. package/.docs/organized/docs/reference/{errors.mdx → errors/index.mdx} +1 -1
  303. package/.docs/organized/docs/reference/events/list.mdx +5 -4
  304. package/.docs/organized/docs/reference/feature-flags/flag/disable.mdx +33 -0
  305. package/.docs/organized/docs/reference/feature-flags/flag/enable.mdx +33 -0
  306. package/.docs/organized/docs/reference/feature-flags/flag/get.mdx +32 -0
  307. package/.docs/organized/docs/reference/feature-flags/flag/index.mdx +116 -0
  308. package/.docs/organized/docs/reference/feature-flags/flag/list.mdx +67 -0
  309. package/.docs/organized/docs/reference/feature-flags/index.mdx +123 -0
  310. package/.docs/organized/docs/reference/feature-flags/targeting/add.mdx +43 -0
  311. package/.docs/organized/docs/reference/feature-flags/targeting/index.mdx +23 -0
  312. package/.docs/organized/docs/reference/feature-flags/targeting/list-for-organization.mdx +132 -0
  313. package/.docs/organized/docs/reference/feature-flags/targeting/list-for-user.mdx +94 -0
  314. package/.docs/organized/docs/reference/feature-flags/targeting/remove.mdx +43 -0
  315. package/.docs/organized/docs/reference/fga/access-check/check.mdx +102 -0
  316. package/.docs/organized/docs/reference/fga/access-check/index.mdx +6 -0
  317. package/.docs/organized/docs/reference/fga/access-check/list-memberships-by-external-id.mdx +143 -0
  318. package/.docs/organized/docs/reference/fga/access-check/list-memberships.mdx +127 -0
  319. package/.docs/organized/docs/reference/fga/access-check/list-resources.mdx +152 -0
  320. package/.docs/organized/docs/reference/fga/index.mdx +14 -2
  321. package/.docs/organized/docs/reference/fga/resource/create.mdx +74 -88
  322. package/.docs/organized/docs/reference/fga/resource/delete-by-external-id.mdx +78 -0
  323. package/.docs/organized/docs/reference/fga/resource/delete.mdx +38 -62
  324. package/.docs/organized/docs/reference/fga/resource/get-by-external-id.mdx +60 -0
  325. package/.docs/organized/docs/reference/fga/resource/get.mdx +15 -63
  326. package/.docs/organized/docs/reference/fga/resource/index.mdx +74 -73
  327. package/.docs/organized/docs/reference/fga/resource/list.mdx +90 -131
  328. package/.docs/organized/docs/reference/fga/resource/update-by-external-id.mdx +81 -0
  329. package/.docs/organized/docs/reference/fga/resource/update.mdx +29 -85
  330. package/.docs/organized/docs/reference/fga/role-assignment/create.mdx +89 -0
  331. package/.docs/organized/docs/reference/fga/role-assignment/delete-by-id.mdx +59 -0
  332. package/.docs/organized/docs/reference/fga/role-assignment/delete.mdx +90 -0
  333. package/.docs/organized/docs/reference/fga/role-assignment/index.mdx +106 -0
  334. package/.docs/organized/docs/reference/fga/role-assignment/list.mdx +86 -0
  335. package/.docs/organized/docs/reference/index.mdx +21 -12
  336. package/.docs/organized/docs/reference/magic-link/passwordless-session/index.mdx +1 -1
  337. package/.docs/organized/docs/reference/mfa/{challenge-factor.mdx → challenge/create.mdx} +1 -1
  338. package/.docs/organized/docs/reference/mfa/{authentication-challenge.mdx → challenge/index.mdx} +11 -14
  339. package/.docs/organized/docs/reference/mfa/{verify-challenge.mdx → challenge/verify.mdx} +10 -12
  340. package/.docs/organized/docs/reference/mfa/{delete-factor.mdx → factor/delete.mdx} +1 -1
  341. package/.docs/organized/docs/reference/mfa/{enroll-factor.mdx → factor/enroll.mdx} +1 -1
  342. package/.docs/organized/docs/reference/mfa/{get-factor.mdx → factor/get.mdx} +1 -1
  343. package/.docs/organized/docs/reference/mfa/{authentication-factor.mdx → factor/index.mdx} +11 -12
  344. package/.docs/organized/docs/reference/organization/create.mdx +1 -6
  345. package/.docs/organized/docs/reference/organization/get-by-external-id.mdx +1 -1
  346. package/.docs/organized/docs/reference/organization/index.mdx +5 -5
  347. package/.docs/organized/docs/reference/organization/update.mdx +1 -1
  348. package/.docs/organized/docs/reference/{pagination.mdx → pagination/index.mdx} +1 -3
  349. package/.docs/organized/docs/reference/pipes/access-token/get.mdx +174 -0
  350. package/.docs/organized/docs/reference/pipes/access-token/index.mdx +44 -0
  351. package/.docs/organized/docs/reference/pipes/connected-account/delete.mdx +42 -0
  352. package/.docs/organized/docs/reference/pipes/connected-account/get-authorize-url.mdx +49 -0
  353. package/.docs/organized/docs/reference/pipes/connected-account/get.mdx +42 -0
  354. package/.docs/organized/docs/reference/pipes/connected-account/index.mdx +69 -0
  355. package/.docs/organized/docs/reference/pipes/index.mdx +8 -0
  356. package/.docs/organized/docs/reference/pipes/provider/index.mdx +70 -0
  357. package/.docs/organized/docs/reference/pipes/provider/list.mdx +47 -0
  358. package/.docs/organized/docs/reference/radar/attempts/index.mdx +1 -1
  359. package/.docs/organized/docs/reference/radar/lists/index.mdx +1 -1
  360. package/.docs/organized/docs/reference/rate-limits/index.mdx +56 -0
  361. package/.docs/organized/docs/reference/roles/index.mdx +12 -262
  362. package/.docs/organized/docs/reference/roles/organization-role/add-permission.mdx +75 -0
  363. package/.docs/organized/docs/reference/roles/organization-role/create.mdx +95 -0
  364. package/.docs/organized/docs/reference/roles/organization-role/delete.mdx +47 -0
  365. package/.docs/organized/docs/reference/roles/organization-role/get.mdx +55 -0
  366. package/.docs/organized/docs/reference/roles/organization-role/index.mdx +148 -0
  367. package/.docs/organized/docs/reference/roles/organization-role/list.mdx +68 -0
  368. package/.docs/organized/docs/reference/roles/organization-role/remove-permission.mdx +68 -0
  369. package/.docs/organized/docs/reference/roles/organization-role/set-permissions.mdx +79 -0
  370. package/.docs/organized/docs/reference/roles/organization-role/update.mdx +85 -0
  371. package/.docs/organized/docs/reference/roles/permission/create.mdx +101 -0
  372. package/.docs/organized/docs/reference/roles/permission/delete.mdx +38 -0
  373. package/.docs/organized/docs/reference/roles/permission/get.mdx +45 -0
  374. package/.docs/organized/docs/reference/roles/permission/index.mdx +128 -0
  375. package/.docs/organized/docs/reference/roles/permission/list.mdx +91 -0
  376. package/.docs/organized/docs/reference/roles/permission/update.mdx +80 -0
  377. package/.docs/organized/docs/reference/roles/role/add-permission.mdx +63 -0
  378. package/.docs/organized/docs/reference/roles/role/create.mdx +103 -0
  379. package/.docs/organized/docs/reference/roles/role/get.mdx +52 -0
  380. package/.docs/organized/docs/reference/roles/role/index.mdx +135 -0
  381. package/.docs/organized/docs/reference/roles/role/list.mdx +56 -0
  382. package/.docs/organized/docs/reference/roles/role/set-permissions.mdx +67 -0
  383. package/.docs/organized/docs/reference/roles/role/update.mdx +78 -0
  384. package/.docs/organized/docs/reference/sso/connection/index.mdx +2 -2
  385. package/.docs/organized/docs/reference/sso/get-authorization-url/error-codes.mdx +5 -3
  386. package/.docs/organized/docs/reference/sso/get-authorization-url/index.mdx +24 -2
  387. package/.docs/organized/docs/reference/sso/get-authorization-url/redirect-uri.mdx +25 -1
  388. package/.docs/organized/docs/reference/sso/index.mdx +1 -1
  389. package/.docs/organized/docs/reference/sso/logout/authorize.mdx +0 -1
  390. package/.docs/organized/docs/reference/sso/logout/index.mdx +1 -2
  391. package/.docs/organized/docs/reference/sso/logout/redirect.mdx +0 -1
  392. package/.docs/organized/docs/reference/sso/profile/get-profile-and-token.mdx +13 -1
  393. package/.docs/organized/docs/reference/sso/profile/index.mdx +25 -24
  394. package/.docs/organized/docs/reference/{testing.mdx → testing/index.mdx} +1 -1
  395. package/.docs/organized/docs/reference/vault/key/create-data-key.mdx +29 -0
  396. package/.docs/organized/docs/reference/vault/key/decrypt-data-key.mdx +20 -0
  397. package/.docs/organized/docs/reference/vault/key/decrypt-data.mdx +24 -0
  398. package/.docs/organized/docs/reference/vault/key/encrypt-data.mdx +20 -0
  399. package/.docs/organized/docs/reference/vault/object/create.mdx +17 -0
  400. package/.docs/organized/docs/reference/vault/object/delete.mdx +12 -0
  401. package/.docs/organized/docs/reference/vault/object/get-by-name.mdx +61 -0
  402. package/.docs/organized/docs/reference/vault/object/get.mdx +11 -0
  403. package/.docs/organized/docs/reference/vault/object/index.mdx +50 -4
  404. package/.docs/organized/docs/reference/vault/object/list.mdx +40 -1
  405. package/.docs/organized/docs/reference/vault/object/update.mdx +18 -0
  406. package/.docs/organized/docs/reference/vault/object/version.mdx +15 -2
  407. package/.docs/organized/docs/reference/vault/object/versions.mdx +13 -0
  408. package/.docs/organized/docs/reference/widgets/get-token.mdx +8 -5
  409. package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/create.mdx +55 -0
  410. package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/delete.mdx +28 -0
  411. package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/index.mdx +60 -0
  412. package/.docs/organized/docs/reference/workos-connect/applications/client-secrets/list.mdx +52 -0
  413. package/.docs/organized/docs/reference/workos-connect/applications/create.mdx +79 -0
  414. package/.docs/organized/docs/reference/workos-connect/applications/delete.mdx +28 -0
  415. package/.docs/organized/docs/reference/workos-connect/applications/get.mdx +59 -0
  416. package/.docs/organized/docs/reference/workos-connect/applications/index.mdx +40 -0
  417. package/.docs/organized/docs/reference/workos-connect/applications/list.mdx +49 -0
  418. package/.docs/organized/docs/reference/workos-connect/applications/m2m.mdx +52 -0
  419. package/.docs/organized/docs/reference/workos-connect/applications/oauth.mdx +85 -0
  420. package/.docs/organized/docs/reference/workos-connect/applications/update.mdx +59 -0
  421. package/.docs/organized/docs/reference/workos-connect/authorize/index.mdx +29 -1
  422. package/.docs/organized/docs/reference/workos-connect/cli-auth/authorize-device/index.mdx +81 -0
  423. package/.docs/organized/docs/reference/workos-connect/cli-auth/device-code-grant.mdx +74 -0
  424. package/.docs/organized/docs/reference/workos-connect/cli-auth/index.mdx +23 -0
  425. package/.docs/organized/docs/reference/workos-connect/index.mdx +1 -1
  426. package/.docs/organized/docs/reference/workos-connect/introspection/index.mdx +8 -3
  427. package/.docs/organized/docs/reference/workos-connect/metadata/index.mdx +1 -1
  428. package/.docs/organized/docs/reference/workos-connect/metadata/oauth-authorization-server/index.mdx +1 -1
  429. package/.docs/organized/docs/reference/workos-connect/standalone/complete.mdx +68 -0
  430. package/.docs/organized/docs/reference/workos-connect/standalone/index.mdx +9 -0
  431. package/.docs/organized/docs/reference/workos-connect/standalone/user-consent-options.mdx +41 -0
  432. package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/access-token.mdx +6 -0
  433. package/.docs/organized/docs/reference/workos-connect/token/authorization-code-grant/id-token.mdx +1 -1
  434. package/.docs/organized/docs/reference/workos-connect/token/{authorization-code-grant/index.mdx → authorization-code-grant.mdx} +23 -2
  435. package/.docs/organized/docs/reference/workos-connect/token/client-credentials-grant/access-token.mdx +1 -1
  436. package/.docs/organized/docs/reference/workos-connect/token/{client-credentials-grant/index.mdx → client-credentials-grant.mdx} +2 -2
  437. package/.docs/organized/docs/reference/workos-connect/token/index.mdx +5 -4
  438. package/.docs/organized/docs/reference/workos-connect/token/refresh-token-grant.mdx +1 -1
  439. package/.docs/organized/docs/reference/workos-connect/userinfo/index.mdx +2 -2
  440. package/.docs/organized/docs/sdks/authkit-js.mdx +14 -0
  441. package/.docs/organized/docs/sdks/authkit-nextjs.mdx +14 -0
  442. package/.docs/organized/docs/sdks/authkit-react-router.mdx +14 -0
  443. package/.docs/organized/docs/sdks/authkit-react.mdx +14 -0
  444. package/.docs/organized/docs/sdks/authkit-remix.mdx +14 -0
  445. package/.docs/organized/docs/sdks/authkit-tanstack-start.mdx +14 -0
  446. package/.docs/organized/docs/sso/_navigation.mdx +8 -2
  447. package/.docs/organized/docs/sso/attributes.mdx +15 -3
  448. package/.docs/organized/docs/sso/domains.mdx +8 -6
  449. package/.docs/organized/docs/sso/example-apps.mdx +2 -2
  450. package/.docs/organized/docs/sso/identity-provider-role-assignment.mdx +30 -30
  451. package/.docs/organized/docs/sso/index.mdx +7 -6
  452. package/.docs/organized/docs/sso/it-team-faq.mdx +1 -1
  453. package/.docs/organized/docs/sso/jit-provisioning.mdx +2 -3
  454. package/.docs/organized/docs/sso/launch-checklist.mdx +2 -2
  455. package/.docs/organized/docs/sso/login-flows.mdx +3 -3
  456. package/.docs/organized/docs/sso/redirect-uris.mdx +22 -11
  457. package/.docs/organized/docs/sso/saml-security.mdx +1 -1
  458. package/.docs/organized/docs/sso/sign-in-consent.mdx +59 -0
  459. package/.docs/organized/docs/sso/signing-certificates.mdx +7 -7
  460. package/.docs/organized/docs/sso/single-logout.mdx +0 -1
  461. package/.docs/organized/docs/sso/ux/sessions.mdx +99 -0
  462. package/.docs/organized/docs/sso/ux/sign-in.mdx +1 -1
  463. package/.docs/organized/docs/vault/_navigation.mdx +2 -0
  464. package/.docs/organized/docs/vault/byok.mdx +140 -0
  465. package/.docs/organized/docs/vault/index.mdx +1 -1
  466. package/.docs/organized/docs/widgets/_navigation.mdx +48 -0
  467. package/.docs/organized/docs/widgets/admin-portal-domain-verification.mdx +24 -0
  468. package/.docs/organized/docs/widgets/admin-portal-sso-connection.mdx +20 -0
  469. package/.docs/organized/docs/widgets/api-keys.mdx +28 -0
  470. package/.docs/organized/docs/widgets/audit-log-streaming.mdx +25 -0
  471. package/.docs/organized/docs/widgets/directory-sync.mdx +23 -0
  472. package/.docs/organized/docs/widgets/index.mdx +12 -0
  473. package/.docs/organized/docs/widgets/localization.mdx +111 -0
  474. package/.docs/organized/docs/widgets/organization-switcher.mdx +47 -0
  475. package/.docs/organized/docs/widgets/pipes.mdx +27 -0
  476. package/.docs/organized/docs/widgets/quick-start.mdx +38 -0
  477. package/.docs/organized/docs/widgets/styling/css-customization.mdx +100 -0
  478. package/.docs/organized/docs/widgets/styling/index.mdx +29 -0
  479. package/.docs/organized/docs/widgets/styling/theme-customization.mdx +51 -0
  480. package/.docs/organized/docs/widgets/tokens.mdx +17 -0
  481. package/.docs/organized/docs/widgets/user-management.mdx +28 -0
  482. package/.docs/organized/docs/widgets/user-profile.mdx +30 -0
  483. package/.docs/organized/docs/widgets/user-security.mdx +31 -0
  484. package/.docs/organized/docs/widgets/user-sessions.mdx +26 -0
  485. package/LICENSE +21 -0
  486. package/README.md +14 -1
  487. package/dist/prepare.js +1 -1
  488. package/dist/prepare.js.map +1 -1
  489. package/package.json +2 -1
  490. package/.docs/organized/docs/dashboard.mdx +0 -244
  491. package/.docs/organized/docs/demo/_navigation.mdx +0 -26
  492. package/.docs/organized/docs/demo/accordion.mdx +0 -34
  493. package/.docs/organized/docs/demo/checklist.mdx +0 -33
  494. package/.docs/organized/docs/demo/code-block.mdx +0 -185
  495. package/.docs/organized/docs/demo/definition-list.mdx +0 -35
  496. package/.docs/organized/docs/demo/index.mdx +0 -7
  497. package/.docs/organized/docs/demo/punctuation.mdx +0 -37
  498. package/.docs/organized/docs/demo/replacements.mdx +0 -26
  499. package/.docs/organized/docs/demo/table.mdx +0 -26
  500. package/.docs/organized/docs/demo/tabs.mdx +0 -17
  501. package/.docs/organized/docs/fga/identity-provider-sessions.mdx +0 -68
  502. package/.docs/organized/docs/fga/local-development.mdx +0 -155
  503. package/.docs/organized/docs/fga/modeling/abac.mdx +0 -107
  504. package/.docs/organized/docs/fga/modeling/blocklist.mdx +0 -84
  505. package/.docs/organized/docs/fga/modeling/conditional-roles.mdx +0 -99
  506. package/.docs/organized/docs/fga/modeling/custom-roles.mdx +0 -90
  507. package/.docs/organized/docs/fga/modeling/entitlements.mdx +0 -127
  508. package/.docs/organized/docs/fga/modeling/managed-service-provider.mdx +0 -131
  509. package/.docs/organized/docs/fga/modeling/org-roles-and-permissions.mdx +0 -95
  510. package/.docs/organized/docs/fga/modeling/policy-context.mdx +0 -231
  511. package/.docs/organized/docs/fga/modeling/public-access.mdx +0 -61
  512. package/.docs/organized/docs/fga/modeling/shareable-content.mdx +0 -106
  513. package/.docs/organized/docs/fga/modeling/superusers.mdx +0 -74
  514. package/.docs/organized/docs/fga/modeling/user-groups.mdx +0 -92
  515. package/.docs/organized/docs/fga/operations-usage.mdx +0 -104
  516. package/.docs/organized/docs/fga/playground.mdx +0 -12
  517. package/.docs/organized/docs/fga/policies.mdx +0 -462
  518. package/.docs/organized/docs/fga/query-language.mdx +0 -112
  519. package/.docs/organized/docs/fga/schema-management.mdx +0 -224
  520. package/.docs/organized/docs/fga/schema.mdx +0 -388
  521. package/.docs/organized/docs/fga/warrant-tokens.mdx +0 -44
  522. package/.docs/organized/docs/fga/warrants.mdx +0 -92
  523. package/.docs/organized/docs/reference/fga/batch-check.mdx +0 -277
  524. package/.docs/organized/docs/reference/fga/check.mdx +0 -563
  525. package/.docs/organized/docs/reference/fga/policy/create.mdx +0 -27
  526. package/.docs/organized/docs/reference/fga/policy/delete.mdx +0 -18
  527. package/.docs/organized/docs/reference/fga/policy/get.mdx +0 -23
  528. package/.docs/organized/docs/reference/fga/policy/index.mdx +0 -52
  529. package/.docs/organized/docs/reference/fga/policy/list.mdx +0 -41
  530. package/.docs/organized/docs/reference/fga/policy/update.mdx +0 -26
  531. package/.docs/organized/docs/reference/fga/query.mdx +0 -375
  532. package/.docs/organized/docs/reference/fga/resource/batch-write.mdx +0 -175
  533. package/.docs/organized/docs/reference/fga/resource-type/apply.mdx +0 -35
  534. package/.docs/organized/docs/reference/fga/resource-type/create.mdx +0 -24
  535. package/.docs/organized/docs/reference/fga/resource-type/delete.mdx +0 -22
  536. package/.docs/organized/docs/reference/fga/resource-type/get.mdx +0 -23
  537. package/.docs/organized/docs/reference/fga/resource-type/index.mdx +0 -68
  538. package/.docs/organized/docs/reference/fga/resource-type/list.mdx +0 -36
  539. package/.docs/organized/docs/reference/fga/resource-type/update.mdx +0 -23
  540. package/.docs/organized/docs/reference/fga/schema/apply.mdx +0 -42
  541. package/.docs/organized/docs/reference/fga/schema/get.mdx +0 -24
  542. package/.docs/organized/docs/reference/fga/schema/index.mdx +0 -39
  543. package/.docs/organized/docs/reference/fga/warrant/batch-write.mdx +0 -226
  544. package/.docs/organized/docs/reference/fga/warrant/create.mdx +0 -215
  545. package/.docs/organized/docs/reference/fga/warrant/delete.mdx +0 -212
  546. package/.docs/organized/docs/reference/fga/warrant/index.mdx +0 -186
  547. package/.docs/organized/docs/reference/fga/warrant/list.mdx +0 -282
  548. package/.docs/organized/docs/reference/idempotency.mdx +0 -21
  549. package/.docs/organized/docs/reference/organization-domain.mdx +0 -189
  550. package/.docs/organized/docs/reference/rate-limits.mdx +0 -50
  551. package/.docs/organized/docs/reference/roles/list-for-organization.mdx +0 -152
  552. package/.docs/organized/docs/reference/user-management/access-token/index.mdx +0 -13
  553. package/.docs/organized/docs/reference/user-management/authentication/get-authorization-url/redirect-uri.mdx +0 -23
  554. package/.docs/organized/docs/reference/user-management/index.mdx +0 -13
  555. package/.docs/organized/docs/reference/user-management/mfa/index.mdx +0 -5
  556. package/.docs/organized/docs/reference/user-management/session-tokens/index.mdx +0 -5
  557. package/.docs/organized/docs/reference/user-management/session-tokens/refresh-token.mdx +0 -8
  558. package/.docs/organized/docs/user-management/_navigation.mdx +0 -87
  559. package/.docs/organized/docs/user-management/authkit.mdx +0 -69
  560. package/.docs/organized/docs/user-management/connect.mdx +0 -110
  561. package/.docs/organized/docs/user-management/directory-provisioning.mdx +0 -78
  562. package/.docs/organized/docs/user-management/email-verification.mdx +0 -29
  563. package/.docs/organized/docs/user-management/entitlements.mdx +0 -46
  564. package/.docs/organized/docs/user-management/jit-provisioning.mdx +0 -36
  565. package/.docs/organized/docs/user-management/overview.mdx +0 -46
  566. package/.docs/organized/docs/user-management/roles-and-permissions.mdx +0 -155
  567. package/.docs/organized/docs/user-management/users-organizations.mdx +0 -91
  568. package/.docs/organized/docs/user-management/widgets.mdx +0 -190
package/.docs/organized/docs/fga/migration-openfga.mdx ADDED
@@ -0,0 +1,306 @@
1
+ ---
2
+ title: Migrate from OpenFGA
3
+ description: >-
4
+ Map your OpenFGA authorization model to WorkOS FGA resource types, roles, and
5
+ permissions.
6
+ showNextPage: true
7
+ originalPath: .tmp-workos-clone/packages/docs/content/fga/migration-openfga.mdx
8
+ ---
9
+
10
+ ## Overview
11
+
12
+ This guide helps you migrate from OpenFGA to WorkOS FGA. While both systems are inspired by Google's Zanzibar paper, they take different approaches. OpenFGA uses relation-based access control (ReBAC) with explicit tuple storage, while WorkOS FGA uses hierarchical role-based access control (RBAC) with automatic permission inheritance.
13
+
14
+ ---
15
+
16
+ ## Key differences
17
+
18
+ | OpenFGA Concept | WorkOS FGA Equivalent |
19
+ | --------------------------- | ----------------------------------- |
20
+ | Types | Resource Types |
21
+ | Relations | Roles + Permissions |
22
+ | Tuples | Role Assignments |
23
+ | User sets | Organization Memberships |
24
+ | Computed relations (`from`) | Native hierarchical inheritance |
25
+ | Contextual tuples | Check conditions in app code |
26
+ | `but not` exclusions | Permission exclusions (coming soon) |
27
+
28
+ ### Architecture shift
29
+
30
+ OpenFGA requires a schema DSL and explicit tuples for every relationship. WorkOS FGA simplifies this:
31
+
32
+ 1. **Permissions flow down automatically** — A role at a parent level grants access to all children without additional tuples
33
+ 2. **Roles are scoped to resource types** — Each resource type has its own set of roles
34
+ 3. **Single parent per resource instance** — Each resource instance has exactly one parent, creating predictable traversal paths
35
+ 4. **No schema DSL** — Configure resource types, roles, and permissions in the Dashboard
36
+ 5. **Native WorkOS integration** — Works seamlessly with AuthKit, SSO, Directory Sync, and IdP role assignment
37
+
38
+ ### WorkOS product integration
39
+
40
+ Unlike standalone authorization systems, WorkOS FGA integrates natively with the WorkOS identity platform (although it [can be used standalone](/fga/standalone-integration)):
41
+
42
+ - **AuthKit Integration** — Organization-level roles and permissions are embedded in access tokens for instant JWT-based checks
43
+ - **IdP Role Assignment** — Map identity provider groups (Okta, Azure AD, Google Workspace) directly to organization-level roles
44
+ - **Directory Sync** — Automatically provision and deprovision users with appropriate role assignments when group memberships change
45
+ - **SSO** — Enterprise SSO users get role assignments based on IdP group membership during authentication
46
+
47
+ ---
48
+
49
+ ## Step 1: Map types to resource types
50
+
51
+ Extract domain objects from your OpenFGA `type` definitions. These become resource types in WorkOS FGA.
52
+
53
+ **Create resource types for:**
54
+
55
+ - Business containers: organizations, workspaces, projects, environments
56
+ - Shareable entities: apps, pipelines, repositories, dashboards
57
+
58
+ **Exclude:**
59
+
60
+ - `type user` — Use Organization Memberships as subjects instead
61
+ - `type group` — User groups are coming soon; for now, assign roles directly to users
62
+
63
+ ### Example
64
+
65
+ ```text
66
+ # OpenFGA
67
+ type user
68
+ type organization
69
+ type workspace
70
+ type project
71
+
72
+ # WorkOS FGA Resource Types
73
+ organization (built-in)
74
+ └── workspace
75
+ └── project
76
+ ```
77
+
78
+ Navigate to **Authorization > Resource Types** in the [Dashboard](/fga/resource-types/creating-and-managing-resource-types/using-the-dashboard) to create your hierarchy.
79
+
80
+ ---
81
+
82
+ ## Step 2: Establish hierarchy
83
+
84
+ Map OpenFGA parent relations to WorkOS FGA parent-child resource type relationships.
85
+
86
+ ### OpenFGA pattern
87
+
88
+ ```text
89
+ type workspace
90
+ relations
91
+ define viewer: [user]
92
+
93
+ type project
94
+ relations
95
+ define parent: [workspace]
96
+ define viewer: viewer from parent
97
+ ```
98
+
99
+ ### WorkOS FGA equivalent
100
+
101
+ Create a `project` resource type with `workspace` as its parent. The parent relationship is defined at the resource type level.
102
+
103
+ When you register individual project resources instances via the API, they automatically inherit from their workspace. Permissions flow down this hierarchy without explicit tuples.
104
+
105
+ ---
106
+
107
+ ## Step 3: Translate relations to roles
108
+
109
+ OpenFGA relations like `viewer`, `editor`, and `admin` become roles scoped to resource types.
110
+
111
+ ### OpenFGA pattern
112
+
113
+ ```text
114
+ type project
115
+ relations
116
+ define viewer: [user]
117
+ define editor: [user] or viewer
118
+ define owner: [user] or editor
119
+ ```
120
+
121
+ ### WorkOS FGA equivalent
122
+
123
+ Create roles on the `project` resource type:
124
+
125
+ | Role | Permissions |
126
+ | ------ | ------------------------------------------------ |
127
+ | viewer | `project:view` |
128
+ | editor | `project:view`, `project:edit` |
129
+ | owner | `project:view`, `project:edit`, `project:manage` |
130
+
131
+ The `or` unions in OpenFGA become multiple permissions bundled into a single role.
132
+
133
+ > **Permission slug convention:** Permission slugs are arbitrary text, but we recommend the pattern `{resource-type}:{action}` for clarity. Each permission must be explicitly scoped to a resource type in the Dashboard—[see more about permissions](/fga/roles-and-permissions). When a role includes permissions scoped to child resource types (like `project:view` on a workspace role), it grants that permission on all child resources of that type.
134
+
135
+ ---
136
+
137
+ ## Step 4: Handle computed relations
138
+
139
+ OpenFGA computed relations using the `from` keyword are replaced by native hierarchical inheritance.
140
+
141
+ ### OpenFGA pattern
142
+
143
+ ```text
144
+ type workspace
145
+ relations
146
+ define viewer: [user]
147
+
148
+ type project
149
+ relations
150
+ define parent: [workspace]
151
+ define viewer: viewer from parent
152
+ ```
153
+
154
+ ### WorkOS FGA equivalent
155
+
156
+ Create a `workspace` resource type with a role that includes child-type permissions:
157
+
158
+ | Role (on workspace) | Permissions |
159
+ | ------------------- | -------------------------------- |
160
+ | viewer | `workspace:view`, `project:view` |
161
+
162
+ When you assign `workspace:viewer` to a user, they automatically get `project:view` on all projects within that workspace. No explicit per-project tuples needed.
163
+
164
+ ---
165
+
166
+ ## Step 5: Map grant patterns
167
+
168
+ | OpenFGA Pattern | WorkOS FGA Equivalent |
169
+ | -------------------------- | ------------------------------------------------ |
170
+ | Direct user tuple | Role assignment on resource |
171
+ | `[type#relation]` usersets | Role includes child-type permissions (automatic) |
172
+ | `or` unions | Multiple permissions in a role |
173
+ | `and` intersections | Check both conditions in app code |
174
+ | `but not` exclusions | Permission exclusions (coming soon) |
175
+
176
+ ### Contextual tuples
177
+
178
+ OpenFGA contextual tuples allow passing runtime context with permission checks. With WorkOS FGA, handle these checks in your application code instead. This keeps the check interface simple and puts conditional logic next to the data it depends on.
179
+
180
+ ```javascript
181
+ // Check time-based access in your app
182
+ const now = new Date();
183
+ const accessWindow = await getAccessWindow(resourceId);
184
+
185
+ if (now < accessWindow.start || now > accessWindow.end) {
186
+ return { authorized: false };
187
+ }
188
+
189
+ // Then check FGA permissions
190
+ const { authorized } = await workos.authorization.check({
191
+ organizationMembershipId,
192
+ permissionSlug: 'project:view',
193
+ resourceExternalId: resourceId,
194
+ resourceTypeSlug: 'project',
195
+ });
196
+ ```
197
+
198
+ ---
199
+
200
+ ## High-cardinality entities
201
+
202
+ Not everything belongs in FGA. We recommend using FGA for lower-cardinality resources (organizations, workspaces, projects) and handling high-cardinality entities (files, messages, comments) in your application.
203
+
204
+ Syncing millions of entities into FGA creates reconciliation overhead, race conditions, and consistency challenges. Instead, check access at the parent container level and filter entities in your application.
205
+
206
+ For detailed guidance on this pattern, including interceptor examples for nested entities, see [High-Cardinality Entities](/fga/high-cardinality-entities).
207
+
208
+ ---
209
+
210
+ ## Migration steps
211
+
212
+ 1. **Define resource types** in the WorkOS Dashboard matching your OpenFGA types
213
+ 2. **Define permissions** for each type (e.g., `view`, `edit`, `manage`)
214
+ 3. **Create roles** that bundle permissions, including child-type permissions for inheritance
215
+ 4. **Register resources** via API when entities are created in your app
216
+ 5. **Migrate tuples** to role assignments on specific resources
217
+ 6. **Replace OpenFGA checks** with WorkOS FGA `check` API calls
218
+
219
+ ### API migration
220
+
221
+ **OpenFGA Check:**
222
+
223
+ ```javascript
224
+ const { allowed } = await fga.check({
225
+ user: 'user:alice',
226
+ relation: 'viewer',
227
+ object: 'project:budget',
228
+ });
229
+ ```
230
+
231
+ **WorkOS FGA Check:**
232
+
233
+ ```javascript
234
+ const { authorized } = await workos.authorization.check({
235
+ organizationMembershipId: 'om_01HXYZ', // available in a session token or via the API
236
+ permissionSlug: 'project:view',
237
+ resourceTypeSlug: 'project',
238
+ resourceExternalId: 'budget',
239
+ });
240
+ ```
241
+
242
+ ---
243
+
244
+ ## Example migration
245
+
246
+ ### OpenFGA schema
247
+
248
+ ```text
249
+ type user
250
+
251
+ type organization
252
+ relations
253
+ define admin: [user]
254
+ define member: [user] or admin
255
+
256
+ type workspace
257
+ relations
258
+ define parent_org: [organization]
259
+ define viewer: [user] or member from parent_org
260
+ define editor: [user] or viewer
261
+ define admin: [user] or admin from parent_org
262
+
263
+ type project
264
+ relations
265
+ define parent_workspace: [workspace]
266
+ define viewer: [user] or viewer from parent_workspace
267
+ define editor: [user] or editor from parent_workspace
268
+ ```
269
+
270
+ ### WorkOS FGA equivalent
271
+
272
+ **Resource type hierarchy:**
273
+
274
+ ```text
275
+ organization (built-in)
276
+ └── workspace
277
+ └── project
278
+ ```
279
+
280
+ **Roles for `workspace`:**
281
+
282
+ | Role | Permissions |
283
+ | ------ | ------------------------------------------------------------------ |
284
+ | viewer | `workspace:view`, `project:view` |
285
+ | editor | `workspace:view`, `workspace:edit`, `project:view`, `project:edit` |
286
+ | admin | All workspace and project permissions |
287
+
288
+ **Roles for `project`:**
289
+
290
+ | Role | Permissions |
291
+ | ------ | ------------------------------ |
292
+ | viewer | `project:view` |
293
+ | editor | `project:view`, `project:edit` |
294
+
295
+ Organization members get `workspace:viewer` through an organization-level role. Workspace editors automatically get `project:edit` on all child projects through inheritance.
296
+
297
+ ---
298
+
299
+ ## Next steps
300
+
301
+ - [Resource Types](/fga/resource-types) — Design your hierarchy
302
+ - [Roles and Permissions](/fga/roles-and-permissions) — Configure inheritance patterns
303
+ - [AuthKit Integration](/fga/authkit-integration) — Embed permissions in access tokens
304
+ - [IdP Role Assignment](/fga/idp-role-assignment) — Map IdP groups to roles
305
+ - [Assignments](/fga/assignments) — Migrate your tuples to role assignments
306
+ - [Access Checks](/fga/access-checks) — Replace OpenFGA check calls
package/.docs/organized/docs/fga/migration-oso.mdx ADDED
@@ -0,0 +1,372 @@
1
+ ---
2
+ title: Migrate from Oso Cloud
3
+ description: >-
4
+ Map your Oso Cloud Polar policies to WorkOS FGA resource types, roles, and
5
+ permissions.
6
+ showNextPage: true
7
+ originalPath: .tmp-workos-clone/packages/docs/content/fga/migration-oso.mdx
8
+ ---
9
+
10
+ ## Overview
11
+
12
+ This guide helps you migrate from Oso Cloud to WorkOS FGA. Oso Cloud uses the Polar language to define authorization policies with explicit fact storage. WorkOS FGA takes a different approach: hierarchical role-based access control with automatic permission inheritance configured through a Dashboard.
13
+
14
+ ---
15
+
16
+ ## Key differences
17
+
18
+ | Oso Cloud Concept | WorkOS FGA Equivalent |
19
+ | -------------------- | --------------------------------- |
20
+ | `resource` blocks | Resource Types |
21
+ | `roles` array | Roles |
22
+ | `permissions` array | Permissions |
23
+ | `relations` | Parent-child hierarchy |
24
+ | `has_role` facts | Role Assignments |
25
+ | `has_relation` facts | Resource registration with parent |
26
+ | `actor User {}` | Organization Memberships |
27
+ | Local Authorization | App-side traversal (see below) |
28
+ | Polar DSL | Dashboard configuration |
29
+
30
+ ### Architecture shift
31
+
32
+ Oso Cloud requires you to write Polar policies and manage facts. WorkOS FGA simplifies this:
33
+
34
+ 1. **Permissions flow down automatically** — A role at a parent level grants access to all children without additional facts
35
+ 2. **Roles are scoped to resource types** — Each resource type has its own set of roles
36
+ 3. **Single parent per resource instance** — Each resource instance has exactly one parent, creating predictable traversal paths
37
+ 4. **No policy DSL** — Configure resource types, roles, and permissions in the Dashboard
38
+ 5. **Native WorkOS integration** — Works seamlessly with AuthKit, SSO, Directory Sync, and IdP role assignment
39
+
40
+ ### WorkOS product integration
41
+
42
+ Unlike standalone authorization systems, WorkOS FGA integrates natively with the WorkOS identity platform (although it [can be used standalone](/fga/standalone-integration)):
43
+
44
+ - **AuthKit Integration** — Organization-level roles and permissions are embedded in access tokens for instant JWT-based checks
45
+ - **IdP Role Assignment** — Map identity provider groups (Okta, Azure AD, Google Workspace) directly to organization-level roles
46
+ - **Directory Sync** — Automatically provision and deprovision users with appropriate role assignments when group memberships change
47
+ - **SSO** — Enterprise SSO users get role assignments based on IdP group membership during authentication
48
+
49
+ ---
50
+
51
+ ## Polar syntax reference
52
+
53
+ Key patterns in Oso Polar:
54
+
55
+ - `roles = [...]` — Define available roles on a resource
56
+ - `permissions = [...]` — Define available permissions
57
+ - `relations = {...}` — Define relationships to other resources
58
+ - `"permission" if "role"` — Grant permission to role
59
+ - `"role" if "role"` — Role inheritance
60
+ - `role if role on "relation"` — Inherit roles from related resource
61
+
62
+ ---
63
+
64
+ ## Step 1: Map resources to resource types
65
+
66
+ Extract `resource` blocks from your Polar policy. These become resource types in WorkOS FGA.
67
+
68
+ **Create resource types for:**
69
+
70
+ - Business containers: organizations, workspaces, projects, environments
71
+ - Shareable entities: apps, pipelines, repositories, dashboards
72
+
73
+ **Exclude:**
74
+
75
+ - `actor User {}` — Use Organization Memberships as subjects instead
76
+ - `actor Group {}` — User groups are coming soon; for now, assign roles directly to users
77
+
78
+ ### Example
79
+
80
+ ```text
81
+ # Oso Cloud
82
+ actor User {}
83
+ resource Organization {}
84
+ resource Workspace {}
85
+ resource Project {}
86
+
87
+ # WorkOS FGA Resource Types
88
+ organization (built-in)
89
+ └── workspace
90
+ └── project
91
+ ```
92
+
93
+ Navigate to **Authorization > Resource Types** in the [Dashboard](/fga/resource-types/creating-and-managing-resource-types/using-the-dashboard) to create your hierarchy.
94
+
95
+ ---
96
+
97
+ ## Step 2: Establish hierarchy
98
+
99
+ Map Oso `relations` to WorkOS FGA parent-child resource type relationships.
100
+
101
+ ### Oso Cloud pattern
102
+
103
+ ```text
104
+ resource Project {
105
+ relations = { workspace: Workspace };
106
+ }
107
+ ```
108
+
109
+ ### WorkOS FGA equivalent
110
+
111
+ Create a `workspace` resource type with `organization` as its parent. Create a `project` resource type with `workspace` as its parent. The parent relationship is defined at the resource type level.
112
+
113
+ When you register individual project resources instances via the API, you specify the parent workspace. Permissions flow down this hierarchy without explicit facts.
114
+
115
+ ---
116
+
117
+ ## Step 3: Convert roles and permissions
118
+
119
+ Oso `roles` and `permissions` arrays map directly to WorkOS FGA roles and permissions.
120
+
121
+ ### Oso Cloud pattern
122
+
123
+ ```text
124
+ resource Project {
125
+ roles = ["viewer", "editor", "admin"];
126
+ permissions = ["read", "write", "manage"];
127
+
128
+ "read" if "viewer";
129
+ "write" if "editor";
130
+ "manage" if "admin";
131
+ "viewer" if "editor";
132
+ "editor" if "admin";
133
+ }
134
+ ```
135
+
136
+ ### WorkOS FGA equivalent
137
+
138
+ Create roles on the `project` resource type:
139
+
140
+ | Role | Permissions |
141
+ | ------ | ------------------------------------------------- |
142
+ | viewer | `project:read` |
143
+ | editor | `project:read`, `project:write` |
144
+ | admin | `project:read`, `project:write`, `project:manage` |
145
+
146
+ The role inheritance (`"viewer" if "editor"`) becomes permissions bundled into roles. Higher-privilege roles include all permissions from lower-privilege roles.
147
+
148
+ > **Permission slug convention:** Permission slugs are arbitrary text, but we recommend the pattern `{resource-type}:{action}` for clarity. Each permission must be explicitly scoped to a resource type in the Dashboard—[see more about permissions](/fga/roles-and-permissions). When a role includes permissions scoped to child resource types (like `project:read` on a workspace role), it grants that permission on all child resources of that type.
149
+
150
+ ---
151
+
152
+ ## Step 4: Handle role inheritance via relations
153
+
154
+ Oso's `role if role on "relation"` pattern is replaced by native hierarchical inheritance.
155
+
156
+ ### Oso Cloud pattern
157
+
158
+ ```text
159
+ resource Workspace {
160
+ roles = ["viewer", "editor"];
161
+ }
162
+
163
+ resource Project {
164
+ permissions = ["read", "write"];
165
+ relations = { workspace: Workspace };
166
+ role if role on "workspace";
167
+ }
168
+ ```
169
+
170
+ ### WorkOS FGA equivalent
171
+
172
+ Create a `workspace` resource type with roles that include child-type permissions:
173
+
174
+ | Role (on workspace) | Permissions |
175
+ | ------------------- | -------------------------------------------------------------------- |
176
+ | viewer | `workspace:read`, `project:read` |
177
+ | editor | `workspace:read`, `workspace:write`, `project:read`, `project:write` |
178
+
179
+ When you assign `workspace:viewer` to a user, they automatically get `project:read` on all projects within that workspace. No explicit per-project facts needed.
180
+
181
+ ---
182
+
183
+ ## Step 5: Map permission patterns
184
+
185
+ | Oso Cloud Pattern | WorkOS FGA Equivalent |
186
+ | -------------------------------------- | --------------------------------------------- |
187
+ | `"permission" if "role"` | Permission included in role |
188
+ | `"role" if "role"` | Higher role includes lower role's permissions |
189
+ | `role if role on "relation"` | Native inheritance (automatic) |
190
+ | `"permission" if "role" on "relation"` | Include permission in parent role |
191
+ | Custom Polar rules | Check conditions in app code |
192
+ | `and` expressions | Check multiple conditions in app code |
193
+ | `not` expressions | Permission exclusions (coming soon) |
194
+
195
+ ---
196
+
197
+ ## Replacing Local Authorization
198
+
199
+ Oso's Local Authorization generates SQL queries that you run against your database. WorkOS FGA takes a different approach: keep high-cardinality data in your database and traverse to FGA-managed resources in your application code.
200
+
201
+ ### Why this approach?
202
+
203
+ - **Simpler architecture** — No SQL generation or policy-database mapping configuration
204
+ - **Clearer boundaries** — FGA handles coarse-grained access, your app handles fine-grained filtering
205
+ - **Better performance** — Single parent traversal path, no complex joins
206
+ - **No config drift** — Authorization logic lives in your code, not a separate YAML file
207
+
208
+ ### Example: file access via parent project
209
+
210
+ Instead of configuring Local Authorization mappings, look up the parent resource and check access there:
211
+
212
+ ```typescript
213
+ async function canUserAccessFile(
214
+ organizationMembershipId: string,
215
+ fileId: string,
216
+ ): Promise<boolean> {
217
+ // 1. Look up the file to find its parent project
218
+ const file = await db.files.findUnique({ where: { id: fileId } });
219
+ if (!file) return false;
220
+
221
+ // 2. Check access at the project level (FGA-managed)
222
+ const { authorized } = await workos.authorization.check({
223
+ organizationMembershipId,
224
+ permissionSlug: 'project:view',
225
+ resourceTypeSlug: 'project',
226
+ resourceExternalId: file.projectId,
227
+ });
228
+
229
+ return authorized;
230
+ }
231
+ ```
232
+
233
+ This replaces Oso's Local Authorization YAML configuration:
234
+
235
+ ```yaml
236
+ # Oso Local Authorization config (no longer needed)
237
+ facts:
238
+ has_relation(File:_, parent, Project:_):
239
+ query: SELECT id, project_id FROM files
240
+ has_role(User:_, String:_, Project:_):
241
+ query: SELECT user_id, role, project_id FROM project_memberships
242
+
243
+ sql_types:
244
+ File: UUID
245
+ Project: UUID
246
+ ```
247
+
248
+ With this approach, traversal logic lives in your application code where it's easier to test, debug, and version alongside your business logic.
249
+
250
+ ---
251
+
252
+ ## High-cardinality entities
253
+
254
+ Not everything belongs in FGA. We recommend using FGA for lower-cardinality resources (organizations, workspaces, projects) and handling high-cardinality entities (files, messages, comments) in your application.
255
+
256
+ Syncing millions of entities into FGA creates reconciliation overhead, race conditions, and consistency challenges. Instead, check access at the parent container level and filter entities in your application.
257
+
258
+ For detailed guidance on this pattern, see [High-Cardinality Entities](/fga/high-cardinality-entities).
259
+
260
+ ---
261
+
262
+ ## Migration steps
263
+
264
+ 1. **Analyze Polar policy** — Identify resource blocks, roles, permissions, and relations
265
+ 2. **Define resource types** in the WorkOS Dashboard matching your resources
266
+ 3. **Define permissions** for each type (e.g., `read`, `write`, `manage`)
267
+ 4. **Create roles** that bundle permissions, including child-type permissions for inheritance
268
+ 5. **Register resources** via API when entities are created in your app
269
+ 6. **Migrate facts** — Convert `has_role` to role assignments, `has_relation` to resource registration
270
+ 7. **Replace Oso checks** with WorkOS FGA `check` API calls
271
+ 8. **Replace Local Authorization** with app-side traversal for high-cardinality entities
272
+
273
+ ### API migration
274
+
275
+ **Oso Cloud authorize (JavaScript):**
276
+
277
+ ```javascript
278
+ const authorized = await oso.authorize({ type: 'User', id: 'alice' }, 'read', {
279
+ type: 'Project',
280
+ id: 'proj_123',
281
+ });
282
+ ```
283
+
284
+ **WorkOS FGA Check (JavaScript):**
285
+
286
+ ```javascript
287
+ const { authorized } = await workos.authorization.check({
288
+ organizationMembershipId: 'om_01HXYZ', // available in a session token or via the API
289
+ permissionSlug: 'project:read',
290
+ resourceTypeSlug: 'project',
291
+ resourceExternalId: 'proj_123',
292
+ });
293
+ ```
294
+
295
+ ---
296
+
297
+ ## Example migration
298
+
299
+ ### Oso Cloud policy
300
+
301
+ ```text
302
+ actor User {}
303
+
304
+ resource Organization {
305
+ roles = ["admin", "member"];
306
+ permissions = ["manage", "read"];
307
+
308
+ "read" if "member";
309
+ "manage" if "admin";
310
+ "member" if "admin";
311
+ }
312
+
313
+ resource Workspace {
314
+ roles = ["viewer", "editor"];
315
+ permissions = ["read", "write"];
316
+ relations = { organization: Organization };
317
+
318
+ role if role on "organization";
319
+ "viewer" if "member" on "organization";
320
+ "editor" if "admin" on "organization";
321
+ "read" if "viewer";
322
+ "write" if "editor";
323
+ }
324
+
325
+ resource Project {
326
+ relations = { workspace: Workspace };
327
+
328
+ "read" if "viewer" on "workspace";
329
+ "write" if "editor" on "workspace";
330
+ }
331
+ ```
332
+
333
+ ### WorkOS FGA equivalent
334
+
335
+ **Resource type hierarchy:**
336
+
337
+ ```text
338
+ organization (built-in)
339
+ └── workspace
340
+ └── project
341
+ ```
342
+
343
+ **Roles for `organization`:**
344
+
345
+ | Role | Permissions |
346
+ | ------ | ---------------------------------------------------------------------------------- |
347
+ | member | `organization:read`, `workspace:read`, `project:read` |
348
+ | admin | All member permissions + `organization:manage`, `workspace:write`, `project:write` |
349
+
350
+ **Roles for `workspace`:**
351
+
352
+ | Role | Permissions |
353
+ | ------ | -------------------------------------------------------------------- |
354
+ | viewer | `workspace:read`, `project:read` |
355
+ | editor | `workspace:read`, `workspace:write`, `project:read`, `project:write` |
356
+
357
+ **Key insights:**
358
+
359
+ - `role if role on "organization"` — Replaced by org roles including workspace/project permissions
360
+ - `"viewer" if "member" on "organization"` — Org member role includes workspace:read
361
+ - No explicit Polar rules needed — Inheritance happens automatically
362
+
363
+ ---
364
+
365
+ ## Next steps
366
+
367
+ - [Resource Types](/fga/resource-types) — Design your hierarchy
368
+ - [Roles and Permissions](/fga/roles-and-permissions) — Configure inheritance patterns
369
+ - [AuthKit Integration](/fga/authkit-integration) — Embed permissions in access tokens
370
+ - [IdP Role Assignment](/fga/idp-role-assignment) — Map IdP groups to roles
371
+ - [Assignments](/fga/assignments) — Migrate your facts to role assignments
372
+ - [Access Checks](/fga/access-checks) — Replace Oso authorize calls