@workos/mcp-docs-server 0.1.0 → 0.2.0

package/.docs/organized/docs/fga/standalone-integration.mdx

@@ -0,0 +1,176 @@
+---
+title: Standalone Integration
+description: >-
+  Use FGA with your own authentication system by managing users, organizations,
+  and memberships via API.
+showNextPage: true
+originalPath: .tmp-workos-clone/packages/docs/content/fga/standalone-integration.mdx
+---
+
+## Introduction
+
+FGA works with any authentication system. While [AuthKit](/fga/authkit-integration) provides built-in user management, you can integrate FGA standalone by managing users, organizations, and organization memberships through the API.
+
+Use standalone integration when you have an existing authentication system, are migrating from another identity provider, or need programmatic control over user provisioning.
+
+---
+
+## Core concepts
+
+FGA authorization is built on three entities:
+
+**Users** represent individuals in your application. Each has a unique ID, email, and profile information.
+
+**Organizations** represent your customers or tenants. They serve as the root of your resource hierarchy.
+
+**Organization memberships** connect users to organizations and assign an organization-level role. Every membership must have at least one role—this determines baseline permissions within the organization.
+
+The organization membership role is always scoped to the organization itself, not to specific resources. For resource-level access control, use [role assignments](/fga/assignments) on individual resources.
+
+If you want to grant access exclusively through resource-level roles, configure the default organization role to have no permissions. Users will start with no access and only gain permissions through explicit resource role assignments.
+
+---
+
+## Creating organizations
+
+Organizations are the tenants in your application. Create one for each customer:
+
+<CodeBlock file="create-organization" />
+
+The `external_id` maps to your internal customer identifier—typically the primary key from your database.
+
+| Parameter     | Description                                     |
+| ------------- | ----------------------------------------------- |
+| `name`        | Display name for the organization (required)    |
+| `external_id` | Your internal identifier for this customer      |
+| `domain_data` | Email domains associated with this organization |
+| `metadata`    | Custom key-value pairs for your application     |
+
+---
+
+## Creating users
+
+Create users in WorkOS to establish their identity for authorization:
+
+<CodeBlock file="create-user" />
+
+| Parameter        | Description                                |
+| ---------------- | ------------------------------------------ |
+| `email`          | User's email address (required)            |
+| `first_name`     | User's first name                          |
+| `last_name`      | User's last name                           |
+| `email_verified` | Set to `true` if you've verified the email |
+| `external_id`    | Your internal user identifier              |
+| `password`       | Password for email/password authentication |
+| `password_hash`  | Pre-hashed password for migrations         |
+| `metadata`       | Custom key-value pairs                     |
+
+---
+
+## Creating organization memberships
+
+Organization memberships connect users to organizations and assign their organization-level role:
+
+<CodeBlock file="create-membership" />
+
+The `role_slug` determines the user's organization-level permissions. If omitted, the user receives the default role configured in your environment. This role applies to the organization as a whole—for resource-specific access, use [role assignments](/fga/assignments).
+
+If you've enabled [multiple roles](/authkit/roles-and-permissions/multiple-roles), assign several roles at once with `role_slugs`:
+
+```javascript
+const membership = await workos.userManagement.createOrganizationMembership({
+  userId: 'user_01HXYZ',
+  organizationId: 'org_01HXYZ',
+  roleSlugs: ['admin', 'billing'],
+});
+```
+
+---
+
+## Using FGA with standalone users
+
+Once you've created users and memberships, FGA works as documented in other guides. The organization membership ID is the subject for all authorization operations.
+
+### Creating resources
+
+Register resources as your application entities are created:
+
+<CodeBlock file="standalone-create-resource" />
+
+### Assigning resource roles
+
+Grant users roles on specific resources:
+
+<CodeBlock file="standalone-assign-role" />
+
+### Checking permissions
+
+Check whether a user can perform an action on a resource:
+
+<CodeBlock file="standalone-check-permission" />
+
+---
+
+## User lifecycle
+
+Sync WorkOS records as users move through your application's lifecycle. Use the `external_id` field to map your internal IDs to WorkOS entities.
+
+### When a user signs up
+
+Create the WorkOS user and organization membership when a user signs up in your application:
+
+<CodeBlock file="standalone-user-signup" />
+
+### When organization roles change
+
+Update the organization membership when a user's role changes:
+
+<CodeBlock file="standalone-role-change" />
+
+### When resource access changes
+
+Create or remove role assignments when a user's access to specific resources changes:
+
+<CodeBlock file="standalone-resource-access" />
+
+### When a user is removed
+
+Delete the organization membership or user when they leave:
+
+```javascript
+// Remove from one organization
+await workos.userManagement.deleteOrganizationMembership('om_01HXYZ');
+
+// Or delete the user entirely (removes all memberships)
+await workos.userManagement.deleteUser('user_01HXYZ');
+```
+
+---
+
+## Managing entities
+
+For complete API documentation on managing users, organizations, and memberships, see the API reference:
+
+- [Users](/reference/authkit/user) – create, update, list, and delete users
+- [Organizations](/reference/organization) – create, update, list, and delete organizations
+- [Organization Memberships](/reference/authkit/organization-membership) – create, update, deactivate, and delete memberships
+
+---
+
+## Viewing users in the dashboard
+
+Users created via API appear in the WorkOS Dashboard. Navigate to **Users** to see all users in your environment, or **Organizations** to view members of a specific organization.
+
+![Dashboard showing users](https://images.workoscdn.com/images/54fa6e6c-4c6f-4959-9301-344aeb4eeac8.png?auto=format&fit=clip&q=80)
+
+View a user's resource-scoped role assignments by navigating to their organization membership.
+
+![FGA role assignments](https://images.workoscdn.com/images/c9a27787-a97c-4e8b-ac86-05cba25374ae.png?auto=format&fit=clip&q=50)
+
+---
+
+## Migrating from another system
+
+To migrate from another identity provider, export your users and import them into WorkOS using the APIs described above. You can import password hashes so users keep their existing credentials, and use a dual-write strategy to handle new signups during migration.
+
+See the [migration guides](/migrate/other-services) for detailed steps, including provider-specific guides for [Auth0](/migrate/auth0), [Firebase](/migrate/firebase), [Clerk](/migrate/clerk), and [others](/migrate).

package/.docs/organized/docs/glossary.mdx

@@ -1,6 +1,6 @@
 ---
 title: Glossary
-description: "Terminology and concepts used in\_the\_WorkOS documentation."
+description: Terminology and concepts used in the WorkOS documentation.
 breadcrumb:
   title: Home
   url: /
@@ -51,6 +51,10 @@ In the context of a Directory Sync integration, a Bearer Token is generated by W
 
 <GlossaryMarker>C</GlossaryMarker>
 
+## CIMD
+
+Client ID Metadata Document (CIMD) is the mechanism through which an MCP client identifies itself to an authorization server. You can use WorkOS and AuthKit to implement authentication for an MCP server you develop. As part of that, you’ll enable CIMD in the WorkOS Dashboard under _Connect_ → _Configuration_.
+
 ## Client ID
 
 The client ID is a public identifier for your application that maps to a specific WorkOS environment.
@@ -131,9 +135,9 @@ JSON Web Tokens are an open, industry standard method for representing claims se
 
 <GlossaryMarker>O</GlossaryMarker>
 
-## Logout URI
+## Sign-out redirect
 
-An allowlisted location a user will be redirected to after their session has been ended by the Logout API.
+An allowlisted location a user is redirected to after they sign out via the Logout API.
 
 ## OAuth 2.0
 

package/.docs/organized/docs/integrations/access-people-hr.mdx

@@ -1,6 +1,6 @@
 ---
 title: Access People HR
-description: "Learn about syncing your user list with\_Access People HR."
+description: Learn about syncing your user list with Access People HR.
 icon: access-people-hr
 breadcrumb:
   title: Integrations

package/.docs/organized/docs/integrations/adp-oidc.mdx

@@ -1,6 +1,6 @@
 ---
 title: ADP OpenID Connect
-description: "Learn how to configure a connection to\_ADP via\_OIDC."
+description: Learn how to configure a connection to ADP via OIDC.
 icon: adp
 breadcrumb:
   title: Integrations

package/.docs/organized/docs/integrations/apple.mdx

@@ -1,6 +1,6 @@
 ---
 title: Apple
-description: Learn how to set up Sign in with Apple.
+description: Learn how to set up “Sign in with Apple”
 icon: apple
 breadcrumb:
   title: Integrations
@@ -10,9 +10,9 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/apple.mdx
 
 ## Introduction
 
-To configure your global Apple integration you'll need two pieces of information from WorkOS: a [Redirect URI](/glossary/redirect-uri) and an outbound email domain for Apple's Private Relay email service.
+The “Sign in with Apple” integration allows your users to authenticate using their Apple ID credentials.
 
-You'll also need four pieces of information from an active Apple Developer Account: an Apple Team ID, Apple Service ID, Apple Private Key and Private Key ID.
+The configuration process involves obtaining credentials from your Apple Developer account and configuring them in the WorkOS Dashboard. You may also set up Private Email Relay for users who choose to hide their email addresses.
 
 ---
 
@@ -28,142 +28,185 @@ Please note that when you are using WorkOS default credentials, Apple's authenti
 
 ## What WorkOS provides
 
-Navigate to the Authentication section of the [WorkOS dashboard](https://dashboard.workos.com/). Scroll down to the Apple OAuth section and find the following values in the configuration:
+When setting up “Sign in with Apple”, WorkOS provides two key pieces of information that need to be configured in your Apple Developer account:
 
-- Redirect URI
-- outbound email domains
+- [Redirect URI](/glossary/redirect-uri): The endpoint where Apple will send authentication responses after successful login
+- **Outbound Email Domains**: Registered domains for Apple's Private Relay email service
 
-![A screenshot showing the Sign in with Apple Redirect URI in the WorkOS dashboard.](https://images.workoscdn.com/images/fe6d452c-1e18-4272-a04c-efc27ee80305.png?auto=format&fit=clip&q=80)
+These are available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select the **Authentication** tab and the **OAuth providers** sub-tab. Locate the **Sign in with Apple** section.
 
-After the authentication process has completed and a authorization code is granted, the user will be sent to the Redirect URI.
+![Open the Sign in with Apple configuration dialog](https://images.workoscdn.com/images/b9abf389-f950-49b2-8cf3-2c47e9b810bf.png?auto=format&fit=clip&q=50)
 
-Outbound email domains are registered with Apple's Private Relay email service. Apple requires outbound email domains and/or email addresses to be registered with Private Relay to deliver email to those users. For more information, see Apple's documentation on [Private Relay](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service).
+Click **Enable**. The **Sign in with Apple** configuration dialog will open. Locate the **Redirect URI** and **Outbound email domains**.
 
-These values will be used later in the guide.
+![Sign in with Apple Redirect URI in the WorkOS dashboard.](https://images.workoscdn.com/images/54680256-09bc-478f-ab0f-5889c1d846be.png?auto=format&fit=clip&q=50)
+
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your Apple Developer account. **Outbound email domains** are registered with Apple's Private Relay email service to deliver email to users who choose to hide their email addresses.
 
 ---
 
-## What you’ll need
+## What you'll need
 
-In order to integrate you'll need an active Apple Developer account. From that Apple Developer account you'll need:
+You will need to obtain four pieces of information from your Apple Developer account:
 
-- A Team ID
-- A Service ID
-- A private key ID
-- The private key contents
+- **Apple Team ID**: Your organization's unique identifier in the Apple Developer program
+- **Apple Service ID**: Application identifier for “Sign in with Apple”
+- **Apple Private Key**: Authentication key file for secure communication
+- **Private Key ID**: Identifier for the private key
 
-Follow these steps to retrieve these values and configure your integration with Apple.
+The following sections will guide you through generating these credentials in your Apple Developer account.
 
 ---
 
-### (1) Retrieve the Apple Team ID
+## (1) Retrieve your Apple Team ID
+
+Sign in to the [certificates, identifiers, and profiles](https://developer.apple.com/account/resources/certificates/list) section of your Apple Developer account.
 
-Sign in to the [certificates, identifiers, and profiles](https://developer.apple.com/account/resources/certificates/list) section of your Apple Developer account. The landing page will have your name, company name, and your Team ID. Note the Team ID value for later.
+The landing page will display your name, company name, and Team ID. Note the Team ID value as you'll need it later.
 
-![A screenshot showing the Team ID in the Apple Developer dashboard.](https://images.workoscdn.com/images/2edd45b9-7e84-45fa-8da2-3c6dcd5607a1.png?auto=format&fit=clip&q=80)
+![Team ID in the Apple Developer dashboard.](https://images.workoscdn.com/images/2edd45b9-7e84-45fa-8da2-3c6dcd5607a1.png?auto=format&fit=clip&q=80)
 
 > The Team ID is sensitive and will only be used by the server to communicate with Apple. It should not be shared with the client.
 
-### (2) Register an App ID
+---
+
+## (2) Register an App ID
 
 > Skip this step if you already have an App ID.
 
-Click on _Identifiers_ on the sidebar, then click on the + button to create a new identifier.
+Click on **Identifiers** in the sidebar, then click the + button to create a new identifier.
 
-![A screenshot showing the Identifiers page in the Apple Developer dashboard. The Create Identifier plus button is highlighted.](https://images.workoscdn.com/images/54be9c35-f7c9-4119-9765-64299d42ff23.png?auto=format&fit=clip&q=80)
+![Identifiers page in the Apple Developer dashboard with Create Identifier plus button highlighted.](https://images.workoscdn.com/images/54be9c35-f7c9-4119-9765-64299d42ff23.png?auto=format&fit=clip&q=80)
 
-On the next page, select _App IDs_ and click _Continue_.
+On the next page, select **App IDs** and click **Continue**.
 
-![A screenshot showing the first step in the Identifier creation wizard. App IDs is selected.](https://images.workoscdn.com/images/a028e2b5-9443-4208-aa0c-175056ac55b5.png?auto=format&fit=clip&q=80)
+![First step in the Identifier creation wizard with App IDs selected.](https://images.workoscdn.com/images/a028e2b5-9443-4208-aa0c-175056ac55b5.png?auto=format&fit=clip&q=80)
 
-Next, select _App_ and click _Continue_.
+Next, select **App** and click **Continue**.
 
-![A screenshot showing the second step in the Identifier creation wizard. App is selected.](https://images.workoscdn.com/images/baff59f5-f060-4faf-9761-678321cc496a.png?auto=format&fit=clip&q=80)
+![Second step in the Identifier creation wizard with App selected.](https://images.workoscdn.com/images/baff59f5-f060-4faf-9761-678321cc496a.png?auto=format&fit=clip&q=80)
 
 On the next page, fill in a description and a bundle ID. The bundle ID should be unique and in reverse domain notation, e.g., `com.example.myapp`.
 
-Also, check the _Sign in with Apple_ box in the Capabilities section. There is no need to update anything in the _Edit_ modal.
+Also check the **Sign in with Apple** box in the Capabilities section. There is no need to update anything in the **Edit** modal.
 
-![A screenshot showing the third step in the Identifier creation wizard. A placeholder Description and Bundle ID have been entered.](https://images.workoscdn.com/images/ef85061d-ff63-4d5a-8fad-a9cbefeb6786.png?auto=format&fit=clip&q=80)
+![Third step in the Identifier creation wizard with placeholder Description and Bundle ID entered.](https://images.workoscdn.com/images/ef85061d-ff63-4d5a-8fad-a9cbefeb6786.png?auto=format&fit=clip&q=80)
 
-![A screenshot showing the third step in the Identifier creation wizard. The Sign in with Apple checkbox has been checked.](https://images.workoscdn.com/images/9f184ccb-40d8-4410-9250-b8ab56600452.png?auto=format&fit=clip&q=80)
+![Third step in the Identifier creation wizard with Sign in with Apple checkbox checked.](https://images.workoscdn.com/images/9f184ccb-40d8-4410-9250-b8ab56600452.png?auto=format&fit=clip&q=80)
 
-Then click _Continue_. Review your selections and click _Register_.
+Then click **Continue**. Review your selections and click **Register**.
 
-### (3) Register a Service ID
+---
+
+## (3) Register a Service ID
 
-Next we need to create a linked Service ID. Click on _Identifiers_ on the sidebar, then click on the + button.
+Next you need to create a linked Service ID. Click on **Identifiers** in the sidebar, then click the + button.
 
-![A screenshot showing the Identifiers page in the Apple Developer dashboard. The Create Identifier plus button is highlighted.](https://images.workoscdn.com/images/4a129d31-33c8-4976-8340-d59fc6618b67.png?auto=format&fit=clip&q=80)
+![Identifiers page in the Apple Developer dashboard with Create Identifier plus button highlighted.](https://images.workoscdn.com/images/4a129d31-33c8-4976-8340-d59fc6618b67.png?auto=format&fit=clip&q=80)
 
-On the next page, select _Services IDs_ and click _Continue_.
+On the next page, select **Services IDs** and click **Continue**.
 
-![A screenshot showing the first step in the Identifier creation wizard. Services IDs is selected.](https://images.workoscdn.com/images/2496cf53-f593-4eda-a2f9-14d6728b0c5d.png?auto=format&fit=clip&q=80)
+![First step in the Identifier creation wizard with Services IDs selected.](https://images.workoscdn.com/images/2496cf53-f593-4eda-a2f9-14d6728b0c5d.png?auto=format&fit=clip&q=80)
 
 Enter a description and a Service ID. The Service ID should be unique and in reverse domain notation, e.g. `com.example.myapp`.
 
-![A screenshot showing the second step in the Identifier creation wizard. A placeholder Description and Service ID have been entered.](https://images.workoscdn.com/images/dbf69235-951c-4f1d-97b2-3a1c6854c758.png?auto=format&fit=clip&q=80)
+![Second step in the Identifier creation wizard with placeholder Description and Service ID entered.](https://images.workoscdn.com/images/dbf69235-951c-4f1d-97b2-3a1c6854c758.png?auto=format&fit=clip&q=80)
+
+Click **Continue**. Note the Service ID as you'll need it later, then click **Register** to create the service.
+
+Now you'll configure your new service for “Sign in with Apple”. First select the new service from the list of Service IDs.
+
+![Identifiers page in the Apple Developer dashboard with the newly created Service ID highlighted.](https://images.workoscdn.com/images/478f799f-298e-4dee-9b6d-ff75d02fd9f5.png?auto=format&fit=clip&q=80)
+
+Check the **Sign in with Apple** box and click **Configure**.
+
+![Service ID Edit page with Sign in with Apple checkbox checked.](https://images.workoscdn.com/images/8c3e92fe-f5fc-403e-b7ee-fa215ad61ccf.png?auto=format&fit=clip&q=80)
+
+Ensure the App ID you created earlier is selected in the dropdown. Then enter `api.workos.com` in the **Domains and Subdomains** field and paste the **Redirect URI** from the WorkOS Dashboard in the **Return URLs** field.
+
+![Service ID Sign in with Apple edit modal with placeholder values in the inputs.](https://images.workoscdn.com/images/574617e5-4e3c-41a9-8704-dfa47bf504e2.png?auto=format&fit=clip&q=80)
 
-Click _Continue_. Note the Service ID for later and click _Register_ to create the service.
+Click **Done** and then **Continue**. Review your changes and click **Save**.
 
-Now we will configure our new service for Sign in with Apple. First select the new service from the list of Service IDs.
+---
+
+## (4) Register a private key
 
-![A screenshot showing the Identifiers page in the Apple Developer dashboard. The Service ID we just created is highlighted.](https://images.workoscdn.com/images/478f799f-298e-4dee-9b6d-ff75d02fd9f5.png?auto=format&fit=clip&q=80)
+Click on **Keys** in the sidebar, then click the + button to create a new key.
 
-Check the _Sign in with Apple_ box and click _Configure_.
+![Keys page in the Apple Developer dashboard with Create Key plus button highlighted.](https://images.workoscdn.com/images/ebeffde4-091d-4b2c-a9f9-fede59d6674a.png?auto=format&fit=clip&q=80)
 
-![A screenshot showing the Service ID Edit page. The Sign in with Apple checkbox is checked.](https://images.workoscdn.com/images/8c3e92fe-f5fc-403e-b7ee-fa215ad61ccf.png?auto=format&fit=clip&q=80)
+On the next page, enter a human-readable **Key Name**. Then check the **Sign in with Apple** box and click **Configure**.
 
-Ensure the App ID we created earlier is selected in the dropdown. Then enter `api.workos.com` in the _Domains and Subdomains_ field and paste the Return URI from the WorkOS dashboard in the _Return URLs_ field.
+![First step in the Key creation wizard.](https://images.workoscdn.com/images/264d1e39-ccae-4d32-80da-af2d5813723c.png?auto=format&fit=clip&q=80)
 
-![A screenshot showing the Service ID Sign in with Apple edit modal. Placeholder values have been placed in the inputs.](https://images.workoscdn.com/images/574617e5-4e3c-41a9-8704-dfa47bf504e2.png?auto=format&fit=clip&q=80)
+In the **Configure** dialog, select the App ID you created earlier and click **Save**.
 
-Click _Done_ and then _Continue_. Review your changes and click _Save_.
+![Key Configure dialog with App ID from the previous step selected.](https://images.workoscdn.com/images/d1442a7c-47a3-412c-956b-415a11acda9b.png?auto=format&fit=clip&q=80)
 
-### (4) Register a private key
+Click **Continue**. Review your changes and click **Register** to create your key.
 
-Click on _Keys_ on the sidebar, then click on the + button to create a new key.
+![Download Your Key page.](https://images.workoscdn.com/images/eb032a3d-4d2a-44be-a2f5-292e901fae16.png?auto=format&fit=clip&q=80)
 
-![A screenshot showing the Keys page in the Apple Developer dashboard. The Create Key plus button is highlighted.](https://images.workoscdn.com/images/ebeffde4-091d-4b2c-a9f9-fede59d6674a.png?auto=format&fit=clip&q=80)
+Make sure to download your new private key and note the Key ID as you'll need both later.
+
+---
 
-On the next page, enter a human-readable _Key Name_. Then check the _Sign in with Apple_ box and click _Configure_.
+## (5) Configure Apple credentials in WorkOS
 
-![A screenshot showing the first step in the Key creation wizard.](https://images.workoscdn.com/images/264d1e39-ccae-4d32-80da-af2d5813723c.png?auto=format&fit=clip&q=80)
+Now you have all the required credentials:
 
-In the _Configure_ dialog, select the App ID we created earlier and click _Save_.
+- Apple Team ID
+- Apple Service ID
+- Private Key ID
+- The downloaded private key file
 
-![A screenshot showing the Key Configure dialog. The App ID from the previous step is selected.](https://images.workoscdn.com/images/d1442a7c-47a3-412c-956b-415a11acda9b.png?auto=format&fit=clip&q=80)
+Return to the [WorkOS Dashboard](https://dashboard.workos.com). In the **Sign in with Apple** configuration dialog, toggle **Enable** on. Select **Your app's credentials**. Paste the credentials from Apple that you generated in the previous steps into their respective fields.
+
+![Sign in with Apple configuration modal in the WorkOS dashboard filled out with information from earlier steps.](https://images.workoscdn.com/images/cfedc298-8666-4f38-ab71-f6ed777b44c1.png?auto=format&fit=clip&q=80)
+
+---
 
-Click _Continue_. Review your changes and click _Register_ to create your key.
+## (6) Set up Private Email Relay
 
-![A screenshot showing the Download Your Key page.](https://images.workoscdn.com/images/eb032a3d-4d2a-44be-a2f5-292e901fae16.png?auto=format&fit=clip&q=80)
+Sign in with Apple users can opt to hide their email address when signing in. In order for emails to be sent to those users, you need to configure Private Email Relay.
 
-Make sure to download your new private key. Also note the Key ID for later.
+Copy the **Outbound Email Domains** from the **Sign in with Apple** configuration modal in the WorkOS Dashboard.
 
-### (5) Provide credentials to WorkOS
+![Sign in with Apple configuration modal in the WorkOS dashboard with outbound email domains control highlighted.](https://images.workoscdn.com/images/8c4ae9a5-1b27-49c7-90f7-31a3010ee2b5.png?auto=format&fit=clip&q=80)
 
-Navigate back to the _Authentication_ section in the [WorkOS dashboard](https://dashboard.workos.com), and click on _Edit_ under _Sign in with Apple_.
+Open your Apple Developer account and click on **Services** in the sidebar. Then click on **Configure** under **Sign in with Apple for Email Communication**.
 
-Toggle _Enabled_ on and provide the credentials from Apple that you generated in the previous steps.
+![Services page in the Apple Developer dashboard with Sign in with Apple Configure button highlighted.](https://images.workoscdn.com/images/cc81ae18-450d-417f-9e22-6392b335e437.png?auto=format&fit=clip&q=80)
+
+Click the + button next to **Email Sources** and enter the outbound email domains from the WorkOS Dashboard in the **Domains and Subdomains** text box. Then click **Next** and **Register**.
+
+![Modal to register Email Sources with domains from the WorkOS dashboard in the Domains and Subdomains text box.](https://images.workoscdn.com/images/021882c4-e299-44b8-9a44-fcf22f3be150.png?auto=format&fit=clip&q=80)
+
+![New domains with green check marks next to them.](https://images.workoscdn.com/images/fa3e78e6-688d-46a8-b4e7-1f6c788da4f6.png?auto=format&fit=clip&q=80)
+
+You are now ready to start authenticating with “Sign in with Apple”. Your users will see the option to “Sign in with Apple” when visiting your [AuthKit](/authkit) domain. Alternatively if you're using the [standalone SSO API](/reference/sso/get-authorization-url), you can initiate “Sign in with Apple” by passing `AppleOAuth` as the `provider`.
+
+---
 
-![A screenshot showing the Sign in with Apple configuration modal in the WorkOS dashboard. It has been filled out with information from earlier in this guide.](https://images.workoscdn.com/images/cfedc298-8666-4f38-ab71-f6ed777b44c1.png?auto=format&fit=clip&q=80)
+## Frequently asked questions
 
-### (6) Set up Private Email Relay
+### How is the WorkOS “Sign in with Apple” integration different from implementing regular Apple OAuth flow?
 
-Sign in with Apple users can opt to hide their email address when signing in. In order for emails to be sent to those users, we need to configure Private Email Relay.
+It's the same Apple OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to “Sign in with Apple”, you can use WorkOS SSO to support other identity providers, all with a single integration.
 
-On the _Sign in with Apple_ modal, copy the list of outbound email domains.
+### What is the provider query parameter and how is it used in the Apple OAuth integration?
 
-![A screenshot showing Sign in with Apple configuration modal in the WorkOS dashboard. The outbound email domains control is highlighted.](https://images.workoscdn.com/images/8c4ae9a5-1b27-49c7-90f7-31a3010ee2b5.png?auto=format&fit=clip&q=80)
+You can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/sso/get-authorization-url) to support global Apple OAuth for any domain. The `provider` query parameter should be set to `AppleOAuth`.
 
-Then open your Apple Developer account and click on _Services_ on the sidebar. Then click on _Configure_ under _Sign in with Apple for Email Communication_.
+### Why do I need to configure Private Email Relay?
 
-![A screenshot showing the Services page in the Apple Developer dashboard. The Sign in with Apple Configure button is highlighted.](https://images.workoscdn.com/images/cc81ae18-450d-417f-9e22-6392b335e437.png?auto=format&fit=clip&q=80)
+“Sign in with Apple” allows users to hide their real email address from your app. When a user chooses this option, Apple generates a unique, random email address that forwards to their real email. To send emails to these users, you need to register your sending domains with Apple's Private Email Relay service.
 
-Click the + button next to _Email Sources_ and enter the outbound email domains from the WorkOS dashboard in the _Domains and Subdomains_ text box. Then click _Next_ and _Register_.
+### What happens if I don't set up Private Email Relay?
 
-![A screenshot showing the modal to register Email Sources. The domains from the WorkOS dashboard are in the Domains and Subdomains text box.](https://images.workoscdn.com/images/021882c4-e299-44b8-9a44-fcf22f3be150.png?auto=format&fit=clip&q=80)
+If you don't configure Private Email Relay, you won't be able to send emails to users who choose to hide their email address. Those users will still be able to sign in, but any emails you attempt to send to their relay address will not be delivered.
 
-![A screenshot showing the new domains with green check marks next to them.](https://images.workoscdn.com/images/fa3e78e6-688d-46a8-b4e7-1f6c788da4f6.png?auto=format&fit=clip&q=80)
+### Can I use the same App ID for multiple services?
 
-You are now ready to start authenticating with Sign in with Apple. Your users will see the option to Sign in with Apple when visiting your [AuthKit](/user-management) domain. Alternatively if you're using the [standalone SSO API](reference/sso/get-authorization-url), you can initiate Sign in with Apple by passing `AppleOAuth` as the `provider`.
+Yes, you can use the same App ID for multiple Services IDs. This is useful if you have multiple applications or environments that need to use “Sign in with Apple”.

package/.docs/organized/docs/integrations/auth0-directory-sync.mdx

@@ -8,11 +8,13 @@ breadcrumb:
 originalPath: .tmp-workos-clone/packages/docs/content/integrations/auth0-directory-sync.mdx
 ---
 
+> Looking to migrate from Auth0 to WorkOS? Check out the [full migration guide](/migrate/auth0).
+
 ## Introduction
 
 This guide will walk you through the steps to enable WorkOS Directory Sync for your Auth0 applications. If you are new to automated user provisioning and deprovisioning, the [Directory Sync](/directory-sync) introduction is a good place to learn the basics.
 
-> The Auth0 Directory Sync integration is in feature preview. Reach out to [WorkOS support](mailto:support@workos.com?subject=Auth0%20Directory%20Sync%20Integration) if you want early access.
+> The Auth0 Directory Sync integration is in feature preview. Reach out to [WorkOS support](mailto:support@workos.com?subject=Auth0%20Directory%20Sync%20Integration) if you want early access.
 
 ## (1) Configure Auth0 API access
 

package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx

@@ -9,6 +9,8 @@ originalPath: >-
   .tmp-workos-clone/packages/docs/content/integrations/auth0-enterprise-connection.mdx
 ---
 
+> Looking to migrate from Auth0 to WorkOS? Check out the [full migration guide](/migrate/auth0).
+
 ## Introduction
 
 This guide outlines the steps to make WorkOS SSO connections available to Auth0 applications without requiring changes to your existing Auth0 application code.
@@ -89,4 +91,4 @@ As you create [organizations](/reference/organization), WorkOS will keep the Aut
 
 When users enter their email address into the Auth0 Universal Login, which matches a domain associated with a WorkOS organization, Auth0 redirects users to their WorkOS-enabled IdP sign-in page for their organization. Once the authentication process is complete with the IdP, WorkOS redirects to your Auth0 app callback URL.
 
-> Since email domains are used to route users to the correct IdP when using Auth0, WorkOS will enforce that [organization domains](/reference/organization-domain) are unique, and therefore a domain cannot be assigned to more than one organization.
+> Since email domains are used to route users to the correct IdP when using Auth0, WorkOS will enforce that [organization domains](/reference/domain-verification) are unique, and therefore a domain cannot be assigned to more than one organization.

package/.docs/organized/docs/integrations/auth0-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: Auth0
-description: "Learn how to configure a connection to\_Auth0 via SAML."
+description: Learn how to configure a connection to Auth0 via SAML.
 icon: auth0
 breadcrumb:
   title: Integrations
@@ -8,6 +8,8 @@ breadcrumb:
 originalPath: .tmp-workos-clone/packages/docs/content/integrations/auth0-saml.mdx
 ---
 
+> Looking to migrate from Auth0 to WorkOS? Check out the [full migration guide](/migrate/auth0).
+
 ## Introduction
 
 Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.

package/.docs/organized/docs/integrations/bamboohr.mdx

@@ -1,6 +1,6 @@
 ---
 title: BambooHR
-description: "Learn about syncing your user list with\_BambooHR."
+description: Learn about syncing your user list with BambooHR.
 icon: bamboohr
 breadcrumb:
   title: Integrations
@@ -41,13 +41,13 @@ You will now see your BambooHR directory sync has created successfully with an [
 
 ---
 
-## (2) Retrieve the details from an organization IT Admin
+## (2) Retrieve the details from an organization IT admin
 
-To generate an API key, an IT Admin should log into BambooHR and click their name in the upper right-hand corner of the BambooHR console. Select "API Keys" from the list.
+To generate an API key, an IT admin should log into BambooHR and click their name in the upper right-hand corner of the BambooHR console. Select "API Keys" from the list.
 
 ![A screenshot showing where to find the "API Keys" option in the BambooHR Dashboard.](https://images.workoscdn.com/images/6165e109-527d-4960-adc2-b7882262e526.png?auto=format&fit=clip&q=80)
 
-Next, the IT Admin should click “Add New Key”.
+Next, the IT admin should click “Add New Key”.
 
 ![A screenshot showing where to find the "Add New Key" in the BambooHR Dashboard.](https://images.workoscdn.com/images/eb6b50be-6a2c-478b-aa3f-0d7b69240ddd.png?auto=format&fit=clip&q=80)
 

package/.docs/organized/docs/integrations/breathe-hr.mdx

@@ -1,6 +1,6 @@
 ---
 title: Breathe HR
-description: "Learn about syncing your user list with\_Breathe HR."
+description: Learn about syncing your user list with Breathe HR.
 icon: breathe-hr
 breadcrumb:
   title: Integrations

package/.docs/organized/docs/integrations/bubble.mdx

@@ -46,7 +46,7 @@ To configure SSO, you will need:
 
 - An active SSO connection, which can be configured manually or by using the [Admin Portal](/admin-portal).
 - A [connection](/reference/sso/connection) ID or [organization](/reference/organization) ID associated with the user logging in. If WorkOS does not handle user management on your application’s behalf, it is necessary to keep track of the association between your users and their WorkOS connection or organization IDs in your database.
-- [Redirect URI](glossary/redirect-uri), which is the URL to redirect the user to when they are authorized. This is provided by Bubble in the **Plugins** tab.
+- [Redirect URI](/glossary/redirect-uri), which is the URL to redirect the user to when they are authorized. This is provided by Bubble in the **Plugins** tab.
 
 Navigate to the **Workflow** page in your application and add a new event. Select the action that will trigger the workflow to start. In this case, the workflow is triggered when the submit button is clicked.