@workos/mcp-docs-server 0.1.0 → 0.2.0

package/.docs/organized/docs/integrations/github-oauth.mdx

@@ -1,6 +1,6 @@
 ---
 title: GitHub OAuth
-description: Learn how to set up OAuth with GitHub.
+description: Learn how to set up OAuth with GitHub
 icon: github
 breadcrumb:
   title: Integrations
@@ -10,76 +10,123 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/github-oauth.
 
 ## Introduction
 
-To configure your global GitHub OAuth setup, you’ll need three pieces of information: a [Redirect URI](/glossary/redirect-uri), a GitHub Client ID, and a GitHub Client Secret.
+The GitHub OAuth integration allows your users to authenticate using their GitHub credentials. WorkOS supports both **GitHub OAuth Apps** and **GitHub Apps** for authentication.
+
+The configuration process involves creating an OAuth application or GitHub App in GitHub and configuring the client credentials in the WorkOS Dashboard.
+
+---
+
+## Testing with default credentials in the staging environment
+
+WorkOS provides a default GitHub Client ID and Client Secret combination, which allows you to quickly enable and test GitHub OAuth. Use the [WorkOS API to initiate SSO](/sso/1-add-sso-to-your-app/add-an-endpoint-to-initiate-sso), setting the `provider` parameter to `GitHubOAuth`, and WorkOS will automatically use the default credentials until you add your own GitHub Client ID and Client Secret to the configuration in the WorkOS Dashboard.
+
+> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own GitHub Client ID and Client Secret.
+
+Please note that when you are using WorkOS default credentials, GitHub's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its GitHub Client ID and Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, contact email, etc.
 
 ---
 
 ## What WorkOS provides
 
-WorkOS provides the Redirect URI, an allowlisted callback URL. It indicates the location to return an authorized user to after both an authorization code is granted, and the authentication process is complete.
+When setting up GitHub OAuth, WorkOS provides one key piece of information that needs to be configured in your GitHub OAuth application:
+
+- [Redirect URI](/glossary/redirect-uri): The endpoint where GitHub will send authentication responses after successful login
 
-Open your [WorkOS Dashboard](https://dashboard.workos.com) and browse to the _Authentication_ section on the left hand navigation bar. Scroll down to the _GitHub OAuth_ section and click _Edit_.
+The Redirect URI is available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select the **Authentication** tab and the **OAuth providers** sub-tab. Locate the **GitHub** section.
 
-![A screenshot showing the GitHub OAuth section in the WorkOS Dashboard.](https://images.workoscdn.com/images/c5085d51-1007-4e96-984b-67ce572eb35a.png?auto=format&fit=clip&q=80)
+![Open the GitHub configuration dialog](https://images.workoscdn.com/images/b4ddb4d0-39f2-4e58-bc15-f3857f63415b.png?auto=format&fit=clip&q=50)
 
-In the modal, you’ll see the Redirect URI as well as the fields you’ll populate later with information from GitHub. This URI will be used as part of the registration process later in the GitHub developer settings page.
+Click **Manage**. The **GitHub OAuth** configuration dialog will open. Locate the **Redirect URI**.
 
-![A screenshot showing the GitHub OAuth configuration modal in the WorkOS Dashboard.](https://images.workoscdn.com/images/a5b49e2c-330d-43c4-864d-6929b1a31b1f.png?auto=format&fit=clip&q=80)
+![GitHub OAuth Redirect URI in the WorkOS Dashboard](https://images.workoscdn.com/images/18629339-63d6-4b60-b5d5-7e75f7745de5.png?auto=format&fit=clip&q=50)
+
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your GitHub OAuth application as the authorization callback URL.
 
 ---
 
-## Testing with default credentials in the Staging environment
+## What you'll need
 
-WorkOS provides a default GitHub Client ID/GitHub Client Secret combination, which allows you to quickly enable and test GitHub OAuth. WorkOS will automatically use the default credentials, until you add your own GitHub Client ID and GitHub Client Secret to the Configuration in the WorkOS Dashboard.
+You will need to obtain two pieces of information from a GitHub OAuth application:
 
-> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own GitHub Client ID and GitHub Client Secret.
+- **GitHub Client ID**: Application identifier from GitHub
+- **GitHub Client Secret**: Authentication secret for the application
 
-Please note that when you are using WorkOS default credentials, GitHub's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its GitHub Client ID and GitHub Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, etc.
+The following sections will guide you through creating an OAuth application in your GitHub account and generating these credentials.
 
 ---
 
-## What you’ll need
+## (1) Create the GitHub OAuth Application or GitHub App
+
+Sign in to GitHub and navigate to [**Developer settings**](https://github.com/settings/developers). You can create either an **OAuth App** or a **GitHub App**.
+
+### Option A: OAuth App
+
+Select **OAuth Apps** and create a new OAuth app. Be sure to at least enable the `user:email` scope, as this is required to retrieve the user's email address from GitHub, which is necessary for authentication. You can optionally configure additional scopes as needed.
+
+![The New OAuth App button in GitHub](https://images.workoscdn.com/images/d8991483-a60e-4bc6-985f-2053d8b3c2c9.png?auto=format&fit=clip&q=80)
+
+> You can also register a new application under a GitHub Organization, which may be more appropriate if it is maintained by a team of developers. You can also [transfer ownership](https://docs.github.com/en/apps/oauth-apps/maintaining-oauth-apps/transferring-ownership-of-an-oauth-app) of your GitHub OAuth application to a GitHub organization later.
 
-In order to integrate you’ll need the GitHub Client ID and the GitHub Client Secret.
+### Option B: GitHub App
 
-These are a pair of credentials provided by GitHub that you’ll use to authenticate your application via the OAuth protocol. To obtain them:
+Select **GitHub Apps** and create a new GitHub App. GitHub Apps offer more granular permissions and can provide refresh tokens with expiration for improved security. For more information, see GitHub's documentation on [differences between GitHub Apps and OAuth Apps](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps).
+
+> When using a GitHub App, OAuth scopes are not applicable. Instead, permissions are configured directly on the GitHub App. Be sure to set the **Email addresses** account permission to **Read-only**, as this is required to retrieve the user's email address from GitHub. The access token is limited to the permissions that both your app and the user have.
 
 ---
 
-### (1) Create the GitHub OAuth Application
+## (2) Configure the application
 
-Log in to your GitHub account and go to the [_Developer Settings_](https://github.com/settings/developers) page in your GitHub settings dashboard and click on _Register a new application_.
+Fill out the application form. For the **Authorization callback URL** (OAuth App) or **Callback URL** (GitHub App), enter the **Redirect URI** from the WorkOS Dashboard.
 
-> You can also register a new application under a GitHub Organization, which may be more appropriate if it is maintained by a team of developers. You can also [transfer ownership](https://docs.github.com/en/apps/oauth-apps/maintaining-oauth-apps/transferring-ownership-of-an-oauth-app) of your GitHub OAuth application to a GitHub organization later.
+Click **Register application** (OAuth App) or **Create GitHub App** (GitHub App).
+
+![The GitHub form to create a new OAuth application.](https://images.workoscdn.com/images/6282967b-eee8-4937-8ec8-a1f25d7ec873.png?auto=format&fit=clip&q=80)
+
+You'll be given a Client ID. Note this value as you'll need it for the WorkOS configuration.
+
+Click **Generate a new client secret** to generate a new client secret. Note that this value is only temporarily available, so make sure to save it before proceeding.
+
+![The Client ID and Client Secret in GitHub](https://images.workoscdn.com/images/ba3c133b-3492-4b5b-b10c-69717ca3e50c.png?auto=format&fit=clip&q=80)
+
+---
+
+## (3) Configure GitHub credentials in WorkOS
 
-![A screenshot showing the GitHub page to register a new OAuth application.](https://images.workoscdn.com/images/d8991483-a60e-4bc6-985f-2053d8b3c2c9.png?auto=format&fit=clip&q=80)
+Now that you have the **GitHub Client ID** and **GitHub Client Secret** from the previous step return to the [WorkOS Dashboard](https://dashboard.workos.com/).
 
-Start by filling out the form with relevant details about your application, like the application name and description.
+In the **GitHub OAuth** configuration dialog, select **Your app's credentials**. Paste the credentials from GitHub into their respective fields in the WorkOS Dashboard.
 
-For _Authorization callback URL_, use the Redirect URI in the GitHub OAuth configuration modal in the WorkOS Dashboard.
+![Where to enter the GitHub Client ID and GitHub Client Secret in the WorkOS Dashboard](https://images.workoscdn.com/images/01d06b09-d622-4815-8757-c3b6825b790b.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing the GitHub form to create a new OAuth application.](https://images.workoscdn.com/images/6282967b-eee8-4937-8ec8-a1f25d7ec873.png?auto=format&fit=clip&q=80)
+Click **Save** to complete the configuration.
 
-Finally, click on _Register application_.
+You're now able to authenticate users with GitHub OAuth. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global GitHub OAuth for any domain. The `provider` query parameter should be set to `GitHubOAuth`.
+
+---
 
-### (2) Generate client credentials
+## Configure Additional OAuth Scopes (Optional)
 
-On the next page, you will see the GitHub _Client ID_ for your new OAuth application.
+> This section only applies to GitHub OAuth Apps. GitHub Apps do not use OAuth scopes — permissions are configured directly on the GitHub App in GitHub's settings.
 
-Click on _Generate a new client secret_ to generate a new GitHub Client Secret. Note that this value is only temporarily available, so make sure to save it before proceeding.
+WorkOS will request the OAuth scopes that are required for authentication by default. You can optionally configure your integration to request additional OAuth scopes as needed.
 
-![A screenshot showing OAuth client credentials in the GitHub developer settings](https://images.workoscdn.com/images/ba3c133b-3492-4b5b-b10c-69717ca3e50c.png?auto=format&fit=clip&q=80)
+When the **Return GitHub OAuth tokens** option is selected, the access token from GitHub will be included in the response from the [Authenticate with code API](/reference/authkit/authentication/code). For GitHub Apps, the response will also include a refresh token and expiration when available.
 
-In the next step, you will provide both the GitHub Client ID and Client Secret to the WorkOS dashboard.
+![A screenshot showing GitHub OAuth scopes configuration in the WorkOS Dashboard](https://images.workoscdn.com/images/9cfbd37c-f1cc-436d-8e61-0ccce2612bc6.png?auto=format&fit=clip&q=50)
 
-### (3) Provide client credentials to WorkOS
+Any scopes configured here will be included on every GitHub OAuth request. To specify additional scopes dynamically, use the `provider_scopes` query parameter on the [Get Authorization URL API endpoint](/reference/authkit/authentication/get-authorization-url).
+
+For more information, see GitHub's OAuth scopes [documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps).
+
+---
 
-Go back to the _Authentication_ section in the WorkOS Dashboard, and click on _Edit_ under _GitHub OAuth_.
+## Frequently asked questions
 
-Toggle _Enabled_ on and provide the client credentials from GitHub that you generated in the previous step.
+### How is the WorkOS GitHub OAuth integration different from implementing regular GitHub OAuth flow?
 
-Finally, click _Save_.
+It's the same GitHub OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to GitHub OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
 
-![A screenshot showing GitHub client credentials entered in the WorkOS dashboard](https://images.workoscdn.com/images/53ed79ff-0000-401f-b1f5-24dca73e6106.png?auto=format&fit=clip&q=80)
+### What is the provider query parameter and how is it used in the GitHub OAuth integration?
 
-You are now ready to start authenticating with GitHub OAuth. Your users will see the option to sign-in with GitHub when visiting your [AuthKit](/user-management) domain. Or, you can initiate sign-in with GitHub through the [standalone SSO API](reference/sso/get-authorization-url) by passing `GitHubOAuth` as the `provider`.
+You can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/sso/get-authorization-url) to support global GitHub OAuth for any domain. The `provider` query parameter should be set to `GitHubOAuth`.

package/.docs/organized/docs/integrations/gitlab-oauth.mdx

@@ -1,6 +1,6 @@
 ---
 title: GitLab OAuth
-description: Learn how to set up OAuth with GitLab.
+description: Learn how to set up OAuth with GitLab
 icon: gitlab
 breadcrumb:
   title: Integrations
@@ -10,72 +10,127 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/gitlab-oauth.
 
 ## Introduction
 
-To configure your global GitLab OAuth setup, you’ll need three pieces of information: a [Redirect URI](/glossary/redirect-uri), a GitLab Client ID, and a GitLab Client Secret.
+The GitLab OAuth integration allows your users to authenticate using their GitLab credentials.
+
+The configuration process involves creating an OAuth application in GitLab and configuring the client credentials in your WorkOS Dashboard.
 
 ---
 
 ## What WorkOS provides
 
-WorkOS provides the Redirect URI, an allowlisted callback URL. It indicates the location to return an authorized user to after both an authorization code is granted, and the authentication process is complete.
+When setting up GitLab OAuth, WorkOS provides one key piece of information that needs to be configured in your GitLab OAuth application:
+
+- [Redirect URI](/glossary/redirect-uri): The endpoint where GitLab will send authentication responses after successful login
 
-Open your [WorkOS Dashboard](https://dashboard.workos.com) and browse to the _Authentication_ section on the left hand navigation bar. Scroll down to the _GitLab OAuth_ section and click _Enable_.
+The Redirect URI is available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select the **Authentication** tab and the **OAuth providers** sub-tab. Locate the **GitLab** section.
 
-![A screenshot showing the GitLab OAuth section in the WorkOS Dashboard.](https://images.workoscdn.com/images/7aff1321-8587-4d8e-a574-aef1fc5236c0.png?auto=format&fit=clip&q=80)
+![The GitLab OAuth section in the WorkOS Dashboard](https://images.workoscdn.com/images/37e84a18-3d18-4fc9-a122-63589ab4ddf0.png?auto=format&fit=clip&q=50)
 
-In the modal, you’ll see the Redirect URI as well as the fields you’ll populate later with information from GitLab. This URI will be used as part of the registration process later in the GitLab developer settings page.
+Click **Enable**. The **GitLab OAuth** configuration dialog will open. Locate the **Redirect URI**.
 
-![A screenshot showing the GitLab OAuth configuration modal in the WorkOS Dashboard.](https://images.workoscdn.com/images/b90f07a6-9db5-4c19-9597-edbae8d01acc.png?auto=format&fit=clip&q=80)
+![The GitLab OAuth configuration modal in the WorkOS Dashboard](https://images.workoscdn.com/images/3ec9c4c3-1fc1-4ef6-a2fb-eeca07701d33.png?auto=format&fit=clip&q=50)
+
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your GitLab OAuth application as the redirect URI.
 
 ---
 
-## What you’ll need
+## What you'll need
+
+You will need to obtain two pieces of information from a GitLab OAuth application:
 
-In order to integrate you’ll need the GitLab Client ID and the GitLab Client Secret.
+- **GitLab Client ID**: Application identifier from GitLab (called Application ID in GitLab)
+- **GitLab Client Secret**: Authentication secret for the application (called Secret in GitLab)
 
-These are a pair of credentials provided by GitLab that you’ll use to authenticate your application via the OAuth protocol. To obtain them:
+The following sections will guide you through creating an OAuth application in your GitLab account and generating these credentials.
 
 ---
 
-### (1) Create the GitLab OAuth Application
+## (1) Create the GitLab OAuth application
 
-Log in to your [GitLab account](https://gitlab.com) and create a new application.
+Log in to your [GitLab account](https://gitlab.com) and navigate to your user settings.
 
-On the left sidebar, select your avatar. Select _Edit profile_.
+In the left navigation menu, select your avatar. Click **Edit profile**. Select **Applications**. Click **Add new application**.
 
-On the left sidebar, select _Applications_. Select _Add new application_.
+![GitLab page to register a new OAuth application.](https://images.workoscdn.com/images/ad782ab8-74ad-4787-91fe-685e0f466509.png?auto=format&fit=clip&q=80)
 
 > You can also register a new application under a group, which may be more appropriate if it is maintained by a team of developers, or instance-wide if you have a dedicated GitLab instance. For more on this see the [GitLab docs](https://docs.gitlab.com/integration/oauth_provider/).
 
-![A screenshot showing the GitLab page to register a new OAuth application.](https://images.workoscdn.com/images/ad782ab8-74ad-4787-91fe-685e0f466509.png?auto=format&fit=clip&q=80)
+---
+
+## (2) Configure the GitLab OAuth application
+
+Fill out the form with relevant details about your application, including the application name.
+
+For **Redirect URI**, enter the **Redirect URI** from the GitLab OAuth configuration in the WorkOS Dashboard.
+
+![GitLab form to create a new OAuth application.](https://images.workoscdn.com/images/7c86fdf4-c635-46c5-977c-965b85a322fd.png?auto=format&fit=clip&q=80)
+
+The **Confidential** flag is enabled by default. It should be exclusively used by a trusted backend server that can securely store the client secret. For native-mobile, single-page, or other JavaScript applications, disable this flag.
+
+Select the **openid**, **profile**, and **email** scopes for this app to allow the application to read user profile information, then click **Save application**.
+
+---
+
+## (3) Generate client credentials
+
+On the next page, you will see the GitLab **Application ID** and **Secret** for your new OAuth application.
+
+![OAuth client credentials in the GitLab application settings.](https://images.workoscdn.com/images/b7ce3a64-673a-476f-8a3c-cf63c76bf88e.png?auto=format&fit=clip&q=80)
 
-Fill out the form with relevant details about your application, like the application name.
+Note the **Application ID** and **Secret** values as you'll need them for the WorkOS configuration.
 
-For _Redirect URI_, use the Redirect URI from the GitLab OAuth configuration modal in the WorkOS Dashboard.
+---
+
+## (4) Configure GitLab credentials in WorkOS
+
+Now that you have the **GitLab Client ID** (Application ID) and **GitLab Client Secret** (Secret) from the previous step, return to the [WorkOS Dashboard](https://dashboard.workos.com).
+
+In the **GitLab OAuth** configuration dialog, enable the integration. Paste the credentials from GitLab into their respective fields in the WorkOS Dashboard.
+
+![Where to enter GitLab client credentials in the WorkOS dashboard.](https://images.workoscdn.com/images/6e9b410d-33bf-485f-b1c4-6a16fbeaa946.png?auto=format&fit=clip&q=80)
+
+Click **Save** to complete the configuration.
+
+You are now ready to start authenticating with GitLab OAuth. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global GitLab OAuth for any domain. The `provider` query parameter should be set to `GitLabOAuth`.
+
+---
+
+## Configure Additional OAuth Scopes (Optional)
+
+WorkOS will request the OAuth scopes that are required for authentication by default. You can optionally configure your integration to request additional OAuth scopes as needed.
+
+When the **Return GitLab OAuth tokens** option is selected, the access token and refresh token from GitLab will be included in the response from the [Authenticate with code API](/reference/authkit/authentication/code).
 
-![A screenshot showing the GitLab form to create a new OAuth application.](https://images.workoscdn.com/images/7c86fdf4-c635-46c5-977c-965b85a322fd.png?auto=format&fit=clip&q=80)
+![A screenshot showing GitLab OAuth scopes configuration in the WorkOS Dashboard](https://images.workoscdn.com/images/8d4803a8-f436-45cb-974e-eaa79522181e.png?auto=format&fit=clip&q=50)
 
-The _Confidential_ flag is enabled by default. It should be exclusively used by a trusted backend server that can securely store the client secret. For native-mobile, single-page, or other JavaScript applications, disable this flag.
+Any scopes configured here will be included on every GitLab OAuth request. To specify additional scopes dynamically, use the `provider_scopes` query parameter on the [Get Authorization URL API endpoint](/reference/authkit/authentication/get-authorization-url).
 
-Select the scopes for this app and click on _Save application_.
+Any additional scopes that you plan to request must also be configured on the Application settings page in GitLab. For more information, see GitLab's OAuth scopes [documentation](https://docs.gitlab.com/integration/oauth_provider).
+
+![A screenshot showing GitLab OAuth scopes configuration in GitLab Application Settings](https://images.workoscdn.com/images/25d9971d-55b1-473b-9d7d-d8e42e893725.png?auto=format&fit=clip&q=50)
+
+> IMPORTANT: Your users will see an error during sign-in if the scopes included on an authorization request are not included in the scopes configured on the Application settings page in GitLab. Changes to scopes should be tested in a staging environment before applying them to production.
+
+---
 
-### (2) Generate client credentials
+## Frequently asked questions
 
-On the next page, you will see the GitLab _Application ID_ and _Secret_ for your new OAuth application.
+### How is the WorkOS GitLab OAuth integration different from implementing regular GitLab OAuth flow?
 
-![A screenshot showing OAuth client credentials in the GitLab application settings](https://images.workoscdn.com/images/b7ce3a64-673a-476f-8a3c-cf63c76bf88e.png?auto=format&fit=clip&q=80)
+It's the same GitLab OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to GitLab OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
 
-Copy the _Application ID_ and _Secret_ and click _Continue_.
+### What is the provider query parameter and how is it used in the GitLab OAuth integration?
 
-In the next step, you will provide both the GitLab Application ID and Secret to the WorkOS dashboard.
+You can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/sso/get-authorization-url) to support global GitLab OAuth for any domain. The `provider` query parameter should be set to `GitLabOAuth`.
 
-### (3) Provide client credentials to WorkOS
+### What scopes are required for GitLab OAuth?
 
-Go back to the _Authentication_ section in the WorkOS Dashboard, and click on _Edit_ under _GitLab OAuth_.
+The **openid**, **profile**, and **email** scopes are required to allow the application to read user profile information necessary for authentication. This scope provides access to the user's basic profile data.
 
-Toggle _Enabled_ on and provide the client credentials from GitLab that you generated in the previous step.
+### Can I register the GitLab OAuth application under a group or organization?
 
-Finally, click _Save_.
+Yes, you can register a new application under a GitLab group, which may be more appropriate if it is maintained by a team of developers. You can also register it instance-wide if you have a dedicated GitLab instance. See the [GitLab documentation](https://docs.gitlab.com/integration/oauth_provider/) for more details.
 
-![A screenshot where to enter GitLab client credentials in the WorkOS dashboard](https://images.workoscdn.com/images/6e9b410d-33bf-485f-b1c4-6a16fbeaa946.png?auto=format&fit=clip&q=80)
+### What is the difference between Confidential and non-Confidential applications in GitLab?
 
-You are now ready to start authenticating with GitLab OAuth. Your users will see the option to sign-in with GitLab when visiting your [AuthKit](/user-management) domain.
+The **Confidential** flag should be used for applications that can securely store the client secret, typically backend servers. For native mobile apps, single-page applications, or other JavaScript applications that cannot securely store secrets, you should disable this flag.

package/.docs/organized/docs/integrations/google-directory-sync.mdx

@@ -1,6 +1,6 @@
 ---
 title: Google Directory Sync
-description: "Learn about syncing your user list with\_Google\_Workspace."
+description: Learn about syncing your user list with Google Workspace.
 icon: google
 breadcrumb:
   title: Integrations
@@ -84,3 +84,7 @@ Google Workspace directories are synced approximately every 30 minutes starting
 ### Does Google Directory Sync support nested groups?
 
 Yes, nested groups (groups within groups) are supported in Google Directory Sync. This feature is currently available in a restricted preview. Contact [WorkOS support](mailto:support@workos.com) for additional details.
+
+### What is the `idp_id` for directory groups from Google Workspace?
+
+Google Workspace provides a unique identifier for each group, which is persisted as the `idp_id` for [directory groups](/reference/directory-sync/directory-group) in WorkOS.