@workos/mcp-docs-server 0.1.0

package/.docs/organized/docs/integrations/next-auth.mdx

@@ -0,0 +1,257 @@
+---
+title: NextAuth.js
+description: "Create a Next.js application with WorkOS\_SSO and NextAuth.js."
+icon: next-auth
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/next-auth.mdx
+---
+
+## Introduction
+
+In this guide, you’ll learn how to use WorkOS to add Single Sign-On (SSO) to a Next.js app that uses [NextAuth.js](https://next-auth.js.org/) for handling authentication. You can check out the [complete source code](https://github.com/workos/workos-next-auth) of this guide on GitHub.
+
+## Before getting started
+
+To get the most out of this guide, you’ll need:
+
+- A [WorkOS account](https://dashboard.workos.com/)
+- An IdP (e.g. Okta) account
+
+## (1) Install sample application
+
+In your a terminal, browse to the directory of your choice and run the following command to clone the starter project:
+
+```bash title="Clone the Sample App"
+git clone -b start-branch https://github.com/workos-inc/workos-next-auth
+```
+
+And install the dependencies
+
+```bash title="Install the Dependencies"
+npm install
+```
+
+This is a basic Next.js app built using TypeScript and styled using TailwindCSS.
+
+## (2) Configuring the environment variables
+
+In the project’s root folder, rename the `.env.example` file to `.env`. You can find down below the values for the WorkOS client ID and API key.
+
+```plain title=".env"
+WORKOS_API_KEY='sk_example_123456789'
+WORKOS_CLIENT_ID='client_123456789'
+```
+
+As a best practice, your WorkOS API key should be kept secret and set as an environment variable on process start. The SDK is able to read the key automatically if you store it in an environment variable named `WORKOS_API_KEY`; otherwise, you will need to set it manually. The [Client ID](/glossary/client-id) should also be set dynamically based on the release environment.
+
+## (3) SSO Setup with WorkOS
+
+The first step is to create an organization, which can be done using the dashboard or [via the API](/reference/organization/create). By default, WorkOS creates a demo organization called “foo-corp.com” which you can use for testing purposes.
+
+Take note of the “Organization ID” which can be found in the organization’s detailed view. You’re going to need it to make SSO work.
+
+![A screenshot highlighting the "Organization ID" in the WorkOS dashboard.](https://images.workoscdn.com/images/af4ef014-f6c4-44b2-b7cc-ccf2db24bde5.png?auto=format&fit=clip&q=50)
+
+## (4) Configure redirect URIs
+
+In the “Configuration” tab in the dashboard, add `http://localhost:3000/api/auth/callback/workos` to the list of redirect URIs to test the SSO login flow locally. You’ll also need to add the domain of your application when deploying to production.
+
+![A screenshot highlighting the redirect URIs in the "Configuration" tab in the WorkOS dashboard.](https://images.workoscdn.com/images/7005a351-b083-4a08-a096-cb227c21caa5.png?auto=format&fit=clip&q=50)
+
+## (5) Create an API endpoint
+
+The next step is to create a `pages/api/auth/[...nextauth].ts` file which will contain all of your NextAuth.js configurations:
+
+```js title="pages/api/auth/[...nextAuth].ts"
+import NextAuth from 'next-auth';
+import WorkOSProvider from 'next-auth/providers/workos';
+
+export default NextAuth({
+  providers: [
+    WorkOSProvider({
+      clientId: process.env.WORKOS_CLIENT_ID,
+      clientSecret: process.env.WORKOS_API_KEY,
+      client: {
+        token_endpoint_auth_method: 'client_secret_post',
+      },
+    }),
+  ],
+  pages: {
+    signIn: '/login',
+  },
+  debug: true,
+  secret: process.env.SECRET,
+});
+```
+
+You’re first configuring WorkOS by passing the necessary options to the `WorkOSProvider()` function. You’re then defining a custom login page using the pages option which will be located at `/login`.
+
+You then need to wrap the global `App` component with `SessionProvider` from `NextAuth.js`. Add the following code to the `pages/_app.tsx` file:
+
+```js title="pages/_app.tsx"
+import '../styles/index.css';
+import type { AppProps } from 'next/app';
+import { SessionProvider } from 'next-auth/react';
+
+export default function App({
+  Component,
+  pageProps: { session, ...pageProps },
+}: AppProps) {
+  return (
+    <SessionProvider session={session}>
+      <Component {...pageProps} />
+    </SessionProvider>
+  );
+}
+```
+
+## (6) Creating a custom login page
+
+In this step, you’ll create a custom login page. To do that, create a new file located at `pages/login.tsx` and add the following code to it:
+
+```js title="pages/login.tsx"
+import React from 'react';
+import { useForm } from 'react-hook-form';
+import Head from 'next/head';
+import { signIn, signOut, useSession } from 'next-auth/react';
+
+const Login = () => {
+  const {
+    register,
+    handleSubmit,
+    formState: { errors },
+  } = useForm();
+
+  const { data: session } = useSession();
+
+  const onSubmit = async ({ team }) => {
+    // TODO: send a request to the get-organization endpoint and return the
+    // organizationId from your database
+    const organization = 'ORGANIZATION_ID';
+    signIn('workos', undefined, {
+      organization,
+    });
+  };
+
+  return (
+    <>
+      <Head>
+        <title>Next Enterprise | Login</title>
+        <meta name="description" content="Generated by create next app" />
+        <link rel="icon" href="/favicon.ico" />
+      </Head>
+      {session && (
+        <div className="py-32 flex flex-col items-center justify-center px-8">
+          <p>Signed in as {session.user.email}</p>
+          <br />
+          <button
+            onClick={() => signOut()}
+            className="max-w-sm flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-blue-600 hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500"
+          >
+            Sign out
+          </button>
+        </div>
+      )}
+      {!session && (
+        <div className="py-32 flex flex-col items-center justify-center px-8">
+          <div className="sm:mx-auto sm:w-full sm:max-w-md">
+            <svg
+              className="mx-auto h-12 w-auto"
+              xmlns="http://www.w3.org/2000/svg"
+              fill="none"
+              viewBox="0 0 35 32"
+            >
+              <path
+                fill="#2563eb"
+                d="M15.258 26.865a4.043 4.043 0 01-1.133 2.917A4.006 4.006 0 0111.253 31a3.992 3.992 0 01-2.872-1.218 4.028 4.028 0 01-1.133-2.917c.009-.698.2-1.382.557-1.981.356-.6.863-1.094 1.47-1.433-.024.109.09-.055 0 0l1.86-1.652a8.495 8.495 0 002.304-5.793c0-2.926-1.711-5.901-4.17-7.457.094.055-.036-.094 0 0A3.952 3.952 0 017.8 7.116a3.975 3.975 0 01-.557-1.98 4.042 4.042 0 011.133-2.918A4.006 4.006 0 0111.247 1a3.99 3.99 0 012.872 1.218 4.025 4.025 0 011.133 2.917 8.521 8.521 0 002.347 5.832l.817.8c.326.285.668.551 1.024.798.621.33 1.142.826 1.504 1.431a3.902 3.902 0 01-1.504 5.442c.033-.067-.063.036 0 0a8.968 8.968 0 00-3.024 3.183 9.016 9.016 0 00-1.158 4.244zM19.741 5.123c0 .796.235 1.575.676 2.237a4.01 4.01 0 001.798 1.482 3.99 3.99 0 004.366-.873 4.042 4.042 0 00.869-4.386 4.02 4.02 0 00-1.476-1.806 3.994 3.994 0 00-5.058.501 4.038 4.038 0 00-1.175 2.845zM23.748 22.84c-.792 0-1.567.236-2.226.678a4.021 4.021 0 00-1.476 1.806 4.042 4.042 0 00.869 4.387 3.99 3.99 0 004.366.873A4.01 4.01 0 0027.08 29.1a4.039 4.039 0 00-.5-5.082 4 4 0 00-2.832-1.18zM34 15.994c0-.796-.235-1.574-.675-2.236a4.01 4.01 0 00-1.798-1.483 3.99 3.99 0 00-4.367.873 4.042 4.042 0 00-.869 4.387 4.02 4.02 0 001.476 1.806 3.993 3.993 0 002.226.678 4.003 4.003 0 002.832-1.18A4.04 4.04 0 0034 15.993z M5.007 11.969c-.793 0-1.567.236-2.226.678a4.021 4.021 0 00-1.476 1.807 4.042 4.042 0 00.869 4.386 4.001 4.001 0 004.366.873 4.011 4.011 0 001.798-1.483 4.038 4.038 0 00-.5-5.08 4.004 4.004 0 00-2.831-1.181z"
+              />
+            </svg>
+            <h2 className="mt-6 text-center text-3xl font-extrabold text-gray-900">
+              Continue using enterprise SSO
+            </h2>
+          </div>
+
+          <div className="mt-8 sm:mx-auto w-full max-w-sm">
+            <div className="bg-white py-8 px-4 shadow sm:rounded-lg sm:px-10">
+              <form className="space-y-6" onSubmit={handleSubmit(onSubmit)}>
+                <div>
+                  <label
+                    htmlFor="team"
+                    className="block text-sm font-medium text-gray-700"
+                  >
+                    Team name
+                  </label>
+                  <div className="mt-1">
+                    <input
+                      {...register('team', { required: true })}
+                      id="team"
+                      name="team"
+                      type="text"
+                      placeholder="team name"
+                      className="appearance-none block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm placeholder-gray-400 focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm"
+                    />
+                  </div>
+                </div>
+
+                <div>
+                  <button
+                    type="submit"
+                    className="w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-blue-600 hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500"
+                  >
+                    Sign in
+                  </button>
+                </div>
+              </form>
+            </div>
+          </div>
+        </div>
+      )}
+    </>
+  );
+};
+
+export default Login;
+```
+
+Next, start the development server by running the following command:
+
+```bash title="Start Server"
+npm run dev
+```
+
+The application will be running at `http://localhost:3000/login` and you’ll be able to see the following page:
+
+![A screenshot showing the landing page of the example application.](https://images.workoscdn.com/images/af8ddee4-e7f1-49a1-9e7c-05e190b31d6e.png?auto=format&fit=clip&q=50)
+
+## (7) Testing the Single Sign-On flow
+
+You should persist The Organization ID in your application’s database and associate it with your enterprise customer. Then when a user tries to log in, you first check if they’re an enterprise customer and then use the `signIn()` function from NextAuth.js to start the login flow.
+
+To test the login flow, hardcode the Organization ID in the form submission handler.
+
+```js title="pages/login.tsx"
+// code above unchanged
+
+const onSubmit = async ({ team }) => {
+  // TODO: create an endpoint that returns the
+  // organizationId from your database
+  /* +diff-start */
+  const organization = 'ORGANIZATION_ID';
+  /* +diff-end */
+  signIn('workos', undefined, {
+    organization,
+  });
+};
+
+// code below unchanged
+```
+
+If you type anything in the login form and click submit, you’ll be redirected to Okta. You’ll then need to use your IdP login credentials.
+
+After you complete the login process you’ll see the logged-in user’s email and a “Sign out” button
+
+![A screenshot showing the example application with a successfully logged in user.](https://images.workoscdn.com/images/7fd5daef-1cd9-401d-9884-3130b7b3a095.png?auto=format&fit=clip&q=50)
+
+If you’re interested in setting up a different Identity Provider, check out the [full list of tutorials](/sso) for setting up an SSO connection.

package/.docs/organized/docs/integrations/oidc.mdx

@@ -0,0 +1,64 @@
+---
+title: OpenID Connect
+description: Learn how to configure a new generic OIDC connection.
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/oidc.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [connection](/glossary/connection). Often, the information required to create a connection will differ by Identity Provider.
+
+To create an OpenID Connect (OIDC) connection, you’ll need four pieces of information: a [Redirect URI](/glossary/redirect-uri), a [Client ID](/glossary/client-id), a [Client Secret](/glossary/client-secret), and a [Discovery Endpoint](/glossary/discovery-endpoint).
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the Redirect URI. It’s readily available in your connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/). The Redirect URI is the location an Identity Provider redirects its authentication response to.
+
+![A screenshot showing the Redirect URI of a OIDC connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/8ad61f1a-b7af-452d-85fd-18455d545b23.png?auto=format&fit=clip&q=50)
+
+---
+
+## What you’ll need
+
+In order to integrate you’ll need the Client ID, Client Secret, as well as the Discovery Endpoint.
+
+Normally, this information will come from the organization's IT Management team when they set up your application’s OpenID Connect configuration in their Identity Provider admin dashboard. But, should that not be the case during your setup, here’s how to obtain them.
+
+---
+
+## (1) Create an Application with your IdP
+
+For SSO to properly function with your Identity Provider, you’ll need to create and configure your OpenID Connect application to support the authorization code grant type and have the redirect URI from WorkOS listed as your login redirect URI.
+
+---
+
+## (2) Add claims to the ID token
+
+Add the `sub`, `email`, `given_name`, and `family_name` claims to the user ID token in your OIDC provider settings. These claims map to the `idp_id`, `email`, `first_name`, and `last_name` attributes in the user profile returned by WorkOS. If the `given_name` claim is not available, the `name` claim will be mapped to the `first_name` attribute instead. For many providers, these claims are included by default, but for other providers you will need to add these claims.
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, add the `groups` claim to the user ID token in your OIDC provider settings. This claim should map to a user’s group membership.
+
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+---
+
+## (3) Provide your Client Credentials
+
+After creating an OpenID Connect application, a Client ID and Client Secret will be provisioned for you by your Identity Provider. Enter these in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/).
+
+---
+
+## (4) Add Discovery Endpoint
+
+Your Identity Provider’s Discovery Endpoint contains important configuration information. Enter this in your connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/). Your Connection will then be verified and good to go!
+
+The OIDC discovery endpoint will always end with `/.well-known/openid-configuration` as described in the [OpenID Provider Configuration Request documentation](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).
+
+You can confirm that the discovery endpoint is correct by entering it in a browser window. If there is a JSON object with metadata about the connection returned, the endpoint is correct.

package/.docs/organized/docs/integrations/okta-saml.mdx

@@ -0,0 +1,144 @@
+---
+title: Okta SAML
+description: "Learn how to configure a connection to\_Okta via SAML."
+icon: okta
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/okta-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create an Okta Connection, you’ll need three pieces of information: an [ACS URL](/glossary/acs-url), an [SP Entity ID](/glossary/sp-entity-id), and an [IdP Metadata URL](/glossary/idp-metadata).
+
+Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+
+Select the organization you’d like to configure an Okta Connection for, and select “Manually Configure Connection” under “Identity Provider”.
+
+![A screenshot showing where to find "Manually Configure Connection" in the WorkOS Dashboard.](https://images.workoscdn.com/images/9270090d-4f59-4b7b-95e9-1132a6bee872.png?auto=format&fit=clip&q=50)
+
+Select “Okta” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+
+![A screenshot showing "Create Connection" details in the WorkOS Dashboard.](https://images.workoscdn.com/images/287303da-4bbd-433b-bdd2-06f5002dd5ca.png?auto=format&fit=clip&q=50)
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the ACS URL and the SP Entity ID. It’s readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/get-started).
+
+![A screenshot showing where to find the ACS URL and SP Entity ID in the WorkOS Dashboard.](https://images.workoscdn.com/images/ad4ef355-6ea7-4e27-9762-91309c34dc2d.png?auto=format&fit=clip&q=50)
+
+The ACS URL is the location an Identity Provider redirects its authentication response to. In Okta’s case, it needs to be set by the organization when configuring your application in their Okta instance.
+
+The SP Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the entity ID is used to communicate that WorkOS will be the party performing SAML requests to the organization's Okta instance.
+
+Specifically, the ACS URL will need to be set as the “Single Sign-On URL” and the SP Entity ID will need to be set as the “Audience URI (SP Entity ID)” in the “Configure SAML” step of the Okta “Edit SAML Integration” wizard:
+
+![A screenshot showing where to place the WorkOS Single Sign-On URL and SP Entity ID in the Okta Dashboard.](https://images.workoscdn.com/images/52be9941-9e43-4f70-a65e-d4cd8883579c.png?auto=format&fit=clip&q=50)
+
+## What you’ll need
+
+Next, provide the [IdP Metadata URL](/glossary/idp-metadata). Normally, this information will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their Okta admin dashboard. But, should that not be the case during your setup, the next steps will show you how to obtain it.
+
+---
+
+## (1) Log in
+
+Log in to [Okta](https://login.okta.com), go to the admin dashboard, and select “Applications” in the navigation bar.
+
+![A screenshot showing how to navigate to existing applications in the Okta Dashboard.](https://images.workoscdn.com/images/b4f8bd68-3265-4ef6-8916-1f9e7eb241a1.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Select or create your application
+
+If your application is already created, select it from the list of applications and move to Step 7.
+
+![A screenshot showing existing applications in the Okta Dashboard.](https://images.workoscdn.com/images/f763ab3c-0ffc-49b7-8212-f988d0738e94.png?auto=format&fit=clip&q=50)
+
+If you haven’t created a SAML application in Okta, select “Create App Integration”.
+
+![A screenshot showing how to select "Create App Integration" in the Okta Dashboard.](https://images.workoscdn.com/images/cf63d4f1-3929-4426-a0df-959bbd06ce13.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Initial SAML Application Setup
+
+Select “Create New App”, then select “SAML 2.0” as a Sign on method, then click “Next”.
+
+![A screenshot showing the sign-in method selection in the Okta Dashboard.](https://images.workoscdn.com/images/036519d9-1d5a-462f-8d36-e87b618a3e94.png?auto=format&fit=clip&q=50)
+
+Enter a descriptive App name, then click “Next”.
+
+![A screenshot showing App name creation in the Okta Dashboard.](https://images.workoscdn.com/images/facbcbea-3ce0-421e-9725-e05e49bc056a.png?auto=format&fit=clip&q=50)
+
+---
+
+## (4) Configure SAML Application
+
+Input the ACS URL from your WorkOS Dashboard as the “Single Sign-On URL” and input the SP Entity ID from your WorkOS Dashboard as the “Audience URI (SP Entity ID)”.
+
+![A screenshot showing where to place the WorkOS Single Sign-On URL and SP Entity ID in the Okta Dashboard.](https://images.workoscdn.com/images/52be9941-9e43-4f70-a65e-d4cd8883579c.png?auto=format&fit=clip&q=50)
+
+Scroll down to the “Attribute Statements” section and use the “Add Another” button to add the following key-value pairs.
+
+- `id` → `user.id`
+- `email` → `user.email`
+- `firstName` → `user.firstName`
+- `lastName` → `user.lastName`
+
+![A screenshot showing the "Attribute Statements" configuration in the Okta Dashboard.](https://images.workoscdn.com/images/93f6811f-9f56-47a2-bfa0-d4babc91f66e.png?auto=format&fit=clip&q=50)
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, follow the guidance below.
+
+Scroll down to the Group Attribute Statements configuration. The Name should be set to `groups`, and you can define a filter to map the necessary Okta groups. To map all groups, filter by matching the regex `.*`, as shown in the screenshot below. You can preview the SAML Assertion to check that all attributes have been mapped correctly. Then, click “Next”.
+
+![A screenshot showing the "Groups Attribute Statement" configuration in the Okta Dashboard.](https://images.workoscdn.com/images/723c0734-a8cc-4903-a90d-273dfe282886.png?auto=format&fit=clip&q=50)
+
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+---
+
+## (5) Submit Application Feedback
+
+Select “I’m an Okta customer adding an internal app” from the options menu. Complete the form with any comments and select “Finish”.
+
+![A screenshot showing where to submit application feedback in the Okta Dashboard.](https://images.workoscdn.com/images/734d5229-1913-4cfb-b366-295104da4123.png?auto=format&fit=clip&q=50)
+
+---
+
+## (6) Add Users to SAML Application
+
+To give users permission to authenticate via this SAML app, you will need to assign individual users and/or groups of users to the Okta app.
+
+Click on the “Assignments” tab, and select either “Assign to People” or “Assign to Groups”.
+
+![A screenshot showing the Okta Application "Assignments" tab in the Okta Dashboard.](https://images.workoscdn.com/images/a8380fe9-9e90-48ff-b665-8313311c28d1.png?auto=format&fit=clip&q=50)
+
+Find the individual user(s) and/or group(s) that you would like to assign to the app, and click “Assign” next to them. Click “Done” when you are finished.
+
+![A screenshot showing the selecting of groups to add to the Application in the Okta Dashboard.](https://images.workoscdn.com/images/c4fddfdc-35b2-4a4f-9d84-1a7e94968d24.png?auto=format&fit=clip&q=50)
+
+---
+
+## (7) Upload Metadata URL
+
+Click on the “Sign On” tab of the SAML app you just created.
+
+Click the “Actions” dropdown for the correct certificate and select “View IdP Metadata."
+
+![A screenshot showing the "View IdP Metadata" selection in the Okta Dashboard.](https://images.workoscdn.com/images/e98e855e-6733-4f6e-96da-5c993cebd21b.png?auto=format&fit=clip&q=50&w=2048)
+
+A separate tab will open. Copy the link in the browser.
+
+![A screenshot of the IdP Metadata XML URL in the Okta Dashboard.](https://images.workoscdn.com/images/eab81ff3-8037-4cd6-94ef-b00962084ad0.png?auto=format&fit=clip&q=50)
+
+Back in the WorkOS Dashboard, click on “Edit Metadata Configuration” in the “Identity Provider Configuration” section of the Connection. Input the Metadata URL and click “Save Metadata Configuration”. Your Connection will then be linked and good to go!
+
+![A screenshot showing where to place the Okta IdP Metadata URL in the WorkOS Dashboard.](https://images.workoscdn.com/images/a08a0c17-d510-4410-91cb-4477cfe310c8.png?auto=format&fit=clip&q=50)