Self-serve SSO and multi-project orgs reshape enterprise auth
June 22–28, 2026
WorkOS launched multiple Projects, Clerk enabled self-serve SSO for customer IT admins, and better-auth shipped a major OAuth provider restructuring — enterprise-grade auth capabilities moved further into developer tooling this week.
Enterprise configurations go self-serve
The week's most significant shift came from Clerk's self-serve SSO, which lets customer IT admins configure their own enterprise SSO connections — supporting Okta, Google Workspace, Microsoft Entra ID, and custom SAML — directly from an OrganizationProfile security tab. This removes the burden of managing per-customer SSO setup from your team. Across Clerk's JavaScript SDK, the @clerk/shared and @clerk/ui packages now handle expired organization domains in the self-serve flow gracefully, triggering re-verification instead of blocking. The @clerk/eslint-plugin also shipped a breaking change to its require-auth-protection rule: globs now resolve from the project root rather than app/, so projects using src/app/ must update their patterns.
WorkOS introduced multiple Projects within a single organization, each with its own API keys, users, directory sync configs, and audit logs — plus per-environment branding (logo, colors, custom domain). This pairs naturally with their new waitlist management feature, which lets teams gate sign-ups for beta launches directly through AuthKit.
better-auth restructures its OAuth foundation
Better Auth v1.7.0-rc.0 is the second pre-release toward 1.7 and brings deeper changes. The OAuth provider gains back-channel logout (revoking tokens on session end), explicit OAuth resource modeling, and the MCP module ships as its own package with renamed APIs (requireMcpAuth, createMcpResourceClient). Two-factor enablement now returns a discriminated response accepting an OTP method. The default trusted-proxy behavior also changes to ignore x-forwarded headers, and PKCE S256 is now enforced for Electron auth.
Across v1.7.0-beta.10 and v1.6.22, several important fixes landed: rate limiting now runs before plugin handlers, unproven credentials are revoked after magic link or email OTP sign-in, and account lockout is enforced after repeated two-factor failures. Session permission revocations now take effect immediately even with cookie caching enabled, and server-side OAuth requests refuse to follow redirect responses.
Clerk's platform updates: cross-tab stability and iOS alignment
@clerk/clerk-js v6.22.0 fixed a subtle cross-tab broadcast failure that was evicting freshly cached session tokens — now a failed broadcast no longer discards valid tokens, reducing unnecessary getToken() network requests. On the Expo side, @clerk/expo v3.6.0 aligns iOS native module registration with Expo Modules (matching Android), and deprecates native Google Sign-In in favor of the separate @clerk/expo-google-signin package coming in the next major version. Version 3.6.1 added native theme color support for SSO button configurations. The iOS SDK 1.2.6 gates Apple sign-in transfer by sign-up mode and renders a development mode indicator natively.
The @clerk/ui package v1.23.0 fixes a frustrating bug where the self-serve SSO configuration wizard lost its place when organization data refetched mid-flow — the wizard now stays on its current step. It also adds drag-to-upload support in AvatarUploader and improves Tab element focus ring visibility for keyboard navigation.
Maintenance across the ecosystem
A wave of dependency bumps rolled through Clerk's SDKs this week, with @clerk/shared moving to v4.22.0 across nearly every package. Clerk also published corrected Electron passkeys platform packages after a build issue, and better-auth v1.6.21 added a Zod v4 compatibility patch for device authorization alongside SSO URL validation hardening. WorkOS's waitlist rounds out a week where auth tooling focused less on flashy new primitives and more on making enterprise configuration something you can hand off to customers.
Releases covered
- better-auth v1.7.0-rc.0 overhauls OAuth provider, renames MCP APIs, and adds back-channel logout
- Better Auth v1.7.0-beta.10 enforces rate limiting before plugins and revokes unproven credentials on magic link sign-in
- better-auth v1.6.22 fixes unproven credential revocation and wrong-org subscription actions
- better-auth v1.6.21 fixes OAuth state, 2FA lockout, and session permission changes
- Clerk adds self-serve SSO for customer IT admins
- @clerk/shared v4.22.0 handles expired organization domains in self-serve SSO
- Clerk JavaScript SDK @clerk/ui@1.23.0 fixes SSO wizard state loss and adds drag-to-upload
- @clerk/eslint-plugin 0.2.0 changes glob matching to project root
- @clerk/clerk-js@6.22.0 prevents cross-tab broadcast from dropping session tokens
- Clerk Expo v3.6.0 aligns iOS native module with Expo Modules, deprecates Google Sign-In
- Clerk Expo SDK v3.6.1 adds native theme colors for SSO buttons
- Clerk iOS SDK 1.2.6 gates Apple sign-in by sign-up mode, adds native dev indicator
- Clerk JavaScript SDK publishes corrected Electron passkeys platform packages