Browsers, bots, and billing
June 29 – July 5, 2026
WorkOS shipped a browser-facing GraphQL API and an MCP server for AI management, Auth0 pushed SCIM provisioning to downstream apps via Event Streams, and Clerk added account credits UI and OAuth token revocation.
Data to the frontend and the agent
WorkOS had its most consequential week in months with two entirely new surfaces for interacting with its platform — one for browsers, one for AI agents.
The Widgets API is a session-aware GraphQL API that lets the browser query WorkOS data directly using short-lived, origin-pinned tokens. Until now, pulling user details or roles into a custom UI meant either using WorkOS's prebuilt React Widgets (fast but inflexible) or writing your own backend proxy to call the REST API. The Widgets API eliminates that proxy: a coding agent can introspect the schema and write queries without any docs, and you can build an experience that fetches a user's details, roles, and sessions from a single POST on the client. It currently covers user management, sessions, and profile data.
On the same day, WorkOS launched the Management MCP Server, a Model Context Protocol server that lets Claude and other AI assistants manage WorkOS resources through natural language — user management, organizations, directory sync, audit logs, and role-based access control. Where the Widgets API is read-first and browser-oriented, the MCP server is write-capable and assistant-oriented; together they offer two complementary paths into WorkOS data without writing REST boilerplate.
Step-up auth and outbound SCIM
WorkOS also shipped step-up authentication, the long-requested feature that forces re-authentication or additional verification before sensitive operations — changing a password, updating a payment method, accessing an admin panel. It's configurable per-endpoint and protects accounts even when a session token is compromised.
Over at Auth0, the Outbound SCIM Action template for Event Streams pushes user.created, user.updated, and user.deleted events to any SCIM 2.0-compliant downstream application without requiring infrastructure. It's a ready-to-copy Action template with built-in fault tolerance and template-driven attribute mapping — essentially a zero-infrastructure path to provisioning downstream HR or IT systems from Auth0 user events.
Clerk broadens billing and backend surface
Clerk's Thursday drop was dominated by the @clerk/backend@3.9.0 release, which added clerkClient.oauthApplications.revokeToken() for revoking OAuth application tokens and hardened organizations.deleteOrganization() with validation that prevents issuing a DELETE request to the collection endpoint when no ID is provided. M2M JWT verification now rejects tokens with mismatched categories.
The JS SDK also picked up account credits UI: payers with an existing credit balance now see an account credits section and credit history page in the billing tab. This is supported across clerk-js, Clerk UI, and the localizations package — the pattern of shipping a new billing feature to all three simultaneously has become routine for Clerk. The next backend minor release, @clerk/backend@3.10.0, added an experimental clerkClient.emails.create() method for sending transactional emails, supporting address- or user-based recipients, subject, and HTML or text content.
A dozen framework packages (Next.js, Nuxt, Astro, Fastify, Hono, Express, React Router, TanStack Start, Remix, Vue, and Chrome Extension) rolled up these backend changes in patch bumps, and the Electron package auto-allowlisted custom schemes for renderer redirect protocols. Better Auth, meanwhile, shipped v1.7.0-rc.1 with Yandex OAuth support and fixes to auth migrate.