WorkOS

Several additions landed across AuthKit, the Admin Portal, and the SDK ecosystem over the past few months.

Per-user API key scoping arrived — organizations can now generate API keys tied to individual users, alongside existing org-level keys.¹ Admins create and revoke them through the updated API Keys widget.

Resource indicators tightened MCP auth — when an MCP client requests a token for a specific server, AuthKit now issues a token locked to that server.² A token issued for one MCP server cannot be used with another, drawing cleaner access boundaries across multi-server environments.

The Rust SDK shipped — async-first, with strongly typed resource APIs, a builder-based client, structured error handling, and stream-based auto-pagination.³ Helpers cover AuthKit, SSO, PKCE, webhook verification, JWKS, and Vault local crypto. Install via cargo add workos.

Feature Flags gained a runtime client — the Node SDK now includes an in-memory flag client that stays in sync without a network call per evaluation.⁴ Flag state is available synchronously from anywhere in the service, and the client emits events on state changes.

Environment management came to the dashboard — users can create staging and production environments, rename them, and switch between them through the environment selector dropdown.⁵

SCIM token rotation is now self-serve — IT admins can view and rotate SCIM directory bearer tokens directly from the Admin Portal without involving a developer.⁶

On the developer tooling front, a browser-based JWT Debugger launched for decoding and verifying tokens client-side, and an open-source OpenAPI spec was published covering every endpoint across AuthKit, SSO, Directory Sync, Audit Logs, and FGA.⁷⁸