productivity
WorkOS MCP, CLI, and Lua Integration for AI Agents
WorkOS integration docs for AI agents: MCP gateway setup, WorkOS CLI commands, Lua API reference, credentials, and function schemas.WorkOS for agents
Credentials can be configured manually in web or CLI hosts.
Use this integration from Lua code mode, the headless integrations CLI, or the KosmoKrator MCP gateway. The same package metadata powers all three surfaces.
Agent Surfaces
Machine-Readable Metadata
Function Catalog
| Function | Type | Parameters | Description |
|---|---|---|---|
workos.workos_api_keys_validate_api_key | Write write | 0 | Validate an API key value and return the API key object if valid. |
workos.workos_api_keys_delete | Write write | 0 | Permanently deletes an API key. This action cannot be undone. Once deleted, any requests using this API key will fail authentication. |
workos.workos_audit_log_validators_list | Read read | 0 | Get a list of all Audit Log actions in the current environment. |
workos.workos_audit_log_validator_versions_create | Write write | 0 | Creates a new Audit Log schema used to validate the payload of incoming Audit Log Events. If the `action` does not exist, it will also be created. |
workos.workos_audit_log_validator_versions_schemas | Read read | 0 | Get a list of all schemas for the Audit Logs action identified by `:name`. |
workos.workos_audit_log_events_create | Write write | 0 | Create an Audit Log Event. This API supports idempotency which guarantees that performing the same operation multiple times will have the same result as if the operation were pe... |
workos.workos_audit_log_exports_exports | Write write | 0 | Create an Audit Log Export. Exports are scoped to a single organization within a specified date range. |
workos.workos_audit_log_exports_export | Read read | 0 | Get an Audit Log Export. The URL will expire after 10 minutes. If the export is needed again at a later time, refetching the export will regenerate the URL. |
workos.workos_authentication_challenges_verify | Write write | 0 | Verifies an Authentication Challenge. |
workos.workos_authentication_factors_create | Write write | 0 | Enrolls an Authentication Factor to be used as an additional factor of authentication. The returned ID should be used to create an authentication Challenge. |
workos.workos_authentication_factors_get | Read read | 0 | Gets an Authentication Factor. |
workos.workos_authentication_factors_delete | Write write | 0 | Permanently deletes an Authentication Factor. It cannot be undone. |
workos.workos_authentication_factors_challenge | Write write | 0 | Creates a Challenge for an Authentication Factor. |
workos.workos_external_auth_complete_login | Write write | 0 | Completes an external authentication flow and returns control to AuthKit. This endpoint is used with [Standalone Connect](/authkit/connect/standalone) to bridge your existing au... |
workos.workos_authorization_check | Write write | 0 | Check if an organization membership has a specific permission on a resource. Supports identification by resource_id OR by resource_external_id + resource_type_slug. |
workos.workos_authorization_list_resources_for_membership | Read read | 0 | Returns all child resources of a parent resource where the organization membership has a specific permission. This is useful for resource discovery—answering "What projects ca... |
workos.workos_authorization_list_effective_permissions | Read read | 0 | Returns all permissions the organization membership effectively has on a resource, including permissions inherited through roles assigned to ancestor resources. |
workos.workos_authorization_list_effective_permissions_by_external_id | Read read | 0 | Returns all permissions the organization membership effectively has on a resource identified by its external ID, including permissions inherited through roles assigned to ancest... |
workos.workos_authorization_role_assignments_list_role_assignments | Write write | 0 | List all role assignments for an organization membership. This returns all roles that have been assigned to the user on resources, including organization-level and sub-resource ... |
workos.workos_authorization_role_assignments_assign_role | Write write | 0 | Assign a role to an organization membership on a specific resource. |
workos.workos_authorization_role_assignments_remove_role_by_criteria | Write write | 0 | Remove a role assignment by role slug and resource. |
workos.workos_authorization_role_assignments_remove_role_by_id | Write write | 0 | Remove a role assignment using its ID. |
workos.workos_authorization_organization_roles_create | Write write | 0 | Create a new custom role for this organization. |
workos.workos_authorization_organization_roles_list | Read read | 0 | Get a list of all roles that apply to an organization. This includes both environment roles and custom roles, returned in priority order. |
workos.workos_authorization_organization_roles_get | Read read | 0 | Retrieve a role that applies to an organization by its slug. This can return either an environment role or a custom role. |
workos.workos_authorization_organization_roles_update | Write write | 0 | Update an existing custom role. Only the fields provided in the request body will be updated. |
workos.workos_authorization_organization_roles_delete | Write write | 0 | Delete an existing custom role. |
workos.workos_authorization_organization_role_permissions_set_permissions | Write write | 0 | Replace all permissions on a custom role with the provided list. |
workos.workos_authorization_organization_role_permissions_add_permission | Write write | 0 | Add a single permission to a custom role. If the permission is already assigned to the role, this operation has no effect. |
workos.workos_authorization_organization_role_permissions_remove_permission | Write write | 0 | Remove a single permission from a custom role by its slug. |
workos.workos_authorization_resources_by_external_id_get_by_external_id | Read read | 0 | Retrieve the details of an authorization resource by its external ID, organization, and resource type. This is useful when you only have the external ID from your system and nee... |
workos.workos_authorization_resources_by_external_id_update_by_external_id | Write write | 0 | Update an existing authorization resource using its external ID. |
workos.workos_authorization_resources_by_external_id_delete_by_external_id | Write write | 0 | Delete an authorization resource by organization, resource type, and external ID. This also deletes all descendant resources. |
workos.workos_authorization_resources_by_external_id_list_organization_memberships_for_resource_by_external_id | Read read | 0 | Returns all organization memberships that have a specific permission on a resource, using the resource's external ID. This is useful for answering "Who can access this resource?... |
workos.workos_authorization_role_assignments_list_role_assignments_for_resource_by_external_id | Write write | 0 | List all role assignments granted on a resource, identified by its external ID. Each assignment includes the organization membership it was granted to. |
workos.workos_authorization_permissions_list | Read read | 0 | Get a list of all permissions in your WorkOS environment. |
workos.workos_authorization_permissions_create | Write write | 0 | Create a new permission in your WorkOS environment. The permission can then be assigned to environment roles and custom roles. |
workos.workos_authorization_permissions_find | Read read | 0 | Retrieve a permission by its unique slug. |
workos.workos_authorization_permissions_update | Write write | 0 | Update an existing permission. Only the fields provided in the request body will be updated. |
workos.workos_authorization_permissions_delete | Write write | 0 | Delete an existing permission. System permissions cannot be deleted. |
workos.workos_authorization_resources_list | Read read | 0 | Get a paginated list of authorization resources. |
workos.workos_authorization_resources_create | Write write | 0 | Create a new authorization resource. |
workos.workos_authorization_resources_find_by_id | Read read | 0 | Retrieve the details of an authorization resource by its ID. |
workos.workos_authorization_resources_update | Write write | 0 | Update an existing authorization resource. |
workos.workos_authorization_resources_delete | Write write | 0 | Delete an authorization resource and all its descendants. |
workos.workos_authorization_resources_list_organization_memberships_for_resource | Read read | 0 | Returns all organization memberships that have a specific permission on a resource instance. This is useful for answering "Who can access this resource?". |
workos.workos_authorization_role_assignments_list_role_assignments_for_resource | Write write | 0 | List all role assignments granted on a specific resource instance. Each assignment includes the organization membership it was granted to. |
workos.workos_authorization_roles_create | Write write | 0 | Create a new environment role. |
workos.workos_authorization_roles_list | Read read | 0 | List all environment roles in priority order. |
workos.workos_authorization_roles_get | Read read | 0 | Get an environment role by its slug. |
workos.workos_authorization_roles_update | Write write | 0 | Update an existing environment role. |
workos.workos_authorization_role_permissions_set_permissions | Write write | 0 | Replace all permissions on an environment role with the provided list. |
workos.workos_authorization_role_permissions_add_permission | Write write | 0 | Add a single permission to an environment role. If the permission is already assigned to the role, this operation has no effect. |
workos.workos_applications_list | Read read | 0 | List all Connect Applications in the current environment with optional filtering. |
workos.workos_applications_create | Write write | 0 | Create a new Connect Application. Supports both OAuth and Machine-to-Machine (M2M) application types. |
workos.workos_applications_find | Read read | 0 | Retrieve details for a specific Connect Application by ID or client ID. |
workos.workos_applications_update | Write write | 0 | Update an existing Connect Application. For OAuth applications, you can update redirect URIs. For all applications, you can update the name, description, and scopes. |
workos.workos_applications_delete | Write write | 0 | Delete an existing Connect Application. |
workos.workos_application_credentials_list | Read read | 0 | List all client secrets associated with a Connect Application. |
workos.workos_application_credentials_create | Write write | 0 | Create new secrets for a Connect Application. |
workos.workos_application_credentials_delete | Write write | 0 | Delete (revoke) an existing client secret. |
workos.workos_connections_list | Read read | 0 | Get a list of all of your existing connections matching the criteria specified. |
workos.workos_connections_find | Read read | 0 | Get the details of an existing connection. |
workos.workos_connections_delete | Write write | 0 | Permanently deletes an existing connection. It cannot be undone. |
workos.workos_data_integrations_get_data_integration_authorize_url | Write write | 0 | Generates an OAuth authorization URL to initiate the connection flow for a user. Redirect the user to the returned URL to begin the OAuth flow with the third-party provider. |
workos.workos_data_integrations_get_userland_user_token | Write write | 0 | Fetches a valid OAuth access token for a user's connected account. WorkOS automatically handles token refresh, ensuring you always receive a valid, non-expired token. |
workos.workos_directories_list | Read read | 0 | Get a list of all of your existing directories matching the criteria specified. |
workos.workos_directories_find | Read read | 0 | Get the details of an existing directory. |
workos.workos_directories_delete_directory | Write write | 0 | Permanently deletes an existing directory. It cannot be undone. |
workos.workos_directory_groups_list | Read read | 0 | Get a list of all of existing directory groups matching the criteria specified. |
workos.workos_directory_groups_find | Read read | 0 | Get the details of an existing Directory Group. |
workos.workos_directory_users_list | Read read | 0 | Get a list of all of existing Directory Users matching the criteria specified. |
workos.workos_directory_users_find | Read read | 0 | Get the details of an existing Directory User. |
workos.workos_events_list | Read read | 0 | List events for the current environment. |
workos.workos_feature_flags_list | Read read | 0 | Get a list of all of your existing feature flags matching the criteria specified. |
workos.workos_feature_flags_find_by_slug | Read read | 0 | Get the details of an existing feature flag by its slug. |
workos.workos_feature_flags_disable_flag | Write write | 0 | Disables a feature flag in the current environment. |
workos.workos_feature_flags_enable_flag | Write write | 0 | Enables a feature flag in the current environment. |
workos.workos_flag_targets_create_target | Write write | 0 | Enables a feature flag for a specific target in the current environment. Currently, supported targets include users and organizations. |
workos.workos_flag_targets_delete_target | Write write | 0 | Removes a target from the feature flag's target list in the current environment. Currently, supported targets include users and organizations. |
workos.workos_organization_domains_create | Write write | 0 | Creates a new Organization Domain. |
workos.workos_organization_domains_get | Read read | 0 | Get the details of an existing organization domain. |
workos.workos_organization_domains_delete | Write write | 0 | Permanently deletes an organization domain. It cannot be undone. |
workos.workos_organization_domains_verify | Write write | 0 | Initiates verification process for an Organization Domain. |
workos.workos_organizations_list | Read read | 0 | Get a list of all of your existing organizations matching the criteria specified. |
workos.workos_organizations_create | Write write | 0 | Creates a new organization in the current environment. |
workos.workos_organizations_get_by_external_id | Read read | 0 | Get the details of an existing organization by an [external identifier](/authkit/metadata/external-identifiers). |
workos.workos_organizations_find | Read read | 0 | Get the details of an existing organization. |
workos.workos_organizations_update_organization | Write write | 0 | Updates an organization in the current environment. |
workos.workos_organizations_delete_organization | Write write | 0 | Permanently deletes an organization in the current environment. It cannot be undone. |
workos.workos_organizations_get_audit_log_configuration | Read read | 0 | Get the unified view of audit log trail and stream configuration for an organization. |
workos.workos_audit_logs_retention_audit_logs_retention | Read read | 0 | Get the configured event retention period for the given Organization. |
workos.workos_audit_logs_retention_update_audit_logs_retention | Write write | 0 | Set the event retention period for the given Organization. |
workos.workos_organization_api_keys_list | Read read | 0 | Get a list of all API keys for an organization. |
workos.workos_organization_api_keys_create | Write write | 0 | Create a new API key for an organization. |
workos.workos_organization_feature_flags_list | Read read | 0 | Get a list of all enabled feature flags for an organization. |
workos.workos_groups_create | Write write | 0 | Create a new group within an organization. |
workos.workos_groups_list | Read read | 0 | Get a paginated list of groups within an organization. |
workos.workos_groups_get | Read read | 0 | Retrieve a group by its ID within an organization. |
workos.workos_groups_update | Write write | 0 | Update an existing group. Only the fields provided in the request body will be updated. |
workos.workos_groups_delete | Write write | 0 | Delete a group from an organization. |
workos.workos_group_memberships_add_member | Write write | 0 | Add an organization membership to a group. |
workos.workos_group_memberships_list_members | Read read | 0 | Get a list of organization memberships in a group. |
workos.workos_group_memberships_remove_member | Write write | 0 | Remove an organization membership from a group. |
workos.workos_portal_sessions_create | Write write | 0 | Generate a Portal Link scoped to an Organization. |
workos.workos_radar_standalone_assess | Write write | 0 | Assess a request for risk using the Radar engine and receive a verdict. |
workos.workos_radar_standalone_update_radar_attempt | Write write | 0 | You may optionally inform Radar that an authentication attempt or challenge was successful using this endpoint. Some Radar controls depend on tracking recent successful attempts... |
workos.workos_radar_standalone_update_radar_list | Write write | 0 | Add an entry to a Radar list. |
workos.workos_radar_standalone_delete_radar_list_entry | Write write | 0 | Remove an entry from a Radar list. |
workos.workos_sso_authorize | Read read | 0 | Initiates the single sign-on flow. |
workos.workos_sso_json_web_key_set | Read read | 0 | Returns the JSON Web Key Set (JWKS) containing the public keys used for verifying access tokens. |
workos.workos_sso_logout | Read read | 0 | Logout allows to sign out a user from your application by triggering the identity provider sign out flow. This `GET` endpoint should be a redirection, since the identity provide... |
workos.workos_sso_logout_authorize | Write write | 0 | You should call this endpoint from your server to generate a logout token which is required for the [Logout Redirect](/reference/sso/logout) endpoint. |
workos.workos_sso_get_profile | Read read | 0 | Exchange an access token for a user's [Profile](/reference/sso/profile). Because this profile is returned in the [Get a Profile and Token endpoint](/reference/sso/profile/get-pr... |
workos.workos_sso_token | Write write | 0 | Get an access token along with the user [Profile](/reference/sso/profile) using the code passed to your [Redirect URI](/reference/sso/get-authorization-url/redirect-uri). |
workos.workos_userland_sessions_authenticate_0 | Write write | 0 | Authenticate a user with a specified [authentication method](/reference/authkit/authentication). |
workos.workos_userland_sso_authorize | Read read | 0 | Generates an OAuth 2.0 authorization URL to authenticate a user with AuthKit or SSO. |
workos.workos_userland_sso_device_authorization | Write write | 0 | Initiates the CLI Auth flow by requesting a device code and verification URLs. This endpoint implements the OAuth 2.0 Device Authorization Flow ([RFC 8628](https://datatracker.i... |
workos.workos_cors_origins_create_cors_origin | Write write | 0 | Creates a new CORS origin for the current environment. CORS origins allow browser-based applications to make requests to the WorkOS API. |
workos.workos_userland_users_get_email_verification | Read read | 0 | Get the details of an existing email verification code that can be used to send an email to a user for verification. |
workos.workos_userland_user_invites_list | Write write | 0 | Get a list of all of invitations matching the criteria specified. |
workos.workos_userland_user_invites_create | Write write | 0 | Sends an invitation email to the recipient. |
workos.workos_userland_user_invites_get_by_token | Write write | 0 | Retrieve an existing invitation using the token. |
workos.workos_userland_user_invites_get | Write write | 0 | Get the details of an existing invitation. |
workos.workos_userland_user_invites_accept | Write write | 0 | Accepts an invitation and, if linked to an organization, activates the user's membership in that organization. |
workos.workos_userland_user_invites_resend | Write write | 0 | Resends an invitation email to the recipient. The invitation must be in a pending state. |
workos.workos_userland_user_invites_revoke | Write write | 0 | Revokes an existing invitation. |
workos.workos_jwt_templates_get_jwt_template | Read read | 0 | Get the JWT template for the current environment. |
workos.workos_jwt_templates_update_jwt_template | Write write | 0 | Update the JWT template for the current environment. |
workos.workos_userland_magic_auth_send_magic_auth_code_and_return | Write write | 0 | Creates a one-time authentication code that can be sent to the user's email address. The code expires in 10 minutes. To verify the code, [authenticate the user with Magic Auth](... |
workos.workos_userland_magic_auth_get | Read read | 0 | Get the details of an existing [Magic Auth](/reference/authkit/magic-auth) code that can be used to send an email to a user for authentication. |
workos.workos_userland_user_organization_memberships_list | Read read | 0 | Get a list of all organization memberships matching the criteria specified. At least one of `user_id` or `organization_id` must be provided. By default only active memberships a... |
workos.workos_userland_user_organization_memberships_create | Write write | 0 | Creates a new `active` organization membership for the given organization and user. Calling this API with an organization and user that match an `inactive` organization membersh... |
workos.workos_userland_user_organization_memberships_get | Read read | 0 | Get the details of an existing organization membership. |
workos.workos_userland_user_organization_memberships_delete | Write write | 0 | Permanently deletes an existing organization membership. It cannot be undone. |
workos.workos_userland_user_organization_memberships_update | Write write | 0 | Update the details of an existing organization membership. |
workos.workos_userland_user_organization_memberships_deactivate | Write write | 0 | Deactivates an `active` organization membership. Emits an [organization_membership.updated](/events/organization-membership) event upon successful deactivation. - Deactivating a... |
workos.workos_userland_user_organization_memberships_reactivate | Write write | 0 | Reactivates an `inactive` organization membership, retaining the pre-existing role(s). Emits an [organization_membership.updated](/events/organization-membership) event upon suc... |
workos.workos_organization_membership_groups_list_groups | Read read | 0 | Get a list of groups that an organization membership belongs to. |
workos.workos_userland_users_create_password_reset_token | Write write | 0 | Creates a one-time token that can be used to reset a user's password. |
workos.workos_userland_users_reset_password_0 | Write write | 0 | Sets a new password using the `token` query parameter from the link that the user received. Successfully resetting the password will verify a user's email, if it hasn't been ver... |
workos.workos_userland_users_get_password_reset | Write write | 0 | Get the details of an existing password reset token that can be used to reset a user's password. |
workos.workos_redirect_uris_create | Write write | 0 | Creates a new redirect URI for an environment. |
workos.workos_userland_sessions_logout | Read read | 0 | Logout a user from the current [session](/reference/authkit/session). |
workos.workos_userland_sessions_revoke_session | Write write | 0 | Revoke a [user session](/reference/authkit/session). |
workos.workos_userland_users_list_0 | Read read | 0 | Get a list of all of your existing users matching the criteria specified. |
workos.workos_userland_users_create_0 | Write write | 0 | Create a new user in the current environment. |
workos.workos_userland_users_get_by_external_id | Read read | 0 | Get the details of an existing user by an [external identifier](/authkit/metadata/external-identifiers). |
workos.workos_userland_users_update_0 | Write write | 0 | Updates properties of a user. The omitted properties will be left unchanged. |
workos.workos_userland_users_get_0 | Read read | 0 | Get the details of an existing user. |
workos.workos_userland_users_delete_0 | Write write | 0 | Permanently deletes a user in the current environment. It cannot be undone. |
workos.workos_userland_users_confirm_email_change | Write write | 0 | Confirms an email change using the one-time code received by the user. |
workos.workos_userland_users_send_email_change | Write write | 0 | Sends an email that contains a one-time code used to change a user's email address. |
workos.workos_userland_users_email_verification_0 | Write write | 0 | Verifies an email address using the one-time code received by the user. |
workos.workos_userland_users_send_verification_email_0 | Write write | 0 | Sends an email that contains a one-time code used to verify a user’s email address. |
workos.workos_userland_user_identities_get | Read read | 0 | Get a list of identities associated with the user. A user can have multiple associated identities after going through [identity linking](/authkit/identity-linking). Currently on... |
workos.workos_userland_user_sessions_list | Read read | 0 | Get a list of all active sessions for a specific user. |
workos.workos_user_api_keys_list | Read read | 0 | Get a list of API keys owned by a specific user. |
workos.workos_user_api_keys_create | Write write | 0 | Create a new API key owned by a user. The user must have an active membership in the specified organization. |
workos.workos_userland_user_feature_flags_list | Read read | 0 | Get a list of all enabled feature flags for the provided user. This includes feature flags enabled specifically for the user as well as any organizations that the user is a memb... |
workos.workos_authorized_applications_list | Read read | 0 | Get a list of all Connect applications that the user has authorized. |
workos.workos_authorized_applications_delete | Write write | 0 | Delete an existing Authorized Connect Application. |
workos.workos_data_integrations_user_management_get_user_data_installation | Read read | 0 | Retrieves a user's [connected account](/reference/pipes/connected-account) for a specific provider. |
workos.workos_data_integrations_user_management_delete_user_data_installation | Write write | 0 | Disconnects WorkOS's account for the user, including removing any stored access and refresh tokens. The user will need to reauthorize if they want to reconnect. This does not re... |
workos.workos_data_integrations_user_management_get_user_data_integrations | Read read | 0 | Retrieves a list of available providers and the user's connection status for each. Returns all providers configured for your environment, along with the user's [connected accoun... |
workos.workos_userland_user_authentication_factors_create_0 | Write write | 0 | Enrolls a user in a new [authentication factor](/reference/authkit/mfa/authentication-factor). |
workos.workos_userland_user_authentication_factors_list_0 | Read read | 0 | Lists the [authentication factors](/reference/authkit/mfa/authentication-factor) for a user. |
workos.workos_webhook_endpoints_list | Read read | 0 | Get a list of all of your existing webhook endpoints. |
workos.workos_webhook_endpoints_create | Write write | 0 | Create a new webhook endpoint to receive event notifications. |
workos.workos_webhook_endpoints_update | Write write | 0 | Update the properties of an existing webhook endpoint. |
workos.workos_webhook_endpoints_delete | Write write | 0 | Delete an existing webhook endpoint. |
workos.workos_widgets_public_issue_widget_session_token | Write write | 0 | Generate a widget token scoped to an organization and user with the specified scopes. |