{"id":290624,"date":"2026-04-27T12:16:51","date_gmt":"2026-04-27T12:16:51","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/integration-with-workos\/"},"modified":"2026-05-12T19:11:54","modified_gmt":"2026-05-12T19:11:54","slug":"integration-workos","status":"publish","type":"plugin","link":"https:\/\/uz.wordpress.org\/plugins\/integration-workos\/","author":13665834,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.3","stable_tag":"1.0.3","tested":"6.9.4","requires":"6.2","requires_php":"7.4","requires_plugins":null,"header_name":"Integration with WorkOS","header_author":"Gustavo Bordoni","header_description":"Enterprise identity management for WordPress powered by WorkOS. SSO, directory sync, MFA, and user management.","assets_banners_color":"f8f9fb","last_updated":"2026-05-12 19:11:54","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/github.com\/sponsors\/bordoni","header_plugin_uri":"https:\/\/github.com\/bordoni\/integration-workos","header_author_uri":"https:\/\/github.com\/bordoni","rating":0,"author_block_rating":0,"active_installs":0,"downloads":215,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"bordoni","date":"2026-04-27 12:15:20"},"1.0.1":{"tag":"1.0.1","author":"bordoni","date":"2026-05-01 18:17:36"},"1.0.2":{"tag":"1.0.2","author":"bordoni","date":"2026-05-11 23:20:15"},"1.0.3":{"tag":"1.0.3","author":"bordoni","date":"2026-05-12 19:11:54"}},"upgrade_notice":{"1.0.3":"<p>Fixes &quot;The user must choose an organization to finish their authentication.&quot; for AuthKit logins and the <code>\/workos\/callback<\/code> flow. 
When a Login Profile has an organization pinned, the plugin completes the authenticate call via the <code>organization-selection<\/code> grant transparently, and auto-enrolls pre-existing WordPress users into the pinned WorkOS organization (matching emails only \u2014 strangers still get rejected).<\/p>","1.0.2":"<p>Adds a WordPress-password fallback for the AuthKit password flow (with an optional email-confirmation step) so accounts that pre-date the WorkOS integration can keep logging in, and adds a <code>wp-config.php<\/code> constant seeder for all major settings. Also renames the auth REST nonce header from <code>X-WP-Nonce<\/code> to <code>X-WorkOS-Nonce<\/code> \u2014 external clients calling <code>\/wp-json\/workos\/v1\/auth\/*<\/code> directly need to update the header name.<\/p>","1.0.1":"<p>Adds a manual Refresh button next to the Organization dropdown, fixes a regression that prevented saving the Organization tab, and fixes the active-environment selector so picking &quot;Production&quot; actually loads production credentials instead of staging.<\/p>","1.0.0":"<p>Initial stable release: WordPress-hosted Custom AuthKit (React login with Login Profiles, MFA, and passkeys), plus SSO, Directory Sync, role mapping, organization management, and full admin 
tooling.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3516426,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3516426,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3516426,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3516426,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":{"workos\/login-button":{"$schema":"https:\/\/schemas.wp.org\/trunk\/block.json","apiVersion":3,"name":"workos\/login-button","version":"1.0.1","title":"WorkOS Login Button","category":"widgets","icon":"lock","description":"Display a WorkOS login or logout button.","keywords":["login","auth","workos","sso"],"textdomain":"integration-workos","supports":{"html":false,"multiple":true},"attributes":{"mode":{"type":"string","default":"auto"},"redirect_to":{"type":"string","default":""},"logged_in_display":{"type":"string","default":"hide"},"button_text":{"type":"string","default":""},"logout_text":{"type":"string","default":""},"alignment":{"type":"string","default":"left"},"size":{"type":"string","default":"medium"},"style":{"type":"string","default":"filled"},"bg_color":{"type":"string","default":""},"text_color":{"type":"string","default":""},"border_color":{"type":"string","default":""},"border_radius":{"type":"string","default":""},"show_icon":{"type":"boolean","default":false},"show_registration":{"type":"boolean","default":false},"show_password_fallback":{"type":"boolean","default":false},"registration_text":{"type":"string","default":""},"password_fallback_text":{"type":"string","default":""}},"editorScript":"file:..\/..\/..\/build\/login-button.js","editorStyle":
"file:..\/..\/css\/login-button-editor.css","style":"file:..\/..\/css\/login-button.css"}},"tagged_versions":["1.0.0","1.0.1","1.0.2","1.0.3"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3516426,"resolution":"1","location":"assets","locale":"","width":1262,"height":1646},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3516426,"resolution":"2","location":"assets","locale":"","width":2028,"height":824},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3516426,"resolution":"3","location":"assets","locale":"","width":2168,"height":2652},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3516426,"resolution":"4","location":"assets","locale":"","width":2070,"height":2844}},"screenshots":{"1":"Branded Custom AuthKit login shown to site visitors \u2014 driven by a Login Profile, with logo, heading, brand color, and the sign-in methods (SSO, magic code, passkey, password) you enable.","2":"Login Profiles editor \u2014 pick sign-in methods, pin an organization, set the MFA policy, customize the URL path, and brand the card with a logo and color, all without code.","3":"WorkOS settings \u2014 switch between Production and Staging, manage API credentials and the webhook secret, and choose between Custom AuthKit and AuthKit Redirect login modes.","4":"Role mapping and redirects \u2014 map WorkOS organization roles to WordPress roles, route users to role-specific URLs after login and logout, and choose what happens to deprovisioned 
users."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[710,261169,22649,2469,261168],"plugin_category":[38],"plugin_contributors":[77685],"plugin_business_model":[],"class_list":["post-290624","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-directory-sync","plugin_tags-identity","plugin_tags-sso","plugin_tags-workos","plugin_category-authentication","plugin_contributors-bordoni","plugin_committers-bordoni"],"banners":{"banner":"https:\/\/ps.w.org\/integration-workos\/assets\/banner-772x250.png?rev=3516426","banner_2x":"https:\/\/ps.w.org\/integration-workos\/assets\/banner-1544x500.png?rev=3516426","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/integration-workos\/assets\/icon-128x128.png?rev=3516426","icon_2x":"https:\/\/ps.w.org\/integration-workos\/assets\/icon-256x256.png?rev=3516426","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/integration-workos\/assets\/screenshot-1.png?rev=3516426","caption":"Branded Custom AuthKit login shown to site visitors \u2014 driven by a Login Profile, with logo, heading, brand color, and the sign-in methods (SSO, magic code, passkey, password) you enable."},{"src":"https:\/\/ps.w.org\/integration-workos\/assets\/screenshot-2.png?rev=3516426","caption":"Login Profiles editor \u2014 pick sign-in methods, pin an organization, set the MFA policy, customize the URL path, and brand the card with a logo and color, all without code."},{"src":"https:\/\/ps.w.org\/integration-workos\/assets\/screenshot-3.png?rev=3516426","caption":"WorkOS settings \u2014 switch between Production and Staging, manage API credentials and the webhook secret, and choose between Custom AuthKit and AuthKit Redirect login modes."},{"src":"https:\/\/ps.w.org\/integration-workos\/assets\/screenshot-4.png?rev=3516426","caption":"Role mapping and redirects \u2014 map WorkOS organization roles to WordPress roles, route users to 
role-specific URLs after login and logout, and choose what happens to deprovisioned users."}],"raw_content":"<!--section=description-->\n<p>Integration with WorkOS connects your WordPress site with <a href=\"https:\/\/workos.com\">WorkOS<\/a> for enterprise-grade identity management.<\/p>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>WordPress 6.2 or higher<\/li>\n<li>PHP 7.4 or higher<\/li>\n<li>A <a href=\"https:\/\/workos.com\">WorkOS<\/a> account with API credentials<\/li>\n<\/ul>\n\n<h4>Custom AuthKit<\/h4>\n\n<ul>\n<li><strong>WordPress-hosted React login<\/strong> \u2014 no redirect to WorkOS for password, magic code, signup, invitation, or MFA. Mounts on wp-login.php, a shortcode (<code>[workos:login]<\/code>), and a dedicated <code>\/workos\/login\/{profile}<\/code> route.<\/li>\n<li><strong>Login Profiles<\/strong> \u2014 admin-defined presets (enabled sign-in methods, pinned organization, signup\/invite toggles, MFA policy, branding) edited from <strong>WorkOS \u2192 Login Profiles<\/strong>. The organization picker loads live from WorkOS so admins pick an org by name instead of pasting raw IDs.<\/li>\n<li><strong>Per-profile custom URL paths<\/strong> \u2014 assign any profile its own URL (e.g. <code>\/members<\/code>, <code>\/team\/login<\/code>) on top of the canonical <code>\/workos\/login\/{profile}<\/code> rewrite. When the default profile owns a custom path, <code>\/wp-login.php<\/code> 302s to it (preserving every inbound query arg). Reserved core paths can't be claimed.<\/li>\n<li><strong>Already-signed-in handling<\/strong> \u2014 visitors who hit any AuthKit surface while logged in are 302'd to their post-login destination (or, in the shortcode, see an inline \"You're already signed in\" notice with a Continue link).<\/li>\n<li><strong><code>forward_query_args<\/code> per-profile toggle<\/strong> \u2014 opt-in passing of marketing\/analytics query args (<code>utm_*<\/code>, <code>ref<\/code>, etc.) onto the post-login destination. 
WP and plugin internals are always stripped.<\/li>\n<li><strong>Sign-in methods<\/strong> \u2014 email + password, magic code, social OAuth (Google, Microsoft, GitHub, Apple), and passkey. Each profile chooses its own subset.<\/li>\n<li><strong>MFA<\/strong> \u2014 TOTP, SMS, and WebAuthn\/passkey with in-app enrollment + challenge. Profile-level <code>mfa.enforce<\/code> (<code>never<\/code>\/<code>if_required<\/code>\/<code>always<\/code>) and factor allowlist are applied at login time.<\/li>\n<li><strong>Self-serve sign-up + invitation acceptance + in-app password reset<\/strong> \u2014 all handled by the React shell; no third-party pages.<\/li>\n<li><strong>Branding controls<\/strong> \u2014 per-profile heading, subheading, primary color (with WordPress admin-color presets), and logo with a three-mode toggle (<code>default<\/code> falls back to the Site Icon then a bundled WP logo, <code>custom<\/code> uses the chosen image, <code>none<\/code> hides the logo).<\/li>\n<li><strong>Embed &amp; URLs in the editor<\/strong> \u2014 every Login Profile shows copyable input fields for its canonical URL, optional custom-path URL, and shortcode so admins can paste them into pages or share them with users.<\/li>\n<li><strong>WorkOS Radar<\/strong> anti-fraud integration optional via <code>WORKOS_RADAR_SITE_KEY<\/code>.<\/li>\n<li><strong>Profile routing rules<\/strong> \u2014 send incoming logins to a specific profile based on <code>redirect_to<\/code>, referrer host, or user role.<\/li>\n<\/ul>\n\n<h4>Authentication<\/h4>\n\n<ul>\n<li><strong>Single Sign-On (SSO)<\/strong> \u2014 legacy AuthKit redirect mode, per-profile selectable for SAML\/OIDC connections.<\/li>\n<li><strong>Headless mode<\/strong> \u2014 intercept WordPress's <code>authenticate<\/code> filter for custom login forms.<\/li>\n<li><strong>Legacy Login Button<\/strong> \u2014 Gutenberg block and classic widget (AuthKit-redirect flow).<\/li>\n<li><strong>Login Bypass<\/strong> \u2014 Access the native 
WordPress login form via <code>?fallback=1<\/code> when WorkOS is unavailable.<\/li>\n<li><strong>Password Reset Integration<\/strong> \u2014 Redirect password reset to WorkOS or fall back to WordPress.<\/li>\n<li><strong>Registration Redirect<\/strong> \u2014 Redirect registration to WorkOS AuthKit.<\/li>\n<li><strong>REST API Authentication<\/strong> \u2014 Verify WorkOS access tokens for headless\/API usage.<\/li>\n<\/ul>\n\n<h4>User &amp; Organization Management<\/h4>\n\n<ul>\n<li><strong>Directory Sync<\/strong> \u2014 Automatic user provisioning and deprovisioning via SCIM.<\/li>\n<li><strong>Role Mapping<\/strong> \u2014 Map WorkOS organization roles to WordPress roles.<\/li>\n<li><strong>Organization Management<\/strong> \u2014 Multi-tenant organization support.<\/li>\n<li><strong>Entitlement Gate<\/strong> \u2014 Require organization membership to log in.<\/li>\n<\/ul>\n\n<h4>Redirects<\/h4>\n\n<ul>\n<li><strong>Role-Based Login Redirects<\/strong> \u2014 Send users to different URLs after login based on their WordPress role.<\/li>\n<li><strong>Role-Based Logout Redirects<\/strong> \u2014 Send users to different URLs after logout based on their WordPress role.<\/li>\n<\/ul>\n\n<h4>Admin Tools<\/h4>\n\n<ul>\n<li><strong>Activity Logging<\/strong> \u2014 Local database table with admin viewer for tracking authentication and sync events.<\/li>\n<li><strong>Audit Logging<\/strong> \u2014 Forward WordPress events to WorkOS Audit Logs.<\/li>\n<li><strong>Diagnostics Page<\/strong> \u2014 System health checks, configuration status, and connectivity tests.<\/li>\n<li><strong>Onboarding Wizard<\/strong> \u2014 Guided setup for initial plugin configuration and user sync.<\/li>\n<li><strong>Admin Bar Badge<\/strong> \u2014 Shows the active WorkOS environment in the admin bar.<\/li>\n<li><strong>WP-CLI Commands<\/strong> \u2014 Full CLI access for scripting, bulk operations, and diagnostics.<\/li>\n<\/ul>\n\n<h4>Privacy &amp; Security<\/h4>\n\n<p>This plugin transmits 
user data (email, name) to WorkOS for authentication and directory sync. No data is sent until you configure API credentials and users authenticate. API keys are stored in the WordPress database or can be defined as constants in wp-config.php. See the \"External services\" section for full details on data transmitted.<\/p>\n\n<h3>Support<\/h3>\n\n<ul>\n<li><a href=\"https:\/\/github.com\/bordoni\/integration-workos\">Documentation &amp; Source Code<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/bordoni\/integration-workos\/issues\">Report a Bug<\/a><\/li>\n<li><a href=\"https:\/\/workos.com\/docs\">WorkOS Documentation<\/a><\/li>\n<\/ul>\n\n<h3>External services<\/h3>\n\n<p>This plugin connects to the <a href=\"https:\/\/workos.com\">WorkOS API<\/a> (<code>https:\/\/api.workos.com<\/code>) to provide enterprise identity management features for WordPress.<\/p>\n\n<h4>Authentication (SSO)<\/h4>\n\n<p>When a user logs in via WorkOS AuthKit or headless mode, the plugin sends an authorization code (and, in headless mode, the user's email and password) to WorkOS to exchange for user identity data and access tokens. This happens each time a user authenticates through WorkOS.<\/p>\n\n<h4>User Management<\/h4>\n\n<p>When the site administrator creates, updates, or syncs users between WordPress and WorkOS, the plugin sends user profile data (email, first name, last name) to the WorkOS API.<\/p>\n\n<h4>Directory Sync<\/h4>\n\n<p>The plugin receives incoming webhook requests from WorkOS containing directory and user data for automatic provisioning and deprovisioning. 
The webhook endpoint URL is registered with WorkOS by the site administrator.<\/p>\n\n<h4>Organization Management<\/h4>\n\n<p>When managing organizations, the plugin sends and retrieves organization data (name, membership details, role assignments) to and from the WorkOS API.<\/p>\n\n<h4>Audit Logging<\/h4>\n\n<p>When audit logging is enabled, the plugin sends WordPress event data (action performed, actor, target, and metadata) to the WorkOS Audit Logs API on each tracked event.<\/p>\n\n<h4>Token Verification<\/h4>\n\n<p>When REST API authentication is enabled, the plugin fetches JSON Web Key Sets (JWKS) from WorkOS (<code>https:\/\/api.workos.com\/sso\/jwks\/{client_id}<\/code>) to verify access tokens. The JWKS response is cached locally for one hour.<\/p>\n\n<h4>Service links<\/h4>\n\n<p>WorkOS is provided by WorkOS, Inc.<\/p>\n\n<ul>\n<li><a href=\"https:\/\/workos.com\/legal\/terms\">Terms of Service<\/a><\/li>\n<li><a href=\"https:\/\/workos.com\/legal\/privacy\">Privacy Policy<\/a><\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Go to <strong>Plugins &gt; Add New<\/strong> in your WordPress admin and search for \"Integration with WorkOS\".<\/li>\n<li>Click <strong>Install Now<\/strong>, then <strong>Activate<\/strong>.<\/li>\n<li>Go to <strong>Settings &gt; WorkOS<\/strong> and enter your API Key and Client ID from the <a href=\"https:\/\/dashboard.workos.com\">WorkOS Dashboard<\/a>.<\/li>\n<li>Configure your webhook endpoint in the WorkOS Dashboard using the URL shown on the settings page.<\/li>\n<li>(Optional) Run the Onboarding Wizard at <strong>Settings &gt; WorkOS &gt; Onboarding<\/strong> for guided setup.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"where%20do%20i%20get%20my%20api%20credentials%3F\"><h3>Where do I get my API credentials?<\/h3><\/dt>\n<dd><p>Sign up at <a href=\"https:\/\/workos.com\">workos.com<\/a> and find your API Key and Client ID in the dashboard.<\/p><\/dd>\n<dt 
id=\"can%20users%20still%20log%20in%20with%20passwords%3F\"><h3>Can users still log in with passwords?<\/h3><\/dt>\n<dd><p>Yes, if \"Password Fallback\" is enabled in settings. Users can access the standard login form via <code>?fallback=1<\/code>.<\/p><\/dd>\n<dt id=\"how%20do%20i%20add%20a%20login%20button%20to%20my%20site%3F\"><h3>How do I add a login button to my site?<\/h3><\/dt>\n<dd><p>Add the \"WorkOS Login\" Gutenberg block or use the \"WorkOS Login\" classic widget. Both render a styled login button that redirects to WorkOS AuthKit.<\/p><\/dd>\n<dt id=\"how%20do%20i%20show%20the%20new%20wordpress-hosted%20login%20%28custom%20authkit%29%20on%20a%20page%3F\"><h3>How do I show the new WordPress-hosted login (Custom AuthKit) on a page?<\/h3><\/dt>\n<dd><p>Use <code>[workos:login profile=\"your-profile-slug\"]<\/code> or link to <code>\/workos\/login\/{profile}<\/code>. Both mount the same React shell. The reserved <code>default<\/code> Login Profile automatically takes over wp-login.php.<\/p><\/dd>\n<dt id=\"can%20different%20login%20pages%20offer%20different%20sign-in%20methods%3F\"><h3>Can different login pages offer different sign-in methods?<\/h3><\/dt>\n<dd><p>Yes. Each Login Profile (WorkOS \u2192 Login Profiles) picks its own set of enabled methods (password, magic code, any subset of social providers, passkey), pins an organization, and sets its own MFA policy and branding. Reference a profile by slug in the shortcode or URL.<\/p><\/dd>\n<dt id=\"can%20i%20host%20a%20login%20profile%20at%20a%20custom%20url%20like%20%60%2Fmembers%60%3F\"><h3>Can I host a Login Profile at a custom URL like `\/members`?<\/h3><\/dt>\n<dd><p>Yes. Edit any profile and tick <strong>Use a custom URL path<\/strong>, then fill in the path (e.g. <code>members<\/code> or <code>team\/login<\/code>). The plugin registers an extra rewrite rule that mounts the same React shell at <code>https:\/\/yoursite.com\/members\/<\/code>. 
The canonical <code>\/workos\/login\/{slug}<\/code> URL keeps working too. Reserved core paths (<code>wp-admin<\/code>, <code>wp-includes<\/code>, <code>wp-content<\/code>, <code>wp-json<\/code>, <code>workos<\/code>, <code>feed<\/code>, etc.) are blocked at save time. If you set a custom path on the <strong>default<\/strong> profile, <code>\/wp-login.php?action=login<\/code> 302s to it for everyone (with all <code>redirect_to<\/code> \/ <code>interim-login<\/code> \/ language \/ nonce args preserved).<\/p><\/dd>\n<dt id=\"what%20happens%20if%20workos%20is%20down%3F\"><h3>What happens if WorkOS is down?<\/h3><\/dt>\n<dd><p>Users can bypass the WorkOS redirect by appending <code>?fallback=1<\/code> to the login URL (e.g., <code>wp-login.php?fallback=1<\/code>). This loads the standard WordPress login form with native password authentication.<\/p><\/dd>\n<dt id=\"can%20i%20require%20organization%20membership%20to%20log%20in%3F\"><h3>Can I require organization membership to log in?<\/h3><\/dt>\n<dd><p>Yes. The Entitlement Gate feature restricts login to users who belong to the configured WorkOS organization. Users without a membership are denied access with a customizable error message.<\/p><\/dd>\n<dt id=\"how%20do%20i%20sync%20existing%20wordpress%20users%20to%20workos%3F\"><h3>How do I sync existing WordPress users to WorkOS?<\/h3><\/dt>\n<dd><p>Use the Onboarding Wizard (Settings &gt; WorkOS &gt; Onboarding) for a guided walkthrough, or use the WP-CLI command <code>wp workos sync push<\/code> to bulk-push users to WorkOS.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20support%20wordpress%20multisite%3F\"><h3>Does this plugin support WordPress multisite?<\/h3><\/dt>\n<dd><p>Yes. 
Organizations can be mapped to specific sites in a multisite network, and the plugin stores organization-to-site mappings in a dedicated table.<\/p><\/dd>\n<dt id=\"how%20do%20i%20run%20diagnostics%3F\"><h3>How do I run diagnostics?<\/h3><\/dt>\n<dd><p>Go to <strong>Tools &gt; WorkOS Diagnostics<\/strong> in the WordPress admin. The diagnostics page checks API connectivity, configuration completeness, database schema status, and other health indicators.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.3 - 2026-05-12<\/h4>\n\n<ul>\n<li>Fix: AuthKit login flows now recover transparently from WorkOS <code>organization_selection_required<\/code>. When the Login Profile has an organization pinned (with <code>Config::get_organization_id()<\/code> as a fallback), the plugin re-authenticates via the <code>organization-selection<\/code> grant instead of surfacing \"The user must choose an organization to finish their authentication.\" to the user.<\/li>\n<li>Fix: pre-existing WordPress users who joined before an organization was pinned are now auto-enrolled into the pinned WorkOS organization. The plugin creates the WorkOS membership and retries the authenticate call when (and only when) a matching local WP user exists and the WorkOS error body carries the authenticated <code>user_id<\/code>. Membership creation and the <code>entity_already_exists<\/code> short-circuit are logged via <code>workos_log()<\/code> (visible under <code>WP_DEBUG<\/code> \/ <code>WORKOS_DEBUG<\/code>). Strangers and ambiguous lookups still get a clean <code>pinned_org_mismatch<\/code> error \u2014 no email-lookup guessing.<\/li>\n<li>Fix: the legacy OAuth callback at <code>\/workos\/callback<\/code> now routes through <code>LoginCompleter<\/code>, so it shares the same <code>organization_selection_required<\/code> recovery, MFA gating, and post-login bookkeeping as the AuthKit REST endpoints. The callback no longer short-circuits on the WorkOS error and discards the OAuth code. 
Legacy AuthKit-redirect callbacks (no profile slug in <code>state<\/code>) keep their original redirect contract \u2014 the state-supplied <code>redirect_to<\/code> still wins over the default profile's <code>post_login_redirect<\/code>.<\/li>\n<\/ul>\n\n<h4>1.0.2 - 2026-05-11<\/h4>\n\n<ul>\n<li>New: WordPress password fallback \u2014 if WorkOS rejects a password, the auth endpoint can retry against WordPress's own <code>wp_authenticate()<\/code> to cover users whose passwords were never synced to WorkOS, then link the user to WorkOS and (by default) write the password through so future logins authenticate directly. A new \"Require Email Confirmation on Fallback\" setting switches the post-fallback step to a magic-code email instead of syncing the plaintext password. Gated by the existing <code>allow_password_fallback<\/code> toggle.<\/li>\n<li>New: wp-config.php constant seeder \u2014 defining <code>WORKOS_*<\/code> (or env-scoped <code>WORKOS_{PRODUCTION|STAGING}_*<\/code>) constants now seeds those values into the database on boot, so the admin UI reflects them. Covers string credentials, the new boolean toggles, and <code>WORKOS_REDIRECT_URLS<\/code> arrays. Hash-skipped when nothing has changed \u2014 one autoloaded option read per request in steady state.<\/li>\n<li>Fix: Auth REST endpoints under <code>\/wp-json\/workos\/v1\/auth\/*<\/code> now read the nonce from <code>X-WorkOS-Nonce<\/code> instead of <code>X-WP-Nonce<\/code> to avoid a header collision with WordPress core and other plugins. The bundled React shell is updated; external clients hitting these endpoints directly must rename the header.<\/li>\n<\/ul>\n\n<h4>1.0.1 - 2026-05-01<\/h4>\n\n<ul>\n<li>New: Organization tab \u2014 manual Refresh button next to the organization dropdown re-fetches organizations from WorkOS on demand via the admin REST endpoint (no admin-ajax), bypassing the 5-minute cache. 
The dropdown is blocked with a spinner during the refresh and the selected organization is preserved when it still exists.<\/li>\n<li>New: <code>?refresh=1<\/code> query parameter on <code>GET \/wp-json\/workos\/v1\/admin\/profiles\/organizations<\/code> to drop the shared transient before fetching.<\/li>\n<li>Fix: Organization tab \u2014 \"Save Settings\" was blocked by a hidden, required <code>org_name<\/code> input. The Create Organization modal is now rendered at <code>admin_footer<\/code> so its inner <code>&lt;form&gt;<\/code> is no longer nested inside the settings form.<\/li>\n<li>Fix: Active environment is now stored in a single place. The admin Settings UI wrote to <code>workos_active_environment<\/code> while the runtime auth flow read from <code>workos_global['active_environment']<\/code>, so picking \"Production\" still loaded staging credentials and redirected to the staging AuthKit. The runtime now reads\/writes the standalone option, with a one-time migration (db_version 2 \u2192 3) that moves any legacy value out of <code>workos_global<\/code>.<\/li>\n<\/ul>\n\n<h4>1.0.0 - 2026-04-23<\/h4>\n\n<p>Custom AuthKit (WordPress-hosted login):<\/p>\n\n<ul>\n<li>React login shell on wp-login.php, <code>[workos:login]<\/code> shortcode, and <code>\/workos\/login\/{profile}<\/code> route.<\/li>\n<li>Login Profiles \u2014 admin-defined presets for enabled methods, pinned organization, signup\/invite\/reset flows, MFA policy, and branding, managed at WorkOS \u2192 Login Profiles.<\/li>\n<li>Per-profile custom URL paths (e.g. <code>\/members<\/code>, <code>\/team\/login<\/code>) on top of the canonical <code>\/workos\/login\/{slug}<\/code> rewrite. The default profile can claim a custom path so <code>\/wp-login.php<\/code> bounces to it. 
Reserved core paths are blocked.<\/li>\n<li>Already-signed-in visitors are 302'd to their post-login destination on every AuthKit surface (or shown an inline \"You're already signed in\" notice in the shortcode).<\/li>\n<li>Per-profile <code>forward_query_args<\/code> toggle to pass marketing\/analytics args onto the post-login destination (internals always stripped).<\/li>\n<li>Pinned-organization picker in the Profile editor reads live from WorkOS (with a \"Custom ID\u2026\" fallback for legacy or unlisted orgs), and the Profiles list renders organization names instead of raw IDs.<\/li>\n<li>Embed &amp; URLs section in the editor exposes copyable input fields for the canonical URL, the optional custom-path URL, and the <code>[workos:login profile=\"\u2026\"]<\/code> shortcode.<\/li>\n<li>Sign-in methods: email + password, magic code, social OAuth (Google, Microsoft, GitHub, Apple), passkey.<\/li>\n<li>Full MFA support \u2014 TOTP, SMS, WebAuthn\/passkey with in-app enrollment + challenge.<\/li>\n<li>Self-serve sign-up, invitation acceptance, and in-app password reset.<\/li>\n<li>Branding \u2014 heading, subheading, primary color (defaults to WordPress admin-color palette), and three-mode logo control (<code>default<\/code> falls back to Site Icon \u2192 bundled WP logo, <code>custom<\/code> uses the chosen attachment, <code>none<\/code> hides the logo).<\/li>\n<li>SlotFill extensibility \u2014 ten named slots (including <code>workos.authkit.belowCard<\/code>, which renders standard wp-login.php links by default) for plugins to inject React elements into the login UI.<\/li>\n<li>Profile routing rules (redirect_to glob \/ referrer host \/ user role).<\/li>\n<li>WorkOS Radar anti-fraud integration (set <code>WORKOS_RADAR_SITE_KEY<\/code>).<\/li>\n<li>Public REST at <code>\/wp-json\/workos\/v1\/auth\/*<\/code> with profile-scoped nonces, per-IP\/per-email rate limits, and signature-verified tokens.<\/li>\n<li>Full browser internationalization \u2014 every user-facing React\/TS\/JS string ships through <code>@wordpress\/i18n<\/code> with the 
<code>integration-workos<\/code> text domain and <code>wp_set_script_translations()<\/code> wiring.<\/li>\n<\/ul>\n\n<p>Base platform:<\/p>\n\n<ul>\n<li>SSO login via WorkOS AuthKit (legacy redirect mode, per-profile selectable).<\/li>\n<li>Headless authentication via WorkOS API.<\/li>\n<li>Directory Sync (SCIM) for automatic user provisioning and deprovisioning.<\/li>\n<li>Role mapping between WorkOS organization roles and WordPress roles.<\/li>\n<li>Organization management with local caching and multisite support.<\/li>\n<li>Entitlement gate \u2014 require organization membership to log in.<\/li>\n<li>Webhook processing for user, organization, directory, membership, and connection events.<\/li>\n<li>REST API Bearer token authentication using WorkOS access tokens.<\/li>\n<li>Legacy login button Gutenberg block and classic widget (AuthKit-redirect flow).<\/li>\n<li>Login bypass via <code>?fallback=1<\/code> for native WordPress login when WorkOS is unavailable.<\/li>\n<li>Activity logging with local database table and admin viewer.<\/li>\n<li>Audit logging \u2014 forward WordPress events to WorkOS Audit Logs.<\/li>\n<li>Role-based login redirects with per-role URL configuration.<\/li>\n<li>Role-based logout redirects with per-role URL configuration.<\/li>\n<li>Password reset integration with WorkOS.<\/li>\n<li>Registration redirect to WorkOS AuthKit.<\/li>\n<li>Admin bar badge showing active environment (production\/staging).<\/li>\n<li>Diagnostics page with health checks and connectivity tests.<\/li>\n<li>Onboarding wizard for guided first-time setup.<\/li>\n<li>WP-CLI commands for status, user management, organization management, and bulk sync.<\/li>\n<\/ul>","raw_excerpt":"Enterprise identity management for WordPress powered by WorkOS. 
SSO, directory sync, MFA, and user management.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/290624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"author":[{"embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/users\/13665834"}],"replies":[{"embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=290624"}],"wp:attachment":[{"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=290624"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=290624"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=290624"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=290624"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=290624"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/uz.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=290624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}