Identity Access - WorkOS
API capability pack for bounded WorkOS REST API operations against https://api.workos.com only. Enroll a WorkOS API-key connection named workos that injects Authorization: Bearer <sk_...>; no credential is embedded in this manifest. The pack reads organizations, AuthKit users, organization memberships, invitations, SSO connections, directory sync directories/users/groups, environment roles, organization roles, and permissions for B2B SaaS access governance, customer onboarding, directory-sync review, and offboarding. It exposes WorkOS before/after list cursors as explicit query args. Writes are approval-gated and limited to creating or updating one organization, user, invitation, or organization membership, and deactivating/reactivating one membership. The pack intentionally excludes deletes, password/password-hash fields, authentication token exchange, session revocation, API key creation, audit-log ingestion/export, SSO authorize/token/profile flows, destructive role/permission deletes, feature flags, data integrations, webhooks, and arbitrary WorkOS API passthrough.
What this pack installs
- WorkOS access hygiene digest Recipe
- WorkOS organization access brief Recipe
- WorkOS directory sync brief Recipe
- Invite WorkOS user to organization Recipe
- Create WorkOS organization intake Recipe
- Deactivate WorkOS organization membership Recipe
- workos Ingredient
Trust & control
What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.