WorkOS Docs Homepage
SDKs
API referenceDashboardSign In
SDKs

Go SDK

github.com
workos/ workos-go
97 Stars
31 Forks
69 Contributors
github.com
Official Go SDK for interacting with the WorkOS API.

Installation

Command Line
Go

Beta Versions

Certain WorkOS features may be available only in the beta version of the SDK. Beta versions have the -beta.* suffix, for example, 3.2.0-beta.1. For more information on how to use beta versions, refer to the README in the GitHub repository.

Releases

June 18, 2026

v9.3.0

Latest
June 18, 2026

⚠️ Breaking

  • organization_membership:
  • Changed response of UserManagementOrganizationMembership.list from UserOrganizationMembership to UserOrganizationMembershipList
  • pipes:
  • SDK surface change: PipeService.CreateDataIntegrationToken was renamed to PipeService.GetAccessToken
  • user_management:
  • Changed response of UserManagementInvitations.list from UserInvite to UserInviteList

Features

  • authorization:
  • Added model ReplaceGroupRoleAssignmentEntry
  • Added model ReplaceGroupRoleAssignments
  • Added model DeleteGroupRoleAssignmentsByCriteria
  • Added endpoint POST /authorization/groups/{group_id}/role_assignments
  • Added endpoint PUT /authorization/groups/{group_id}/role_assignments
  • Added endpoint DELETE /authorization/groups/{group_id}/role_assignments
  • Added endpoint GET /authorization/groups/{group_id}/role_assignments/{role_assignment_id}
  • Added endpoint DELETE /authorization/groups/{group_id}/role_assignments/{role_assignment_id}
  • client:
  • Added model ClientApiToken
  • Added model ClientApiTokenResponse
  • Added service Client
  • connect:
  • Added auth_method to ConnectedAccount
  • Added api_key_last_4 to ConnectedAccount
  • Added enum ConnectedAccountAuthMethod
  • groups:
  • Added model CreateGroupRoleAssignment
  • Added model GroupRoleAssignment
  • Added model GroupRoleAssignmentList
  • Added model GroupRoleAssignmentResource
  • organization_membership:
  • Added model UserOrganizationMembershipList
  • Added model UserOrganizationMembershipListListMetadata
  • pipes:
  • Added model DataIntegrationCredentials
  • Added model DataIntegrationConfigurationResponse
  • Added model DataIntegrationConfigurationListResponse
  • Added model ConfigureDataIntegrationBody
  • Added auth_methods to DataIntegrationsListResponseData
  • Added auth_method to DataIntegrationsListResponseDataConnectedAccount
  • Added api_key_last_4 to DataIntegrationsListResponseDataConnectedAccount
  • Added enum DataIntegrationCredentialsCredentialsType
  • Added enum DataIntegrationsListResponseDataAuthMethods
  • Added enum DataIntegrationsListResponseDataConnectedAccountAuthMethod
  • Added service PipesProvider
  • user_management:
  • Added model UserInviteList
  • Added model UserInviteListListMetadata
  • Made AuthorizationCodeSessionAuthenticateRequest.client_secret optional
  • Made RefreshTokenSessionAuthenticateRequest.client_secret optional
  • widgets:
  • Added widgets:pipes:manage to WidgetSessionTokenScopes
June 17, 2026

v9.2.0

June 17, 2026

Bug Fixes

⚠️ Breaking

  • api_keys:
  • Made expires_at required in API key models
  • directory_sync:
  • Removed model DsyncDeactivated
  • Removed model DsyncDeactivatedData
  • Removed model DsyncDeactivatedDataDomain
  • Removed enum DsyncDeactivatedDataType
  • Removed enum DsyncDeactivatedDataState
  • radar:
  • Removed domain_sign_up_rate_limit from RadarStandaloneResponseControl
  • user_management:
  • Removed return_to from RevokeSession

Features

  • api_keys:
  • Added model ExpireApiKey
  • Added model ApiKeyUpdated
  • Added model ApiKeyUpdatedData
  • Added model ApiKeyUpdatedDataOwner
  • Added model UserApiKeyUpdatedDataOwner
  • Added model ApiKeyUpdatedDataPreviousAttribute
  • Added endpoint POST /api_keys/{id}/expire
  • audit_logs:
  • Added Snowflake to AuditLogConfigurationLogStreamType
  • connect:
  • Added name to UserObject
  • directory_sync:
  • Added model DsyncTokenCreated
  • Added model DsyncTokenCreatedData
  • Added model DsyncTokenRevoked
  • Added model DsyncTokenRevokedData
  • user_management:
  • Added name to user management models
  • webhooks:
  • Added api_key.updated to CreateWebhookEndpointEvents
  • Added api_key.updated to UpdateWebhookEndpointEvents
May 27, 2026

v9.1.0

May 27, 2026

Features

Bug Fixes

⚠️ Breaking

  • audit_logs: Rename audit log model types (breaking)
  • Rename AuditLogExportJSON to AuditLogExport
  • Rename AuditLogsRetentionJSON to AuditLogsRetention
  • Rename AuditLogActionJSON to AuditLogAction
  • Rename AuditLogExportJSONState to AuditLogExportState
  • Update method signatures to use new type names
  • authorization: Remove Search parameter from AuthorizationListResourcesParams
  • radar: Remove device_fingerprint and bot_score parameters
  • Remove DeviceFingerprint field from RadarCreateAttemptParams
  • Remove BotScore field from RadarCreateAttemptParams
  • Remove enum values CREDENTIAL_STUFFING and IP_SIGN_UP_RATE_LIMIT from RadarStandaloneResponseControl
  • Remove and update enum values in RadarStandaloneAssessRequestAction (keep only SignUp and SignIn with updated values)
  • user_management: Refactor organization membership to dedicated service
  • Move organization membership operations from UserManagementService to new OrganizationMembershipService
  • Remove ListOrganizationMemberships, CreateOrganizationMembership, GetOrganizationMembership, UpdateOrganizationMembership, DeleteOrganizationMembership, DeactivateOrganizationMembership, ReactivateOrganizationMembership methods from user management
  • Remove role helper types (UserManagementRole, UserManagementRoleSingle, UserManagementRoleMultiple) from user management (now in organization_membership)
  • Add ExpiresAt field to UserManagementCreateAPIKeyParams
  • Remove UserManagementOrganizationMembershipGroups() client accessor (replaced by OrganizationMembership())
  • Remove UserManagementOrganizationMembershipGroupService type and ListOrganizationMembershipGroups method
  • vault: Rewrite vault service with breaking API changes
  • Remove KeyContext struct (replaced by map[string]string)
  • Remove DataKeyPair struct (replaced by CreateDataKeyResponse)
  • Remove DataKey struct (replaced by DecryptResponse)
  • Remove hand-written types: VaultObject, VaultObjectDigest, VaultObjectVersion, VaultListObjectsParams, VaultListObjectsResponse, VaultCreateObjectParams, VaultUpdateObjectParams, VaultDecryptDataKeyParams
  • Rename methods: ListObjectsListKv, CreateObjectCreateKv, ReadObjectGetKv, ReadObjectByNameGetName, UpdateObjectUpdateKv, DeleteObjectDeleteKv, ListObjectVersionsListKvVersions, DescribeObjectListKvMetadata, DecryptDataKeyCreateDecrypt
  • Change LocalEncrypt signature: second param from DataKeyPair to CreateDataKeyResponse
  • Change LocalDecrypt signature: second param from DataKey to DecryptResponse
  • Change Encrypt method: KeyContext param type to map[string]string
  • Change VaultEncryptResult.KeyContext field type from KeyContext to map[string]string

Features

  • api_keys: Add expires_at field to API key models
  • Add optional expires_at field to APIKeysCreateOrganizationAPIKeyParams
  • Add optional expires_at field to UserManagementCreateAPIKeyParams
  • Add optional expires_at field to APIKey, APIKeyCreatedData, APIKeyRevokedData, OrganizationAPIKey, OrganizationAPIKeyWithValue, UserAPIKey, and UserAPIKeyWithValue models
  • authorization: Add filter parameters to role/resource assignment list
  • Add ResourceID, ResourceExternalID, ResourceTypeSlug parameters to AuthorizationListRoleAssignmentsParams
  • Add RoleSlug parameter to AuthorizationListRoleAssignmentsForResourceByExternalIDParams and AuthorizationListRoleAssignmentsForResourceParams
  • organization_membership: Add new organization membership service
  • Add new OrganizationMembershipService with methods: List, Create, Get, Update, Delete, Deactivate, Reactivate, ListGroups
  • Define OrganizationMembershipRole interface with single and multiple variants for flexible role assignment
  • Add corresponding parameter types for all service methods
  • vault: Add new generated vault methods
  • Add CreateRekey method for re-encrypting data keys under a new context
  • Add ListKvMetadata method for retrieving object metadata
  • Add object CRUD operations via generated service: CreateKv, GetKv, GetName, UpdateKv, DeleteKv, ListKv, ListKvVersions
  • webhooks: Rename webhook endpoint model type
  • Rename WebhookEndpointJSON to WebhookEndpoint
  • Rename WebhookEndpointJSONStatus to WebhookEndpointStatus
  • Update method signatures and return types accordingly
  • pipes: Add pipes connected account event models
  • Add PipeConnectedAccount model with state tracking
  • Add PipesConnectedAccountConnected, PipesConnectedAccountDisconnected, PipesConnectedAccountReauthorizationNeeded event models
  • Add PipeConnectedAccountState enum with connected and needs_reauthorization values
  • Add webhook event types for pipes integration events
  • generated: Add new vault-related model types
  • Add Actor model for audit log actor representation
  • Add vault encryption models: CreateDataKeyResponse, DecryptResponse, DeleteObjectResponse
  • Add vault object models: Object, ObjectMetadata, ObjectSummary, ObjectVersion, ObjectWithoutValue
  • Add vault request models: CreateDataKeyRequest, DecryptRequest, RekeyRequest, CreateObjectRequest, UpdateObjectRequest
  • Add error and metadata models: Error, ListMetadata, VersionListResponse
  • session: Session.Refresh now returns a non-nil error alongside the result on authentication-level failures (refresh_token_revoked, refresh_failed). The RefreshSessionResult.Err field has been removed — use the second return value instead. Callers should check result.Authenticated (not err == nil) as the success signal.

Migration: replace result.Err with the err return value from Refresh:

  // Before (v8)
  result, _ := session.Refresh(ctx)
  if !result.Authenticated {
      if result.Err != nil {
          var apiErr *workos.APIError
          errors.As(result.Err, &apiErr)
      }
  }

  // After (v9)
  result, err := session.Refresh(ctx)
  if !result.Authenticated {
      if err != nil {
          var apiErr *workos.APIError
          errors.As(err, &apiErr)
      }
  }
May 26, 2026

v9.0.0

May 26, 2026

⚠ BREAKING CHANGES

Features

Bug Fixes

May 13, 2026

v8.0.1

May 13, 2026

v8.0.0...v8.0.1" rel="noreferrer" target="_blank">8.0.1 (2026-05-13)

Bug Fixes

May 6, 2026

v8.0.0

May 6, 2026

v7.1.2...v8.0.0" rel="noreferrer" target="_blank">8.0.0 (2026-05-06)

⚠ BREAKING CHANGES

  • authorization: Change email field type in multiple models
  • user_management: Add user API key management endpoints
  • user_management: Change email field type in user management models
  • authorization: Rename RoleAssignment to UserRoleAssignment

Features

Bug Fixes

May 6, 2026

v7.1.2

May 6, 2026

v7.1.1...v7.1.2" rel="noreferrer" target="_blank">7.1.2 (2026-05-01)

Bug Fixes

--- This PR was generated with Release Please. See documentation.

April 30, 2026

v7.1.1

April 30, 2026

v7.1.0...v7.1.1" rel="noreferrer" target="_blank">7.1.1 (2026-04-30)

Bug Fixes

April 28, 2026

v7.1.0

April 28, 2026

v7.0.0...v7.1.0" rel="noreferrer" target="_blank">7.1.0 (2026-04-28)

Features

April 22, 2026

v7.0.0

April 22, 2026

v6.5.0...v7.0.0" rel="noreferrer" target="_blank">7.0.0 (2026-04-22)

⚠ BREAKING CHANGES

  • v7 rewrites the SDK around the root workos package and a shared workos.Client, removing all legacy pkg/* imports, package-level SetAPIKey/Configure helpers, and compatibility re-exports.
  • Service access now goes through client.Service() accessors, many method signatures changed, and list endpoints now return auto-paginating iterators instead of List*Response wrappers with ListMetadata.
  • AuthKit/SSO/logout URL helpers changed, webhook verification now uses workos.NewWebhookVerifier(...), pkg/workos_errors was removed in favor of new root error types, and Vault models have several incompatible shape and field-name changes.

See the https://github.com/workos/workos-go/blob/main/docs/V7_MIGRATION_GUIDE.md" rel="noreferrer" target="_blank">v7 migration guide for the full upgrade checklist and code examples.

March 20, 2026

v6.5.0

March 20, 2026

v6.4.0...v6.5.0" rel="noreferrer" target="_blank">6.5.0 (2026-03-20)

Features

Bug Fixes

February 4, 2026

v6.4.0

February 4, 2026

What's Changed

  • Make Pipes interface a little more idiomatic Go by @dandorman in #488
  • Bump version to 6.3.0 by @workos-sdk-automation[bot] in #489
  • Add custom_attributes field to OrganizationMembership by @ajworkos in #490
  • add list session method by @petarTenderly in #470
  • Bump version to 6.4.0 by @workos-sdk-automation[bot] in #491

New Contributors

  • @workos-sdk-automation[bot] made their first contribution in #489
  • @petarTenderly made their first contribution in #470

Full Changelog: v6.3.0...v6.4.0

January 29, 2026

v6.3.0

January 29, 2026

What's Changed

  • Add context7.json to repo by @nicknisi in #483
  • Add ReadObjectByName method for Vault API by @hexedpackets in #484
  • Add Pipes module by @dandorman in #487
  • Make Pipes interface a little more idiomatic Go by @dandorman in #488
  • Bump version to 6.3.0 by @workos-sdk-automation[bot] in #489

New Contributors

  • @dandorman made their first contribution in #487
  • @workos-sdk-automation[bot] made their first contribution in #489

Full Changelog: v6.2.0...v6.3.0

December 3, 2025

v6.2.0

December 3, 2025

What's Changed

  • Add roles property to directory user & sso profile by @kendallstrautman in #481
  • Bump version v6.2.0 by @kendallstrautman in #482

Full Changelog: v6.1.0...v6.2.0

November 21, 2025

v6.1.0

November 21, 2025

What's Changed

  • Default to adding idempotecy-key to audit-logs/events if not present, added in retryability logic to endpoints#492 by @swaroopAkkineniWorkos in #475
  • Add support for resending invites by @antn in #476

New Contributors

  • @swaroopAkkineniWorkos made their first contribution in #475
  • @antn made their first contribution in #476

Full Changelog: v6.0.0...v6.1.0

November 6, 2025

v6.0.0

November 6, 2025

What's Changed

  • Add permissions to the ListOrganizationRoles response by @jyecusch in #468
  • Fix UpdateOrganization JSON serialization by @nicknisi in #472
  • Change organization metadata to map[string]*string by @nicknisi in #471
  • Remove "domain" param from directories query by @ameesha in #301
  • Fix CreateOrganizationOpts.Metadata to use map[string]string by @nicknisi in #474

New Contributors

  • @jyecusch made their first contribution in #468

Full Changelog: v5.2.0...v6.0.0

October 2, 2025

v5.2.0

October 2, 2025

What's Changed

  • Add organization name field to OrganizationMembership struct by @kaylagordon in #463
  • updated the UpdateOrganizationOpts fields to optional by @rarevalo13 in #460
  • V5.2.0 by @rarevalo13 in #465

New Contributors

  • @kaylagordon made their first contribution in #463

Full Changelog: v5.1.0...v5.2.0

September 25, 2025

v5.1.0

September 25, 2025

What's Changed

  • Add roles to user management API request/responses by @atainter in #459
  • v5.1.0 by @atainter in #462

Full Changelog: v5.0.0...v5.1.0

September 5, 2025

v5.0.0

September 5, 2025

What's Changed

  • Re-introduce metadata removal support (breaking change) by @nicknisi in #457

Breaking Changes Summary

The v5 release includes the following breaking change:

  • UpdateUserOpts.Metadata field type changed from map[string]string to map[string]*string (introduced in PR #457)
  • This allows setting metadata values to nil to remove them server-side

Migration Guide for Users

// v4 (old)
import "github.com/workos/workos-go/v4/pkg/usermanagement"

opts := usermanagement.UpdateUserOpts{
    User: "user_123",
    Metadata: map[string]string{
        "department": "Engineering",
    },
}

// v5 (new)
import "github.com/workos/workos-go/v5/pkg/usermanagement"

dept := "Engineering"
opts := usermanagement.UpdateUserOpts{
    User: "user_123",
    Metadata: map[string]*string{
        "department": &dept,
        "old_field": nil,  // Removes this field
    },
}

Full Changelog: v4.46.1...v5.0.0

September 5, 2025

v4.46.1

September 5, 2025

What's Changed

  • Fix: Revert breaking change in v4.46.0 to maintain backward compatibility by @nicknisi in #455

Full Changelog: v4.46.0...v4.46.1

September 4, 2025

v4.46.0

September 4, 2025
  • Adds ability to pass in nil values to metadata keys when updating a user. This allows for clearing of existing metadata fields on a user.
August 20, 2025

v4.45.1

August 20, 2025
  • Correctly unmarshal list_metadata pagination cursors across User Management, Organizations, SSO, and Directory Sync
July 31, 2025

v4.45.0

July 31, 2025
  • Added structured authentication error handling for AuthKit User Management API
  • New error types for authentication scenarios:
  • EmailVerificationRequiredError
  • MFAEnrollmentError
  • MFAChallengeError
  • OrganizationSelectionRequiredError
  • SSORequiredError
  • OrganizationAuthenticationMethodsRequiredError
  • Enhanced error parsing with user data, pending tokens, and organization info
  • Backwards compatible - existing error handling unchanged
  • Type-safe using standard Go errors.As() pattern
July 28, 2025

v4.44.0

July 28, 2025

What's Changed

  • added StripeCustomerID to org struct by @rarevalo13 in #442

Full Changelog: v4.43.0...v4.44.0

July 11, 2025

v4.43.0

July 11, 2025
  • Add metadata serialization for updating organizations
July 10, 2025

v4.42.0

July 10, 2025

What's Changed

  • add organization_domain created/updated/deleted events by @ajworkos in #435
  • fix: use standard 12-byte nonce for AES-GCM encryption in vault package by @hexedpackets in #438

Full Changelog: v4.41.0...v4.42.0

June 25, 2025

v4.41.0

June 25, 2025

What's Changed

Full Changelog: v4.40.0...v4.41.0

May 20, 2025

v4.40.0

May 20, 2025

What's Changed

  • Add Email to UpdateUserOpts by @cmatheson in #429
  • added omitempty to ExternalID field by @rarevalo13 in #428
  • Bump to v4.40.0 by @rarevalo13 in #430

Full Changelog: v4.39.0...v4.40.0

May 19, 2025

v4.39.0

May 19, 2025

What's Changed

  • Add "warnings" field to FGA query and check response by @atainter in #426
  • Bump to v4.39.0 by @atainter in #427

Full Changelog: v4.38.0...v4.39.0

May 6, 2025

v4.38.0

May 6, 2025

What's Changed

  • Support optional authenticated data in local encrypt/decrypt by @hexedpackets in #424

Full Changelog: v4.37.0...v4.38.0