WorkOS Docs Homepage
SDKs
API referenceDashboardSign In
SDKs

Go SDK

github.com
workos/workos-go
96 Stars
33 Forks
68 Contributors
github.com
Official Go SDK for interacting with the WorkOS API.

Installation

Command Line
Go

Beta Versions

Certain WorkOS features may be available only in the beta version of the SDK. Beta versions have the -beta.* suffix, for example, 3.2.0-beta.1. For more information on how to use the beta versions, refer to the README in the GitHub repository.

Releases

May 27, 2026

v9.1.0

Latest
May 27, 2026

Features

  • add generated events constants package (#560) (4a57b0d)

Bug Fixes

  • v9 module path release workflow (#559) (b89d38d)

  • #554 feat(generated)!: regenerate from spec (11 changes)

    ⚠️ Breaking

    • audit_logs: Rename audit log model types (breaking)
      • Rename AuditLogExportJSON to AuditLogExport
      • Rename AuditLogsRetentionJSON to AuditLogsRetention
      • Rename AuditLogActionJSON to AuditLogAction
      • Rename AuditLogExportJSONState to AuditLogExportState
      • Update method signatures to use new type names
    • authorization: Remove Search parameter from AuthorizationListResourcesParams
    • radar: Remove device_fingerprint and bot_score parameters
      • Remove DeviceFingerprint field from RadarCreateAttemptParams
      • Remove BotScore field from RadarCreateAttemptParams
      • Remove enum values CREDENTIAL_STUFFING and IP_SIGN_UP_RATE_LIMIT from RadarStandaloneResponseControl
      • Remove and update enum values in RadarStandaloneAssessRequestAction (keep only SignUp and SignIn with updated values)
    • user_management: Refactor organization membership to dedicated service
      • Move organization membership operations from UserManagementService to new OrganizationMembershipService
      • Remove ListOrganizationMemberships, CreateOrganizationMembership, GetOrganizationMembership, UpdateOrganizationMembership, DeleteOrganizationMembership, DeactivateOrganizationMembership, ReactivateOrganizationMembership methods from user management
      • Remove role helper types (UserManagementRole, UserManagementRoleSingle, UserManagementRoleMultiple) from user management (now in organization_membership)
      • Add ExpiresAt field to UserManagementCreateAPIKeyParams
      • Remove UserManagementOrganizationMembershipGroups() client accessor (replaced by OrganizationMembership())
      • Remove UserManagementOrganizationMembershipGroupService type and ListOrganizationMembershipGroups method
    • vault: Rewrite vault service with breaking API changes
      • Remove KeyContext struct (replaced by map[string]string)
      • Remove DataKeyPair struct (replaced by CreateDataKeyResponse)
      • Remove DataKey struct (replaced by DecryptResponse)
      • Remove hand-written types: VaultObject, VaultObjectDigest, VaultObjectVersion, VaultListObjectsParams, VaultListObjectsResponse, VaultCreateObjectParams, VaultUpdateObjectParams, VaultDecryptDataKeyParams
      • Rename methods: ListObjectsListKv, CreateObjectCreateKv, ReadObjectGetKv, ReadObjectByNameGetName, UpdateObjectUpdateKv, DeleteObjectDeleteKv, ListObjectVersionsListKvVersions, DescribeObjectListKvMetadata, DecryptDataKeyCreateDecrypt
      • Change LocalEncrypt signature: second param from DataKeyPair to CreateDataKeyResponse
      • Change LocalDecrypt signature: second param from DataKey to DecryptResponse
      • Change Encrypt method: KeyContext param type to map[string]string
      • Change VaultEncryptResult.KeyContext field type from KeyContext to map[string]string

    Features

    • api_keys: Add expires_at field to API key models
      • Add optional expires_at field to APIKeysCreateOrganizationAPIKeyParams
      • Add optional expires_at field to UserManagementCreateAPIKeyParams
      • Add optional expires_at field to APIKey, APIKeyCreatedData, APIKeyRevokedData, OrganizationAPIKey, OrganizationAPIKeyWithValue, UserAPIKey, and UserAPIKeyWithValue models
    • authorization: Add filter parameters to role/resource assignment list
      • Add ResourceID, ResourceExternalID, ResourceTypeSlug parameters to AuthorizationListRoleAssignmentsParams
      • Add RoleSlug parameter to AuthorizationListRoleAssignmentsForResourceByExternalIDParams and AuthorizationListRoleAssignmentsForResourceParams
    • organization_membership: Add new organization membership service
      • Add new OrganizationMembershipService with methods: List, Create, Get, Update, Delete, Deactivate, Reactivate, ListGroups
      • Define OrganizationMembershipRole interface with single and multiple variants for flexible role assignment
      • Add corresponding parameter types for all service methods
    • vault: Add new generated vault methods
      • Add CreateRekey method for re-encrypting data keys under a new context
      • Add ListKvMetadata method for retrieving object metadata
      • Add object CRUD operations via generated service: CreateKv, GetKv, GetName, UpdateKv, DeleteKv, ListKv, ListKvVersions
    • webhooks: Rename webhook endpoint model type
      • Rename WebhookEndpointJSON to WebhookEndpoint
      • Rename WebhookEndpointJSONStatus to WebhookEndpointStatus
      • Update method signatures and return types accordingly
    • pipes: Add pipes connected account event models
      • Add PipeConnectedAccount model with state tracking
      • Add PipesConnectedAccountConnected, PipesConnectedAccountDisconnected, PipesConnectedAccountReauthorizationNeeded event models
      • Add PipeConnectedAccountState enum with connected and needs_reauthorization values
      • Add webhook event types for pipes integration events
    • generated: Add new vault-related model types
      • Add Actor model for audit log actor representation
      • Add vault encryption models: CreateDataKeyResponse, DecryptResponse, DeleteObjectResponse
      • Add vault object models: Object, ObjectMetadata, ObjectSummary, ObjectVersion, ObjectWithoutValue
      • Add vault request models: CreateDataKeyRequest, DecryptRequest, RekeyRequest, CreateObjectRequest, UpdateObjectRequest
      • Add error and metadata models: Error, ListMetadata, VersionListResponse

  • session: Session.Refresh now returns a non-nil error alongside the result on authentication-level failures (refresh_token_revoked, refresh_failed). The RefreshSessionResult.Err field has been removed — use the second return value instead. Callers should check result.Authenticated (not err == nil) as the success signal.

    Migration: replace result.Err with the err return value from Refresh:

    // Before (v8)
result, _ := session.Refresh(ctx)
if !result.Authenticated {
    if result.Err != nil {
        var apiErr *workos.APIError
        errors.As(result.Err, &apiErr)
    }
}

// After (v9)
result, err := session.Refresh(ctx)
if !result.Authenticated {
    if err != nil {
        var apiErr *workos.APIError
        errors.As(err, &apiErr)
    }
}
May 26, 2026

v9.0.0

May 26, 2026

⚠ BREAKING CHANGES

  • return error from Session.Refresh on auth failures (#549)
  • audit_logs: Rename audit log model types (breaking) (#554)
  • radar: Remove device_fingerprint and bot_score parameters (#554)
  • user_management: Refactor organization membership to dedicated service (#554)

Features

  • api_keys: Add expires_at field to API key models (#554) (0add116)
  • audit_logs: Rename audit log model types (breaking) (#554) (0add116)
  • authorization: Add filter parameters to role/resource assignment list (#554) (0add116)
  • generated: Add new vault-related model types (#554) (0add116)
  • organization_membership: Add new organization membership service (#554) (0add116)
  • pipes: Add pipes connected account event models (#554) (0add116)
  • radar: Remove device_fingerprint and bot_score parameters (#554) (0add116)
  • user_management: Refactor organization membership to dedicated service (#554) (0add116)
  • vault: Add new vault service for encryption key management (#554) (0add116)
  • webhooks: Rename webhook endpoint model type (#554) (0add116)

Bug Fixes

  • return error from Session.Refresh on auth failures (#549) (239fc22)
May 13, 2026

v8.0.1

May 13, 2026

8.0.1 (2026-05-13)

Bug Fixes

  • add URL escaping, JWT exp, and refresh errors (#548) (d6ba223)
May 6, 2026

v8.0.0

May 6, 2026

8.0.0 (2026-05-06)

⚠ BREAKING CHANGES

  • authorization: Change email field type in multiple models
  • user_management: Add user API key management endpoints
  • user_management: Change email field type in user management models
  • authorization: Rename RoleAssignment to UserRoleAssignment

Features

  • add API documentation site generation (#546) (b9701ea)
  • api_keys: Add organization and user API key models (1b8f1d6)
  • authorization: Add pagination order enum and update enum handling (1b8f1d6)
  • authorization: Change email field type in multiple models (1b8f1d6)
  • authorization: Rename RoleAssignment to UserRoleAssignment (1b8f1d6)
  • authorization: Unify BYOK key provider enum (1b8f1d6)
  • directory_sync: Add name field to directory user models (1b8f1d6)
  • user_management: Add name field to Profile and SSO models (1b8f1d6)
  • user_management: Add user API key management endpoints (1b8f1d6)
  • user_management: Add user field to organization membership models (1b8f1d6)
  • user_management: Change email field type in user management models (1b8f1d6)

Bug Fixes

  • events: Add admin_portal source to EventContextActorSource (1b8f1d6)
  • events: Add vault.byok_key.deleted event type (1b8f1d6)
May 6, 2026

v7.1.2

May 6, 2026

7.1.2 (2026-05-01)

Bug Fixes

  • set canonical User-Agent header format (#542) (01d535f)

This PR was generated with Release Please. See documentation.

April 30, 2026

v7.1.1

April 30, 2026

7.1.1 (2026-04-30)

Bug Fixes

  • parse webhook/action signature timestamps as milliseconds (#539) (ed9b464)
April 28, 2026

v7.1.0

April 28, 2026

7.1.0 (2026-04-28)

Features

  • generated: Add Groups API and organization membership groups support (#537) (e9b53ed)
April 22, 2026

v7.0.0

April 22, 2026

7.0.0 (2026-04-22)

⚠ BREAKING CHANGES

  • v7 rewrites the SDK around the root workos package and a shared workos.Client, removing all legacy pkg/* imports, package-level SetAPIKey/Configure helpers, and compatibility re-exports.
  • Service access now goes through client.Service() accessors, many method signatures changed, and list endpoints now return auto-paginating iterators instead of List*Response wrappers with ListMetadata.
  • AuthKit/SSO/logout URL helpers changed, webhook verification now uses workos.NewWebhookVerifier(...), pkg/workos_errors was removed in favor of new root error types, and Vault models have several incompatible shape and field-name changes.

See the v7 migration guide for the full upgrade checklist and code examples.

March 20, 2026

v6.5.0

March 20, 2026

6.5.0 (2026-03-20)

Features

  • user-management: add DirectoryManaged to OrganizationMembership (#508) (e9206b1)

Bug Fixes

  • allow clearing organization domains by sending empty arrays (#522) (a315391)
  • directorysync.UserGroup: add missing fields (#480) (ba37619)
  • organizations delete has wrong url casing (#479) (5de4629)
  • update renovate rules (#504) (4158a58)
February 4, 2026

v6.4.0

February 4, 2026

What's Changed

  • Make Pipes interface a little more idiomatic Go by @dandorman in #488
  • Bump version to 6.3.0 by @workos-sdk-automation[bot] in #489
  • Add custom_attributes field to OrganizationMembership by @ajworkos in #490
  • add list session method by @petarTenderly in #470
  • Bump version to 6.4.0 by @workos-sdk-automation[bot] in #491

New Contributors

  • @workos-sdk-automation[bot] made their first contribution in #489
  • @petarTenderly made their first contribution in #470

Full Changelog: v6.3.0...v6.4.0

January 29, 2026

v6.3.0

January 29, 2026

What's Changed

  • Add context7.json to repo by @nicknisi in #483
  • Add ReadObjectByName method for Vault API by @hexedpackets in #484
  • Add Pipes module by @dandorman in #487
  • Make Pipes interface a little more idiomatic Go by @dandorman in #488
  • Bump version to 6.3.0 by @workos-sdk-automation[bot] in #489

New Contributors

  • @dandorman made their first contribution in #487
  • @workos-sdk-automation[bot] made their first contribution in #489

Full Changelog: v6.2.0...v6.3.0

December 3, 2025

v6.2.0

December 3, 2025

What's Changed

  • Add roles property to directory user & sso profile by @kendallstrautman in #481
  • Bump version v6.2.0 by @kendallstrautman in #482

Full Changelog: v6.1.0...v6.2.0

November 21, 2025

v6.1.0

November 21, 2025

What's Changed

  • Default to adding idempotecy-key to audit-logs/events if not present, added in retryability logic to endpoints#492 by @swaroopAkkineniWorkos in #475
  • Add support for resending invites by @antn in #476

New Contributors

  • @swaroopAkkineniWorkos made their first contribution in #475
  • @antn made their first contribution in #476

Full Changelog: v6.0.0...v6.1.0

November 6, 2025

v6.0.0

November 6, 2025

What's Changed

  • Add permissions to the ListOrganizationRoles response by @jyecusch in #468
  • Fix UpdateOrganization JSON serialization by @nicknisi in #472
  • Change organization metadata to map[string]*string by @nicknisi in #471
  • Remove "domain" param from directories query by @ameesha in #301
  • Fix CreateOrganizationOpts.Metadata to use map[string]string by @nicknisi in #474

New Contributors

  • @jyecusch made their first contribution in #468

Full Changelog: v5.2.0...v6.0.0

October 2, 2025

v5.2.0

October 2, 2025

What's Changed

  • Add organization name field to OrganizationMembership struct by @kaylagordon in #463
  • updated the UpdateOrganizationOpts fields to optional by @rarevalo13 in #460
  • V5.2.0 by @rarevalo13 in #465

New Contributors

  • @kaylagordon made their first contribution in #463

Full Changelog: v5.1.0...v5.2.0

September 25, 2025

v5.1.0

September 25, 2025

What's Changed

  • Add roles to user management API request/responses by @atainter in #459
  • v5.1.0 by @atainter in #462

Full Changelog: v5.0.0...v5.1.0

September 5, 2025

v5.0.0

September 5, 2025

What's Changed

  • Re-introduce metadata removal support (breaking change) by @nicknisi in #457

Breaking Changes Summary

The v5 release includes the following breaking change:

  • UpdateUserOpts.Metadata field type changed from map[string]string to map[string]*string (introduced in PR #457)
  • This allows setting metadata values to nil to remove them server-side

Migration Guide for Users

// v4 (old)
import "github.com/workos/workos-go/v4/pkg/usermanagement"

opts := usermanagement.UpdateUserOpts{
    User: "user_123",
    Metadata: map[string]string{
        "department": "Engineering",
    },
}

// v5 (new)
import "github.com/workos/workos-go/v5/pkg/usermanagement"

dept := "Engineering"
opts := usermanagement.UpdateUserOpts{
    User: "user_123",
    Metadata: map[string]*string{
        "department": &dept,
        "old_field": nil,  // Removes this field
    },
}

Full Changelog: v4.46.1...v5.0.0

September 5, 2025

v4.46.1

September 5, 2025

What's Changed

  • Fix: Revert breaking change in v4.46.0 to maintain backward compatibility by @nicknisi in #455

Full Changelog: v4.46.0...v4.46.1

September 4, 2025

v4.46.0

September 4, 2025
  • Adds ability to pass in nil values to metadata keys when updating a user. This allows for clearing of existing metadata fields on a user.
August 20, 2025

v4.45.1

August 20, 2025
  • Correctly unmarshal list_metadata pagination cursors across User Management, Organizations, SSO, and Directory Sync
July 31, 2025

v4.45.0

July 31, 2025

  • Added structured authentication error handling for AuthKit User Management API

  • New error types for authentication scenarios:

    • EmailVerificationRequiredError
    • MFAEnrollmentError
    • MFAChallengeError
    • OrganizationSelectionRequiredError
    • SSORequiredError
    • OrganizationAuthenticationMethodsRequiredError

  • Enhanced error parsing with user data, pending tokens, and organization info

  • Backwards compatible - existing error handling unchanged

  • Type-safe using standard Go errors.As() pattern

July 28, 2025

v4.44.0

July 28, 2025

What's Changed

  • added StripeCustomerID to org struct by @rarevalo13 in #442

Full Changelog: v4.43.0...v4.44.0

July 11, 2025

v4.43.0

July 11, 2025
  • Add metadata serialization for updating organizations
July 10, 2025

v4.42.0

July 10, 2025

What's Changed

  • add organization_domain created/updated/deleted events by @ajworkos in #435
  • fix: use standard 12-byte nonce for AES-GCM encryption in vault package by @hexedpackets in #438

Full Changelog: v4.41.0...v4.42.0

June 25, 2025

v4.41.0

June 25, 2025

What's Changed

  • Added support for custom oauth scopes (#431)
  • Correctly deserialize ListIdentitiesResult as array (#433)

Full Changelog: v4.40.0...v4.41.0

May 20, 2025

v4.40.0

May 20, 2025

What's Changed

  • Add Email to UpdateUserOpts by @cmatheson in #429
  • added omitempty to ExternalID field by @rarevalo13 in #428
  • Bump to v4.40.0 by @rarevalo13 in #430

Full Changelog: v4.39.0...v4.40.0

May 19, 2025

v4.39.0

May 19, 2025

What's Changed

  • Add "warnings" field to FGA query and check response by @atainter in #426
  • Bump to v4.39.0 by @atainter in #427

Full Changelog: v4.38.0...v4.39.0

May 6, 2025

v4.38.0

May 6, 2025

What's Changed

  • Support optional authenticated data in local encrypt/decrypt by @hexedpackets in #424

Full Changelog: v4.37.0...v4.38.0

April 25, 2025

v4.37.0

April 25, 2025

What's Changed

  • Add CustomAttributes field to SSO Profile (#422)

Full Changelog: v4.36.0...v4.37.0

April 22, 2025

v4.36.0

April 22, 2025

What's Changed

  • Added password_reset.succeeded event type (#419)

Full Changelog: v4.35.0...v4.36.0