WorkOS

The WorkOS plugin provides authentication for your mcp server using WorkOS AuthKit.

Installation

Install the WorkOS plugin:

npm install @xmcp-dev/workos

WorkOS Setup

Before getting started, we need to configure our WorkOS application:

  1. Go to your WorkOS Dashboard.
  2. In the Overview page, under Quickstart, find and save your WORKOS_API_KEY and WORKOS_CLIENT_ID.
  3. Go to Domains and save the AuthKit domain, it looks like this https://xxx.authkit.app.
  4. Navigate to Connect and go to Configuration and enable the following options inside MCP Auth settings: Client ID Metadata Document (CIMD) and Dynamic Client Registration (DCR).

Environment Variables

Create a .env file in the root of your project and configure the following environment variables:

WORKOS_API_KEY=sk_...
WORKOS_CLIENT_ID=client_...
WORKOS_AUTHKIT_DOMAIN=yourcompany.authkit.app

BASE_URL=http://127.0.0.1:3001

For production, the BASE_URL should be replaced with your deployed server URL.

Set up the Provider

Create a middleware.ts and import the provider from the package:

src/middleware.ts
import { workosProvider } from "@xmcp-dev/workos";

export default workosProvider({
  apiKey: process.env.WORKOS_API_KEY!,
  clientId: process.env.WORKOS_CLIENT_ID!,
  authkitDomain: process.env.WORKOS_AUTHKIT_DOMAIN!,
  baseURL: process.env.BASE_URL!,
});

Configuration Options

  • apiKey: WorkOS API key from your dashboard.
  • clientId: WorkOS client ID for OAuth.
  • authkitDomain: Your AuthKit domain.
  • baseURL: Base URL of your app for OAuth callbacks.
  • docsURL: (Optional) URL for your MCP server documentation.

Get a user session

Access the authenticated user in your xmcp tools using getSession.

Example: Greet the user with their WorkOS identity

src/tools/greet.ts
import { z } from "zod";
import { type InferSchema, type ToolMetadata } from "xmcp";
import { getSession } from "@xmcp-dev/workos";

// Define the schema for tool parameters
export const schema = {
  name: z.string().describe("The name of the user to greet"),
};

// Define tool metadata
export const metadata: ToolMetadata = {
  name: "greet",
  description: "Greet the user with their WorkOS identity"
};

// Tool implementation
export default function greet({ name }: InferSchema<typeof schema>): string {
  const session = getSession();

  return `Hello, ${name}! Your WorkOS user ID is ${session.userId}`;
}

Get user details

Access the authenticated user in your xmcp tools using getUser.

Example: Get user details

src/tools/get-user-info.ts
import type { ToolMetadata } from "xmcp";
import { getUser } from "@xmcp-dev/workos";

// Define tool metadata
export const metadata: ToolMetadata = {
  name: "get-user-info",
  description: "Get user details"
};

// Tool implementation
export default async function getUserInfo(): Promise<string> {
  const user = await getUser();
  return JSON.stringify(user, null, 2);
}

Access the client

The getClient() function gives you access to the full WorkOS Node SDK, allowing you to leverage all WorkOS features in your MCP tools.

Example: Get organization memberships

src/tools/get-memberships.ts
import { type ToolMetadata } from "xmcp";
import { getSession, getClient } from "@xmcp-dev/workos";

export const metadata: ToolMetadata = {
  name: "get-my-memberships",
  description: "Returns the user's organization memberships using the WorkOS SDK directly"
};

export default async function getMyMemberships(): Promise<string> {
  const session = getSession();
  const client = getClient();

  // Use the WorkOS SDK to fetch organization memberships
  const memberships = await client.userManagement.listOrganizationMemberships({
    userId: session.userId,
  });

  if (memberships.data.length === 0) {
    return "You are not a member of any organizations.";
  }

  return JSON.stringify(memberships.data, null, 2);
}

Troubleshooting

Token Expired Errors

Access tokens are short-lived. If you see token_expired errors:

  • MCP clients should automatically refresh tokens.
  • If errors persist, the client may have a bug or the refresh token expired.
  • Users can disconnect and reconnect to get fresh tokens.

Redirect URI Not Registered

If you see this error during OAuth:

  1. Copy the redirect URI from the error message.
  2. Go to WorkOS Dashboard → Connect → Applications
  3. Add the redirect URI to the application.

Finding a Client's Redirect URI

If you need to manually register a client:

  • Check the error message: OAuth errors include the redirect URI that needs to be registered.
  • Check client documentation: Each MCP client documents its callback URL.
  • Check your server logs: Look for the redirect_uri parameter in failed OAuth requests.

Session Not Initialized

If you see Session not initialized or can only be used within the workos-context-session context errors:

  • Ensure getSession is called within a tool or handler that runs through the middleware pipeline.
  • Verify the workosProvider middleware is properly configured in your middleware.ts.
  • Make sure the route is under the /mcp path.
  • Check that the request includes a valid bearer token.

Wrong Redirect URI

If you see that the redirect URI is not registered or not working, you can manually register it in the WorkOS Dashboard:

  • Check the error message: OAuth errors usually include the redirect URI.
  • Check client documentation: Each client documents its callback URL.
  • Check server logs: Look for the redirect_uri parameter in OAuth requests.
PreviousPolarNextxmcp MCP server

On this page

InstallationWorkOS SetupEnvironment VariablesSet up the ProviderConfiguration OptionsGet a user sessionExample: Greet the user with their WorkOS identityGet user detailsExample: Get user detailsAccess the clientExample: Get organization membershipsTroubleshootingToken Expired ErrorsRedirect URI Not RegisteredFinding a Client's Redirect URISession Not InitializedWrong Redirect URI
OpenAIOpen in ChatGPTAnthropicOpen in ClaudeConnect MCP

One framework to rule them all

    WorkOS | xmcp Documentation