Provides post-training WorkOS updates: Node SDK v8.10 (PKCE, createWorkOS factory), AuthKit Next.js v3 (proxy/middleware, client components), React SPA auth, Python/Go SDKs. Load before WorkOS tasks.
npx claudepluginhub nevaberry/nevaberry-plugins --plugin workos-knowledge-patchThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
| Topic | Reference | Key features |
|---|---|---|
| AuthKit Next.js | references/authkit-nextjs.md | Proxy/middleware, composable auth, client hooks, session management, eager auth, API key validation |
| AuthKit React (SPA) | references/authkit-react.md | Provider setup, sign-in endpoint, multi-org switching, feature flags, token refresh lifecycle |
| Node SDK v8 | references/node-sdk-v8.md | PKCE auth, createWorkOS factory, Cloudflare Workers, breaking changes from v7 |
| Python & Go SDKs | references/sdk-python-go.md | WorkOSClient (Python), AsyncWorkOSClient, per-package Go SDK |
| Next.js version | File | Export |
|---|---|---|
| 16+ | proxy.ts | authkitProxy() |
| <=15 | middleware.ts | authkitMiddleware() |
For composable proxy/middleware, use authkit() + handleAuthkitHeaders():
import { authkit, handleAuthkitHeaders } from '@workos-inc/authkit-nextjs';
export default async function proxy(request: NextRequest) {
const { session, headers, authorizationUrl } = await authkit(request);
if (!session.user && authorizationUrl) {
return handleAuthkitHeaders(request, headers, { redirect: authorizationUrl });
}
return handleAuthkitHeaders(request, headers);
}
For rewrites, use partitionAuthkitHeaders() + applyResponseHeaders() instead.
Pass custom data through OAuth via state parameter:
const signInUrl = await getSignInUrl({
state: JSON.stringify({ teamId: 'team_123', referrer: 'homepage' }),
});
export const GET = handleAuth({
onSuccess: async ({ user, state }) => {
const data = state ? JSON.parse(state) : null;
},
});
const { session, headers } = await authkit(request, {
onSessionRefreshSuccess: async ({ accessToken, user, impersonator }) => { /* ... */ },
onSessionRefreshError: async ({ error, request }) => { /* ... */ },
});
All client-side imports use the /components subpath:
import { AuthKitProvider, Impersonation } from '@workos-inc/authkit-nextjs/components';
import { useAuth, useAccessToken } from '@workos-inc/authkit-nextjs/components';
import { createWorkOS } from '@workos-inc/node';
// Public client (PKCE only, no server APIs)
const pub = createWorkOS({ clientId: 'client_123' });
// Confidential client (full API access)
const srv = createWorkOS({ apiKey: 'sk_...', clientId: 'client_123' });
For Cloudflare Workers: import { WorkOS } from '@workos-inc/node/worker';
const workos = new WorkOS({ clientId: 'client_123' }); // no apiKey
const { url, state, codeVerifier } =
await workos.userManagement.getAuthorizationUrlWithPKCE({
redirectUri: 'myapp://callback',
provider: 'authkit',
});
// After callback:
const { accessToken, refreshToken, user } =
await workos.userManagement.authenticateWithCode({
code: authCode,
codeVerifier, // required for PKCE
});
| Area | Change |
|---|---|
| Runtime | Node.js 20+ required (was 16+) |
| SSO | getAuthorizationUrl options: discriminated union -- specify one of connection, organization, provider |
| Directory Sync | User fields (emails, username, jobTitle) moved to customAttributes |
| MFA | verifyFactor() renamed to verifyChallenge() |
| Vault | All *Secret() methods renamed to *Object() |
| PKCE | Always enabled in AuthKit v3 -- remove WORKOS_ENABLE_PKCE env var |
| v7 | v8 |
|---|---|
sendMagicAuthCode() | createMagicAuth() |
sendPasswordResetEmail() | createPasswordReset() |
refreshAndSealSessionData() | loadSealedSession() then session.refresh() |
Wrap app in AuthKitProvider with clientId. Set apiHostname for custom auth domains in production.
import { useAuth } from '@workos-inc/authkit-react';
const { user, signIn, signOut, role, roles, featureFlags, permissions } = useAuth();
// Multi-org switching
const { switchToOrganization } = useAuth();
await switchToOrganization({ organizationId: 'org_123' });
Token refresh control: onBeforeAutoRefresh: () => boolean, onRefreshFailure: ({ signIn }) => void, refreshBufferInterval: number.
# Python -- uses WorkOSClient, not WorkOS
from workos import WorkOSClient
client = WorkOSClient(api_key="sk_1234", client_id="client_1234")
# Async
from workos import AsyncWorkOSClient
async_client = AsyncWorkOSClient(api_key="sk_1234", client_id="client_1234")
// Go v6 -- per-package configuration, no unified client
import "github.com/workos/workos-go/v6/pkg/sso"
sso.Configure("<API_KEY>", "<CLIENT_ID>")
| File | Contents |
|---|---|
| authkit-nextjs.md | Proxy migration, composable middleware, client hooks, useAccessToken, session callbacks, eager auth, validateApiKey, saveSession |
| authkit-react.md | SPA provider, sign-in endpoint, multi-org, feature flags, getClaims, token refresh, URL helpers |
| node-sdk-v8.md | PKCE auth, createWorkOS factory, Cloudflare Workers, all breaking changes v7 to v8, post-v8 additions |
| sdk-python-go.md | Python WorkOSClient/AsyncWorkOSClient, Go per-package SDK pattern |