> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcp-use.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WorkOS Provider

> Configure WorkOS AuthKit OAuth for your MCP server

WorkOS uses Dynamic Client Registration (DCR). MCP clients discover WorkOS's OAuth endpoints via `.well-known` passthrough and register themselves directly with WorkOS. Your server only verifies the resulting tokens.

## Setup

### 1. Create a WorkOS account

Sign up at the [WorkOS Dashboard](https://dashboard.workos.com/) and create a project.

### 2. Enable Dynamic Client Registration

In the WorkOS Dashboard, go to **Connect → Configuration** and enable **Dynamic Client Registration**.

### 3. Configure redirect URIs

Go to **Configuration → Redirects** and add your redirect URI:

```
http://localhost:3000/callback
```

### 4. Environment variables

```bash theme={null}
MCP_USE_OAUTH_WORKOS_SUBDOMAIN=your-company.authkit.app  # Full AuthKit domain
```

## Configuration

```typescript theme={null}
import { MCPServer, oauthWorkOSProvider } from 'mcp-use/server'

// Zero-config: reads MCP_USE_OAUTH_WORKOS_SUBDOMAIN
const server = new MCPServer({
  name: 'my-server',
  version: '1.0.0',
  oauth: oauthWorkOSProvider()
})

await server.listen(3000)
```

Or pass config explicitly:

```typescript theme={null}
oauth: oauthWorkOSProvider({
  subdomain: 'your-company.authkit.app',

  // Disable JWT verification during development only
  verifyJwt: process.env.NODE_ENV === 'production',

  // Override advertised scopes
  // Default: ['email', 'offline_access', 'openid', 'profile']
  scopesSupported: ['email', 'offline_access', 'openid', 'profile'],
})
```

<Tip>
  If you need to call the WorkOS Management API from your tool handlers, store your API key in any env var you like (e.g. `WORKOS_API_KEY`) and read it inside the tool  -  it isn't part of the OAuth provider config.
</Tip>

## Accessing user info in tools

WorkOS provides standard OIDC claims plus organization context:

```typescript theme={null}
server.tool(
  {
    name: 'get-profile',
    description: 'Get authenticated user profile',
  },
  async (_args, ctx) => ({
    userId: ctx.auth.user.userId,
    email: ctx.auth.user.email,
    name: ctx.auth.user.name,
    organizationId: ctx.auth.user.organization_id,
    roles: ctx.auth.user.roles,
    scopes: ctx.auth.scopes,
  })
)
```

## Multi-tenant filtering

Use `ctx.auth.user.organization_id` to scope data to the authenticated user's organization:

```typescript theme={null}
server.tool(
  {
    name: 'get-documents',
    description: 'Get documents for the authenticated organization',
  },
  async (_args, ctx) => {
    // Custom claims come back as `unknown`  -  narrow before use
    const orgId = ctx.auth.user.organization_id as string | undefined

    if (!orgId) {
      return { content: [{ type: 'text', text: 'Organization context required' }], isError: true }
    }

    const documents = await db.documents.findMany({
      where: { organizationId: orgId }
    })

    return { content: [{ type: 'text', text: JSON.stringify(documents) }] }
  }
)
```

## Resources

* [Runnable mcp-use + WorkOS AuthKit example](https://github.com/mcp-use/mcp-use/tree/main/libraries/typescript/packages/mcp-use/examples/server/oauth/workos)
* [WorkOS AuthKit MCP Guide](https://workos.com/docs/authkit/mcp)
* [WorkOS Documentation](https://workos.com/docs)

## Next Steps

* [User Context](/typescript/server/authentication/user-context)  -  Access user information in tools