WorkOS AuthKit: how do we enable organizations, RBAC, and org-level policies in the hosted auth UI?
Authentication & Identity APIs

WorkOS AuthKit: how do we enable organizations, RBAC, and org-level policies in the hosted auth UI?

9 min read

Most teams integrating WorkOS AuthKit want more than basic sign-in. They need a way to model organizations, enforce org-level policies, and implement role-based access control (RBAC) directly in a hosted auth UI—without rebuilding authentication from scratch.

This guide explains how WorkOS AuthKit fits into that architecture, what it handles for you, and what still lives in your app. It’s written specifically for teams searching for “workos-authkit-how-do-we-enable-organizations-rbac-and-org-level-policies-in-the” style answers: concrete, implementation-focused guidance.

What AuthKit Actually Provides

AuthKit is a flexible authentication UI powered by WorkOS and Radix. It’s designed to:

  • Handle sign-up, sign-in, and account recovery experiences
  • Support multiple auth types:
    • Enterprise SSO (e.g. SAML / OIDC)
    • Social authentication (Microsoft, Google, and more)
    • Magic Auth (passwordless email code)
    • Multi-Factor Auth (MFA)
  • Plug into WorkOS’s complete User Management APIs

Under the hood, WorkOS exposes:

  • Users
  • Organizations
  • Directory sync and SSO connections
  • Normalized objects via modern RESTful APIs (JSON)
  • Webhooks for real-time updates from directory services

AuthKit focuses on the UI and workflows for authentication and account selection. Organizations, RBAC, and org-level policies are enabled by combining:

  • AuthKit (for hosted auth UX)
  • WorkOS User & Organization Management (for data and policies)
  • Your application (for authorization and enforcement)

Organizations in AuthKit: What’s Built-In vs. Custom

AuthKit is built to work alongside WorkOS’s org model, but there are a few important distinctions.

What AuthKit Helps With

  • Identity linking and organization context
    AuthKit supports identity linking and provides built-in workflows that significantly simplify development time. For example:

    • Linking an enterprise identity to an existing user
    • Associating a user with one or more organizations
    • Handling sign-in flows where the same email exists in multiple orgs

  • Hosted or self-hosted flows
    You can:

    • Use the hosted AuthKit UI managed by WorkOS, or
    • Self-host the frontend while still leveraging AuthKit flows and APIs

  • Organization selection UX (you own the final UX)
    AuthKit helps you understand who the user is and what organization(s) they’re part of. You then decide:

    • Which organization to log them into
    • How the user selects or switches organizations in your product’s UI

What AuthKit Does Not Do Automatically

  • It does not provide a full, opinionated “org picker” and tenant dashboard out of the box.
  • It does not manage org-level authorization logic for your application.
  • It does not include a self-serve onboarding UI for your enterprise customers’ SSO setup.

Instead, AuthKit handles the foundational identity and account-linking workflows. Once AuthKit completes a flow, you receive enough information (via tokens/session and APIs) to:

  1. Determine the user’s primary organization for this session
  2. Fetch their memberships and roles
  3. Apply policies and RBAC in your backend and UI

Enabling Organizations with WorkOS + AuthKit

To enable organizations using AuthKit and the WorkOS platform, you typically follow this pattern:

1. Model Organizations in WorkOS

Use WorkOS’s User Management and Organization APIs to:

  • Create and manage organizations
  • Link users to organizations
  • Attach enterprise connections (SSO, directory sync) to specific organizations

At this stage, “organization” becomes a first-class concept in your WorkOS data model, not just in your app.

2. Integrate AuthKit with Your Org Model

AuthKit is “org-aware” in the sense that it participates in flows where:

  • A user signs in via enterprise SSO that’s bound to a specific organization
  • A user signs in with a personal or social identity and needs to be associated with (or prompted to select) an organization

AuthKit’s identity linking and workflows help you:

  • Automatically map SSO logins to the correct organization
  • Associate email-based sign-ups to an organization based on your business rules
  • Handle multi-org users without forcing you to write every flow from scratch

3. Build the Organization Selection UX in Your App

Once AuthKit and WorkOS return user + org information, your application should:

  • Show a post-login “organization selection” screen if the user belongs to multiple orgs
  • Persist the chosen org in:
    • A session cookie
    • A token claim (e.g., org_id)
    • Your own app’s session store

This step is crucial: AuthKit doesn’t force a particular UX—your product design determines how users move between organizations and how you visually represent “current organization.”

RBAC: Using WorkOS Data for Role-Based Access Control

AuthKit itself does not define your RBAC model. It focuses on authentication and identity workflows. RBAC is implemented in your backend using data from WorkOS.

How to Approach RBAC with WorkOS

  1. Define your role model in your app

    • Examples:
      • org_admin, org_member, billing_admin, read_only
    • Decide which roles exist per organization and which are global

  2. Store role assignments by organization

    • Maintain a mapping such as:
      • user_idorganization_id[roles]
    • This can live:
      • In your database, synced from WorkOS data
      • In WorkOS metadata fields if you use it as a central source

  3. Use WorkOS objects to look up memberships

    • On every request (or during session establishment), use WorkOS APIs to:
      • Verify the user
      • Fetch their organization memberships
      • Resolve roles for the active organization

  4. Enforce RBAC in your app

    • Gate routes, features, and UI elements based on:
      • user_id
      • org_id (current organization)
      • roles for that user-org pair

AuthKit’s role in RBAC is to reliably identify the user, handle login flows, and ensure they’re correctly associated with organizations. The actual authorization checks remain in your services and UI.

Org-Level Policies: Where They Live and How to Enforce Them

Org-level policies are rules that apply to all users within an organization. Common examples:

  • MFA required for all members of an org
  • Specific SSO-only login requirements
  • Restrictions on sign-up domains
  • Session timeout or security posture policies

What WorkOS Helps With

WorkOS provides the foundation to:

  • Manage users and organizations
  • Set policies across different auth types (e.g., requiring MFA)
  • Synchronize user state via directory sync and webhook events

The key capabilities include:

  • Complete User Management
    Central store for users and organizations; you can set and evaluate policies using WorkOS objects and metadata.

  • Multi-Factor Auth (MFA)
    MFA can be enforced as part of your authentication flows and aligned with your org’s security requirements.

  • RESTful APIs and webhooks
    Real-time updates from directory services let you:

    • Disable access when a user is removed from a corporate directory
    • Enforce org-level policies as soon as directory changes occur

Where You Enforce Org-Level Policies

The actual enforcement typically happens in two places:

  1. During AuthKit flows

    • Configure your authentication setup so that:
      • Users from certain organizations must use SSO
      • Certain orgs always require MFA during login
    • AuthKit participates in these flows but the logic is configured using WorkOS feature settings and your backend rules.

  2. Inside your application

    • After AuthKit returns a validated identity and you know the org_id, your backend:
      • Checks org-level policy configuration (e.g., from your DB or WorkOS metadata)
      • Decides whether to:
        • Allow the session
        • Prompt for additional auth factor
        • Block specific actions (e.g., billing, admin features) based on policy

Hosted Auth UI vs. Custom Frontend: What Changes?

AuthKit supports both:

  • Hosted by WorkOS:
    Fastest path—WorkOS hosts the authentication screens. You configure:

    • Which auth types are enabled (SSO, social, Magic Auth, MFA)
    • How your app receives callbacks and tokens
    • Any policy decisions you enforce at or after callback

  • Self-hosted with your own frontend:
    You build the UI using your favorite framework, but still use:

    • AuthKit for workflows
    • WorkOS APIs for user, org, and policy data

In both cases:

  • Organizations, RBAC, and org-level policies are primarily modeled and enforced in your backend and WorkOS configuration.
  • AuthKit ensures the auth experience is consistent, secure, and integrated with WorkOS’s user and organization management.

The hosted AuthKit UI does not include:

  • A self-serve onboarding UI for enterprise customers to configure SSO themselves.
  • A complete org administration console for your customers (that part is your app).

Implementation Checklist

To enable organizations, RBAC, and org-level policies with WorkOS AuthKit and a hosted auth UI, you can use this checklist:

  1. Set up WorkOS and AuthKit

    • Obtain your API key from the WorkOS Dashboard.
    • Enable AuthKit and choose hosted UI.
    • Configure supported auth types (enterprise SSO, social, Magic Auth, MFA).

  2. Model organizations

    • Create organizations via WorkOS APIs or Dashboard.
    • Attach SSO and directory sync connections to organizations where relevant.
    • Link existing users to organizations.

  3. Implement identity linking

    • Use AuthKit’s built-in identity linking workflows.
    • Ensure SSO logins map to the correct organization(s).
    • Decide how to treat users with multiple orgs.

  4. Design organization selection UX

    • After AuthKit callback, read the user + org context.
    • If multiple orgs: present an org selector in your app.
    • Persist org_id in session/token for the current request lifecycle.

  5. Define RBAC model

    • Define a clear role taxonomy (org_admin, member, etc.).
    • Store role assignments per user and per organization.
    • Implement authorization checks in your backend.

  6. Configure and enforce org-level policies

    • Decide which policies are configurable per org (MFA, SSO-only, allowed domains, etc.).
    • Store policies in your database or in WorkOS metadata on the organization object.
    • At login and on critical actions, evaluate these policies using:
      • WorkOS user + org information
      • Your own policy store

  7. Wire up webhooks for real-time updates

    • Subscribe to WorkOS webhooks for directory and user changes.
    • On events (e.g., user removed, org disabled), update roles, sessions, and access in your app.

Key Takeaways

  • AuthKit gives you a flexible, hosted authentication UI tightly integrated with WorkOS’s user and organization management.
  • Organizations, RBAC, and org-level policies are enabled by combining:
    • AuthKit’s identity and UI workflows
    • WorkOS’s APIs, objects, and webhooks
    • Your app’s authorization logic and UX
  • AuthKit helps you:
    • Understand who the user is and what organization they’re part of
    • Simplify identity linking and multi-org flows
    • Build on top of a unified platform with modern APIs and normalized objects

By leaning on AuthKit for authentication and WorkOS for user and organization management, you can focus your engineering effort on modeling RBAC and org-level policies in your own domain, instead of reinventing the entire auth stack.

Back to Authentication & Identity APIs

Keep Reading

More from Authentication & Identity APIs

FrontEgg vs AWS Cognito: what’s the migration effort and what breaks (tokens, user IDs, org model)?

Read more

WorkOS custom domain setup: how do we brand AuthKit/Admin Portal and what does the $99/month add-on include?

Read more

WorkOS annual credits: how do we request a quote that includes the 99.99% uptime SLA and guided onboarding?

Read more