Skip to content

[v8] feat: add PKCE support for public clients; remove /client entry point #1435

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nicknisi merged 28 commits into from
Jan 7, 2026
Merged

[v8] feat: add PKCE support for public clients; remove /client entry point #1435

Show file tree
Hide file tree
Changes from 23 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
fdf5908
[v8] feat: add PKCE support for public clients
nicknisi Jan 5, 2026
4ea2ecc
[v8] feat: add API key guards to HTTP methods
nicknisi Jan 5, 2026
acb9423
[v8] refactor: remove /client export, inline URL builders
nicknisi Jan 5, 2026
c7b3a19
feat(user-management): add PKCE-compatible refresh token method
nicknisi Jan 5, 2026
7874e81
refactor: unify refresh token method with auto-detection
nicknisi Jan 5, 2026
83f0c42
refactor: rename internal PKCE interfaces to public-client
nicknisi Jan 5, 2026
d1c579f
update README
nicknisi Jan 5, 2026
8e83244
docs: add JSDoc comments for public client methods and README section
nicknisi Jan 5, 2026
448cdf9
fix: fail fast when session sealing used in public client mode
nicknisi Jan 5, 2026
ef1864b
chore: remove redundant inline comments from workos.ts
nicknisi Jan 5, 2026
c285a04
fix: improve PKCE security and JWT error handling
nicknisi Jan 5, 2026
6419257
refactor: simplify PKCE verifier generation with base64url encoding
nicknisi Jan 5, 2026
366a0e0
fix: add API key check to SSO and remove catch-all in session auth
nicknisi Jan 5, 2026
2087dbe
fix lint issue
nicknisi Jan 5, 2026
8fb0777
feat: add getAuthorizationUrlWithPKCE helper for CLI/Electron apps
nicknisi Jan 6, 2026
fb5e08b
formatting
nicknisi Jan 6, 2026
d3e2f2f
remove pkce barrel file
nicknisi Jan 6, 2026
9a757fb
cleanup
nicknisi Jan 6, 2026
a6ede43
feat(sso): add PKCE support for public clients
nicknisi Jan 6, 2026
8d3f693
fix(pkce): improve validation and type safety
nicknisi Jan 6, 2026
8b9c16b
docs: update README with accurate PKCE method names
nicknisi Jan 6, 2026
085a43d
feat(pkce): support PKCE with confidential clients for defense in depth
nicknisi Jan 6, 2026
753502e
formatting
nicknisi Jan 6, 2026
6f16863
fix: properly handle all HeadersInit formats in HTTP client
nicknisi Jan 7, 2026
a3e370d
feat: support apiKey in options object for unified initialization
nicknisi Jan 7, 2026
391feb4
feat(user-management): make clientId optional with constructor fallback
nicknisi Jan 7, 2026
c801272
docs: add security note for codeVerifier storage
nicknisi Jan 7, 2026
436ec82
formatting
nicknisi Jan 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,54 @@ import { WorkOS } from '@workos-inc/node';
const workos = new WorkOS('sk_1234');
```

## Public Client Mode (Browser/Mobile/CLI)

For apps that can't securely store secrets, initialize with just a client ID:

```ts
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS({ clientId: 'client_...' }); // No API key needed

// Generate auth URL with automatic PKCE
const { url, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
Copy link
Contributor

@cmatheson cmatheson Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we mention that the codeVerifier should be stored on-device (cookie, phone storage, etc.) for later? (it's somewhat clear since you need it for the authenticateWithCode call, but maybe not obvious to someone who has never done this before?

Copy link
Member Author

@nicknisi nicknisi Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the following to the README:

Important

Store codeVerifier securely on-device between generating the auth URL and handling the callback. For mobile apps, use platform secure storage (iOS Keychain, Android Keystore). For CLI apps, consider OS credential storage. The verifier must survive app restarts during the auth flow.

provider: 'authkit',
redirectUri: 'myapp://callback',
clientId: 'client_...',
});

// After user authenticates, exchange code for tokens
const { accessToken, refreshToken } = await workos.userManagement.authenticateWithCode({
code: authorizationCode,
codeVerifier,
clientId: 'client_...',
});
```

See the [AuthKit documentation](https://workos.com/docs/authkit) for details on PKCE authentication.

### PKCE with Confidential Clients

Server-side apps can also use PKCE alongside the client secret for defense in depth (recommended by OAuth 2.1):

```ts
const workos = new WorkOS('sk_...'); // With API key

// Use PKCE even with API key for additional security
const { url, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
provider: 'authkit',
redirectUri: 'https://example.com/callback',
clientId: 'client_...',
Copy link
Contributor

@cmatheson cmatheson Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the redundant clientId stuff that i wish we could omit given we already specified this when creating the client.

Copy link
Member Author

@nicknisi nicknisi Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clientId is now optional in all method parameters. If not provided, it falls back to the value from the constructor (new WorkOS('sk_...', { clientId: 'client_123' })).

Changes:

  • Added resolveClientId() helper that throws a clear error if clientId isn't available from either source
  • Updated all 10 affected methods (8 authenticate methods + 2 authorization URL methods)
  • Added WithResolvedClientId utility type for type-safe serializers (no ! assertions)
  • Added tests for fallback behavior

Usage:

const workos = new WorkOS('sk_...', { clientId: 'client_123' });

// clientId now optional - falls back to constructor value
await workos.userManagement.authenticateWithCode({ code });

});

// Both client_secret AND code_verifier will be sent
const { accessToken } = await workos.userManagement.authenticateWithCode({
code: authorizationCode,
codeVerifier,
clientId: 'client_...',
});
```

## SDK Versioning

For our SDKs WorkOS follows a Semantic Versioning ([SemVer](https://semver.org/)) process where all releases will have a version X.Y.Z (like 1.0.0) pattern wherein Z would be a bug fix (e.g., 1.0.1), Y would be a minor release (1.1.0) and X would be a major release (2.0.0). We permit any breaking changes to only be released in major versions and strongly recommend reading changelogs before making any major version upgrades.
Expand Down
18 changes: 15 additions & 3 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 1 addition & 11 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@
"@types/qs": "^6.14.0",
"@typescript-eslint/parser": "^8.46.0",
"babel-jest": "^30.2.0",
"baseline-browser-mapping": "^2.9.11",
"eslint": "^9.37.0",
"eslint-plugin-jest": "^29.0.1",
"eslint-plugin-n": "^17.23.1",
Expand Down Expand Up @@ -110,17 +111,6 @@
},
"default": "./lib/index.js"
},
"./client": {
"import": {
"types": "./lib/index.client.d.ts",
"default": "./lib/index.client.js"
},
"require": {
"types": "./lib/index.client.d.cts",
"default": "./lib/index.client.cjs"
},
"default": "./lib/index.client.js"
},
"./worker": {
"import": {
"types": "./lib/index.worker.d.ts",
Expand Down
18 changes: 0 additions & 18 deletions src/client/index.ts
View file
Open in desktop

This file was deleted.

115 changes: 0 additions & 115 deletions src/client/sso.spec.ts
View file
Open in desktop

This file was deleted.

55 changes: 0 additions & 55 deletions src/client/sso.ts
View file
Open in desktop

This file was deleted.

Loading