Skip to main content
This guide walks you through the complete WorkOS setup process, from creating an account to configuring authentication for Hazel Chat.

Prerequisites

Before you begin, ensure you have:

Overview

WorkOS AuthKit provides enterprise-ready authentication with:
  • Multi-provider auth - Email/password, Google, GitHub, Microsoft, and more
  • Enterprise SSO - SAML and OIDC support
  • Organization management - Multi-tenant with role-based access
  • Session management - Secure JWT tokens
  • MFA support - Two-factor authentication

Step-by-Step Setup

1. Create a WorkOS Account

1

Sign up for WorkOS

Go to workos.com and create a free account.
WorkOS offers a free tier for development with unlimited users.
2

Create your organization

After signing up, create your organization in the WorkOS dashboard.
3

Access your dashboard

Navigate to dashboard.workos.com to configure your application.

2. Enable AuthKit

AuthKit is WorkOS’s managed authentication solution.
1

Navigate to AuthKit

In the WorkOS dashboard, go to AuthenticationAuthKit.
2

Enable AuthKit

Click “Get started” or “Enable AuthKit” if not already enabled.
3

Configure your app

Set your application name and branding:
  • App Name: Hazel Chat (or your preferred name)
  • Logo: Optional - upload your logo
  • Primary Color: Optional - customize the auth UI
4

Enable sign-in methods

Choose at least one authentication method:Recommended for development:
  • ✅ Email + Password
  • ✅ Google OAuth
  • ✅ GitHub OAuth
Optional:
  • Microsoft
  • Magic Links
  • Apple
  • LinkedIn
You can enable additional sign-in methods later. Email + Password is sufficient to get started.

3. Configure Redirect URIs

Redirect URIs tell WorkOS where to send users after authentication.
1

Navigate to Redirects

In the WorkOS dashboard, go to RedirectsEdit redirect URIs.
2

Add development redirect URI

Add the backend callback URL for local development:
http://localhost:3003/auth/callback
This is the backend redirect URI, not the frontend URL.
3

Add production redirect URI (when ready)

When deploying to production, add your production callback URL:
https://api.example.com/auth/callback
Replace api.example.com with your actual backend domain.
4

Save changes

Click Save to apply the redirect URI configuration.

4. Create Required Roles

Hazel Chat uses custom roles for organization access control.
1

Navigate to Roles

In the WorkOS dashboard, go to Roles.
2

Create Owner role

Click “Create Role” and configure:
  • Role Slug: owner
  • Name: Owner
  • Description: Full access, can delete organization
Click Create.
3

Create Admin role

Create another role:
  • Role Slug: admin
  • Name: Admin
  • Description: Can manage members and settings
Click Create.
4

Create Member role

Create the default role:
  • Role Slug: member
  • Name: Member
  • Description: Standard access (default)
Click Create.
These role slugs (owner, admin, member) are hardcoded in Hazel Chat. They must match exactly.

Role Permissions Matrix

RoleDelete OrgManage MembersManage SettingsChannel Access
Owner
Admin
Member

5. Get API Credentials

Retrieve your API credentials from the WorkOS dashboard.
1

Get API Key

Go to API Keys in the dashboard.Copy your API Key:
  • Development: sk_test_...
  • Production: sk_live_...
Never commit API keys to git. Store them in .env files only.
2

Get Client ID

In the Configuration section, copy your Client ID:
client_01ABCDEF123456
3

Get Webhook Secret (optional)

If using webhooks, go to Webhooks and copy the Webhook Secret:
whs_abc123...

6. Configure Environment Variables

Add WorkOS credentials to your environment files. 
# WorkOS Authentication
WORKOS_API_KEY=sk_test_your_api_key_here
WORKOS_CLIENT_ID=client_01ABCDEF123456
WORKOS_REDIRECT_URI=http://localhost:3003/auth/callback
WORKOS_COOKIE_DOMAIN=localhost
WORKOS_WEBHOOK_SECRET=whs_your_webhook_secret
The frontend redirect URI is different from the backend. The frontend receives the code and exchanges it via the backend.

7. Test Authentication

Verify your WorkOS configuration is working.
1

Start development services

# Start Docker services
docker compose up -d

# Start application
bun run dev
2

Open the application

Navigate to http://localhost:3000
3

Click Sign In

Click the Sign In button to start the authentication flow.
4

Complete authentication

Sign up with email or OAuth provider.You should be redirected back to Hazel Chat after successful authentication.
5

Verify user creation

Check that the user was created in your database:
cd packages/db
bun run db:studio
Open http://localhost:4983 and check the users table.

Production Configuration

Update Redirect URIs

When deploying to production:
1

Add production redirect URI

In WorkOS dashboard → Redirects, add:
https://api.example.com/auth/callback
2

Update environment variables

apps/backend/.env.production
WORKOS_API_KEY=sk_live_your_production_key
WORKOS_CLIENT_ID=client_01ABCDEF123456
WORKOS_REDIRECT_URI=https://api.example.com/auth/callback
WORKOS_COOKIE_DOMAIN=example.com
3

Enable production API key

In WorkOS dashboard → API Keys, switch to using the Production API Key (sk_live_...).

Configure Custom Domain (Optional)

Customize the authentication URL:
1

Go to Custom Domains

In WorkOS dashboard → Custom Domains
2

Add your domain

Configure auth.example.com to brand the authentication flow.
3

Verify DNS

Add the required DNS records to verify ownership.

Webhooks (Optional)

Set up webhooks to receive events from WorkOS.
1

Navigate to Webhooks

Go to Webhooks in the WorkOS dashboard.
2

Add webhook endpoint

Configure your webhook URL:
https://api.example.com/webhooks/workos
3

Select events

Subscribe to relevant events:
  • user.created
  • user.updated
  • user.deleted
  • organization_membership.created
  • organization_membership.deleted
4

Copy webhook secret

Save the webhook secret to your environment:
WORKOS_WEBHOOK_SECRET=whs_abc123...

Multi-Organization Setup

Creating Organizations

Users can belong to multiple organizations:
1

Create organization via API

Organizations are typically created when users sign up:
const org = await workos.organizations.createOrganization({
  name: "ACME Corp",
  externalId: uuid(), // Your internal org ID
  allowProfilesOutsideOrganization: false
})
2

Add members

Add users to organizations with roles:
await workos.organizationMemberships.createOrganizationMembership({
  organizationId: org.id,
  userId: user.id,
  roleSlug: "member"
})

Organization Switching

Users can switch between organizations: 
// Login with specific organization
window.location.href = `${BACKEND_URL}/auth/login?organizationId=${orgId}`

Troubleshooting

Error: redirect_uri_mismatchSolution: Verify the redirect URI in your .env file matches exactly what’s configured in WorkOS dashboard:
# Check backend redirect URI
echo $WORKOS_REDIRECT_URI

# Should match WorkOS dashboard → Redirects
http://localhost:3003/auth/callback
Error: invalid_clientSolution: Verify your WORKOS_CLIENT_ID is correct:
echo $WORKOS_CLIENT_ID
# Should start with: client_
Copy the correct value from WorkOS dashboard → Configuration.
Error: Unauthorized or Invalid API keySolution: Check you’re using the correct API key for your environment:
# Development
WORKOS_API_KEY=sk_test_...

# Production
WORKOS_API_KEY=sk_live_...
Never mix development and production keys.
Error: Role 'owner' not foundSolution: Create all three required roles in WorkOS dashboard → Roles:
  • owner
  • admin
  • member
The role slug must match exactly (case-sensitive).
Error: User authenticates but doesn’t appear in databaseSolution: Check backend logs for errors:
# View backend logs
cd apps/backend
bun run dev
Verify DATABASE_URL is correct and database is accessible.

Security Best Practices

Follow these security guidelines in production:

API Keys

1

Never commit API keys

API keys should never be committed to git. Always use .env files.
# ✅ Correct
WORKOS_API_KEY=sk_test_...

# ❌ Wrong - hardcoded in source
const apiKey = "sk_test_abc123"
2

Use different keys per environment

Development and production must use separate API keys:
  • Development: sk_test_...
  • Production: sk_live_...
3

Rotate keys regularly

Rotate API keys every 90 days for security.
4

Restrict key access

Limit who can access production API keys.

Redirect URIs

1

Use HTTPS in production

# ✅ Production
WORKOS_REDIRECT_URI=https://api.example.com/auth/callback

# ❌ Production (insecure)
WORKOS_REDIRECT_URI=http://api.example.com/auth/callback
2

Whitelist exact URIs

Only add the specific redirect URIs you need. Don’t use wildcards.
3

Validate state parameter

The state parameter is validated automatically by Hazel Chat to prevent CSRF.
# Development
WORKOS_COOKIE_DOMAIN=localhost

# Production
WORKOS_COOKIE_DOMAIN=example.com  # Your root domain

Advanced Configuration

Custom Email Templates

Customize authentication emails:
  1. Go to WorkOS dashboard → Email Templates
  2. Edit templates for:
    • Welcome emails
    • Password reset
    • Email verification
    • Magic links

MFA Setup

Enable multi-factor authentication:
  1. Go to AuthenticationMFA
  2. Enable MFA options:
    • SMS
    • Authenticator apps (TOTP)
    • WebAuthn

Session Duration

Configure session expiration:
  1. Go to AuthenticationSession Settings
  2. Set session duration (default: 7 days)
  3. Configure refresh token expiration

Next Steps

Authentication Guide

Learn about the authentication flow

Environment Variables

Complete configuration reference

Deployment

Deploy to production

Database Setup

Set up PostgreSQL

Additional Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us