Skip to main content
The UserManagement class provides comprehensive methods for user authentication, user lifecycle management, session handling, and organization membership management.

​
User Methods

​
getUser

Retrieves a user by their ID.
​
userId
string
required
The unique identifier of the user
​
user
User
​
id
string
Unique identifier for the user
​
email
string
User’s email address
​
emailVerified
boolean
Whether the user’s email has been verified
​
firstName
string | null
User’s first name
​
lastName
string | null
User’s last name
​
profilePictureUrl
string | null
URL to user’s profile picture
​
createdAt
string
ISO 8601 timestamp of user creation
​
updatedAt
string
ISO 8601 timestamp of last update
​
externalId
string | null
External identifier from your system
​
metadata
Record<string, string>
Custom metadata associated with the user
const user = await workos.userManagement.getUser('user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5');
console.log(user.email);

​
getUserByExternalId

Retrieves a user by their external ID.
​
externalId
string
required
The external identifier of the user
​
user
User
Returns the same User object as getUser
const user = await workos.userManagement.getUserByExternalId('ext_12345');

​
listUsers

Retrieves a paginated list of users.
​
email
string
Filter by email address
​
organizationId
string
Filter by organization ID
​
limit
number
Number of results to return (default: 10)
​
before
string
Cursor for pagination (previous page)
​
after
string
Cursor for pagination (next page)
​
users
AutoPaginatable<User>
Paginated list of users
const users = await workos.userManagement.listUsers({
  organizationId: 'org_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  limit: 20
});

for await (const user of users) {
  console.log(user.email);
}

​
createUser

Creates a new user.
​
email
string
required
User’s email address
​
password
string
User’s password (plain text, will be hashed)
​
passwordHash
string
Pre-hashed password
​
passwordHashType
PasswordHashType
Type of password hash (e.g., ‘bcrypt’, ‘firebase-scrypt’)
​
firstName
string
User’s first name
​
lastName
string
User’s last name
​
emailVerified
boolean
Whether the email is already verified
​
externalId
string
External identifier from your system
​
metadata
Record<string, string>
Custom metadata to associate with the user
​
user
User
The created user object
const user = await workos.userManagement.createUser({
  email: '[email protected]',
  password: 'securePassword123',
  firstName: 'Jane',
  lastName: 'Doe',
  emailVerified: false,
  metadata: { department: 'engineering' }
});

​
updateUser

Updates an existing user.
​
userId
string
required
The ID of the user to update
​
firstName
string
Updated first name
​
lastName
string
Updated last name
​
emailVerified
boolean
Updated email verification status
​
metadata
Record<string, string>
Updated metadata
​
user
User
The updated user object
const user = await workos.userManagement.updateUser({
  userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  firstName: 'Jane',
  metadata: { department: 'product' }
});

​
deleteUser

Deletes a user.
​
userId
string
required
The ID of the user to delete
await workos.userManagement.deleteUser('user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5');

​
Authentication Methods

​
authenticateWithPassword

Authenticates a user with email and password.
​
email
string
required
User’s email address
​
password
string
required
User’s password
​
clientId
string
OAuth client ID (optional if configured globally)
​
session
AuthenticateWithSessionOptions
Session options for sealing the session
​
authenticationResponse
AuthenticationResponse
​
user
User
The authenticated user
​
accessToken
string
JWT access token
​
refreshToken
string
Refresh token for obtaining new access tokens
​
organizationId
string
ID of the user’s organization
​
authenticationMethod
string
Method used for authentication (e.g., ‘Password’)
​
sealedSession
string
Encrypted session data (if sealSession option was enabled)
const authResponse = await workos.userManagement.authenticateWithPassword({
  email: '[email protected]',
  password: 'securePassword123',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

console.log(authResponse.accessToken);

​
authenticateWithCode

Exchanges an authorization code for tokens. Auto-detects public vs confidential client mode based on whether a code verifier or API key is provided.
​
code
string
required
Authorization code from OAuth callback
​
clientId
string
OAuth client ID (optional if configured globally)
​
codeVerifier
string
PKCE code verifier (for public clients)
​
session
AuthenticateWithSessionOptions
Session options for sealing the session
​
authenticationResponse
AuthenticationResponse
Authentication response with user and tokens
// Public client (PKCE flow)
const authResponse = await workos.userManagement.authenticateWithCode({
  code: 'auth_code_123',
  codeVerifier: 'code_verifier_from_pkce',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

// Confidential client (uses API key)
const authResponse = await workos.userManagement.authenticateWithCode({
  code: 'auth_code_123',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
authenticateWithRefreshToken

Refreshes an access token using a refresh token.
​
refreshToken
string
required
The refresh token
​
clientId
string
OAuth client ID (optional if configured globally)
​
session
AuthenticateWithSessionOptions
Session options for sealing the session
​
authenticationResponse
AuthenticationResponse
New authentication response with refreshed tokens
const authResponse = await workos.userManagement.authenticateWithRefreshToken({
  refreshToken: 'refresh_token_123',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
authenticateWithMagicAuth

Authenticates a user with a magic auth code.
​
code
string
required
Magic auth code from email
​
email
string
required
User’s email address
​
clientId
string
OAuth client ID (optional if configured globally)
​
session
AuthenticateWithSessionOptions
Session options for sealing the session
​
authenticationResponse
AuthenticationResponse
Authentication response with user and tokens
const authResponse = await workos.userManagement.authenticateWithMagicAuth({
  code: 'magic_code_123',
  email: '[email protected]',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
authenticateWithTotp

Authenticates a user with a TOTP code.
​
code
string
required
TOTP code from authenticator app
​
authenticationChallengeId
string
required
ID of the authentication challenge
​
pendingAuthenticationToken
string
required
Token from the initial authentication attempt
​
clientId
string
OAuth client ID (optional if configured globally)
​
session
AuthenticateWithSessionOptions
Session options for sealing the session
​
authenticationResponse
AuthenticationResponse
Authentication response with user and tokens
const authResponse = await workos.userManagement.authenticateWithTotp({
  code: '123456',
  authenticationChallengeId: 'auth_challenge_123',
  pendingAuthenticationToken: 'pending_token_123',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
getAuthorizationUrl

Generates an OAuth 2.0 authorization URL.
​
provider
string
OAuth provider (e.g., ‘authkit’, ‘GoogleOAuth’)
​
connectionId
string
SSO connection ID
​
organizationId
string
Organization ID
​
redirectUri
string
required
URL to redirect after authorization
​
state
string
State parameter for CSRF protection
​
codeChallenge
string
PKCE code challenge
​
codeChallengeMethod
string
PKCE code challenge method (e.g., ‘S256’)
​
screenHint
string
Screen hint for AuthKit (e.g., ‘sign-up’, ‘sign-in’)
​
url
string
The authorization URL
const url = workos.userManagement.getAuthorizationUrl({
  provider: 'authkit',
  redirectUri: 'https://myapp.com/callback',
  state: 'random_state_123',
  screenHint: 'sign-up'
});

// Redirect user to this URL
window.location.href = url;

​
getAuthorizationUrlWithPKCE

Generates an OAuth 2.0 authorization URL with automatic PKCE generation.
​
provider
string
OAuth provider (e.g., ‘authkit’)
​
connectionId
string
SSO connection ID
​
organizationId
string
Organization ID
​
redirectUri
string
required
URL to redirect after authorization
​
screenHint
string
Screen hint for AuthKit
​
result
PKCEAuthorizationURLResult
​
url
string
The authorization URL
​
state
string
Generated state parameter
​
codeVerifier
string
Code verifier for PKCE (store securely)
const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
  provider: 'authkit',
  clientId: 'client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  redirectUri: 'myapp://callback'
});

// Store state and codeVerifier securely
localStorage.setItem('pkce_state', state);
localStorage.setItem('pkce_verifier', codeVerifier);

// Redirect user
window.location.href = url;

​
Session Methods

​
loadSealedSession

Loads a sealed session for session management.
​
sessionData
string
required
Encrypted session data from cookie
​
cookiePassword
string
required
Password used to encrypt the session
​
session
CookieSession
Session object for managing the session
const session = workos.userManagement.loadSealedSession({
  sessionData: req.cookies.session,
  cookiePassword: process.env.WORKOS_COOKIE_PASSWORD
});

await session.refresh();

​
authenticateWithSessionCookie

Authenticates and validates a session cookie.
​
sessionData
string
required
Encrypted session data from cookie
​
cookiePassword
string
Password used to encrypt the session (defaults to WORKOS_COOKIE_PASSWORD env var)
​
result
AuthenticateWithSessionCookieSuccessResponse | AuthenticateWithSessionCookieFailedResponse
​
authenticated
boolean
Whether authentication was successful
​
user
User
The authenticated user (if successful)
​
sessionId
string
Session ID (if successful)
​
organizationId
string
Organization ID (if successful)
​
reason
string
Failure reason (if failed)
const result = await workos.userManagement.authenticateWithSessionCookie({
  sessionData: req.cookies.session,
  cookiePassword: process.env.WORKOS_COOKIE_PASSWORD
});

if (result.authenticated) {
  console.log('User:', result.user.email);
} else {
  console.log('Auth failed:', result.reason);
}

​
listSessions

Lists all sessions for a user.
​
userId
string
required
The user ID
​
limit
number
Number of results to return
​
before
string
Cursor for pagination
​
after
string
Cursor for pagination
​
sessions
AutoPaginatable<Session>
Paginated list of sessions
const sessions = await workos.userManagement.listSessions('user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5');

for await (const session of sessions) {
  console.log(session.id);
}

​
revokeSession

Revokes a user session.
​
sessionId
string
required
The session ID to revoke
await workos.userManagement.revokeSession({
  sessionId: 'session_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
getLogoutUrl

Generates a logout URL.
​
sessionId
string
required
The session ID to log out
​
returnTo
string
URL to redirect after logout
​
url
string
The logout URL
const logoutUrl = workos.userManagement.getLogoutUrl({
  sessionId: 'session_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  returnTo: 'https://myapp.com'
});

​
Organization Membership Methods

​
getOrganizationMembership

Retrieves an organization membership by ID.
​
organizationMembershipId
string
required
The organization membership ID
​
membership
OrganizationMembership
​
id
string
Membership ID
​
userId
string
User ID
​
organizationId
string
Organization ID
​
organizationName
string
Organization name
​
status
'active' | 'inactive' | 'pending'
Membership status
​
role
RoleResponse
User’s role in the organization
​
createdAt
string
ISO 8601 timestamp
​
updatedAt
string
ISO 8601 timestamp
const membership = await workos.userManagement.getOrganizationMembership(
  'om_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
listOrganizationMemberships

Lists organization memberships with filtering.
​
userId
string
Filter by user ID
​
organizationId
string
Filter by organization ID
​
statuses
OrganizationMembershipStatus[]
Filter by membership status
​
limit
number
Number of results to return
​
memberships
AutoPaginatable<OrganizationMembership>
Paginated list of memberships
const memberships = await workos.userManagement.listOrganizationMemberships({
  userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  statuses: ['active']
});

​
createOrganizationMembership

Creates a new organization membership.
​
userId
string
required
The user ID
​
organizationId
string
required
The organization ID
​
roleSlug
string
Role slug to assign
​
membership
OrganizationMembership
The created membership
const membership = await workos.userManagement.createOrganizationMembership({
  userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  organizationId: 'org_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  roleSlug: 'member'
});

​
updateOrganizationMembership

Updates an organization membership.
​
organizationMembershipId
string
required
The membership ID to update
​
roleSlug
string
New role slug
​
membership
OrganizationMembership
The updated membership
const membership = await workos.userManagement.updateOrganizationMembership(
  'om_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  { roleSlug: 'admin' }
);

​
deleteOrganizationMembership

Deletes an organization membership.
​
organizationMembershipId
string
required
The membership ID to delete
await workos.userManagement.deleteOrganizationMembership(
  'om_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
deactivateOrganizationMembership

Deactivates an organization membership.
​
organizationMembershipId
string
required
The membership ID to deactivate
​
membership
OrganizationMembership
The deactivated membership
const membership = await workos.userManagement.deactivateOrganizationMembership(
  'om_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
reactivateOrganizationMembership

Reactivates an organization membership.
​
organizationMembershipId
string
required
The membership ID to reactivate
​
membership
OrganizationMembership
The reactivated membership
const membership = await workos.userManagement.reactivateOrganizationMembership(
  'om_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
Email Verification Methods

​
sendVerificationEmail

Sends a verification email to a user.
​
userId
string
required
The user ID
​
result
{ user: User }
Object containing the user
const { user } = await workos.userManagement.sendVerificationEmail({
  userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
verifyEmail

Verifies a user’s email with a code.
​
userId
string
required
The user ID
​
code
string
required
Verification code from email
​
result
{ user: User }
Object containing the verified user
const { user } = await workos.userManagement.verifyEmail({
  userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
  code: 'verification_code_123'
});

​
getEmailVerification

Retrieves email verification details.
​
emailVerificationId
string
required
The email verification ID
​
emailVerification
EmailVerification
Email verification object
const verification = await workos.userManagement.getEmailVerification(
  'email_verification_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
Password Reset Methods

​
createPasswordReset

Creates a password reset request.
​
email
string
required
User’s email address
​
passwordReset
PasswordReset
Password reset object
const passwordReset = await workos.userManagement.createPasswordReset({
  email: '[email protected]'
});

​
resetPassword

Resets a user’s password.
​
token
string
required
Password reset token
​
newPassword
string
required
New password
​
result
{ user: User }
Object containing the user with reset password
const { user } = await workos.userManagement.resetPassword({
  token: 'reset_token_123',
  newPassword: 'newSecurePassword456'
});

​
getPasswordReset

Retrieves password reset details.
​
passwordResetId
string
required
The password reset ID
​
passwordReset
PasswordReset
Password reset object
const passwordReset = await workos.userManagement.getPasswordReset(
  'password_reset_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
Magic Auth Methods

​
createMagicAuth

Creates a magic authentication link.
​
email
string
required
User’s email address
​
magicAuth
MagicAuth
Magic auth object with authentication link
const magicAuth = await workos.userManagement.createMagicAuth({
  email: '[email protected]'
});

console.log(magicAuth.link);

​
getMagicAuth

Retrieves magic auth details.
​
magicAuthId
string
required
The magic auth ID
​
magicAuth
MagicAuth
Magic auth object
const magicAuth = await workos.userManagement.getMagicAuth(
  'magic_auth_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
Auth Factor Methods

​
enrollAuthFactor

Enrolls a new authentication factor (MFA).
​
userId
string
required
The user ID
​
type
'totp' | 'sms'
required
Type of authentication factor
​
phoneNumber
string
Phone number (required for SMS type)
​
issuer
string
TOTP issuer (required for TOTP type)
​
user
string
TOTP user (required for TOTP type)
​
result
object
​
authenticationFactor
FactorWithSecrets
The enrolled factor with secrets
​
authenticationChallenge
Challenge
Initial authentication challenge
const { authenticationFactor, authenticationChallenge } = 
  await workos.userManagement.enrollAuthFactor({
    userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5',
    type: 'totp',
    issuer: 'MyApp',
    user: '[email protected]'
  });

console.log(authenticationFactor.totp?.qrCode);

​
listAuthFactors

Lists authentication factors for a user.
​
userId
string
required
The user ID
​
limit
number
Number of results to return
​
factors
AutoPaginatable<Factor>
Paginated list of authentication factors
const factors = await workos.userManagement.listAuthFactors({
  userId: 'user_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

for await (const factor of factors) {
  console.log(factor.type);
}

​
Invitation Methods

​
sendInvitation

Sends an organization invitation.
​
email
string
required
Email address to invite
​
organizationId
string
required
Organization ID
​
invitation
Invitation
The created invitation
const invitation = await workos.userManagement.sendInvitation({
  email: '[email protected]',
  organizationId: 'org_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
listInvitations

Lists invitations.
​
organizationId
string
Filter by organization ID
​
email
string
Filter by email
​
limit
number
Number of results to return
​
invitations
AutoPaginatable<Invitation>
Paginated list of invitations
const invitations = await workos.userManagement.listInvitations({
  organizationId: 'org_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
});

​
getInvitation

Retrieves an invitation by ID.
​
invitationId
string
required
The invitation ID
​
invitation
Invitation
The invitation object
const invitation = await workos.userManagement.getInvitation(
  'invitation_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
revokeInvitation

Revokes an invitation.
​
invitationId
string
required
The invitation ID to revoke
​
invitation
Invitation
The revoked invitation
const invitation = await workos.userManagement.revokeInvitation(
  'invitation_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
resendInvitation

Resends an invitation.
​
invitationId
string
required
The invitation ID to resend
​
invitation
Invitation
The resent invitation
const invitation = await workos.userManagement.resendInvitation(
  'invitation_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5'
);

​
Utility Methods

​
getJwksUrl

Returns the JWKS URL for token verification.
​
clientId
string
required
The client ID
​
url
string
The JWKS URL
const jwksUrl = workos.userManagement.getJwksUrl('client_01HZXK8F9P3QZJQ2Z1Z2Z3Z4Z5');
console.log(jwksUrl);

Build docs developers (and LLMs) love

Get started for freeTalk to us