Auth & Identity · 8 min read

How to Integrate WorkOS with Your Headless CMS

Connect WorkOS to your headless CMS so enterprise SSO, Directory Sync instructions, tenant settings, and audit logs stay aligned the moment content ships.

Published April 29, 2026
01 Overview

What is WorkOS?

WorkOS is a developer platform for adding enterprise auth to B2B apps, including SSO, Directory Sync, User Management, Organizations, RBAC, Admin Portal, and Audit Logs. Teams use WorkOS when customers ask for SAML, OIDC, SCIM provisioning, and customer-visible audit trails without building every identity protocol from scratch. Its APIs and SDKs are common in SaaS products that sell to companies with strict IT requirements.


02 The case for integration

Why integrate WorkOS with a headless CMS?

Enterprise auth gets messy when identity setup and content live in separate places. Your sales team may promise SAML for acme.com, your product team may publish tenant-specific onboarding instructions, and your IT admin may expect WorkOS Admin Portal links, Directory Sync copy, and audit log events to match the exact organization they’re configuring. If those fields are copied by hand, one typo in a domain or one stale role label can block a customer’s launch.


03 Architecture

Architecture overview

A typical setup starts in Sanity Studio, where an editor publishes an enterpriseOrganization document with fields like name, slug, domains, workosOrganizationId, roleMappings, adminPortalInstructions, and localized onboarding copy. The document is written to the Content Lake as structured JSON. A Sanity webhook or Function listens for publish events with a GROQ filter such as _type == "enterpriseOrganization" && !(_id in path("drafts.**")), then fetches the exact projection WorkOS needs with GROQ. The server-side handler uses the WorkOS Node SDK and a WorkOS API key to call WorkOS APIs, for example creating an audit log event with auditLogs.createEvent, updating organization metadata in your app, or generating Admin Portal links from your back end. Your frontend then reads the same Sanity tenant content and uses the WorkOS organization ID when sending users through AuthKit, SSO, or Admin Portal flows. The end user sees the right login path, organization copy, role labels, and setup instructions without your team copying data between tools.


04 Use cases

Common use cases

Enterprise SSO onboarding

Publish tenant-specific SAML or OIDC setup instructions in Sanity and connect them to the matching WorkOS organization ID and verified domains.

Directory Sync role guidance

Structure SCIM and directory mapping copy in Sanity so IT admins see clear role, group, and provisioning instructions alongside WorkOS Directory Sync setup.

Customer-visible audit events

Send content publish events from Sanity to WorkOS Audit Logs so enterprise customers can see when help docs, policy pages, or tenant settings changed.

Tenant-aware auth experiences

Use Sanity content to decide which login copy, legal text, and setup links appear for each WorkOS organization before users enter an SSO flow.


05 Implementation

Step-by-step integration

  1. Set up WorkOS

    Create a WorkOS account, copy your API key from the dashboard, configure your redirect URI, and install the SDK with npm install @workos-inc/node. If you’re using SSO, create or connect a WorkOS organization and note its org_ ID.

  2. Model tenant identity content in Sanity Studio

    Create an enterpriseOrganization schema with fields such as name, slug, domains, workosOrganizationId, adminPortalInstructions, ssoEnabled, directorySyncEnabled, and roleMappings. Keep WorkOS IDs as plain string fields so they can be queried and used by server-side code.

  3. Create a publish trigger

    Add a Sanity webhook or Function that fires only for relevant documents. Use a GROQ filter like _type == "enterpriseOrganization" && !(_id in path("drafts.**")) so drafts don’t call WorkOS.

  4. Fetch Sanity content and call WorkOS

    In the webhook handler or Function, use @sanity/client to fetch the published document with GROQ. Then use the WorkOS SDK to create audit log events, connect organization IDs to your app records, or generate Admin Portal links from a trusted server.

  5. Build the frontend flow

    Query Sanity for the tenant page, show the correct SSO or Directory Sync instructions, and send the user into WorkOS AuthKit or an SSO authorization URL using the matched WorkOS organization ID.

  6. Test with real publish and auth events

    Test one tenant with a draft, a publish, an update, and a delete. Confirm Sanity webhooks fire once per expected event, WorkOS receives the right organization ID, and your frontend never exposes the WorkOS API key.
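
The server-side checks behind steps 3, 4, and 6, as an added example that is not code from Sanity or WorkOS: it re-checks the draft rule, validates the org_ ID, and sends one audit event per published revision. Assumptions: the webhook projection includes _id, _rev, and _updatedAt; the names planAuditEvent, handleDelivery, delivered, and SAMPLE_DOC are hypothetical; the action and location values are constructed; createEvent stands in for workos.auditLogs.createEvent.

```javascript
// Added example, not Sanity or WorkOS code. Hypothetical names: planAuditEvent,
// handleDelivery, delivered, SAMPLE_DOC; the action and location values are constructed.
const ORG_ID = /^org_[A-Za-z0-9]+$/; // the page notes WorkOS organization IDs start with org_
const delivered = new Set(); // in-memory for the example; use a durable store in production

// Pure decision step: what, if anything, should this published document send to WorkOS?
function planAuditEvent(doc, editorId) {
  if (!doc || doc._type !== 'enterpriseOrganization') return { skip: 'wrong type' };
  // Repeat the draft rule in code: the GROQ filter is webhook configuration and can drift.
  if (typeof doc._id !== 'string' || doc._id.startsWith('drafts.')) return { skip: 'draft' };
  if (!ORG_ID.test(String(doc.workosOrganizationId))) return { skip: 'bad organization id' };
  if (typeof doc._rev !== 'string' || !doc._rev) return { skip: 'missing revision' };
  return {
    organizationId: doc.workosOrganizationId,
    idempotencyKey: `${doc._id}:${doc._rev}`, // one key per published revision
    event: {
      action: 'tenant_content.published',
      occurredAt: new Date(doc._updatedAt),
      actor: { type: 'user', id: editorId },
      targets: [{ type: 'enterprise_organization', id: doc._id }],
      context: { location: '192.0.2.10' },
      metadata: { slug: doc.slug, revision: doc._rev },
    },
  };
}

// createEvent is injected so this runs offline; in a real handler pass
// (org, event, opts) => workos.auditLogs.createEvent(org, event, opts).
async function handleDelivery(doc, editorId, createEvent) {
  const plan = planAuditEvent(doc, editorId);
  if (plan.skip) return plan;
  if (delivered.has(plan.idempotencyKey)) return { skip: 'duplicate delivery' };
  await createEvent(plan.organizationId, plan.event, { idempotencyKey: plan.idempotencyKey });
  delivered.add(plan.idempotencyKey); // record only after success so a failed call can be retried
  return { sent: plan.idempotencyKey };
}

// Constructed sample of the projection a publish webhook might deliver.
const SAMPLE_DOC = {
  _id: 'enterpriseOrganization-acme', _type: 'enterpriseOrganization', _rev: 'rev1',
  _updatedAt: '2026-04-29T12:00:00Z', slug: 'acme', workosOrganizationId: 'org_01EXAMPLE',
};
```

The same idempotency key is passed to the WorkOS call, so two deliveries that race past the in-memory check still carry one key per revision.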



07 Why Sanity

How Sanity + WorkOS works

Build your WorkOS integration on Sanity

Sanity’s AI Content Operating System gives you the structured content foundation, real-time event system, and flexible APIs you need to connect tenant content with WorkOS.


08 Comparison

CMS approaches to WorkOS

| Capability | Traditional CMS | Sanity |
| --- | --- | --- |
| Tenant and organization modeling | Organization settings often live in pages, plugins, or custom tables, so WorkOS IDs and domain lists can drift from the content editors update. | Schema-as-code lets you model WorkOS organization IDs, domains, role mappings, and setup copy in TypeScript with validation and Git review. |
| Sync on publish | Teams often rely on manual updates, plugin hooks, or scheduled exports, which can delay WorkOS updates. | Webhooks or Functions can run server-side logic on content mutations. Functions include 500,000 invocations per month, but long-running identity workflows should still use a queue. |
| Field-level payload control | Template output or REST endpoints can send more data than WorkOS needs, which increases mapping code. | GROQ fetches exactly the WorkOS payload you need, including joined references such as author email, tenant plan, locale, and role labels. |
| Customer audit logs | Admin logs are usually built for internal editors, not customer-facing audit trails in enterprise SaaS products. | A webhook or Function can map publish events to workos.auditLogs.createEvent with organization, actor, target, and metadata fields. |
| Multi-channel auth content | Auth copy and setup instructions are often tied to one website experience. | One structured back end can feed web, mobile, WorkOS-connected admin flows, and AI agents, with GROQ filters for each tenant and channel. |
