Changelog

9.0.0 (2026-05-26)

Bug Fixes

  • ci: extract version from PR title in changelog inline step (93768a1)

  • #491 feat(generated)!: regenerate from spec (9 changes)

⚠️ Breaking

  • organization_membership: Migrate organization membership to dedicated service
    • Moved organization membership methods from UserManagement to new OrganizationMembershipService class
    • Methods create_organization_membership, get_organization_membership, update_organization_membership, delete_organization_membership, deactivate_organization_membership, reactivate_organization_membership, list_organization_memberships, and list_organization_membership_groups now accessed via client.organization_membership instead of client.user_management
    • Removed UserManagement::RoleSingle and UserManagement::RoleMultiple data classes (moved to OrganizationMembershipService)
  • api_keys: Add expires_at field to API key models
    • Added expires_at optional field to ApiKey, OrganizationApiKey, OrganizationApiKeyWithValue, UserApiKey, and UserApiKeyWithValue models
    • Added expires_at field to CreateOrganizationApiKey and CreateUserApiKey request models
    • Updated create_organization_api_key and create_user_api_key methods to accept expires_at parameter
  • radar: Remove device_fingerprint and bot_score fields from Radar
    • Removed device_fingerprint and bot_score parameters from Radar.create_attempt method
    • Removed device_fingerprint and bot_score fields from RadarStandaloneAssessRequest model
    • Updated enum values in RadarStandaloneAssessRequestAction: removed LOGIN, SIGNUP, SIGN_UP_2, SIGN_IN_2, SIGN_IN_3, SIGN_UP_3; standardized to SIGN_UP and SIGN_IN
    • Removed CREDENTIAL_STUFFING and IP_SIGN_UP_RATE_LIMIT from RadarStandaloneResponseControl enum
  • audit_logs: Refactor audit logs models and type names
    • Merged AuditLogSchemaJson fields into AuditLogSchema; removed AuditLogSchemaJson class
    • Added new AuditLogSchemaInput class (write-side schema without read-only fields)
    • Renamed AuditLogSchemaJsonActor to AuditLogSchemaActorInput
    • Renamed AuditLogSchemaJsonTarget to AuditLogSchemaTargetInput
    • Removed AuditLogActionJson; AuditLogAction now extends BaseModel
    • Renamed AuditLogExportJson to AuditLogExport (now extends BaseModel)
    • Renamed AuditLogsRetentionJson to AuditLogsRetention (now extends BaseModel)
    • Removed AuditLogExportJsonState type; replaced with AuditLogExportState
    • Updated list_actions method return type from AuditLogActionJson to AuditLogAction
    • Updated create_export and get_export method return types from AuditLogExportJson to AuditLogExport
  • webhooks: Rename WebhookEndpointJson to WebhookEndpoint
    • Renamed WebhookEndpointJson to WebhookEndpoint
    • Updated list_webhook_endpoints, create_webhook_endpoint, and update_webhook_endpoint method return types
    • WebhookEndpointStatus is now an alias for UpdateWebhookEndpointStatus (no longer a standalone class); removed WebhookEndpointJsonStatus alias
    • Updated WebhookEndpoint to extend BaseModel for consistency
  • authorization: Add filtering parameters to authorization list methods
    • Added resource_id, resource_external_id, resource_type_slug filter parameters to list_role_assignments method
    • Added role_slug filter parameter to list_role_assignments_for_resource_by_external_id and list_role_assignments_for_resource methods
    • Removed search parameter from list_resources method

Features

  • vault: Add new Vault service with key-value operations
    • Added new Vault service class with methods: create_data_key, create_decrypt, create_rekey, list_kv, create_kv, get_name, get_kv, update_kv, delete_kv, list_kv_metadata, list_kv_versions
    • Added vault model classes: Actor, CreateDataKeyRequest, CreateDataKeyResponse, CreateObjectRequest, DecryptRequest, DecryptResponse, DeleteObjectResponse, ObjectModel, ObjectMetadata, ObjectSummary, ObjectVersion, ObjectWithoutValue, RekeyRequest, UpdateObjectRequest
    • Added VaultOrder enum for sorting operations
    • Added client.vault accessor to access the new service
  • pipes: Add Pipes connected account event models
    • Added PipeConnectedAccount model for representing connected accounts
    • Added three new event models: PipesConnectedAccountConnected, PipesConnectedAccountDisconnected, PipesConnectedAccountReauthorizationNeeded
    • Added PipeConnectedAccountState enum with CONNECTED and NEEDS_REAUTHORIZATION values
    • Added new webhook event types to CreateWebhookEndpointEvents and UpdateWebhookEndpointEvents
  • generated: Add Error and Actor shared models
    • Added Error model in shared module for error responses
    • Added Actor model in vault module representing user/actor information
    • Updated inflections to map 'object' to 'ObjectModel' to avoid conflicts

8.0.1 (2026-05-12)

Bug Fixes

  • harden session sealing, log redaction, and webhook tolerance checks (#482) (347fe1e)

8.0.0 (2026-05-06)

⚠ BREAKING CHANGES

  • authorization: Consolidate order enums to PaginationOrder
  • api_keys: Separate organization and user API key types
  • user_management: Consolidate order enums to PaginationOrder
  • vault: Add BYOK key deleted event and consolidate key provider enum
  • types: Consolidate pagination order enums
  • authorization: Rename RoleAssignment to UserRoleAssignment

Features

  • api_keys: Separate organization and user API key types (956386a)
  • authorization: Add new role assignment listing endpoints (956386a)
  • authorization: Consolidate order enums to PaginationOrder (956386a)
  • authorization: Rename RoleAssignment to UserRoleAssignment (956386a)
  • directory_sync: Add name field to directory users (956386a)
  • docs: publish YARD API docs + llms.txt to GitHub Pages (#480) (117eeac)
  • events: Add admin_portal source to event context actor (956386a)
  • sso: Add name field to SSO profile (956386a)
  • types: Consolidate pagination order enums (956386a)
  • user_management: Add get JWT template endpoint (956386a)
  • user_management: Add user API key management (956386a)
  • user_management: Add user field to membership and organization membership (956386a)
  • user_management: Consolidate order enums to PaginationOrder (956386a)
  • vault: Add BYOK key deleted event and consolidate key provider enum (956386a)

7.1.2 (2026-05-06)

Bug Fixes

  • decode legacy v6 sealed sessions on unseal (#479) (1d8b4aa)
  • replace parameter-group hashes with typed variant classes (#473) (a66c15b)
  • set canonical User-Agent header format (#476) (6728358)

7.1.1 (2026-04-29)

Bug Fixes

  • seal session client-side in Session#refresh (#470) (32662ab)

7.1.0 (2026-04-27)

Features

  • generated: update generated SDK from spec changes (#465) (6c145d2)

Bug Fixes

  • add ruby/setup-ruby to release-please workflow (aa5ebd0)
  • eagerly load configuration.rb to fix WorkOS.configure (#467) (eea391c)
  • remove stale URN-prefixed alias files breaking Zeitwerk (#466) (92b2aa5)
  • update Gemfile.lock in release-please PR and bump action pins (2aa0574)
  • update Zeitwerk autoload for inflections.rb (#460) (4fa1332)

7.0.0 (2026-04-20)

This is a major release that introduces a fully redesigned SDK architecture. The SDK is now generated from the WorkOS OpenAPI spec, bringing type safety, consistent interfaces, and improved developer ergonomics.

High-Level Changes

  • Client-centric architecture: The SDK now revolves around an instantiated WorkOS::Client rather than module-level service calls. All product areas are accessed through client methods (e.g., client.organizations, client.user_management, client.sso).

  • Generated request/response models: Typed models replace raw hashes. Response models no longer inherit from Hash — use accessor methods instead of bracket notation.

  • Per-request overrides: The new runtime supports request_options: for per-request API key, timeout, base URL, and retry overrides — useful for multi-tenant setups.

  • Minimum Ruby 3.3+: The minimum Ruby version has been raised to 3.3.

  • Renamed services and methods: Several top-level services were renamed (e.g., WorkOS::Portalclient.admin_portal, WorkOS::MFAclient.multi_factor_auth). Method signatures now use explicit keyword arguments.

  • Session management refactor: AuthKit session sealing, refresh, and authentication flows were overhauled with a dedicated SessionManager on the client instance.

  • New capabilities: Device code flow, public/PKCE clients, auto_paging_each pagination, and last_response observability on all responses.

Migration Guide

For detailed instructions on updating your application, see the v7 Migration Guide.

6.2.0 (2026-03-06)

Features

  • user-management: add directory_managed to OrganizationMembership (#446) (914d824)
  • user-management: add invitation accept endpoint (#448) (b5b4da1)

Bug Fixes

6.1.0 (2026-02-10)

Features

  • add support for totp_secret (#300) (c0a26bf)
  • Include Feature Flags decoded from the JWT in the payload of a Session (#386) (31a0e79)
  • workos-ruby: Add connection to authorization_url (#78) (c3a0e8e)

Bug Fixes

  • add invitation_token parameter to authentication methods (#438) (d24e3dc)