Module: WorkOS::UserManagement

Extended by:

Client, Deprecation

Defined in:

lib/workos/user_management.rb

Overview

The UserManagement module provides convenience methods for working with the WorkOS User platform. You'll need a valid API key.

Defined Under Namespace

Modules: Types

Constant Summary

PROVIDERS =

WorkOS::UserManagement::Types::Provider::ALL

AUTH_FACTOR_TYPES =

WorkOS::UserManagement::Types::AuthFactorType::ALL

Class Method Summary

• .authenticate_with_code(code:, client_id:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

  Authenticate a user using OAuth or an organization's SSO connection.

• .authenticate_with_email_verification(code:, client_id:, pending_authentication_token:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

  Authenticate a user using Email Verification Code.

• .authenticate_with_magic_auth(code:, email:, client_id:, ip_address: nil, user_agent: nil, link_authorization_code: nil, session: nil) ⇒ Object

  Authenticate user by Magic Auth Code.

• .authenticate_with_organization_selection(client_id:, organization_id:, pending_authentication_token:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

  Authenticate a user into an organization they are a member of.

• .authenticate_with_password(email:, password:, client_id:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

  Authenticates user by email and password.

• .authenticate_with_refresh_token(refresh_token:, client_id:, organization_id: nil, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

  Authenticate a user using a refresh token.

• .authenticate_with_totp(code:, client_id:, pending_authentication_token:, authentication_challenge_id:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

  Authenticate a user using TOTP.

• .authorization_url(redirect_uri:, client_id: nil, domain_hint: nil, login_hint: nil, screen_hint: nil, provider: nil, connection_id: nil, organization_id: nil, state: '', provider_scopes: nil) ⇒ String

  Generate an OAuth 2.0 authorization URL that automatically directs a user to their Identity Provider.

• .create_magic_auth(email:, invitation_token: nil) ⇒ Object

  Creates a MagicAuth code.

• .create_organization_membership(user_id:, organization_id:, role_slug: nil, role_slugs: nil) ⇒ WorkOS::OrganizationMembership

  Create an Organization Membership.

• .create_password_reset(email:) ⇒ Object

  Creates a password reset token.

• .create_user(email:, password: nil, first_name: nil, last_name: nil, email_verified: nil, external_id: nil, password_hash: nil, password_hash_type: nil) ⇒ WorkOS::User

  Create a user.

• .deactivate_organization_membership(id:) ⇒ Object

  Deactivate an Organization Membership.

• .delete_organization_membership(id:) ⇒ Bool

  Delete an Organization Membership.

• .delete_user(id:) ⇒ Bool

  Delete a User.

• .enroll_auth_factor(user_id:, type:, totp_issuer: nil, totp_user: nil, totp_secret: nil) ⇒ Object

  Enroll a user into an authentication factor.

• .find_invitation_by_token(token:) ⇒ Object

  Finds an Invitation by Token.

• .get_email_verification(id:) ⇒ Object

  Gets an email verification object.

• .get_invitation(id:) ⇒ Object

  Gets an Invitation.

• .get_jwks_url(client_id) ⇒ Object

  Get the JWKS URL.

• .get_logout_url(session_id:, return_to: nil) ⇒ Object

  Get the logout URL for a session.

• .get_magic_auth(id:) ⇒ Object

  Gets a Magic Auth object.

• .get_organization_membership(id:) ⇒ Object

  Get an Organization Membership.

• .get_password_reset(id:) ⇒ Object

  Gets a password reset object.

• .get_user(id:) ⇒ Object

  Get a User.

• .list_auth_factors(user_id:) ⇒ Object

  Get all auth factors for a user.

• .list_invitations(options = {}) ⇒ WorkOS::Invitation

  Retrieve a list of invitations.

• .list_organization_memberships(options = {}) ⇒ WorkOS::OrganizationMembership

  Retrieve a list of Organization Memberships.

• .list_users(options = {}) ⇒ WorkOS::User

  Retrieve a list of users.

• .load_sealed_session(client_id:, session_data:, cookie_password:) ⇒ Object

  Load a sealed session.

• .reactivate_organization_membership(id:) ⇒ Object

  Reactivate an Organization Membership.

• .resend_invitation(id:) ⇒ Object

  Resends an existing Invitation.

• .reset_password(token:, new_password:) ⇒ Object

  Reset user password using token that was sent to the user.

• .revoke_invitation(id:) ⇒ Object

  Revokes an existing Invitation.

• .revoke_session(session_id:) ⇒ Object

  Revokes a session.

• .send_invitation(email:, organization_id: nil, expires_in_days: nil, inviter_user_id: nil, role_slug: nil) ⇒ Object

  Sends an Invitation to a recipient.

• .send_magic_auth_code(email:) ⇒ Object

  Create a one-time Magic Auth code and emails it to the user.

• .send_password_reset_email(email:, password_reset_url:) ⇒ Bool

  Create a password reset challenge and emails a password reset link to a user.

• .send_verification_email(user_id:) ⇒ Object

  Sends a verification email to the provided user.

• .update_organization_membership(id:, role_slug: nil, role_slugs: nil) ⇒ WorkOS::OrganizationMembership

  Update an Organization Membership.

• .update_user(id:, email: :not_set, first_name: :not_set, last_name: :not_set, email_verified: :not_set, external_id: :not_set, locale: :not_set, password: :not_set, password_hash: :not_set, password_hash_type: :not_set) ⇒ WorkOS::User

  Update a user.

• .verify_email(user_id:, code:) ⇒ Object

  Verifiy user email using one-time code that was sent to the user.

Methods included from Client

client, delete_request, execute_request, get_request, handle_error_response, post_request, put_request, user_agent

Methods included from Deprecation

warn_deprecation

Class Method Details

.authenticate_with_code(code:, client_id:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

Authenticate a user using OAuth or an organization's SSO connection.

query parameter in the callback to the Redirect URI. the optional cookie password.

Parameters:

• code (String) —

  The authorization value which was passed back as a

• client_id (String) —

  The WorkOS client ID for the environment

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::AuthenticationResponse

# File 'lib/workos/user_management.rb', line 340

def authenticate_with_code(
  code:,
  client_id:,
  ip_address: nil,
  user_agent: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        code: code,
        client_id: client_id,
        client_secret: WorkOS.config.key!,
        ip_address: ip_address,
        user_agent: user_agent,
        grant_type: 'authorization_code',
      },
    ),
  )

  WorkOS::AuthenticationResponse.new(response.body, session)
end

.authenticate_with_email_verification(code:, client_id:, pending_authentication_token:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

Authenticate a user using Email Verification Code.

authentication attempt due to an unverified email address. the optional cookie password.

Parameters:

• code (String) —

  The one-time code that was emailed to the user.

• client_id (String) —

  The WorkOS client ID for the environment

• pending_authentication_token (String) —

  The token returned from a failed email/password or OAuth

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::AuthenticationResponse

# File 'lib/workos/user_management.rb', line 547

def authenticate_with_email_verification(
  code:,
  client_id:,
  pending_authentication_token:,
  ip_address: nil,
  user_agent: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        code: code,
        client_id: client_id,
        pending_authentication_token: pending_authentication_token,
        client_secret: WorkOS.config.key!,
        grant_type: 'urn:workos:oauth:grant-type:email-verification:code',
        ip_address: ip_address,
        user_agent: user_agent,
      },
    ),
  )

  WorkOS::AuthenticationResponse.new(response.body, session)
end

.authenticate_with_magic_auth(code:, email:, client_id:, ip_address: nil, user_agent: nil, link_authorization_code: nil, session: nil) ⇒ Object

Authenticate user by Magic Auth Code.

after having completed a Magic Code challenge. the optional cookie password.

rubocop:disable Metrics/ParameterLists

Parameters:

• code (String) —

  The one-time code that was emailed to the user.

• email (String) —

  The email address of the user.

• client_id (String) —

  The WorkOS client ID for the environment.

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• link_authorization_code (String) (defaults to: nil) —

  Used to link an OAuth profile to an existing user,

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::AuthenticationResponse

# File 'lib/workos/user_management.rb', line 419

def authenticate_with_magic_auth(
  code:,
  email:,
  client_id:,
  ip_address: nil,
  user_agent: nil,
  link_authorization_code: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        code: code,
        email: email,
        client_id: client_id,
        client_secret: WorkOS.config.key!,
        ip_address: ip_address,
        user_agent: user_agent,
        grant_type: 'urn:workos:oauth:grant-type:magic-auth:code',
        link_authorization_code: link_authorization_code,
      },
    ),
  )

  WorkOS::AuthenticationResponse.new(response.body, session)
end

.authenticate_with_organization_selection(client_id:, organization_id:, pending_authentication_token:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

Authenticate a user into an organization they are a member of.

the optional cookie password.

Parameters:

• client_id (String) —

  The WorkOS client ID for the environment.

• organization_id (String) —

  The organization ID the user selected to sign in to.

• pending_authentication_token (String) —

  The pending authentication token

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::AuthenticationResponse

# File 'lib/workos/user_management.rb', line 461

def authenticate_with_organization_selection(
  client_id:,
  organization_id:,
  pending_authentication_token:,
  ip_address: nil,
  user_agent: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        client_id: client_id,
        client_secret: WorkOS.config.key!,
        ip_address: ip_address,
        user_agent: user_agent,
        grant_type: 'urn:workos:oauth:grant-type:organization-selection',
        organization_id: organization_id,
        pending_authentication_token: pending_authentication_token,
      },
    ),
  )

  WorkOS::AuthenticationResponse.new(response.body, session)
end

.authenticate_with_password(email:, password:, client_id:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

Authenticates user by email and password.

the optional cookie password.

Parameters:

• email (String) —

  The email address of the user.

• password (String) —

  The password for the user.

• client_id (String) —

  The WorkOS client ID for the environment

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::AuthenticationResponse

# File 'lib/workos/user_management.rb', line 301

def authenticate_with_password(
  email:,
  password:,
  client_id:,
  ip_address: nil,
  user_agent: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        client_id: client_id,
        client_secret: WorkOS.config.key!,
        email: email,
        password: password,
        ip_address: ip_address,
        user_agent: user_agent,
        grant_type: 'password',
      },
    ),
  )

  WorkOS::AuthenticationResponse.new(response.body, session)
end

.authenticate_with_refresh_token(refresh_token:, client_id:, organization_id: nil, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

Authenticate a user using a refresh token.

the optional cookie password.

Parameters:

• refresh_token (String) —

  The refresh token previously obtained from a successful authentication call

• client_id (String) —

  The WorkOS client ID for the environment

• organization_id (String) (defaults to: nil) —

  The organization to issue the new access token for. (Optional)

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::RefreshAuthenticationResponse

# File 'lib/workos/user_management.rb', line 377

def authenticate_with_refresh_token(
  refresh_token:,
  client_id:,
  organization_id: nil,
  ip_address: nil,
  user_agent: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        refresh_token: refresh_token,
        client_id: client_id,
        client_secret: WorkOS.config.key!,
        ip_address: ip_address,
        user_agent: user_agent,
        grant_type: 'refresh_token',
        organization_id: organization_id,
      },
    ),
  )

  WorkOS::RefreshAuthenticationResponse.new(response.body, session)
end

.authenticate_with_totp(code:, client_id:, pending_authentication_token:, authentication_challenge_id:, ip_address: nil, user_agent: nil, session: nil) ⇒ Object

Authenticate a user using TOTP.

from the initial authentication request. authentication request. the optional cookie password.

rubocop:disable Metrics/ParameterLists

Parameters:

• code (String) —

  The one-time code that was emailed to the user.

• client_id (String) —

  The WorkOS client ID for the environment

• pending_authentication_token (String) —

  The pending authentication token

• authentication_challenge_id (String) —

  The authentication challenge ID for the

• ip_address (String) (defaults to: nil) —

  The IP address of the request from the user who is attempting to authenticate.

• user_agent (String) (defaults to: nil) —

  The user agent of the request from the user who is attempting to authenticate.

• session (Hash) (defaults to: nil) —

  An optional hash that determines whether the session should be sealed and

Returns:

• WorkOS::AuthenticationResponse

# File 'lib/workos/user_management.rb', line 504

def authenticate_with_totp(
  code:,
  client_id:,
  pending_authentication_token:,
  authentication_challenge_id:,
  ip_address: nil,
  user_agent: nil,
  session: nil
)
  validate_session(session)

  response = execute_request(
    request: post_request(
      path: '/user_management/authenticate',
      body: {
        code: code,
        client_id: client_id,
        client_secret: WorkOS.config.key!,
        pending_authentication_token: pending_authentication_token,
        grant_type: 'urn:workos:oauth:grant-type:mfa-totp',
        authentication_challenge_id: authentication_challenge_id,
        ip_address: ip_address,
        user_agent: user_agent,
      },
    ),
  )

  WorkOS::AuthenticationResponse.new(response.body, session)
end

.authorization_url(redirect_uri:, client_id: nil, domain_hint: nil, login_hint: nil, screen_hint: nil, provider: nil, connection_id: nil, organization_id: nil, state: '', provider_scopes: nil) ⇒ String

Generate an OAuth 2.0 authorization URL that automatically directs a user to their Identity Provider.

OAuth-compatible provider. Only 'authkit', 'AppleOAuth', 'GitHubOAuth', 'GoogleOAuth', and 'MicrosoftOAuth' are supported. initiate SSO for an Organization. field of the IdP sign-in page for the user, if you know their username ahead of time. (Only applicable when provider is 'authkit'). initiating authentication with Microsoft OAuth, or with a GoogleSAML connection type. rubocop:disable Metrics/ParameterLists

Examples:

WorkOS::UserManagement.authorization_url(
  connection_id: 'conn_123',
  client_id: 'project_01DG5TGK363GRVXP3ZS40WNGEZ',
  redirect_uri: 'https://your-app.com/callback',
  state: {
    next_page: '/docs'
  }.to_s
)

=> "https://api.workos.com/user_management/authorize?connection_id=conn_123" \
   "&client_id=project_01DG5TGK363GRVXP3ZS40WNGEZ" \
   "&redirect_uri=https%3A%2F%2Fyour-app.com%2Fcallback&" \
   "response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdocs%22%7D"

Parameters:

• redirect_uri (String) —

  The URI where users are directed after completing the authentication step. Must match a configured redirect URI on your WorkOS dashboard.

• client_id (String) (defaults to: nil) —

  This value can be obtained from the API Keys page in the WorkOS dashboard.

• provider (String) (defaults to: nil) —

  A provider name is used to initiate SSO using an

• connection_id (String) (defaults to: nil) —

  The ID for a Connection configured on WorkOS.

• organization_id (String) (defaults to: nil) —

  The organization_id selector is used to

• state (String) (defaults to: '') —

  An arbitrary state object that is preserved and available to the client in the response.

• login_hint (String) (defaults to: nil) —

  Can be used to pre-fill the username/email address

• screen_hint (String) (defaults to: nil) —

  Specify which AuthKit screen users should land on upon redirection

• domain_hint (String) (defaults to: nil) —

  Can be used to pre-fill the domain field when

• provider_scopes (Array<String>) (defaults to: nil) —

  An array of additional OAuth scopes to request from the provider.

Returns:

• (String)

# File 'lib/workos/user_management.rb', line 94

def authorization_url(
  redirect_uri:,
  client_id: nil,
  domain_hint: nil,
  login_hint: nil,
  screen_hint: nil,
  provider: nil,
  connection_id: nil,
  organization_id: nil,
  state: '',
  provider_scopes: nil
)

  validate_authorization_url_arguments(
    provider: provider,
    connection_id: connection_id,
    organization_id: organization_id,
  )

  query = URI.encode_www_form({
    client_id: client_id,
    redirect_uri: redirect_uri,
    response_type: 'code',
    state: state,
    domain_hint: domain_hint,
    login_hint: login_hint,
    screen_hint: screen_hint,
    provider: provider,
    connection_id: connection_id,
    organization_id: organization_id,
    provider_scopes: provider_scopes,
  }.compact)

  "https://#{WorkOS.config.api_hostname}/user_management/authorize?#{query}"
end

.create_magic_auth(email:, invitation_token: nil) ⇒ Object

Creates a MagicAuth code

Parameters:

• email (String) —

  The email address of the recipient.

• invitation_token (String) (defaults to: nil) —

  The token of an Invitation, if required.

Returns:

• WorkOS::MagicAuth

# File 'lib/workos/user_management.rb', line 649

def create_magic_auth(email:, invitation_token: nil)
  response = execute_request(
    request: post_request(
      path: '/user_management/magic_auth',
      body: {
        email: email,
        invitation_token: invitation_token,
      }.compact,
      auth: true,
    ),
  )

  WorkOS::MagicAuth.new(response.body)
end

.create_organization_membership(user_id:, organization_id:, role_slug: nil, role_slugs: nil) ⇒ WorkOS::OrganizationMembership

Create an Organization Membership

Parameters:

• user_id (String) —

  The ID of the User.

• organization_id (String) —

  The ID of the Organization to which the user belongs to.

• role_slug (String) (defaults to: nil) —

  The slug of the role to grant to this membership. (Optional)

• role_slugs (Array<String>) (defaults to: nil) —

  Array of role slugs to assign to this membership. (Optional)

Returns:

• (WorkOS::OrganizationMembership)

Raises:

• (ArgumentError)

# File 'lib/workos/user_management.rb', line 935

def create_organization_membership(user_id:, organization_id:, role_slug: nil, role_slugs: nil)
  raise ArgumentError, 'Cannot specify both role_slug and role_slugs' if role_slug && role_slugs

  body = {
    user_id: user_id,
    organization_id: organization_id,
  }

  body[:role_slugs] = role_slugs if role_slugs
  body[:role_slug] = role_slug if role_slug

  request = post_request(
    path: '/user_management/organization_memberships',
    body: body.compact,
    auth: true,
  )

  response = execute_request(request: request)

  WorkOS::OrganizationMembership.new(response.body)
end

.create_password_reset(email:) ⇒ Object

Creates a password reset token

Parameters:

• email (String) —

  The email address of the user.

Returns:

• WorkOS::PasswordReset

# File 'lib/workos/user_management.rb', line 816

def create_password_reset(email:)
  response = execute_request(
    request: post_request(
      path: '/user_management/password_reset',
      body: {
        email: email,
      },
      auth: true,
    ),
  )

  WorkOS::PasswordReset.new(response.body)
end

.create_user(email:, password: nil, first_name: nil, last_name: nil, email_verified: nil, external_id: nil, password_hash: nil, password_hash_type: nil) ⇒ WorkOS::User

Create a user

rubocop:disable Metrics/ParameterLists

Parameters:

• email (String) —

  The email address of the user.

• password (String) (defaults to: nil) —

  The password to set for the user.

• first_name (String) (defaults to: nil) —

  The user's first name.

• last_name (String) (defaults to: nil) —

  The user's last name.

• email_verified (Boolean) (defaults to: nil) —

  Whether the user's email address was previously verified.

• external_id (String) (defaults to: nil) —

  The user's external ID.

• password_hash (String) (defaults to: nil) —

  The user's hashed password.

• [String] (Hash) —

  a customizable set of options

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 195

def create_user(
  email:,
  password: nil,
  first_name: nil,
  last_name: nil,
  email_verified: nil,
  external_id: nil,
  password_hash: nil,
  password_hash_type: nil
)
  request = post_request(
    path: '/user_management/users',
    body: {
      email: email,
      password: password,
      first_name: first_name,
      last_name: last_name,
      email_verified: email_verified,
      external_id: external_id,
      password_hash: password_hash,
      password_hash_type: password_hash_type,
    }.compact,
    auth: true,
  )

  response = execute_request(request: request)

  WorkOS::User.new(response.body)
end

.deactivate_organization_membership(id:) ⇒ Object

Deactivate an Organization Membership

Parameters:

• id (String) —

  The unique ID of the Organization Membership.

Returns:

• WorkOS::OrganizationMembership

# File 'lib/workos/user_management.rb', line 1004

def deactivate_organization_membership(id:)
  response = execute_request(
    request: put_request(
      path: "/user_management/organization_memberships/#{id}/deactivate",
      auth: true,
    ),
  )

  WorkOS::OrganizationMembership.new(response.body)
end

.delete_organization_membership(id:) ⇒ Bool

Delete an Organization Membership

Parameters:

• id (String) —

  The unique ID of the Organization Membership.

Returns:

• (Bool) —
  • returns true if successful

# File 'lib/workos/user_management.rb', line 988

def delete_organization_membership(id:)
  response = execute_request(
    request: delete_request(
      path: "/user_management/organization_memberships/#{id}",
      auth: true,
    ),
  )

  response.is_a? Net::HTTPSuccess
end

.delete_user(id:) ⇒ Bool

Delete a User

Parameters:

• id (String) —

  The unique ID of the User.

Returns:

• (Bool) —
  • returns true if successful

# File 'lib/workos/user_management.rb', line 279

def delete_user(id:)
  response = execute_request(
    request: delete_request(
      path: "/user_management/users/#{id}",
      auth: true,
    ),
  )

  response.is_a? Net::HTTPSuccess
end

.enroll_auth_factor(user_id:, type:, totp_issuer: nil, totp_user: nil, totp_secret: nil) ⇒ Object

Enroll a user into an authentication factor.

factor. Generated if not provided. (Optional)

Parameters:

• user_id (String) —

  The id for the user.

• type (String) —

  The type of the factor to enroll. Only option available is totp.

• totp_issuer (String) (defaults to: nil) —

  For totp factors. Typically your application or company name, this helps users distinguish between factors in authenticator apps.

• totp_user (String) (defaults to: nil) —

  For totp factors. Used as the account name in authenticator apps.

• totp_secret (String) (defaults to: nil) —

  For totp factors. The Base32 encdoded secret key for the

Returns:

• WorkOS::AuthenticationFactorAndChallenge

# File 'lib/workos/user_management.rb', line 697

def enroll_auth_factor(user_id:, type:, totp_issuer: nil, totp_user: nil, totp_secret: nil)
  validate_auth_factor_type(
    type: type,
  )

  response = execute_request(
    request: post_request(
      path: "/user_management/users/#{user_id}/auth_factors",
      body: {
        type: type,
        totp_issuer: totp_issuer,
        totp_user: totp_user,
        totp_secret: totp_secret,
      }.compact,
      auth: true,
    ),
  )

  WorkOS::AuthenticationFactorAndChallenge.new(response.body)
end

.find_invitation_by_token(token:) ⇒ Object

Finds an Invitation by Token

Parameters:

• token (String) —

  The token of the Invitation.

Returns:

• WorkOS::Invitation

# File 'lib/workos/user_management.rb', line 1052

def find_invitation_by_token(token:)
  response = execute_request(
    request: get_request(
      path: "/user_management/invitations/by_token/#{token}",
      auth: true,
    ),
  )

  WorkOS::Invitation.new(response.body)
end

.get_email_verification(id:) ⇒ Object

Gets an email verification object

Parameters:

• id (String) —

  The unique ID of the EmailVerification object.

Returns:

• WorkOS::EmailVerification

# File 'lib/workos/user_management.rb', line 748

def get_email_verification(id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/email_verification/#{id}",
      auth: true,
    ),
  )

  WorkOS::EmailVerification.new(response.body)
end

.get_invitation(id:) ⇒ Object

Gets an Invitation

Parameters:

• id (String) —

  The unique ID of the Invitation.

Returns:

• WorkOS::Invitation

# File 'lib/workos/user_management.rb', line 1036

def get_invitation(id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/invitations/#{id}",
      auth: true,
    ),
  )

  WorkOS::Invitation.new(response.body)
end

.get_jwks_url(client_id) ⇒ Object

Get the JWKS URL

The JWKS can be used to validate the access token returned upon successful authentication

Parameters:

• client_id (String) —

  The WorkOS client ID for the environment

Returns:

• String

# File 'lib/workos/user_management.rb', line 620

def get_jwks_url(client_id)
  URI::HTTPS.build(
    host: WorkOS.config.api_hostname,
    path: "/sso/jwks/#{client_id}",
  ).to_s
end

.get_logout_url(session_id:, return_to: nil) ⇒ Object

Get the logout URL for a session

The user's browser should be navigated to this URL

Parameters:

• session_id (String) —

  The session ID can be found in the sid claim of the access token

• return_to (String) (defaults to: nil) —

  The URL to redirect the user to after logging out

Returns:

• String

# File 'lib/workos/user_management.rb', line 584

def get_logout_url(session_id:, return_to: nil)
  params = { session_id: session_id }
  params[:return_to] = return_to if return_to

  URI::HTTPS.build(
    host: WorkOS.config.api_hostname,
    path: '/user_management/sessions/logout',
    query: URI.encode_www_form(params),
  ).to_s
end

.get_magic_auth(id:) ⇒ Object

Gets a Magic Auth object

Parameters:

• id (String) —

  The unique ID of the MagicAuth object.

Returns:

• WorkOS::MagicAuth

# File 'lib/workos/user_management.rb', line 632

def get_magic_auth(id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/magic_auth/#{id}",
      auth: true,
    ),
  )

  WorkOS::MagicAuth.new(response.body)
end

.get_organization_membership(id:) ⇒ Object

Get an Organization Membership

Parameters:

• id (String) —

  The unique ID of the Organization Membership.

Returns:

• WorkOS::OrganizationMembership

# File 'lib/workos/user_management.rb', line 880

def get_organization_membership(id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/organization_memberships/#{id}",
      auth: true,
    ),
  )

  WorkOS::OrganizationMembership.new(response.body)
end

.get_password_reset(id:) ⇒ Object

Gets a password reset object

Parameters:

• id (String) —

  The unique ID of the PasswordReset object.

Returns:

• WorkOS::PasswordReset

# File 'lib/workos/user_management.rb', line 800

def get_password_reset(id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/password_reset/#{id}",
      auth: true,
    ),
  )

  WorkOS::PasswordReset.new(response.body)
end

.get_user(id:) ⇒ Object

Get a User

Parameters:

• id (String) —

  The unique ID of the User.

Returns:

• WorkOS::User

# File 'lib/workos/user_management.rb', line 136

def get_user(id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/users/#{id}",
      auth: true,
    ),
  )

  WorkOS::User.new(response.body)
end

.list_auth_factors(user_id:) ⇒ Object

Get all auth factors for a user

Parameters:

• user_id (String) —

  The id for the user.

Returns:

• WorkOS::ListStruct

# File 'lib/workos/user_management.rb', line 723

def list_auth_factors(user_id:)
  response = execute_request(
    request: get_request(
      path: "/user_management/users/#{user_id}/auth_factors",
      auth: true,
    ),
  )

  parsed_response = JSON.parse(response.body)

  auth_factors = parsed_response['data'].map do |auth_factor|
    ::WorkOS::Factor.new(auth_factor.to_json)
  end

  WorkOS::Types::ListStruct.new(
    data: auth_factors,
    list_metadata: parsed_response['list_metadata'],
  )
end

.list_invitations(options = {}) ⇒ WorkOS::Invitation

Retrieve a list of invitations.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• email (String) —

  The email address of a recipient.

• organization_id (String) —

  The ID of the Organization that the recipient was invited to join.

• limit (String) —

  Maximum number of records to return.

• order (String) —

  The order in which to paginate records

• before (String) —

  Pagination cursor to receive records before a provided User ID.

• after (String) —

  Pagination cursor to receive records before a provided User ID.

Returns:

• (WorkOS::Invitation)

# File 'lib/workos/user_management.rb', line 1076

def list_invitations(options = {})
  options[:order] ||= 'desc'
  response = execute_request(
    request: get_request(
      path: '/user_management/invitations',
      auth: true,
      params: options,
    ),
  )

  parsed_response = JSON.parse(response.body)

  invitations = parsed_response['data'].map do |invitation|
    ::WorkOS::Invitation.new(invitation.to_json)
  end

  WorkOS::Types::ListStruct.new(
    data: invitations,
    list_metadata: parsed_response['list_metadata'],
  )
end

.list_organization_memberships(options = {}) ⇒ WorkOS::OrganizationMembership

Retrieve a list of Organization Memberships.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• user_id (String) —

  The ID of the User.

• organization_id (String) —

  Filter memberships by the organization they are members of.

• statuses (Array<String>) —

  Filter memberships by status.

• limit (String) —

  Maximum number of records to return.

• order (String) —

  The order in which to paginate records

• before (String) —

  Pagination cursor to receive records before a provided User ID.

• after (String) —

  Pagination cursor to receive records before a provided User ID.

Returns:

• (WorkOS::OrganizationMembership)

# File 'lib/workos/user_management.rb', line 905

def list_organization_memberships(options = {})
  options[:order] ||= 'desc'
  response = execute_request(
    request: get_request(
      path: '/user_management/organization_memberships',
      auth: true,
      params: options,
    ),
  )

  parsed_response = JSON.parse(response.body)

  organization_memberships = parsed_response['data'].map do |organization_membership|
    ::WorkOS::OrganizationMembership.new(organization_membership.to_json)
  end

  WorkOS::Types::ListStruct.new(
    data: organization_memberships,
    list_metadata: parsed_response['list_metadata'],
  )
end

.list_users(options = {}) ⇒ WorkOS::User

Retrieve a list of users.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• email (String) —

  Filter Users by their email.

• organization_id (String) —

  Filter Users by the organization they are members of.

• limit (String) —

  Maximum number of records to return.

• order (String) —

  The order in which to paginate records

• before (String) —

  Pagination cursor to receive records before a provided User ID.

• after (String) —

  Pagination cursor to receive records before a provided User ID.

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 160

def list_users(options = {})
  options[:order] ||= 'desc'
  response = execute_request(
    request: get_request(
      path: '/user_management/users',
      auth: true,
      params: options,
    ),
  )

  parsed_response = JSON.parse(response.body)

  users = parsed_response['data'].map do |user|
    ::WorkOS::User.new(user.to_json)
  end

  WorkOS::Types::ListStruct.new(
    data: users,
    list_metadata: parsed_response['list_metadata'],
  )
end

.load_sealed_session(client_id:, session_data:, cookie_password:) ⇒ Object

Load a sealed session

Parameters:

• client_id (String) —

  The WorkOS client ID for the environment

• session_data (String) —

  The sealed session data

• cookie_password (String) —

  The password used to seal the session

Returns:

• WorkOS::Session

# File 'lib/workos/user_management.rb', line 45

def load_sealed_session(client_id:, session_data:, cookie_password:)
  WorkOS::Session.new(
    user_management: self,
    client_id: client_id,
    session_data: session_data,
    cookie_password: cookie_password,
  )
end

.reactivate_organization_membership(id:) ⇒ Object

Reactivate an Organization Membership

Parameters:

• id (String) —

  The unique ID of the Organization Membership.

Returns:

• WorkOS::OrganizationMembership

# File 'lib/workos/user_management.rb', line 1020

def reactivate_organization_membership(id:)
  response = execute_request(
    request: put_request(
      path: "/user_management/organization_memberships/#{id}/reactivate",
      auth: true,
    ),
  )

  WorkOS::OrganizationMembership.new(response.body)
end

.resend_invitation(id:) ⇒ Object

Resends an existing Invitation.

Parameters:

• id (String) —

  The unique ID of the Invitation.

Returns:

• WorkOS::Invitation

# File 'lib/workos/user_management.rb', line 1147

def resend_invitation(id:)
  request = post_request(
    path: "/user_management/invitations/#{id}/resend",
    auth: true,
  )

  response = execute_request(request: request)

  WorkOS::Invitation.new(response.body)
end

.reset_password(token:, new_password:) ⇒ Object

Reset user password using token that was sent to the user.

Parameters:

• token (String) —

  The token that was sent to the user.

• new_password (String) —

  The new password to set for the user.

Returns:

• WorkOS::User

# File 'lib/workos/user_management.rb', line 860

def reset_password(token:, new_password:)
  response = execute_request(
    request: post_request(
      path: '/user_management/password_reset/confirm',
      body: {
        token: token,
        new_password: new_password,
      },
      auth: true,
    ),
  )

  WorkOS::UserResponse.new(response.body).user
end

.revoke_invitation(id:) ⇒ Object

Revokes an existing Invitation.

Parameters:

• id (String) —

  The unique ID of the Invitation.

Returns:

• WorkOS::Invitation

# File 'lib/workos/user_management.rb', line 1131

def revoke_invitation(id:)
  request = post_request(
    path: "/user_management/invitations/#{id}/revoke",
    auth: true,
  )

  response = execute_request(request: request)

  WorkOS::Invitation.new(response.body)
end

.revoke_session(session_id:) ⇒ Object

Revokes a session

Parameters:

• session_id (String) —

  The session ID can be found in the sid claim of the access token

# File 'lib/workos/user_management.rb', line 599

def revoke_session(session_id:)
  response = execute_request(
    request: post_request(
      path: '/user_management/sessions/revoke',
      body: {
        session_id: session_id,
      },
      auth: true,
    ),
  )

  response.is_a? Net::HTTPSuccess
end

.send_invitation(email:, organization_id: nil, expires_in_days: nil, inviter_user_id: nil, role_slug: nil) ⇒ Object

Sends an Invitation to a recipient.

Must be between 1 and 30, defaults to 7 if not specified.

Parameters:

• email (String) —

  The email address of the recipient.

• organization_id (String) (defaults to: nil) —

  The ID of the Organization to which the recipient is being invited.

• expires_in_days (Integer) (defaults to: nil) —

  The number of days the invitations will be valid for.

• inviter_user_id (String) (defaults to: nil) —

  The ID of the User sending the invitation.

• role_slug (String) (defaults to: nil) —

  The slug of the role to assign to the user upon invitation.

Returns:

• WorkOS::Invitation

# File 'lib/workos/user_management.rb', line 1108

def send_invitation(email:, organization_id: nil, expires_in_days: nil, inviter_user_id: nil, role_slug: nil)
  response = execute_request(
    request: post_request(
      path: '/user_management/invitations',
      body: {
        email: email,
        organization_id: organization_id,
        expires_in_days: expires_in_days,
        inviter_user_id: inviter_user_id,
        role_slug: role_slug,
      }.compact,
      auth: true,
    ),
  )

  WorkOS::Invitation.new(response.body)
end

.send_magic_auth_code(email:) ⇒ Object

Create a one-time Magic Auth code and emails it to the user.

Parameters:

• email (String) —

  The email address the one-time code will be sent to.

Returns:

• Boolean

# File 'lib/workos/user_management.rb', line 669

def send_magic_auth_code(email:)
  warn_deprecation '`send_magic_auth_code` is deprecated.
  Please use `create_magic_auth` instead. This method will be removed in a future major version.'

  response = execute_request(
    request: post_request(
      path: '/user_management/magic_auth/send',
      body: {
        email: email,
      },
      auth: true,
    ),
  )

  response.is_a? Net::HTTPSuccess
end

.send_password_reset_email(email:, password_reset_url:) ⇒ Bool

Create a password reset challenge and emails a password reset link to a user.

Parameters:

• email (String) —

  The email of the user that wishes to reset their password.

• password_reset_url (String) —

  The URL that will be linked to in the email.

Returns:

• (Bool) —
  • returns true if successful

# File 'lib/workos/user_management.rb', line 836

def send_password_reset_email(email:, password_reset_url:)
  warn_deprecation '`send_password_reset_email` is deprecated.
  Please use `create_password_reset` instead. This method will be removed in a future major version.'

  request = post_request(
    path: '/user_management/password_reset/send',
    body: {
      email: email,
      password_reset_url: password_reset_url,
    },
    auth: true,
  )

  response = execute_request(request: request)

  response.is_a? Net::HTTPSuccess
end

.send_verification_email(user_id:) ⇒ Object

Sends a verification email to the provided user.

Parameters:

• user_id (String) —

  The unique ID of the User whose email address will be verified.

Returns:

• WorkOS::UserResponse

# File 'lib/workos/user_management.rb', line 764

def send_verification_email(user_id:)
  response = execute_request(
    request: post_request(
      path: "/user_management/users/#{user_id}/email_verification/send",
      auth: true,
    ),
  )

  WorkOS::UserResponse.new(response.body)
end

.update_organization_membership(id:, role_slug: nil, role_slugs: nil) ⇒ WorkOS::OrganizationMembership

Update an Organization Membership

Parameters:

• id (String) —

  The ID of the Organization Membership.

• role_slug (String) (defaults to: nil) —

  The slug of the role to grant to this membership. (Optional)

• role_slugs (Array<String>) (defaults to: nil) —

  Array of role slugs to assign to this membership. (Optional)

Returns:

• (WorkOS::OrganizationMembership)

Raises:

• (ArgumentError)

# File 'lib/workos/user_management.rb', line 964

def update_organization_membership(id:, role_slug: nil, role_slugs: nil)
  raise ArgumentError, 'Cannot specify both role_slug and role_slugs' if role_slug && role_slugs

  body = { id: id }

  body[:role_slugs] = role_slugs if role_slugs
  body[:role_slug] = role_slug if role_slug

  request = put_request(
    path: "/user_management/organization_memberships/#{id}",
    body: body.compact,
    auth: true,
  )

  response = execute_request(request: request)

  WorkOS::OrganizationMembership.new(response.body)
end

.update_user(id:, email: :not_set, first_name: :not_set, last_name: :not_set, email_verified: :not_set, external_id: :not_set, locale: :not_set, password: :not_set, password_hash: :not_set, password_hash_type: :not_set) ⇒ WorkOS::User

Update a user

Parameters:

• id (String) —

  of the user.

• email (String) (defaults to: :not_set) —

  of the user.

• first_name (String) (defaults to: :not_set) —

  The user's first name.

• last_name (String) (defaults to: :not_set) —

  The user's last name.

• email_verified (Boolean) (defaults to: :not_set) —

  Whether the user's email address was previously verified.

• external_id (String) (defaults to: :not_set) —

  The users's external ID

• locale (String) (defaults to: :not_set) —

  The user's locale.

• password (String) (defaults to: :not_set) —

  The user's password.

• password_hash (String) (defaults to: :not_set) —

  The user's hashed password.

• [String] (Hash) —

  a customizable set of options

Returns:

• (WorkOS::User)

# File 'lib/workos/user_management.rb', line 240

def update_user(
  id:,
  email: :not_set,
  first_name: :not_set,
  last_name: :not_set,
  email_verified: :not_set,
  external_id: :not_set,
  locale: :not_set,
  password: :not_set,
  password_hash: :not_set,
  password_hash_type: :not_set
)
  request = put_request(
    path: "/user_management/users/#{id}",
    body: {
      email: email,
      first_name: first_name,
      last_name: last_name,
      email_verified: email_verified,
      external_id: external_id,
      locale: locale,
      password: password,
      password_hash: password_hash,
      password_hash_type: password_hash_type,
    }.reject { |_, v| v == :not_set },
    auth: true,
  )

  response = execute_request(request: request)

  WorkOS::User.new(response.body)
end

.verify_email(user_id:, code:) ⇒ Object

Verifiy user email using one-time code that was sent to the user.

Parameters:

• user_id (String) —

  The unique ID of the User whose email address will be verified.

• code (String) —

  The one-time code emailed to the user.

Returns:

• WorkOS::UserResponse

# File 'lib/workos/user_management.rb', line 781

def verify_email(user_id:, code:)
  response = execute_request(
    request: post_request(
      path: "/user_management/users/#{user_id}/email_verification/confirm",
      body: {
        code: code,
      },
      auth: true,
    ),
  )

  WorkOS::UserResponse.new(response.body)
end