Ruby SDK

• #501 feat(generated)!: regenerate from spec (12 changes)

Features

• authorization:
• Added model ReplaceGroupRoleAssignmentEntry
• Added model ReplaceGroupRoleAssignments
• Added model DeleteGroupRoleAssignmentsByCriteria
• Added endpoint POST /authorization/groups/{group_id}/role_assignments
• Added endpoint PUT /authorization/groups/{group_id}/role_assignments
• Added endpoint DELETE /authorization/groups/{group_id}/role_assignments
• Added endpoint GET /authorization/groups/{group_id}/role_assignments/{role_assignment_id}
• Added endpoint DELETE /authorization/groups/{group_id}/role_assignments/{role_assignment_id}
• client:
• Added model ClientApiToken
• Added model ClientApiTokenResponse
• Added service Client
• connect:
• Added auth_method to ConnectedAccount
• Added api_key_last_4 to ConnectedAccount
• Added enum ConnectedAccountAuthMethod
• groups:
• Added model CreateGroupRoleAssignment
• Added model GroupRoleAssignment
• Added model GroupRoleAssignmentList
• Added model GroupRoleAssignmentResource
• organization_membership:
• Added model UserOrganizationMembershipList
• Added model UserOrganizationMembershipListListMetadata
• pipes:
• Added model DataIntegrationCredentials
• Added model DataIntegrationConfigurationResponse
• Added model DataIntegrationConfigurationListResponse
• Added model ConfigureDataIntegrationBody
• Added auth_methods to DataIntegrationsListResponseData
• Added auth_method to DataIntegrationsListResponseDataConnectedAccount
• Added api_key_last_4 to DataIntegrationsListResponseDataConnectedAccount
• Added enum DataIntegrationCredentialsCredentialsType
• Added enum DataIntegrationsListResponseDataAuthMethods
• Added enum DataIntegrationsListResponseDataConnectedAccountAuthMethod
• Added service PipesProvider
• user_management:
• Added model UserInviteList
• Added model UserInviteListListMetadata
• Made AuthorizationCodeSessionAuthenticateRequest.client_secret optional
• Made RefreshTokenSessionAuthenticateRequest.client_secret optional
• widgets:
• Added widgets:pipes:manage to WidgetSessionTokenScopes

Fixes

• organization_membership:
• Changed response of UserManagementOrganizationMembership.list from UserOrganizationMembership to UserOrganizationMembershipList
• user_management:
• Changed response of UserManagementInvitations.list from UserInvite to UserInviteList

Bug Fixes

• renovate: explicitly enable minor and patch updates (#493) (c6da3f3)
• Use Thread.current[] instead of Fiber[] for connection cache (#499) (a44d650)

• #495 feat(generated): regenerate from spec (8 changes)

Features

• api_keys:
• Added model ExpireApiKey
• Added model ApiKeyUpdated
• Added model ApiKeyUpdatedData
• Added model ApiKeyUpdatedDataOwner
• Added model UserApiKeyUpdatedDataOwner
• Added model ApiKeyUpdatedDataPreviousAttribute
• Added endpoint POST /api_keys/{id}/expire
• audit_logs:
• Added Snowflake to AuditLogConfigurationLogStreamType
• connect:
• Added name to UserObject
• directory_sync:
• Added model DsyncTokenCreated
• Added model DsyncTokenCreatedData
• Added model DsyncTokenRevoked
• Added model DsyncTokenRevokedData
• user_management:
• Added name to user management models
• webhooks:
• Added api_key.updated to CreateWebhookEndpointEvents
• Added api_key.updated to UpdateWebhookEndpointEvents

Bug Fixes

• ci: extract version from PR title in changelog inline step (93768a1)

• #491 feat(generated)!: regenerate from spec (9 changes)

⚠️ Breaking

• organization_membership: Migrate organization membership to dedicated service
• Moved organization membership methods from UserManagement to new OrganizationMembershipService class
• Methods create_organization_membership, get_organization_membership, update_organization_membership, delete_organization_membership, deactivate_organization_membership, reactivate_organization_membership, list_organization_memberships, and list_organization_membership_groups now accessed via client.organization_membership instead of client.user_management
• Removed UserManagement::RoleSingle and UserManagement::RoleMultiple data classes (moved to OrganizationMembershipService)
• api_keys: Add expires_at field to API key models
• Added expires_at optional field to ApiKey, OrganizationApiKey, OrganizationApiKeyWithValue, UserApiKey, and UserApiKeyWithValue models
• Added expires_at field to CreateOrganizationApiKey and CreateUserApiKey request models
• Updated create_organization_api_key and create_user_api_key methods to accept expires_at parameter
• radar: Remove device_fingerprint and bot_score fields from Radar
• Removed device_fingerprint and bot_score parameters from Radar.create_attempt method
• Removed device_fingerprint and bot_score fields from RadarStandaloneAssessRequest model
• Updated enum values in RadarStandaloneAssessRequestAction: removed LOGIN, SIGNUP, SIGN_UP_2, SIGN_IN_2, SIGN_IN_3, SIGN_UP_3; standardized to SIGN_UP and SIGN_IN
• Removed CREDENTIAL_STUFFING and IP_SIGN_UP_RATE_LIMIT from RadarStandaloneResponseControl enum
• audit_logs: Refactor audit logs models and type names
• Merged AuditLogSchemaJson fields into AuditLogSchema; removed AuditLogSchemaJson class
• Added new AuditLogSchemaInput class (write-side schema without read-only fields)
• Renamed AuditLogSchemaJsonActor to AuditLogSchemaActorInput
• Renamed AuditLogSchemaJsonTarget to AuditLogSchemaTargetInput
• Removed AuditLogActionJson; AuditLogAction now extends BaseModel
• Renamed AuditLogExportJson to AuditLogExport (now extends BaseModel)
• Renamed AuditLogsRetentionJson to AuditLogsRetention (now extends BaseModel)
• Removed AuditLogExportJsonState type; replaced with AuditLogExportState
• Updated list_actions method return type from AuditLogActionJson to AuditLogAction
• Updated create_export and get_export method return types from AuditLogExportJson to AuditLogExport
• webhooks: Rename WebhookEndpointJson to WebhookEndpoint
• Renamed WebhookEndpointJson to WebhookEndpoint
• Updated list_webhook_endpoints, create_webhook_endpoint, and update_webhook_endpoint method return types
• WebhookEndpointStatus is now an alias for UpdateWebhookEndpointStatus (no longer a standalone class); removed WebhookEndpointJsonStatus alias
• Updated WebhookEndpoint to extend BaseModel for consistency
• authorization: Add filtering parameters to authorization list methods
• Added resource_id, resource_external_id, resource_type_slug filter parameters to list_role_assignments method
• Added role_slug filter parameter to list_role_assignments_for_resource_by_external_id and list_role_assignments_for_resource methods
• Removed search parameter from list_resources method

Features

• vault: Add new Vault service with key-value operations
• Added new Vault service class with methods: create_data_key, create_decrypt, create_rekey, list_kv, create_kv, get_name, get_kv, update_kv, delete_kv, list_kv_metadata, list_kv_versions
• Added vault model classes: Actor, CreateDataKeyRequest, CreateDataKeyResponse, CreateObjectRequest, DecryptRequest, DecryptResponse, DeleteObjectResponse, ObjectModel, ObjectMetadata, ObjectSummary, ObjectVersion, ObjectWithoutValue, RekeyRequest, UpdateObjectRequest
• Added VaultOrder enum for sorting operations
• Added client.vault accessor to access the new service
• pipes: Add Pipes connected account event models
• Added PipeConnectedAccount model for representing connected accounts
• Added three new event models: PipesConnectedAccountConnected, PipesConnectedAccountDisconnected, PipesConnectedAccountReauthorizationNeeded
• Added PipeConnectedAccountState enum with CONNECTED and NEEDS_REAUTHORIZATION values
• Added new webhook event types to CreateWebhookEndpointEvents and UpdateWebhookEndpointEvents
• generated: Add Error and Actor shared models
• Added Error model in shared module for error responses
• Added Actor model in vault module representing user/actor information
• Updated inflections to map 'object' to 'ObjectModel' to avoid conflicts

8.0.1 (2026-05-12)

Bug Fixes

• harden session sealing, log redaction, and webhook tolerance checks (#482) (347fe1e)

8.0.0 (2026-05-06)

⚠ BREAKING CHANGES

• authorization: Consolidate order enums to PaginationOrder
• api_keys: Separate organization and user API key types
• user_management: Consolidate order enums to PaginationOrder
• vault: Add BYOK key deleted event and consolidate key provider enum
• types: Consolidate pagination order enums
• authorization: Rename RoleAssignment to UserRoleAssignment

Features

• api_keys: Separate organization and user API key types (956386a)
• authorization: Add new role assignment listing endpoints (956386a)
• authorization: Consolidate order enums to PaginationOrder (956386a)
• authorization: Rename RoleAssignment to UserRoleAssignment (956386a)
• directory_sync: Add name field to directory users (956386a)
• docs: publish YARD API docs + llms.txt to GitHub Pages (#480) (117eeac)
• events: Add admin_portal source to event context actor (956386a)
• sso: Add name field to SSO profile (956386a)
• types: Consolidate pagination order enums (956386a)
• user_management: Add get JWT template endpoint (956386a)
• user_management: Add user API key management (956386a)
• user_management: Add user field to membership and organization membership (956386a)
• user_management: Consolidate order enums to PaginationOrder (956386a)
• vault: Add BYOK key deleted event and consolidate key provider enum (956386a)

7.1.2 (2026-05-06)

Bug Fixes

• decode legacy v6 sealed sessions on unseal (#479) (1d8b4aa)
• replace parameter-group hashes with typed variant classes (#473) (a66c15b)
• set canonical User-Agent header format (#476) (6728358)

7.1.1 (2026-04-29)

Bug Fixes

• seal session client-side in Session#refresh (#470) (32662ab)

--- This PR was generated with Release Please. See documentation.

7.1.0 (2026-04-27)

Features

• generated: update generated SDK from spec changes (#465) (6c145d2)

Bug Fixes

• add ruby/setup-ruby to release-please workflow (aa5ebd0)
• eagerly load configuration.rb to fix WorkOS.configure (#467) (eea391c)
• remove stale URN-prefixed alias files breaking Zeitwerk (#466) (92b2aa5)
• update Gemfile.lock in release-please PR and bump action pins (2aa0574)
• update Zeitwerk autoload for inflections.rb (#460) (4fa1332)

This is a major release that introduces a fully redesigned SDK architecture. The SDK is now generated from the WorkOS OpenAPI spec, bringing type safety, consistent interfaces, and improved developer ergonomics.

High-Level Changes

• Client-centric architecture: The SDK now revolves around an instantiated WorkOS::Client rather than module-level service calls. All product areas are accessed through client methods (e.g., client.organizations, client.user_management, client.sso).

• Generated request/response models: Typed models replace raw hashes. Response models no longer inherit from Hash — use accessor methods instead of bracket notation.

• Per-request overrides: The new runtime supports request_options: for per-request API key, timeout, base URL, and retry overrides — useful for multi-tenant setups.

• Minimum Ruby 3.3+: The minimum Ruby version has been raised to 3.3.

• Renamed services and methods: Several top-level services were renamed (e.g., WorkOS::Portal → client.admin_portal, WorkOS::MFA → client.multi_factor_auth). Method signatures now use explicit keyword arguments.

• Session management refactor: AuthKit session sealing, refresh, and authentication flows were overhauled with a dedicated SessionManager on the client instance.

• New capabilities: Device code flow, public/PKCE clients, auto_paging_each pagination, and last_response observability on all responses.

Migration Guide

For detailed instructions on updating your application, see the v7 Migration Guide.

6.2.0 (2026-03-06)

Features

• user-management: add directory_managed to OrganizationMembership (#446) (914d824)
• user-management: add invitation accept endpoint (#448) (b5b4da1)

Bug Fixes

• update renovate rules (#443) (f156c79)

See CHANGELOG.md for details

What's Changed

• Add release-please for automated releases by @workos-sdk-automation[bot] in #435
• fix: add invitation_token parameter to authentication methods by @gjtorikian in #438
• Update amannn/action-semantic-pull-request action to v6 by @renovate[bot] in #436
• chore(main): release workos 6.1.0 by @workos-sdk-automation[bot] in #437
• fix: use simple v-prefixed tags and fix gem publish path by @workos-sdk-automation[bot] in #441
• fix: revert VERSION extraction to handle simple v-prefixed tags by @workos-sdk-automation[bot] in #442

Full Changelog: v6.0.0...v6.1.0

What's Changed

• Add Rakefile to fix release workflow by @workos-sdk-automation[bot] in #426
• Use gem-push-command to skip git push in release workflow by @workos-sdk-automation[bot] in #427
• Fix release workflow to use OIDC credentials directly by @workos-sdk-automation[bot] in #429
• Update actions/create-github-app-token action to v2 by @renovate[bot] in #422
• Update peter-evans/create-pull-request action to v8 by @renovate[bot] in #424
• Add ability to extract custom claims from the JWT during authentication by @adam-h in #431
• Upgrade jwt gem from ~> 2.8 to ~> 3.1 by @workos-sdk-automation[bot] in #433
• Allow pluggable encryptors for session seal/unseal by @gjtorikian in #432
• v6.0.0 by @workos-sdk-automation[bot] in #434

Full Changelog: v5.31.1...v6.0.0

What's Changed

• Add custom_attributes field to OrganizationMembership by @ajworkos in #419
• v5.31.1 by @workos-sdk-automation[bot] in #420
• Update actions/checkout action to v6 by @renovate[bot] in #421
• Add rake as a development dependency by @gjtorikian in #423

New Contributors

• @ajworkos made their first contribution in #419

Full Changelog: v5.31.0...v5.31.1

What's Changed

• Add context7.json to repo by @nicknisi in #413
• Update ruby/setup-ruby action to v1.281.0 by @renovate[bot] in #358
• Update actions/checkout action to v6 by @renovate[bot] in #409
• Update CODEOWNERS to point to the right Rubyist Team by @gjtorikian in #416
• Bump rexml from 3.4.1 to 3.4.2 by @dependabot[bot] in #395
• Add list sessions to user management by @adam-h in #415
• 💎 5.31.0 by @gjtorikian in #418

New Contributors

• @gjtorikian made their first contribution in #416

Full Changelog: v5.30.1...v5.31.0

What's Changed

• Version bump v5.30.1 by @kendallstrautman in #412
• Multiple roles support: Add roles to SSO profile and directory user by @kendallstrautman in #411

Full Changelog: v5.29.0...v5.30.1

⚠️ Misconfigured release version. Use v5.30.1 instead

In this version, the package semver was not updated properly and still references v5.29.0

What's Changed

• Multiple roles support: Add roles to SSO profile and directory user by @kendallstrautman in #411

Full Changelog: v5.29.0...v5.30.0

What's Changed

• expose authentication object even if expired by @ollym in #398

New Contributors

• @ollym made their first contribution in #398

Full Changelog: v5.28.0...v5.29.0

What's Changed

• Add ability to resend invitations by @antn in #404
• Fix reset_password to handle wrapped API response by @nicknisi in #406

New Contributors

• @antn made their first contribution in #404

Full Changelog: v5.27.0...v5.28.0

What's Changed

• Added locale to user (https://github.com/workos/workos-ruby/pull/400)

Full Changelog: v5.26.0...v5.27.0

What's Changed

• Add SSO and Domain Verification widget scopes by @adam-h in #396
• AuthKit multiple roles support by @csrbarber in #397
• Bump to 5.26.0 by @csrbarber in #399

New Contributors

• @csrbarber made their first contribution in #397

Full Changelog: v5.25.0...v5.26.0

What's Changed

• Add GET /organizations/:orgId/feature-flags support by @stanleyphu in #391
• v5.25.0 by @stanleyphu in #393

New Contributors

• @stanleyphu made their first contribution in #391

Full Changelog: v5.24.0...v5.25.0

What's Changed

• Add screen_hint to Ruby Gem + vcr 6 by @Teyler7 in #389
• v5.24.0 by @nholden in #390

Full Changelog: v5.23.0...v5.24.0

What's Changed

• Add external_id to user and organization in #381

Full Changelog: v5.22.0...v5.23.0

What's Changed

• Include decoded Feature Flags from the JWT into the payload of a WorkOS Session by @vdyalex in #386
• Fix request body construction to only send non-nil values by @nicknisi in #384
• Fix SSO error handling to surface detailed validation errors by @nicknisi in #385

New Contributors

• @vdyalex made their first contribution in #386

Full Changelog: v5.21.0...v5.22.0

What's Changed

• user: allow updating external_id, add to User object by @mxlje in #378
• Add permissions to Role by @andrewhampton in #382

New Contributors

• @mxlje made their first contribution in #378
• @andrewhampton made their first contribution in #382

Full Changelog: v5.20.0...v5.21.0

What's Changed

• Added support for custom OAuth scopes (https://github.com/workos/workos-ruby/pull/379)

Full Changelog: v5.19.0...v5.20.0

What's Changed

• add missing session param to authenticate_with methods by @jameslcarpino in #375

New Contributors

• @jameslcarpino made their first contribution in #375

Full Changelog: v5.18.0...v5.19.0

What's Changed

• Added support for email in UserManagement.update_user (#365)

What's Changed

• Bump rexml from 3.2.6 to 3.4.1 by @alexandrule in #359
• v5.17.1 by @nicknisi in #364

New Contributors

• @alexandrule made their first contribution in #359

Full Changelog: v5.17.0...v5.17.1

What's Changed

• Add custom_attributes field to SSO Profile (#360)

Full Changelog: v5.16.1...v5.17.0