January 9, 2026 · 5 min read
Guide · Security

Authentication & Compliance with WorkOS

How WorkOS enables secure authentication and enterprise compliance capabilities in Doen.

Doen uses WorkOS for authentication and to enable enterprise compliance capabilities. This provides secure access for individual users today, with the ability to add enterprise features when needed.

Current: OAuth 2.1 Authentication

All Doen authentication uses OAuth 2.1 through WorkOS AuthKit. OAuth 2.1 is the consolidated profile of OAuth 2.0 best practice: the authorization code flow with PKCE is mandatory for every client, the implicit and password grants are gone, and refresh tokens for public clients are either rotated or sender-constrained.

For Users

  • Secure sign-in without Doen ever storing or handling passwords: credentials are held and verified by WorkOS, so a compromise of Doen's database yields no password hashes
  • Session management with automatic refresh-token rotation, so a refresh token stops working once it has been exchanged for a new one
  • Ability to revoke access to connected applications

For AI Tool Integration (MCP)

When Claude Code, Cursor, or other AI tools connect to Doen's MCP server:

  • The user authenticates once via OAuth in the browser; the tool itself never sees the user's credentials
  • The token the tool receives carries only that user's permissions, so the MCP server never acts with more authority than the signed-in user
  • Tokens are rotated automatically without user interaction
  • Users can revoke MCP access from their settings, which invalidates the tool's refresh token
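The two OAuth 2.1 behaviours the MCP flow depends on, PKCE binding the authorization code to the client that started the flow and refresh-token rotation with reuse detection, are easiest to see as a small in-memory model. The following is an added example, not Doen's or WorkOS's code; `AuthServer` and its methods are hypothetical names standing in for the role AuthKit plays on the server side.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Doen's or WorkOS's code: an in-memory model of PKCE (S256)
# on the code exchange and refresh-token rotation with reuse detection.
# AuthServer and its methods are hypothetical names for the role AuthKit plays.


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a fresh code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


@dataclass
class AuthServer:
    # code -> (user, code_challenge); consumed on first use
    pending_codes: dict = field(default_factory=dict)
    # refresh_token -> (user, family, live); one family per sign-in
    refresh_tokens: dict = field(default_factory=dict)
    revoked_families: set = field(default_factory=set)

    def authorize(self, user: str, code_challenge: str) -> str:
        """The user has signed in; hand the client a single-use authorization code."""
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = (user, code_challenge)
        return code

    def exchange_code(self, code: str, code_verifier: str) -> Optional[dict]:
        """Token endpoint: only the client holding the verifier can redeem the code."""
        user, challenge = self.pending_codes.pop(code, (None, None))
        if user is None:
            return None  # unknown or already used: an intercepted code cannot be replayed
        expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            return None  # verifier does not match the challenge sent at authorization
        return self._issue(user, family=secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> Optional[dict]:
        """Rotate: every refresh returns a new refresh token and retires the old one."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            return None
        user, family, live = entry
        if family in self.revoked_families:
            return None
        if not live:
            # A retired token was presented again: either the real client or a thief
            # is replaying it. Revoke the whole family so both lose access.
            self.revoked_families.add(family)
            return None
        self.refresh_tokens[refresh_token] = (user, family, False)
        return self._issue(user, family)

    def revoke_user(self, user: str) -> int:
        """What 'revoke access from settings' must do: kill every family of that user."""
        families = {fam for (u, fam, _) in self.refresh_tokens.values() if u == user}
        self.revoked_families.update(families)
        return len(families)

    def _issue(self, user: str, family: str) -> dict:
        new_refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[new_refresh] = (user, family, True)
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": new_refresh, "sub": user}


def walkthrough() -> dict:
    """Run the exchange end to end and report which protections fired."""
    server = AuthServer()
    verifier, challenge = make_pkce_pair()
    results = {}

    # 1. Whoever intercepts the code but not the verifier gets nothing, and the
    #    failed attempt burns the code.
    code = server.authorize("alice", challenge)
    results["stolen_code_rejected"] = server.exchange_code(code, "wrong-verifier") is None
    results["code_single_use"] = server.exchange_code(code, verifier) is None

    # 2. The legitimate client completes the flow and rotates silently.
    code = server.authorize("alice", challenge)
    first = server.exchange_code(code, verifier)
    second = server.refresh(first["refresh_token"])
    results["rotation_issues_new_token"] = second["refresh_token"] != first["refresh_token"]

    # 3. Replaying the retired token revokes the family, including the fresh token.
    results["replay_detected"] = server.refresh(first["refresh_token"]) is None
    results["family_revoked"] = server.refresh(second["refresh_token"]) is None

    # 4. Revocation from settings ends a separate, healthy session as well.
    code = server.authorize("alice", challenge)
    third = server.exchange_code(code, verifier)
    server.revoke_user("alice")
    results["settings_revoke_works"] = server.refresh(third["refresh_token"]) is None
    return results
```

The reuse-detection branch in `refresh` is the part worth copying: rotation on its own only shortens the window in which a stolen refresh token is useful, while revoking the whole family on reuse turns a theft into a detectable event that also logs out the attacker.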

Future: Enterprise Compliance

When enterprise features are enabled, WorkOS provides:

Single Sign-On (SSO)

For Business Buyers:

  • Users authenticate with existing company credentials (Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace)
  • IT controls access centrally through the identity provider
  • MFA and sign-in policies are enforced by your identity provider at authentication time, so Doen inherits them instead of re-implementing them
  • Reduces password-related security risks

For Engineers:

  • WorkOS handles all identity provider integrations
  • No per-provider OAuth implementation required
  • Protocol updates managed by WorkOS

Directory Sync (SCIM)

For Business Buyers:

  • Automatic user provisioning when employees join
  • Immediate access revocation when employees leave
  • Centralized access control through your identity provider
  • Audit trail of who has access

For PMs:

  • New team members get access automatically, with no manual onboarding
  • Offboarding is immediate and complete
  • No orphaned accounts
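Directory Sync delivers join and leave events to Doen, and the security value of "offboarding is immediate and complete" rests on how the receiving endpoint treats them: it has to verify the delivery came from WorkOS, reject replays, and end the departing user's live sessions rather than only deleting the row. The following is an added example, not Doen's or WorkOS's code. The signature header layout (`t=<unix ms>, v1=<hex HMAC-SHA256>` computed over `<t>.<raw body>`), the event names and the payload shape are assumptions made for this example; in production verify against the WorkOS documentation or use the SDK's own verifier.

```python
import hashlib
import hmac
import json

# Added example, not Doen's or WorkOS's code. The header layout, the event names
# and the payload shape are assumptions for this example; verify them against the
# WorkOS documentation or use the SDK's verifier in production.

WEBHOOK_SECRET = b"constructed-example-secret"  # constructed; the real one comes from the dashboard
TOLERANCE_MS = 3 * 60 * 1000                    # deliveries older than this are treated as replays


def sign(body: bytes, ts_ms: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Produce the header the sender would attach (used here to build test deliveries)."""
    mac = hmac.new(secret, f"{ts_ms}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts_ms}, v1={mac}"


def verify(body: bytes, header: str, now_ms: int, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Check over the raw bytes, not the parsed JSON, and compare in constant time."""
    try:
        fields = dict(part.strip().split("=", 1) for part in header.split(","))
        ts, provided = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now_ms - ts) > TOLERANCE_MS:
        return False  # stale or future-dated: a captured delivery cannot be replayed later
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


class AccessStore:
    """Stand-in for Doen's user table and session store (hypothetical names)."""

    def __init__(self) -> None:
        self.users = {}      # directory user id -> email
        self.sessions = {}   # session id -> directory user id
        self.seen = set()    # processed event ids, so sender retries are idempotent

    def handle(self, body: bytes, header: str, now_ms: int) -> str:
        if not verify(body, header, now_ms):
            return "rejected"
        event = json.loads(body)
        if event["id"] in self.seen:
            return "duplicate"
        self.seen.add(event["id"])
        kind, user = event["event"], event["data"]
        if kind == "dsync.user.created":
            self.users[user["id"]] = user["email"]
        elif kind == "dsync.user.deleted":
            self.users.pop(user["id"], None)
            # Deleting the row is not enough: a still-valid session would keep working
            # until it expires, so offboarding must also end every live session.
            self.sessions = {sid: uid for sid, uid in self.sessions.items()
                             if uid != user["id"]}
        return "ok"


def walkthrough() -> dict:
    """Constructed deliveries: a join, a tampered body, a stale one, a leave and a replay."""
    store = AccessStore()
    now = 1_767_916_800_000  # constructed "current time" in ms
    join = json.dumps({"id": "evt_1", "event": "dsync.user.created",
                       "data": {"id": "du_42", "email": "eve@example.com"}}).encode()
    leave = json.dumps({"id": "evt_2", "event": "dsync.user.deleted",
                        "data": {"id": "du_42"}}).encode()
    results = {}
    results["join"] = store.handle(join, sign(join, now), now)
    store.sessions["sess_a"] = "du_42"   # the user signs in after provisioning
    store.sessions["sess_b"] = "du_7"    # somebody else's session must survive
    results["tampered"] = store.handle(leave.replace(b"du_42", b"du_7"), sign(leave, now), now)
    results["stale"] = store.handle(leave, sign(leave, now - TOLERANCE_MS - 1), now)
    results["leave"] = store.handle(leave, sign(leave, now), now)
    results["replay"] = store.handle(leave, sign(leave, now), now)
    results["user_gone"] = "du_42" not in store.users
    results["sessions_left"] = sorted(store.sessions)
    return results
```

Two details matter more than they look: the HMAC is computed over the raw request body before any JSON parsing (re-serialising can change bytes and break the check), and the event id is recorded so that a legitimate retry from the sender, or a captured delivery inside the time window, cannot re-run a provisioning step.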

Audit Logs

For Business Buyers:

  • Audit trail that supplies the access and activity evidence SOC 2, ISO 27001 and GDPR audits ask for
  • Track sign-ins, permission changes, and sensitive data access
  • Export logs for compliance reporting or forwarding to your SIEM
  • Each event records the actor, the action, the target, a timestamp, and request context such as the client IP address and derived location

Secure Credential Storage (WorkOS Vault)

For Business Buyers:

  • Third-party OAuth tokens (GitHub, Linear) are encrypted and stored separately from the application database
  • A breach of the application database alone does not expose connected-service credentials; an attacker would also need the ability to call Vault as Doen
  • Meets the encryption-at-rest requirements of common compliance frameworks

For Engineers:

  • The application stores only reference IDs, never the tokens themselves
  • Tokens are retrieved on demand from WorkOS Vault at the moment a request to GitHub or Linear is made
  • Reduces the attack surface: a database dump or SQL injection yields opaque references, and a token can be rotated or revoked centrally without touching application rows

Compliance Framework Support

WorkOS supplies technical controls that map to the following frameworks. The controls are necessary but not sufficient: certification or audit readiness still depends on Doen's own policies, evidence collection and operational processes.

SOC 2

  • Access controls (SSO, MFA)
  • Audit logging
  • Encrypted credential storage

GDPR

  • Records of the third-party access each user authorised (the OAuth consent grants)
  • Data access logs
  • Account deletion

ISO 27001

  • Identity and access management
  • Role-based access control
  • Security monitoring

Ready to try Doen?

Start building with full context and enterprise compliance.