Connect WorkOS so enterprise auth events fire Brew automations. Welcome new SSO users, confirm password resets, mirror SCIM provisioning into Brew contacts, or notify ops the moment an SSO connection activates.Documentation Index
Fetch the complete documentation index at: https://docs.brew.new/llms.txt
Use this file to discover all available pages before exploring further.
What you can do
- Trigger automations from WorkOS events. Cover SSO + SCIM + magic-link + password reset workflows in one connection
- Auto-sync contacts into your audience. Every WorkOS event upserts the user / directory user into Brew with
workos_*custom fields you can filter and segment on - Sync SCIM users into Brew contacts. Directory-sync events stream user data straight into your audience without manual import
- Confirm sensitive changes. Fire a security confirmation the moment a password reset completes
How it works
- Brew mints a unique webhook URL for your brand and you paste it into your WorkOS Dashboard.
- WorkOS signs every webhook with a
WorkOS-Signature: t=<timestamp>,v1=<hmac>header. Brew verifies the HMAC against your per-endpoint signing secret, with a 180-second timestamp tolerance to block replays. - For each verified event Brew (a) starts every matching automation and (b) upserts the WorkOS user (or SCIM-provisioned directory user) into your audience with
workos_*custom fields.
Setup
Generate your Brew webhook URL
In Brew, open Integrations, click the WorkOS card, and click Generate URL. Copy the URL Brew generates.
Create an endpoint in WorkOS
Open dashboard.workos.com, go to Webhooks → Create Endpoint, and paste the Brew URL into the Endpoint URL field.
Subscribe to the events Brew supports
Enable the user, authentication, password_reset, organization, organization_membership, dsync.user, connection, and invitation events listed below, then click Create.
Copy the endpoint Signing Secret
WorkOS reveals the per-endpoint signing secret on the endpoint detail page. Copy it — the value is opaque (no prefix).
Paste the Signing Secret into Brew
Paste the secret into the Brew connect form and click Connect. Brew verifies every webhook with the WorkOS
t=<timestamp>,v1=<hmac> envelope, with a 180-second timestamp tolerance.Triggering automations
Once connected, WorkOS events show up as available triggers in the automation builder. Open the Manage tab in the WorkOS integration to enable the specific events you want to fire automations.Supported events
Brew supports the following 18 WorkOS events: Useruser.createduser.updateduser.deleted
authentication.email_verification_succeededauthentication.password_failedauthentication.magic_auth_succeededpassword_reset.succeeded
organization.createdorganization.updatedorganization.deleted
organization_membership.createdorganization_membership.updatedorganization_membership.deleted
dsync.user.createddsync.user.updateddsync.user.deleted
connection.activated
invitation.accepted
password_reset.succeeded is the canonical WorkOS event name — it lives at the top level, NOT under authentication.*. If you saw authentication.password_reset_succeeded referenced anywhere, that’s an old name no longer used.Common patterns
| Goal | WorkOS event |
|---|---|
| Welcome new user | user.created |
| Real welcome (after email verification) | authentication.email_verification_succeeded |
| Security confirmation on a password reset | password_reset.succeeded |
| Magic-link sign-in notification | authentication.magic_auth_succeeded |
| Welcome the workspace owner | organization.created |
| Welcome the new teammate | organization_membership.created or invitation.accepted |
| Mirror SCIM provisioning into Brew contacts | dsync.user.created / updated |
| Drop deprovisioned users from audiences | dsync.user.deleted |
| Ops alert when SSO is wired | connection.activated |
Personalization
| Variable | Example |
|---|---|
{{@trigger:output.payload.firstName}} | Alex |
{{@trigger:output.payload.lastName}} | Morgan |
{{@trigger:output.payload.organizationName}} | Acme Inc. |
{{@trigger:output.payload.role}} | member |
{{@trigger:output.payload.emailVerified}} | true |
Troubleshooting
An event arrived but no automation fired
An event arrived but no automation fired
Brew provisions every WorkOS event disabled-by-default. Open the WorkOS integration in Brew, go to the Manage tab, and toggle the event ON. Then make sure at least one of your automations uses it as a trigger and is set to Published.
WorkOS shows 401 with timestamp_invalid:out_of_tolerance
WorkOS shows 401 with timestamp_invalid:out_of_tolerance
Clock skew between WorkOS and Brew exceeds 180 seconds. Verify your platform’s clock with
date -u and re-deliver the webhook from the WorkOS Dashboard.Password-reset webhooks don't fire
Password-reset webhooks don't fire
WorkOS uses
password_reset.succeeded (top-level event), NOT authentication.password_reset_succeeded. Re-subscribe in the WorkOS endpoint to the canonical name.I want to test before going live
I want to test before going live
Trigger a WorkOS event (e.g. provision a directory user, send yourself a magic link) and watch the Manage → Recent events panel. Pre-publish your automation as a Draft, run a test send, then flip to Published once you’re happy.
Requirements
- A WorkOS account with admin access
- Permission to create webhook endpoints in the WorkOS Dashboard
Need Help?
Our team is ready to support you at every step of your journey with Brew. Choose the option that works best for you:- Self-Service Tools
- Talk to Our Team
Search Documentation
Type in the “Ask any question” search bar at the top left to instantly find relevant documentation pages.
ChatGPT/Claude Integration
Click “Open in ChatGPT” at the top right of any page to analyze documentation with ChatGPT or Claude for deeper insights.