WorkOS is selling a new integrations layer called Pipes for developers who need their apps, and increasingly their AI agents, to reach into users’ other software without hoarding refresh tokens themselves.
The company describes Pipes as a managed credential broker: a user connects a service through a WorkOS widget, authorizes access with OAuth, and the refresh token remains inside Pipes rather than in the developer’s application. The app then calls the WorkOS API for an access token tied to a provider, user and organization.
That is the pitch, at least. WorkOS says its getAccessToken call returns a valid token and handles token expiry, refresh and concurrent requests. For teams that have built a pile of brittle OAuth adapters and cron-job refresh logic, that is the boring infrastructure they would rather not own. Boring, in this case, is the product.
How Pipes is supposed to work
WorkOS says developers can drop a Pipes widget into an app so users can connect external tools. Once connected, credentials are scoped to the user and stored in WorkOS Vault. The application requests access when needed, using the WorkOS SDK or API, rather than storing long-lived credentials in its own database.
The company says Pipes supports OAuth and API-key based connections, including custom apps. Its provider directory lists more than 100 integrations, with examples shown for GitHub, GitLab, Bitbucket, DigitalOcean, Fly.io, Netlify, Jira, Linear, Snowflake, Sentry and Datadog.
WorkOS is also aiming the product at agentic software. The company says agents can use the same user-authorized connection as a human-driven integration, and that Pipes includes an MCP-native interface so agents can access tools through one server after the user has granted access.
The practical problem is duration. Many integrations assume a user is present to reconnect or reauthorize when something breaks. WorkOS says Pipes automatically refreshes tokens, which would let a long-running agent continue working without failing because a short-lived access token expired midway through a task.
Security claims and platform fit
WorkOS frames Pipes as a way to move credential risk out of customer applications. The company says credentials can be revoked with a single call, access stops when a user disconnects, and session-scoped credentials expire when the relevant session ends.
For storage, WorkOS says tokens are encrypted at rest with AES-256 in Vault. The company also says Pipes uses PKCE by default and inherits the compliance posture of the WorkOS platform, including SOC 2, HIPAA and GDPR support. Those are vendor claims, not an independent audit of how a specific customer implements the product.
Pipes sits alongside WorkOS products such as single sign-on, Directory Sync, Audit Logs, AuthKit, Radar, Admin Portal and Vault. WorkOS says developers can use the same API key and dashboard across those services.
The product’s bet is straightforward: as more software needs access to customers’ SaaS accounts, especially through autonomous agents, credential handling becomes a piece of infrastructure rather than a feature. WorkOS wants developers to outsource that plumbing to Pipes. Developers will still need to decide which scopes to request, what actions agents may take, and how to explain those permissions to users before the consent screen becomes a liability of its own.
This story draws on original reporting from Daring Fireball.