最近融资 01
$100M Series C [CO024] 尽调报告
WorkOS
企业身份认证平台
WorkOS 是高质量、开发者优先的企业身份平台,AI 客户验证异常扎实;但 2026 年 3 月 $2B 轮融资给出的价格,仍跑在公开经营披露之前,难以支撑高把握买入。
封面要素
公司概况
WorkOS 是一家由创始人主导的私人开发者基础设施公司,向软件厂商出售企业就绪的身份与信任构件。Michael Grinich 在 Nylas 经历后于 2019 年创办公司;WorkOS 从 SSO 和目录同步扩展到用户管理、MFA、细粒度授权、可审计性、滥用检测,以及邻近的开发者控制。公开证据支持几个判断:公司位于 San Francisco、团队远程优先、在 AI 原生和 B2B 软件公司中采用度强,最近一轮融资为 $100M Series C、估值 $2B;但关键经营指标和治理细节仍未公开。
- 成立时间
- 2019-05-20
- 创始人
- Michael Grinich
- 创立地点
- San Francisco, CA, USA
- 总部
- San Francisco, CA, USA
- 产品
- WorkOS 为企业身份提供 API、SDK 和托管工作流:SSO、SCIM 目录同步、用户管理、MFA/AuthKit、审计日志和细粒度授权;新表面还包括滥用检测及邻近信任基础设施。
- 客户
- B2B SaaS 和 AI 原生软件公司;它们需要为自己的客户提供企业就绪的身份、授权和管理控制。
- 商业模式
- 按连接和用量计费的 SaaS:1M 用户以内免费用户管理,企业 SSO 和目录同步连接付费,日志与验证工作负载作为附加项,另有高级支持和年度积分计划。
- 阶段
- Series C
- 融资情况
- 私有公司;最新公开融资是在 2026-03-02 宣布的 $100M Series C,估值 $2B;公开材料可见的公司历史累计融资约 $199M。
执行摘要
主要优势
- 开发者优先的产品设计切中了高速增长软件公司的企业化落地瓶颈,覆盖 SSO、SCIM、用户管理、MFA、审计日志和授权等关键环节。
- 作为私有基础设施厂商,客户质量少见地强,OpenAI、Anthropic、Vercel、Webflow、Indeed、Warp、Hopin 等软件公司都有公开证据。
- 2026 年 3 月 Series C 带来可信的增长资金,也有 Meritech 和 Sapphire 背书,同时强化了 WorkOS 对 AI 原生应用开发者的相关性。
主要风险
- 缺少公开 ARR、留存、毛利率、集中度和股权结构披露,$2B 估值很难承保;本轮价格敏感,且可能偏高。
- WorkOS 直接嵌在客户登录、开通和授权链路里,认证层安全、SDK 回归和状态页事故都会放大下行风险。
- 如果平台宽度不能转化成持久变现,Okta/Auth0、Clerk、Stytch、Microsoft、AWS 和开源工具的打包或低价替代会压低定价、利润率和销售效率。
未决问题
- 当前 ARR、收入增速、NRR/GRR、毛利率和烧钱速度仍未披露。
- 当前付费客户数量、收入集中度和合同规模分布没有公开。
- Series C 后的董事会构成、所有权集中度和清算优先权条款没有公开资料。
- 公开证据无法说明 Radar、feature flags、MCP 等新产品是否已经贡献实质收入,还是主要扩大产品触面。
- 私有尽调应穿透公开信任页和状态页,核验子处理方范围、数据驻留承诺、SLA 抵扣历史以及事故处理负担。
目录
01公司概况
1.1 身份、定位与产品边界
WorkOS 的公开身份异常清晰:它出售开发者 API 和 SDK,帮软件公司更快做到企业就绪,不用自己搭身份和合规管线。首页、创始文章、文档和后续融资文章反复把问题定义为跨过「企业鸿沟」:产品已经有用户拉力,但缺少 SSO、SCIM 用户预配、可审计性、权限和安全控制等 IT 管理要求。到 2026 年,产品足迹已经显著宽于早期 SSO 加 Directory Sync 的根基。WorkOS 现在在同一平台表面公开推广 Enterprise SSO、Directory Sync、Audit Logs、AuthKit、MFA、FGA、Radar,以及更新的智能体 / 认证连接器。战略解读是:WorkOS 仍从身份切入,但越来越把自己讲成面向企业和 AI 软件、开发者优先的信任层,而不只是登录点产品。[CO005, CO006, CO007, CO008, CO009, CO010]
| 指标 | 数值 / 状态 | 日期 / 锚点 | 置信度 | 缺口 / 限制 |
|---|---|---|---|---|
| 法律实体 | WorkOS, Inc. | 当前 | 高 | 公开网络来源不能替代州注册文件摘录来做法律尽调 |
| 成立日期 / 创始人 | 2019-05-20;由 Michael Grinich 创立 | 2019-05-20 | 高 | 仍需从公司档案确认准确注册辖区 |
| 总部锚点 | San Francisco, California | 当前 | 高 | 各来源披露的准确公开邮寄地址不一致 |
| 运营模式 | 远程优先团队 | 当前 | 中 | 公司也称正在 San Francisco、New York 和远程岗位招聘 |
| 员工规模信号 | 官方称 100+ 名建设者;第三方区间为 51-200 | 当前 | 中 | 准确员工数没有公开钉牢 |
| 当前阶段 | 后期私营公司 / Series C | 2026-03-02 | 高 | 未留存公开董事席位或所有权图谱 |
| 最新融资 | $100M Series C | 2026-03-02 | 高 | 除金额、估值和投资方名称外,轮次条款未公开 |
| 最新公开估值 | $2B | 2026-03-02 | 高 | 未留存之后的估值标记或老股交易定价 |
| 推算累计披露融资 | ~$199M | 2026-03-02 | 中 | 该数值由公司披露的轮次金额和 2021 年截至当时数字推算 |
| 付费客户规模 | 估计到 2025 年初已有 1,000+ 付费客户;公司称拥有数千客户 | 2025-10 至 2026-03-02 | 中 | WorkOS 没有公布当前准确付费客户数 |
| 公开点名客户 | OpenAI、Anthropic、Cursor、Perplexity 等 B2B 软件公司 | 2026-03-02 | 中 | 客户名单是选择性披露,可能过度代表头部标杆客户 |
| 核心产品套件 | 企业 SSO、目录同步 / SCIM、审计日志、AuthKit / MFA、FGA、Radar | 当前 | 高 | 更广的平台邻接仍在扩张 |
| 公司反向信号 | 已披露的 AuthKit 漏洞和反复出现的状态页事故,使可靠性和安全执行成为正在发生的尽调议题 | 2025-01-13 至 2026-05-22 | 中 | 公开来源没有量化业务影响或 SLA 赔付成本 |
各行结合了 WorkOS 官方页面和独立市场、监测、档案来源;准确收入、所有权和当前员工数仍属私有信息或方向性信息。
[CO001, CO002, CO004, CO005, CO021, CO024]WorkOS 如何把企业级身份基础设施与客户采用、平台扩张、资本支持,以及不断加重的信任负担串起来。
这是一张分析性逻辑图,不是组织架构图;箭头表示战略强化关系,不代表法律因果。
[CO005, CO006, CO019, CO020, CO029, CO039]1.2 创始人、足迹与组织画像
公司仍明显由创始人主导。WorkOS 的结构化数据将 Michael Grinich 列为创始人,官方融资文章以他的口吻写成,外部画像也把公司起源直接连到他在 Nylas 的经历,以及一个教训:终端用户很喜欢的产品,如果企业要求来得太晚,仍可能失败。公司足迹证据足以把 WorkOS 锚在 San Francisco,但不足以把精确邮寄地址当成定论:WorkOS 自己的结构化数据列出 660 Market Street,第三方目录数据则列出另一个 Market Street 邮箱地址。更扎实的是运营模式信号。WorkOS 自称远程优先,团队有 100+ 名建设者;第三方员工区间把它放在 51-200,说明员工规模已有分量但仍未公开。Grinich 之外的公开领导层可见度相对薄,尽调应把关键人依赖和治理透明度视为仍需验证的问题,而不是已关闭的答案。[CO001, CO002, CO003, CO004, CO013, CO018]
| 人员 / 群体 | 当前公开角色 / 相关性 | 背景 / 职能覆盖 | 关键人物依赖 |
|---|---|---|---|
| Michael Grinich | 创始人兼 CEO | 曾任 Nylas 创始人 / CEO;其企业就绪经验支撑 WorkOS 最初投资逻辑,且在留存材料中仍是主要公开运营者 | 极高——创始人、公众面孔和产品叙事者集中在同一人 |
| 公开高管梯队 | 留存公开来源未完整披露 | 官方页面更强调公司和产品,而不是点名高管名单;创始人之外的日常职能归属不够可见 | 高——管理层厚度需要直接尽调 |
| 2022 年加入的 Modulz / 设计系统人才 | 收购来的团队拓宽了产品和开发者体验能力 | Modulz 收购说明 WorkOS 借 M&A 增加 UI 和平台杠杆,而不只是靠有机招聘 | 中——能力扩张有用,但当前具体领导角色未公开映射 |
| 远程优先运营团队 | 官方关于页面文案称 100+ 名建设者 | 公开证据指向一个工程占比高、分布式的组织,而不是销售外勤很重的队伍 | 中——产品表面积扩大后,协同质量很关键 |
这只是部分公开领导层画像,不是法定高管名单;创始人很可见,更广的高管和董事会细节在公开来源中仍然很薄。
[CO002, CO004, CO013, CO016, CO030, CO031]公开可见的公司形态指标;不抹平不确定性,而是保留给读者看。
融资和客户数字要么来自公司披露,要么来自第三方估计;当前精确收入、所有权结构和员工数仍未披露。
[CO024, CO025, CO027, CO033, CO034, CO035]1.3 资本基础、阶段与利益相关方图谱
公开融资历史支持一个清晰的后期私有公司判断。WorkOS 在 March 2021 融资公告中披露至今已融 $19 million;June 2022 完成由 Greenoaks 领投的 $80 million Series B;March 2026 完成由 Meritech 和 Sapphire 领投、估值 $2 billion 的 $100 million Series C。机械相加,官方披露意味着到 March 2026 已披露资本约 $199 million。可见投资人组合也相当连贯:早期支持包括 Lachy Groom、Abstract、Lightspeed 和其他运营者,后续轮次叠加 Greenoaks、Meritech、Sapphire、Audacious 和 Craft。该画像说明,公司已从早期开发者基础设施信念资本,走向更广义的成长阶段资金支持。未公开的信息同样重要:留存来源没有给出完整股权结构表、董事席位图、清算堆叠或所有权集中度视图,因此治理和经济权益仍需要在管理层会议中确认。[CO014, CO015, CO016, CO024, CO032, CO033]
| 利益相关方 | 角色 | 控制权 / 经济重要性 | 公开证据 | 尽调要求 |
|---|---|---|---|---|
| Michael Grinich | 创始人 / CEO | 鉴于创始人主导姿态,普通股和控制影响力可能有实质权重 | 关于页面结构化数据;融资帖子;Contrary 档案 | 确认持股、投票控制权和留任方案 |
| Lachy Groom | 早期领投方 | 2021 年 3 月融资中的关键早期背书,也是反复参投方 | 2021 年融资帖子 | 确认当前持股、按比例跟投权,以及任何董事或观察员角色 |
| Greenoaks | Series B 领投方 | 2022 年拐点时的成长期资金支持方 | Series B 帖子;Sacra | 确认 Series C 后持股和任何优先权堆叠 |
| Meritech | Series C 联合领投方 | 与 2026 年 $2B 估值重置绑定的最新领投方 | Series C 帖子;Fenwick;SiliconANGLE | 确认董事会席位和治理权 |
| Sapphire Ventures | Series C 联合领投方 | 最新领投方,也是可能的治理对手方 | Series C 帖子;Fenwick;SiliconANGLE | 确认董事会席位、信息权和基金持股 |
| Abstract Ventures | 多轮参投方 | 从早期融资到后续轮次都可见 | 2021 年融资帖子;2026 年 Series C 帖子 | 确认持续持股和稀释历史 |
| Audacious / Craft / Lightspeed 群组 | 跟投机构投资方 | 扩大了 VC 财团,但具体经济权益未公开 | 2021 年融资帖子;2026 年 Series C 帖子 | 确认哪些机构仍持有有意义股份,以及哪些权利仍然有效 |
公开证据能识别重要融资对手方,但不能给出完整股权结构表、董事会观察员结构或清算堆叠。
[CO014, CO015, CO024, CO032, CO033, CO034]1.4 牵引、里程碑与公司层面保留项
最强公开牵引信号不是经审计财务披露,而是客户质量和产品宽度。官方 2026 材料称 OpenAI、Anthropic 等领先 AI 公司使用 WorkOS;客户故事索引列出广泛的 B2B 软件账户;Sacra 估计公司在 early 2025 跨过 1,000 付费客户,并在 October 2025 达到约 $30 million ARR。里程碑节奏也显示平台稳步扩张:AuthKit 在 late 2023 发布,Radar 在 late 2024 发布,2026 Series C 叙事把 WorkOS 重新定义为安全智能体软件基础设施。反面也真实存在,即便不构成生死问题。WorkOS 发布过 Hosted AuthKit MFA-bypass 安全公告,公开漏洞数据库列出 2025 和 2026 年多项 AuthKit 相关问题,官方状态页与 IsDown 也显示反复运营事故,包括 May 2026 控制台故障。尽调结论是:WorkOS 看起来战略相关、资本充足,但承保仍取决于能否在强叙事之下确认运营成熟度、客户集中度和财务质量。[CO017, CO021, CO022, CO023, CO025, CO026]
| 日期 | 事件 | 类型 | 金额 / 估值 / 状态 | 参与方 | 含义 |
|---|---|---|---|---|---|
| 2019-05-20 | WorkOS 创立 / 注册成立 | 创立 | 官方结构化数据中的创立日期 | Michael Grinich;WorkOS | 确立公司和创始人锚点 |
| 2021-03-10 | 融资帖子披露累计融资 $19M | 融资 | 累计 $19M;由 Lachy Groom 领投 | WorkOS 与 Lachy Groom、Lightspeed、Abstract、Audacious、Uncorrelated | 标志企业就绪投资逻辑获得早期验证 |
| 2022-06-01 | 宣布 Series B | 融资 | $80M Series B,由 Greenoaks 领投 | WorkOS 与 Greenoaks、Lachy Groom、Lightspeed、Abstract | 公司进入更大的成长期资本阶段 |
| 2022-06-01 | 宣布收购 Modulz | 产品 | Modulz / Radix 团队加入 WorkOS | WorkOS;Modulz | 拓宽产品和设计系统能力 |
| 2023-11-28 | 推出 AuthKit 和用户管理 APIs | 产品 | 最高 100 万用户免费 | WorkOS | 扩展到核心身份验证和用户管理 |
| 2024-11-19 | 推出 Radar | 产品 | Bot 阻断和滥用检测产品 | WorkOS | 把 WorkOS 进一步推向欺诈和风险控制 |
| 2025-01-13 | 发布 Hosted AuthKit MFA 绕过安全公告 | 反向 | 披露高严重性问题;已于 2025-01-07 修复 | WorkOS;CyberRisk | 显示产品安全执行负担开始公开化 |
| 2026-03-02 | 宣布以 $2B 估值完成 Series C | 融资 | $100M Series C;$2B 估值 | WorkOS 与 Meritech、Sapphire、Audacious、Craft、Abstract、Greenoaks | 确认后期私营公司状态和 AI 时代投资方支持 |
| 2026-05-22 | Dashboard 错误升高事故 | 反向 | Dashboard / Admin Portal / Docs 样式事故;APIs 未受影响 | WorkOS | 强化运营可靠性这个尽调议题 |
这条时间线是选择性而非穷尽式的,聚焦对身份范围、资本形成和公司级执行风险最重要的里程碑。
[CO002, CO014, CO015, CO016, CO019, CO020]从创立到 2026 年融资及可靠性记录中,挑选公开里程碑。
时间线刻意筛选,只聚焦有日期、且影响身份边界、资本和运营信任的事件。
[CO002, CO014, CO015, CO016, CO019, CO020]1.5 图表
02市场分析
2.1 市场边界、纳入支出,以及 WorkOS 为何存在
WorkOS 应被定义为面向 B2B 软件厂商、开发者优先的企业身份基础设施,而不是整个身份与访问管理市场的替代指标。广义 IAM 分母包括 用户预配、目录服务、单点登录、高级认证、审计、合规、治理、特权访问、员工身份、CIAM、B2B 身份和非人类身份。WorkOS 只在这一堆栈内部货币化较窄一层:SaaS 公司在客户要求 SAML/OIDC SSO、基于 SCIM 的用户预配、审计日志导出、组织级安全政策和越来越细的授权后所需要的企业功能。因此,最贴近的买方问题是「让我的产品企业就绪」,而不是「替换我公司的整套身份套件」。 该边界解释了纳入项和排除项。纳入支出应覆盖企业 SSO 连接、目录同步和生命周期自动化、审计与日志流基础设施、客户管理员入驻工作流,以及多租户协作和 AI 智能体所需的授权逻辑。排除支出应包括仅面向消费者的 CIAM、内部 IT 采购的员工侧身份套件,以及不能解决 SaaS 产品身份工作流的无关网络安全类别。主要现状替代不是某一个具名竞争对手,而是混杂组合:自研 SAML 和 SCIM 实现、大型套件不透明的企业层级定价、手工用户预配,以及产品团队临时满足企业安全审查导致交易周期拖延。WorkOS 存在,是因为符合标准的身份功能正变成入场券,但每个 SaaS 产品内部自建和维护这些功能仍然昂贵且分心。[CM001, CM002, CM003, CM004, CM005, CM006]
| 细分 / 类别 | 纳入支出 | 排除支出 | 买方 / 付款方 | 为何重要 |
|---|---|---|---|---|
| 广义 IAM | 配置开通、目录服务、SSO、高级认证、审计 / 合规 / 治理、PAM、员工身份、CIAM、B2B、非人类身份 | 不含身份、日志或授权工作流的无关安全工具 | CIO、CISO、身份平台负责人 | 只能作为外层上限;远宽于 WorkOS 已变现楔子 |
| CIAM 与外部用户身份 | 客户登录、联合身份、社交和无密码认证、资料与组织管理 | 仅面向内部员工的 IAM 项目 | 产品、增长、平台、数字团队 | 与 AuthKit 和开发者侧认证 APIs 相关 |
| 企业 SaaS 就绪基础设施 | SSO 连接、SCIM 与目录同步、审计日志导出、管理员上线、组织安全策略 | 仅面向消费者的登录 UX 或无关 CX 工具 | 产品工程加安全 / 合规支持方 | 最贴近 WorkOS 当前核心市场的实用描述 |
| 授权与协作控制平面 | RBAC/FGA、委托访问、多租户权益、智能体权限、访问变更可审计性 | 不带访问控制的独立应用分析 | 平台工程、安全架构 | 可提升 WorkOS 钱包份额的扩张邻接 |
| 现状替代方案 | 买方已有的自建 SAML/SCIM、手工开通、工单,以及捆绑身份套件功能 | 企业客户原本不需要的专用基础设施支出 | 既有工程和 IT 预算 | WorkOS 必须证明 ROI 的真实竞争基准 |
| 排除的邻近市场 | 消费者欺诈、仅面向员工的 HR 套件、没有嵌入式产品身份层的通用 SIEM 或 GRC 平台 | N/A | 独立的安全、欺诈或 HR 负责人 | 避免用非核心类别高估 TAM |
边界有意把中心放在 B2B 软件里的企业就绪基础设施上,而不是把整个 IAM 栈都算作 WorkOS 眼前可触达市场。
[CM001, CM002, CM003, CM005, CM006, CM049]WorkOS 的机会嵌在更宽的 IAM 和 CIAM 中,但可变现层是 B2B 软件厂商为签下并留住大客户而购买的企业就绪基础设施。
[CM001, CM004, CM005, CM012, CM049]2.2 规模测算口径、重叠和现实承保分母
自上而下的市场证据支持基本判断,但不能相加。公开分析师页面把广义 IAM 放在 2026 年等效口径约 $24.8 billion 到 $28.7 billion;CIAM 专项估计集中在 2026 年 $13.3 billion 到 $14.5 billion。访问管理预测同样庞大,一个公开估计为 2026 年 $25 billion,且该类别内部有 31% 的审计 / 合规 / 治理切片。MarketsandMarkets 也把 B2B 身份、consumer IAM 和 非人类身份明确当作广义 IAM 市场的切片;另一个非人类身份访问管理预测到 2030 年达到 $18.71 billion。这些数字确认 WorkOS 位于真实扩张的控制层,但也说明简单 TAM 算术会夸大机会。 正确承保动作是保留多套口径,而不是挑最大标题数字。广义 IAM 是外层天花板,因为它包含让 WorkOS 相关的协议、治理和访问控制功能。CIAM 更接近 WorkOS AuthKit 和外部用户身份。访问管理与审计 / 合规数据覆盖推动 Enterprise 和 Scale plan 需求的管理与取证型工作流。非人类身份和智能体授权扩大 FGA 周边邻近空间,但还不是当前收入的清晰替代。公开来源没有给出「卖给 B2B SaaS 厂商的企业功能基础设施」的独立市场规模序列。缺了这座桥,精确公开 SAM 或 SOM 仍无法有把握地拆出来。[CM010, CM011, CM012, CM013, CM014, CM015]
| 发布方或视角 | 年份锚点 | 地理范围 | 数值 | CAGR | 方法 | 置信度 | 限制 |
|---|---|---|---|---|---|---|---|
| The Business Research Company IAM 市场预测 | 2026 / 2030 | 全球 | 2026 年 $25.23B;2030 年达到 $45.22B | 15.7% | 广义 IAM,包含配置开通、目录服务、SSO、审计 / 合规 / 治理及相关组件 | 高 | 范围太宽,不能当作 WorkOS SAM;它混合了员工身份、套件和邻近身份支出 |
| MarketsandMarkets IAM | 2025 / 2030 | 全球 | 2025 年 $25.96B;2030 年达到 $42.61B | 10.4% | 按技术、类型(员工身份、CIAM、B2B)、身份类型、部署模式和垂直行业拆分的 IAM | 高 | 2026 年点位未明示;类别重叠明显 |
| Fairfield IAM | 2026 | 全球 | 2026 年达到 $24.8B | 14.8% (2021-2026) | 强调数据泄露和欺诈顺风的广义 IAM 展望 | 中 | 框架较旧,类别拆分不如新报告细 |
| Mordor CIAM | 2026 / 2031 | 全球 | 2026 年 $13.3B;2031 年达到 $30.06B | 17.72% | 按组件、部署、组织规模、垂直行业和地理切分的消费者 IAM 预测 | 高 | CIAM 只是 WorkOS 产品表面的一个切片 |
| Fortune Business Insights CIAM | 2026 / 2034 | 全球 | 2026 年 $14.46B;2034 年达到 $53.36B | 17.73% | 聚焦外部用户身份需求的独立 CIAM 预测 | 高 | 周期长且偏消费者范围,可能高估近期 B2B 基础设施需求 |
| MarketsandMarkets CIAM | 2025 / 2030 | 全球 | 2025 年 $14.12B;2030 年达到 $22.47B | 9.7% | 按解决方案、服务、认证类型和垂直行业拆分的 CIAM | 中 | 2026 年点位必须插值;仍不是 WorkOS 专属楔子 |
| Coherent 访问管理 | 2026 / 2033 | 全球 | 2026 年 $25B;2033 年达到 $65B | 12% | 带有明确合规驱动细分的访问管理市场 | 中 | 包含开发者优先 SaaS 基础设施之外更广的访问控制预算 |
| 访问管理中的审计 / 合规 / 治理切片 | 2026 | 全球 | 访问管理的 ~31%(由 $25B 推算为 ~$7.75B) | n/a | 由 Coherent 2026 年审计、合规和治理细分占比推导 | 中 | 推导占比,不是独立市场预测 |
| 非人类身份访问管理 | 2024 / 2030 | 全球 | 2024 年 $9.45B;2030 年达到 $18.71B | 11.9% | 为应用、API、机器和加密身份分别建立市场视角 | 中 | 更贴近 WorkOS FGA 的未来机会,而非当前核心收入 |
| 证据受限的 WorkOS SAM / SOM | 2026 | 全球 | 公开数据无法单独拆出 | n/a | 若要拆出 WorkOS 特定切口,需要 B2B 企业就绪基础设施的独立支出数据 | 高 | 公开资料无法足够清晰地区分套件支出、自建投入和独立基础设施需求 |
表格保留重叠的分析师视角,而不是强行压成一个 TAM 数字。衍生条目已明确标注, 不应与广义 IAM 或 CIAM 总量相加。
[CM010, CM011, CM012, CM013, CM014, CM015]公开市场估算指向一个很大的身份控制背景,但如果口径换成 IAM、CIAM 或偏合规的访问管理,相关区间会明显变化。
数值单位为十亿美元。MarketsandMarkets IAM 高位情形是以 2025 基数按 CAGR 向前滚动一年;审计 / 合规行是派生切片,不是分析师单独预测。
[CM010, CM012, CM013, CM014, CM015, CM017]2.3 买方、付款方与自建 vs 购买采用路径
购买动作异常跨职能,因为 WorkOS 卖的是嵌入产品内部、但由企业安全和合规要求证明价值的基础设施。大客户签约前要求 SSO、SCIM 或审计导出时,产品和平台工程团队通常最先感到痛点。安全、IT 或合规利益相关方随后变成间接买方,因为他们关心生命周期控制、最小权限、日志记录和标准合规。WorkOS 的终端使用者通常是集成 API 的开发者或产品团队;下游使用者则是通过自助管理员门户配置的客户 IT 管理员。因此,付款方早期可能在产品基础设施预算里,随着高端市场收入变得重要,再迁移到共享工程、安全或企业就绪预算。 公开客户证明把自建还是购买的触发点说得很明白。WorkOS 强调:相比自建,交付 SSO 和 SCIM 可快超过九个月;客户在不到一周内上线 SSO;团队每个连接可避免 2–4 小时的手工用户预配工作。它的 SCIM 指南认为,内部用户预配项目会撞上 IdP 特定差异、事件顺序和扩展问题、入驻摩擦,以及持续维护。该证据贴合更广的市场结构:大型企业主导 CIAM 支出,云是默认部署模式,无密码登录和 passkey 采用仍在快速增长。含义是,SaaS 公司需要快速拿到企业级身份功能、已有某种认证堆栈、且不想只为再关一个企业单而迁入全套件平台时,WorkOS 最容易赢。[CM019, CM022, CM023, CM024, CM025, CM026]
| 细分市场 | 买方 | 用户 | 付款方 | 工作流 | 预算负责人 | 采用触发点 |
|---|---|---|---|---|---|---|
| AI 原生或开发者主导的 B2B SaaS | 产品副总裁 / 平台工程 | 应用开发者 | 共享产品基础设施预算 | 在不替换现有身份验证栈的前提下,补上企业 SSO、组织策略和管理员引导流程 | 产品工程 | 企业客户线索或新的高阶套餐急需 SSO |
| 大型企业扩张动作 | 工程负责人和安全赞助人 | 开发者和客户 IT 管理员 | 企业就绪或共享研发预算 | 补上 SSO、SCIM 和审计导出,打通采购审批 | 工程团队,安全团队签字 | 大客户采购清单或安全审查卡点 |
| 受监管 SaaS 工作流 | 安全 / 合规负责人 | IAM 管理员、审计员、租户管理员 | 安全或合规预算 | 向客户证明最小权限、生命周期控制和可导出证据 | CISO / 合规办公室 | SOC、审计或客户尽调需求 |
| 已有身份验证栈的团队 | Staff 级平台工程师 | 身份集成工程师 | 平台预算 | 保留当前登录栈,把企业连接和生命周期同步外包出去 | 平台工程 | 团队想要 SCIM 或 SSO,但不想迁移平台 |
| 协作型或多租户数据应用 | 产品架构师 / 安全架构师 | 后端工程师 | 产品加安全预算 | 补上资源级权限、委托和管理员可见性 | 平台 + 安全架构 | 客户要求细粒度角色和组织共享控制 |
| 智能体或自动化重度产品 | 平台安全负责人 | AI 平台和 API 工程师 | 创新 / 平台安全预算 | 从身份验证转向面向智能体和 MCP 客户端的范围化授权 | 平台安全 | 需要最小权限智能体访问和可审计的策略变更 |
WorkOS 的市场由委员会买单。发起团队往往是产品工程,但预算审批通常取决于安全、 合规或企业销售压力。
[CM019, CM022, CM023, CM024, CM026, CM027]同一个账户里,直接任务是 SSO、SCIM、可审计性还是细粒度授权,会决定发起买方、运营用户、付款方和证明负担各不相同。
[CM022, CM023, CM027, CM028, CM040, CM041]WorkOS 需求通常从一笔被卡住的企业订单开始。随后,开通、日志和授权要求逐步显露:身份基础设施不是一次性功能,需求会继续叠加。
[CM006, CM007, CM023, CM024, CM026, CM041]2.4 标准、合规,以及从认证转向授权
监管和标准压力,是该市场持续扩张最清楚的理由之一。SCIM 现在是成熟的 IETF 跨域身份管理标准,明确目标是降低 enterprise-to-cloud 场景中用户管理的成本和复杂度。OIDC 和 SAML 仍是联合企业登录的核心互操作标准。NIST 的 July 2025 数字身份修订增加了 同步 passkeys、订阅者控制钱包,以及针对注入攻击和伪造媒体的新控制;NIST SP 800-207 和 OMB M-22-09 则把身份与访问决策推向零信任、逐请求验证,而不是边界信任。CISA 的 maturity model 用身份作为专门支柱,把该转向操作化。对于 B2B SaaS 厂商,这意味着企业买家越来越把基于标准的身份管线和更丰富的策略控制当作基础能力,而不是高级附加项。 市场也在从认证延伸到细粒度授权。Google 的 Zanzibar 论文证明,基于关系的授权可以在互联网规模下运行,并保持低于 10 毫秒延迟和极高可用性。OpenFGA 在 late 2025 进入 CNCF 孵化,说明生态成熟;Auth0 和 WorkOS 也都把 FGA 与 AI 智能体授权放到一等产品领域。WorkOS 认为智能体是一个独立身份类别,扁平 RBAC 无法处理瞬时、任务范围权限。Auth0 则称,定制授权逻辑无法扩展到多租户 B2B API、MCP servers 和 AI 智能体。这些来源合在一起,指向 WorkOS 可信的邻近扩张:认证、用户预配和日志解决后,授权会成为买家想外包的下一个控制平面。[CM029, CM030, CM031, CM032, CM033, CM034]
| 驱动 / 约束 | 方向 | 时间 | 影响 | 尽调问题 |
|---|---|---|---|---|
| 采购中的企业 SSO 和 SCIM 要求 | 正向 | 当前 | 身份功能成为高端 SaaS 厂商的入场门槛 | WorkOS 销售管线中,多少由采购卡点触发,多少来自主动平台战略? |
| 零信任身份策略和 MFA 基线 | 正向 | 当前 | 推高对基于标准的身份验证、账号预置和访问控制的需求 | 哪些买方垂直行业最明确地把采用 WorkOS 绑定到零信任计划? |
| 通行密钥、钱包和数字身份指南变化 | 正向 | 近期 | 需求从纯密码系统转向现代、灵活的身份层 | WorkOS 需求中,多少是身份验证现代化,多少是企业功能门槛? |
| 合规驱动的审计和外包保障 | 正向 | 当前 | 支撑日志流、审计证据和管理员控制功能 | 在真实企业交易中,Audit Logs 和日志流的附加率是多少? |
| AI 智能体和非人类身份增长 | 正向 | 近期至中期 | 催生新的授权和最小权限控制平面机会 | 目前有多少客户为 FGA 或智能体授权付费,而不是只在试点? |
| 既有厂商企业级定价不透明 | 对 WorkOS 正向 | 当前 | 按连接计价、开发者优先的基础设施更容易对标套件 | WorkOS 有多常明确靠价格可预测性而非迁移速度赢单? |
| 预算约束、隐私顾虑和技能短缺 | 负向 | 当前 | 即使赛道在增长,也会拖慢或收窄 IAM 部署 | 哪些细分市场最可能在有需求的情况下推迟企业就绪工作? |
| 品类重叠与 SAM 模糊 | 负向 | 持续 | 如果粗糙叠加 IAM、CIAM 和访问管理数字,估值可能被抬高 | 哪些内部收入结构或连接数据能让尽调估出更干净的 SAM? |
驱动和约束刻意绑定到时间节奏和投资判断影响,而不是抽象市场话术。
[CM006, CM018, CM020, CM033, CM034, CM036]2.5 约束、在位者定价结构与未解尽调缺口
乐观情景成立,但摩擦并不轻。分析师仍把预算约束、隐私担忧、统一身份标准缺失和熟练网络安全从业者短缺列为 IAM 推进卡住或缩窄范围的原因。市场重叠也带来估值风险:广义 IAM、CIAM、访问管理、合规工具和非人类身份 都引用相近支出池,草率相加会重复计算同一预算。因此,即便市场不错,如果 SaaS 厂商不确定是外挂一个功能、迁移到更大套件,还是彻底推迟企业就绪,采用也可能滞后。 反向证据也支持 WorkOS 的定位。公开「SSO tax」和「SCIM tax」追踪器认为,许多 SaaS 厂商仍把 SAML 和生命周期自动化锁在 企业层级或不透明报价后面;SCIM tax 数据集记录了大量已安装应用仍对自动用户预配加收费用。Stitchflow 更激进的批评称,721 个受访 SaaS apps 中 42% 把 SCIM 锁在企业定价后,57% 任何价位都不提供 SCIM,只有 1.2% 把它纳入 base tier。Auth0 自己的定价页也强化了更广泛模式:企业连接、自助 SSO 和 SCIM 绑定到 B2B 或企业包装,同时在更高堆栈宣传 AI 智能体与 FGA 功能。对 WorkOS 而言,这既是机会,也是剩余尽调缺口:痛点显而易见,但公开证据仍无法拆出多少痛点会转化为持久的独立基础设施收入,而不是最终被更大身份套件吸收。[CM021, CM042, CM043, CM044, CM045, CM046]
2.6 图表
03竞争格局
3.1 竞争版图与买方分层
WorkOS 所在的身份堆栈拥挤,已经无法映射到一个干净的竞争对手集合。直接战场是 Auth0、Clerk、Stytch、PropelAuth、Frontegg、Descope 等嵌入式 B2B 认证平台;它们都承诺比从零自建 SAML、SCIM、组织感知权限和管理员流程 更快达到企业就绪。邻近战场是 Permit.io 和 Cerbos 等授权专家;当买方想要比打包认证堆栈更深的策略控制时,它们可以替代或补充 WorkOS 较新的 RBAC 叙事。替代品战场是买方已经拥有的基础设施,尤其是 AWS 账户里的 Amazon Cognito 和 Microsoft-oriented enterprises 里的 Microsoft Entra External ID。现状路径仍包括开源或定制自建,Keycloak 和自托管友好的 FusionAuth 为成本敏感或控制敏感团队提供了可信替代。因此,买方重视一体化企业就绪,胜过最低价格、最深策略模型或套件捆绑时,WorkOS 的胜面最清楚。[CP004, CP024, CP026, CP028, CP029, CP031]
| 竞争对手 | 类别 | 买方重点 | 产品范围线索 | 打包或控制线索 | 对 WorkOS 的主要压力 |
|---|---|---|---|---|---|
| WorkOS | 集成式 B2B 身份栈 | 想快速补齐企业级身份验证的 SaaS 团队 | 身份验证 UI、联邦、组织策略、RBAC | 1M 用户内免费,之后按组织和附加模块计费 | 必须证明打包价值能顶住更便宜的单点工具 |
| Auth0 | 既有 CIAM 套件 | B2B SaaS 和企业客户身份团队 | 多租户、委托管理员、自助 SSO、迁移支持 | 免费 MAU 档,加企业连接和自助 SSO | 买方替换旧身份验证时,既有厂商信用很强 |
| Clerk | 开发者主导的 B2B 身份验证 | 快速上线多租户 SaaS 的产品团队 | 组织、角色、邀请、活跃组织上下文 | 50k 留存用户内免费,付费入门价低 | PLG 和入门体验简化压力 |
| Stytch | API 优先的身份验证和安全平台 | 想掌控 SDK 和 API 的构建者 | 身份验证、授权、安全、欺诈、智能体身份验证 | 公开免费档之后,按用量计费且没有硬断崖 | 更宽的 API 主导安全组合 |
| PropelAuth | B2B 优先的嵌入式身份验证 | 组织模型需求强的企业 SaaS 团队 | 组织、高级 RBAC、SAML、OIDC、SCIM | 免费档宣称不限组织、协作者和 SAML | 激进的 B2B 默认配置和定价压力 |
| Frontegg | CIAM 身份层 | 需要保护多个入口的 SaaS 公司 | CIAM 和企业连接,并叠加智能体 SaaS 话术 | 7,500 用户和 5 个企业连接内免费 | 在 CIAM 加企业联邦上形成直接打包对比 |
| Descope | 客户和智能体身份平台 | 需要客户和业务用户身份旅程的企业 | 客户身份、委托管理员、细粒度访问、可审计性 | 免费和付费 MAU 档 | 更宽的身份旅程叙事压缩 WorkOS 信息优势 |
| FusionAuth | 自托管、控制优先的身份验证 | 受监管或基础设施重的团队 | SSO、MFA、OIDC、任意部署灵活性 | 社区和企业计划,自托管控制 | 当数据本地性或控制比速度更重要时,它就是替代选项 |
| Amazon Cognito | 超大规模云厂商 CIAM | AWS 中心型构建者 | 托管 CIAM、通行密钥、M2M、企业级用户池 | MAU 档,加单独消息和部分联邦成本 | 足够可用的云捆绑默认选项 |
| Microsoft Entra External ID | 套件式外部身份 | Microsoft 中心型企业和 B2B 协作用户 | 外部租户 CIAM 加员工 B2B 协作 | MAU 计费,加 Microsoft 信任和应用邻近性 | 更大的 Microsoft 栈带来采购引力 |
| Permit.io、Cerbos、Keycloak、自建 | 邻近品类和替代品 | 优化策略深度、控制或许可成本的团队 | Authz 控制平面或开源 IAM | 免费社区、开源或自托管经济性 | 可补足也可替代 WorkOS 栈的一部分 |
各行概括截至 2026-05-24 的当前公开信息;私营公司的融资或客户规模披露常常缺失, 因此在精确规模未公开时,用打包和控制线索替代。
[CP004, CP005, CP006, CP008, CP009, CP011]WorkOS 在嵌入式企业就绪上表现不错,但既有厂商和超大规模云厂商在分发能力或控制优势上仍评分更高。
坐标轴是基于当前公开产品、定价和部署界面的 1-10 序数判断,不是内部市场份额数据。
[CP004, CP024, CP026, CP028, CP029, CP030]3.2 直接嵌入式身份平台
在直接平台中,WorkOS 的故事异常连贯:AuthKit 提供嵌入式认证 UI,定价突出 SSO 和 Directory Sync 等企业联合身份基础件,RBAC 则把堆栈延伸到组织范围授权。Auth0 是最大的在位者类比,因为它也向 B2B SaaS 买家兜售 multi-tenancy、委托管理、自助 SSO 和迁移工具;这份宽度让它在替换旧认证层的团队中比从零起步的初创团队更有可信度。Clerk 从市场另一端切入同一任务,围绕组织、活跃组织上下文和更低入口价格走更轻的 PLG。Stytch 走得最远,已从经典登录扩展到更宽的认证、授权、安全和智能体身份叙事;PropelAuth 则靠对 B2B 默认项的强主张和更低包装价格竞争。Frontegg 与 Descope 进一步拓宽战场,主打 CIAM 宽度,并越来越使用智能体或客户旅程语言,缩窄 WorkOS 最初的信息领先。[CP001, CP002, CP003, CP005, CP006, CP008]
| 能力 | WorkOS | Auth0 | Clerk | Stytch | PropelAuth | Frontegg / Descope |
|---|---|---|---|---|---|---|
| 企业联邦和目录工作流 | 定价页显示内置 | 面向 B2B SaaS 内置 | SSO 扩张路径 | 定价话术中提到 B2B 或企业连接 | 与组织模型和自助接入深度绑定 | CIAM 定位显示内置 |
| 多租户 B2B 模型 | 组织范围的身份验证策略和连接模型 | 明确提到多租户 | 组织是一等对象 | 组织级身份验证 API | 组织是一等对象 | 企业客户和 SaaS 入口 |
| 嵌入式身份验证 UI 与用户管理体验 | AuthKit 组件系统 | 引用页面未明确说明 | 嵌入式产品姿态强 | 预构建前端加无头 SDK | B2B 身份验证产品,而非宽 UI 系统 | 工作流或 CIAM 体验层 |
| 内置授权 | 当前 WorkOS 界面显示 RBAC | 明确提到细粒度授权 | 组织内角色和权限 | 平台叙事包含授权 | 包含高级 RBAC | Descope 提到细粒度访问;Frontegg 定位为 CIAM |
| 智能体或 AI 身份线索 | 引用页面未明确说明 | 引用页面未明确说明 | 引用页面未明确说明 | 是,智能体身份验证和 MCP 话术 | 引用页面未明确说明 | 是,智能体 SaaS 或智能体身份话术 |
| 部署和控制灵活性 | 引用材料仅显示托管 | 引用材料仅显示托管 | 引用材料仅显示托管 | 托管 API 和 SDK | 引用材料显示托管产品 | 引用材料显示托管产品 |
| 最佳匹配购买路径 | 集成式企业就绪组合 | 既有企业 CIAM | 低摩擦开发者接入 | API 主导安全平台 | 有明确取舍的 B2B SaaS 默认配置 | 更宽的 CIAM 和身份旅程扩张 |
单元格只使用当前引用页面明确披露的信息;页面看不到的细节,比较保持窄口径, 不假设功能等同。
[CP001, CP002, CP003, CP005, CP008, CP009]在嵌入式企业就绪上,WorkOS 覆盖面较广;相邻玩家通常在控制权、授权深度或智能体身份叙事等单一维度胜出。
标签基于引用的当前页面和证据作出分类判断,不是隐藏产品评分。
[CP003, CP011, CP013, CP019, CP020, CP022]3.3 邻近玩家、替代品与捆绑方案
当买方把身份视为更大平台决策中的一层时,竞争框架会更严苛。Permit.io 和 Cerbos 直接攻击授权层,提供以策略为中心的控制平面,而不是完整认证套件;团队愿意把单独认证服务与更深策略引擎搭配时,它们就会挤压 WorkOS。FusionAuth 和 Keycloak 通过优化控制权、任意部署灵活性和更低许可证支出,重新定义争论;这对受监管部署或已有身份专家的工程团队很重要。AWS Cognito 和 Microsoft Entra External ID 带来另一种压力:它们可能不如 WorkOS 优雅,但背靠更广的平台预算和信任锚点。Cognito 对以 AWS 为中心的团队可能已经够用,尤其是它们重视托管 CIAM、passkeys 和机器到机器认证;Entra External ID 则延伸到许多企业已理解的 Microsoft 协作和外部租户模式。这些套件驱动的默认选项,让 WorkOS 不只是在打功能比较,也在对抗采购重力。[CP015, CP016, CP022, CP023, CP024, CP025]
| 供应商 | 入门线索 | 主要计量口径或计划话术 | 企业增售线索 | 对 WorkOS 的影响 |
|---|---|---|---|---|
| WorkOS | 1M 活跃用户内免费 | 按组织计价,加附加模块 | 企业支持和后续更多模块 | 如果附加率真实,集成组合能支撑支出合理性 |
| Auth0 | 25k MAUs 内免费 | MAUs 加企业连接 | 自助 SSO 和更宽的企业计划动作 | 既有厂商可凭宽度和迁移安心感竞争 |
| Clerk | 50k 留存用户内免费 | 月度入门价低 | 高级 B2B 和企业功能作为扩张路径 | 低端 PLG 定价压力强 |
| Stytch | 免费档设用量阈值 | 按用量计价,无硬断崖 | 安全、欺诈和 B2B 附加模块随用量扩张 | API 主导定价在构建者眼里可能更友好 |
| PropelAuth | 免费档不限组织和 SAML | MAUs 加后续企业功能 | 产品叙事已内置企业级 B2B 接入 | 削弱 B2B 优先需求的高端定价 |
| FusionAuth | 免费和社区导向计划 | 许可和支持档,而非纯 SaaS 计量 | SCIM、支持和企业系统增售 | 自托管路径是买方谈判杠杆 |
| Frontegg | 7,500 用户内免费 | MAUs 加企业连接 | CIAM 规模和企业连接分别变现 | SSO 和 SCIM 打包上的直接对标项 |
| Descope | 永久免费,之后进入 MAU 档 | MAU 打包 | 更大企业用量对应更高档 | 客户身份定价与其他 CIAM 工具保持可比 |
| Amazon Cognito | Lite、Essentials 和 Plus 档 | MAUs 加单独电子邮件、SMS 和部分联邦成本 | 高级安全和更高档增加支出 | AWS 买方可能为更低的捆绑 TCO 接受更粗糙的 UX |
| Permit.io 与 Cerbos | 免费社区或开源线索 | 授权检查或开源控制平面经济性 | 企业支持和托管后续变现 | Authz 可以单独购买,价格也低于完整身份套件 |
公开定价页混用 MAUs、留存用户、企业连接和社区档等不同计量口径,因此比较聚焦打包线索, 不强行拉成虚假的单位经济性横比。
[CP001, CP006, CP010, CP012, CP014, CP016]3.4 切换成本、护城河耐久性与反向视角
采用后,WorkOS 确实有切换成本杠杆,因为用户迁移、组织模型、联合身份连接和权限设计都会进入生产控制平面。客户上线后,这会有帮助,但无法完全解决前瞻护城河风险。最大的反向视角是定价权:多个直接对手公开慷慨免费层或便宜的社区路径,开源和自托管替代品也给买方一条用时间换更低经常性支出的路。第二个反向视角是捆绑。Cognito 和 Entra 不需要做到同类最佳才能赢,只要在已经集中云或协作支出的账户里足够好。第三个反向视角是宽度追赶。WorkOS 不再独占可信企业就绪叙事;邻近厂商正在公开表面增加智能体身份、更广 CIAM 或策略深度。除非 WorkOS 能证明挂载率、授权扩张和输赢动能,否则它的套装可能从差异化楔子漂移为高价便利层。[CP007, CP029, CP030, CP032, CP033, CP034]
| WorkOS 护城河主张 | 反向压力 | 现在为什么重要 | 严重性 | 尽调要求 |
|---|---|---|---|---|
| 集成式企业级身份栈 | 直接平台如今也覆盖重叠的 B2B 广度 | 若对手覆盖足够的认证、组织和 CIAM 范围,打包优势会收窄 | 高 | 衡量现有 SSO 客户中 AuthKit 和 RBAC 的附加率 |
| 企业 SSO 和认证部署能快速落地 | 开源或自托管控制路径仍有可信替代性 | 重视控制权的团队可能愿意多花实施精力,换取更低经常性支出 | 中 | 测试受监管买家选择 FusionAuth 或 Keycloak 而不是 WorkOS 的频率 |
| 内置授权减少栈数量 | Permit.io 和 Cerbos 仍专攻更深的策略控制 | 即便认证被打包,Authz 也可能仍是独立采购中心 | 中 | 收集替代或补充 WorkOS RBAC 的参考架构 |
| 独立聚焦应能保持执行锐度 | AWS 和 Microsoft 可凭采购惯性拿单 | 身份能力常被并入更大的云或协作采购决策 | 高 | 按 AWS 使用重和 Microsoft 使用重的账户切分销售管线 |
| 已安装的身份栈带来粘性 | 迁移工具也说明流失需要付出多少工作量 | 只有 WorkOS 已经上线后,切换成本才会支撑留存 | 中 | 在续约案例中跟踪上线时长和迁移复杂度 |
| 企业就绪品牌领先 | 竞争对手发布的替代方案如今主张,以更低成本也能达到相近就绪度 | 若 WorkOS 看起来只是省事工具而非独特能力,定价权会走弱 | 高 | 收集独立的 2026 年赢单 / 输单证据,而不是依赖厂商对比 |
严重性来自对上述竞争暴露面的分析判断,不是公司披露的指标。
[CP007, CP029, CP030, CP032, CP033, CP034]WorkOS 仍握着一套连贯的企业就绪度组合,但价格压力、套件捆绑和授权专精化都在削弱护城河, 耐久性还谈不上干净可防守。
这些项目是分析型评分卡视角,不是公司披露的 KPI。
[CP029, CP030, CP032, CP033, CP034, CP035]3.5 图表
04财务情况
4.1 收入模型与定价可见度
WorkOS 货币化的是混合基础设施模型,而不是单一 SaaS 席位价格。公开表面从最多 1 million 用户的免费用户管理开始;客户需要 SSO、SCIM、可审计性和相关控制时,再叠加付费企业身份基础设施。官方定价和对比页面把关键商业单位讲得异常清楚:用户管理按 MAUs 扩展,Enterprise SSO 和 Directory Sync 按连接计费;WorkOS 将连接 定义为与一个企业客户的一段关系。这在财务上很重要,因为企业收入更贴近已货币化客户账户数量,而不是下游终端用户总数。 定价表面不止身份连接。WorkOS 还列出日志流、事件留存、验证或滥用检查容量等可货币化附加项;支持计划则打包高级入驻、Slack 支持和 SLA 支撑的响应承诺。这对变现宽度是正面信号,因为 WorkOS 有不止一种方式扩张单账户收入。缺点同样重要:公开标价不等于实际成交价。官方材料没有披露平均合同价值、有效折扣或按 SKU 的挂载率,因此公开定价可见度高于公开收入可见度。[CI001, CI002, CI003, CI004, CI005, CI006]
| 收入来源 | 变现机制 | 计费单位 | 当前价格 / 状态 | 质量 | 尽调要求 |
|---|---|---|---|---|---|
| 用户管理 | 按 MAU 定价的身份与会话层 | 1M 月活跃用户 | 最多 1M 用户免费;每增加 1M 收 $2,500/mo | 标价可见度高;实际收益率可见度低 | 提供付费 MAU 数、超额发生率,以及免费队列转付费的转化率。 |
| 企业 SSO | 按企业 IdP 连接计费 | 连接 / 月 | 标价每连接 $125,自动给予阶梯折扣 | 标价可见度高;实际折扣可见度低 | 提供活跃付费 SSO 连接数、折扣表,以及各层级平均合同额。 |
| 目录同步(SCIM) | 按企业目录连接计费 | 连接 / 月 | 标价每连接 $125,自动给予阶梯折扣 | 标价可见度高;附加率可见度低 | 提供 SCIM 相对 SSO 的附加率、付费连接数和续约画像。 |
| 基础设施附加项 | 日志流、事件留存,以及验证 / 滥用检查 | SIEM 连接 / 事件 / 检查 | 日志流 $125/mo,事件留存每百万事件 $99,前 1,000 次后每 50k 次检查 $100 | 中;标价可见,用量组合未公开 | 提供附加率、月均用量,以及各附加项毛利率。 |
| 高级支持与入职实施 | 引导式迁移、私有 Slack、响应 SLA、客户管理 | 支持套餐 / 合同 | 打包为付费高级支持,但实际定价由销售驱动且未公开 | 低 | 提供支持收入占比、支持团队人数,以及客户 / 支持负载比。 |
各行覆盖官方定价、支持和产品材料中可见的变现面;它们不是 GAAP 收入分部,也不披露实际收入组合。
[CI001, CI002, CI003, CI005, CI006, CI034]| SKU 或合同 | 价格 / 单位 / 合同 | 标价与实际定价 | 折扣 / 未知项 |
|---|---|---|---|
| 用户管理 | 前 1,000,000 MAU 免费;之后每增加 1M MAU 收 $2,500/mo | 公开标价可见 | 未公开付费 MAU 数、免费转付费转化率或企业折扣数据。 |
| 企业 SSO | 每连接每月 $125 | 公开标价可见 | 存在自动阶梯折扣;实际合同额和 101+ 连接定价未公开。 |
| 目录同步(SCIM) | 每连接每月 $125 | 公开标价可见 | 存在阶梯折扣;公开材料未披露 SCIM 附加率或实际净价。 |
| 基础设施附加项 | 日志流 $125/mo;事件留存每百万事件 $99;检查每 50k 次 $100 | 公开标价可见 | 实际附加率、使用强度和利润率影响未公开。 |
| 高级支持 | 联系销售 / 合同驱动 | 公开打包方式可见,实际定价未披露 | 未公开支持 ASP、人员配比或服务利润率。 |
公开定价只是标价快照。由于阶梯折扣、自定义层级和合同打包未披露,不能把它当作实际收益率。
[CI001, CI002, CI003, CI004, CI005, CI006]WorkOS 先靠慷慨免费层拿到开发者采用;企业需求触发后,再用付费连接、附加项和支持变现。
这座桥是定性的:公开证据能看到标价和套餐,却看不到实际产品组合或 SKU 层面的利润率。
[CI001, CI002, CI003, CI005, CI006, CI007]4.2 融资历史、估值推进与公开规模代理
公开融资年表有大致轮廓,尽管更细的股权结构表细节缺失。WorkOS 自己的 Series A 文章称,公司此前已由 Lachy Groom 领投融得 $15M,累计融资 $19M。2022 Series B 公告和 TechCrunch 均佐证 Greenoaks 领投的 $80M 轮次;TechCrunch 称当时总融资已达约 $100M。2026 Series C 公告随后增加一轮 $100M,Fenwick 佐证 Meritech 和 Sapphire 为领投方。合在一起,已披露轮次金额意味着累计融资至少约 $199M。 规模披露也随时间改善,但仍只通过代理呈现。官方材料称 Series A 阶段已有超过 100 个企业就绪应用,Series B 时有超过 200 个付费客户,Series C 时有数千客户以及每月数十亿次 API 请求。估值故事更不完整。WorkOS 披露 Series C 估值为 $2B,但更早的官方轮次文章没有公布中间估值标记。因此,投资人能看到当前估值跃升,却看不到早期和后期私有轮之间的干净路径。[CI008, CI009, CI010, CI011, CI012, CI013]
第三方数据库分歧越大的地方,公开财务区间越宽;WorkOS 自己明确披露过的地方,区间最窄。
这张区间图混合了直接公开事实和低置信度第三方边界,用来标出公开确定性在哪里存在、在哪里断裂。
[CI004, CI015, CI017, CI024, CI025, CI037]4.3 GTM 动作、销售效率代理与成本结构信号
公开记录指向开发者驱动的切入动作,随后扩展到销售辅助的企业变现。WorkOS 送出有分量的用户管理层,通过 AuthKit 推广打磨过的托管登录表面,并在客户需要 SSO、SCIM、可审计性和实施支持等企业身份基础设施时变现。公司自己的企业销售文章明确认为,企业要求现在更早出现在购买周期里;Vercel 案例则展示 WorkOS 如何通过外包非核心企业功能帮助客户拿下高端市场交易。这支持一个可信的 PLG 到企业扩张动作,但没有给出 CAC、payback 或背配额销售指标。 成本结构同样只能通过代理看到。支持计划、引导式入驻、私有 Slack、员工福利和案例措辞都说明,WorkOS 在软件毛利之外还承载了有分量的人员和服务层。公开员工数代理仍弱:TechCrunch 称 2022 年员工 40 人,低置信度数据厂商则集中在 2025 年 88-89 名员工。这些代理对估算服务负载和生产率有方向性帮助,但不足以承保销售效率或毛利率扩张。[CI013, CI024, CI025, CI027, CI028, CI031]
| 指标 | 数值 / 空值 | 置信度 | 为什么重要 | 尽调要求 |
|---|---|---|---|---|
| 公开收入代理指标 | $12.8M(Growjo)至 $30M(GetLatka) | 低 | 收入区间太宽,无法支撑估值或销售效率建模。 | 提供按季度审计的收入 / ARR,并解释与公开数据库的差异。 |
| 公开员工数代理指标 | 2022 年 40 名员工;2025 年估计 88-89 名员工 | 低 | 员工数可框定服务负载和生产率,但当前官方人数缺失。 | 提供当前按职能划分的员工数,以及 Series B 以来的月度历史增长。 |
| 人均收入代理指标 | 人均收入约 $145k(Growjo 估计) | 低 | 若属实,说明生产率低于成熟基础设施同行;若不属实,公开记录会误导判断。 | 用内部真实数据提供每名 FTE 的 ARR,并按职能组拆分,而不是使用数据库估计。 |
| 毛利率 | Null | 低 | 毛利率是判断 WorkOS 更像软件基础设施,还是支持负担较重的混合体的关键测试。 | 提供毛利率桥表,纳入托管、支持,以及任何合作伙伴 / 合规成本分摊。 |
| CAC / 回本周期 | Null | 低 | 没有销售效率指标,公开客户和定价代理指标无法转化为增长质量判断。 | 提供 CAC、CAC 回本周期、销售产能,以及自助式交易与企业协助式交易的渠道组合。 |
| NRR / 流失 / 队列质量 | Null | 低 | 收入质量取决于续约和扩张行为,尤其因为连接数是核心企业计费单位。 | 提供 GRR、NRR、连接队列留存,以及按客户分部拆分的扩张。 |
本表混合了直接公开事实和明确空值;空值表示没有公开的承销级指标。数据库估计仅作为低置信度代理指标处理。
[CI024, CI025, CI027, CI028, CI036, CI037]公开记录暴露了需求信号和标价,但到 CAC、利润率和留存可量化之前,能见度就断了。
这座桥有意停在公开证据停住的地方。它用于标出承销断点,而不是模拟真实经济性。
[CI024, CI027, CI028, CI029, CI032, CI033]4.4 资本充足性与公开证据边界
公开披露的股权融资金额很大,这是资本充足性故事中最强的一环。WorkOS 明确表示 Series B 后拥有多年现金跑道,Series C 又增加 $100M,用于资助安全可靠的智能体软件能力。仅看融资标题数字,足以判断公司并不明显缺钱。但融资标题数字不等于现金承保包。已审阅来源没有披露手头现金、月度烧钱、烧钱倍数、营运资本状况、资本开支负担或董事会层面的融资计划。 备案记录也凸显不透明。WorkOS 法人实体可识别为 WorkOS, Inc.,但针对该精确名称的 EDGAR 全文搜索返回零结果,没有公开 SEC 轨迹可验证证券类型、任何风险债或准确发行人历史。这并不证明公司没有其他融资工具;它只说明公开 SEC 搜索没有提供该证据。因此,资本故事因公司反复融资而方向性正面,但用于尽调现金充足性和融资依赖时仍不完整。[CI014, CI020, CI021, CI022, CI036, CI038]
| 指标 | 公开数值 / 状态 | 置信度 | 为什么重要 | 尽调要求 |
|---|---|---|---|---|
| 已披露累计股权融资 | 由 Series A 公告中的 $19M 累计融资、$80M Series B 和 $100M Series C 推算,约 $199M | 中 | 这是目前最清晰的公开资本缓冲。 | 确认完整轮次时间线、发行主体,以及是否有任何过渡融资工具位于公开叙事之外。 |
| 手头现金 | Null | 低 | 融资标题不等于当前流动性。 | 提供当前现金、受限现金和最低运营现金阈值。 |
| 月度烧钱额和烧钱倍数 | Null | 低 | 没有真实烧钱额,就无法承销现金跑道。 | 提供 12 个月月度烧钱额、净新增 ARR 和烧钱倍数历史。 |
| 现金跑道月数 | Series B 称有“多年现金跑道”;当前现金跑道未披露 | 低 | 资本充足性取决于剩余现金跑道,而不是历史融资额本身。 | 提供基准、下行和扩招情景下的当前现金跑道模型。 |
| 资金用途 / 下一轮触发条件 | Series C 投向安全可靠的智能体软件;下一轮触发条件未披露 | 中 | 资金用途显示增长优先级,下一轮触发条件则揭示融资依赖度。 | 提供董事会材料,覆盖计划现金投放、盈亏平衡时间表和预期下一次融资里程碑。 |
| 债务或公开备案痕迹 | 已审阅来源未发现债务融资工具;EDGAR 搜索“WorkOS, Inc.”返回 0 条结果 | 中 | 公开叙事看起来主要由股权融资支撑,但私人信贷情况仍是缺口。 | 提供债务明细表、SAFE / 票据摘要,以及涵盖历史融资轮次的任何 Form D 或律师备忘录。 |
本表区分公开记录明确显示的内容和未显示的内容。这里的空值是真实尽调阻碍,不是格式空白。
[CI008, CI010, CI014, CI015, CI016, CI020]收入套餐可见,但成本和现金能见度仍很低,仅凭公开证据还无法承销 WorkOS。
这个矩阵是合成分析,目的是把定价和融资能见度,与真实经营经济性的能见度拆开。
[CI028, CI035, CI036, CI038, CI041, CI045]4.5 财务判断与尽调卡点
正面案例很直接。WorkOS 有宽广的企业身份变现表面、异常清楚的公开标价、可信具名客户,以及穿透 Series C 的清晰融资跃升。这些事实支持一个判断:需求质量真实,WorkOS 正在搭建严肃的类别平台,而不是单点功能。公司也像是在产品扩张前融资,而非困境中融资,因此降低了近端融资焦虑。 负面案例使本章无法给出干净承保结论。公开数据没有披露经审计收入、ARR、毛利率、客户集中度、NRR、CAC、回本周期、烧钱 或当前现金。第三方收入估计从 $12.8M 到 $30M 互相冲突,且一家数据厂商一边声称 WorkOS 是 bootstrapped,一边无视公司自己的融资披露。这些不是小缺口;它们是判断收入质量、效率和现金跑道的核心输入。因此,财务判断在商业动能和资本可得性上为正,但在已兑现经济性上不完整。任何投资流程都应把管理层私人财务包视为必需项,而不是可选项。[CI026, CI029, CI030, CI036, CI037, CI041]
| 缺失的私有指标 | 对承销判断的影响 | 具体尽调路径 |
|---|---|---|
| 经审计收入 / ARR | 公开数据库互相冲突,因此估值、增长和生产率无法用外部数据锚定。 | 要求提供经审计年度收入、当前 ARR,以及从预订收入到确认收入的季度桥表。 |
| 毛利率和服务成本 | 缺少托管、支持和合规成本细节,利润率路径无法判断。 | 要求按产品线和客户支持层级提供毛利率桥表。 |
| 现金、烧钱额和现金跑道 | 只看融资标题,无法判断资本充足性。 | 要求提供 12 个月月度现金流量表、当前资产负债表和董事会现金跑道模型。 |
| NRR、流失和连接队列数据 | 收入质量取决于企业账户在初次采用 SSO / SCIM 后是否续约并扩张。 | 要求提供按连接划分的队列留存、按分部划分的 GRR / NRR,以及 logo 流失历史。 |
| 实际折扣表和合同额 | 标价可见,但企业端实际收益率不可见。 | 要求提供代表性 MSA / 订单表,以及按连接层级划分的有效净价分布。 |
| 客户集中度和支持负担 | 已命名 logo 不披露收入集中度,也看不出支持负担重的账户是否稀释利润率。 | 要求提供前 20 大账户集中度、支持工单负载,以及每个高级支持客户消耗的工时。 |
上述指标是实际投资承销中价值最高的缺口;已审阅公开记录并未给出,而不只是难找。
[CI022, CI036, CI037, CI038, CI041, CI045]05产品与技术
5.1 企业身份产品表面
WorkOS 最适合理解为企业就绪套装,而不是单一登录组件。当前公开表面横跨 Enterprise SSO、Directory Sync、User Management、AuthKit、MFA、Audit Logs、Admin Portal 和较新的细粒度授权。关键架构选择在于,WorkOS 不试图成为客户完整应用数据层:SSO 文档把产品定义为认证中间件;用户管理页面反复要求团队通过 Events API 保持自己的用户表更新;AuthKit 既可作为托管 UI,也可作为无头 API 使用。这让初创公司能更快拿到企业登录和用户预配,而无需完全外包核心产品模型。套件也明确具备组织感知特征:用户可通过成员关系属于组织,JIT provisioning 可基于已验证域名把人挂到组织,Admin Portal 流程给 IT 团队一条面向客户的设置路径,而不是由工程主导入驻。[CE001, CE002, CE003, CE005, CE006, CE007]
| 模块 | 核心用户 | 当前范围 | 差异化 | 关键尽调缺口 |
|---|---|---|---|---|
| 企业 SSO | 产品工程师;企业 IT | 通过一个 API 抽象 SAML 和 OIDC,并支持 20+ IdP | 团队可保留自己的认证栈和数据库,同时加入企业登录 | 未公开按 IdP 拆分的成功率、SLA 或证书续期自动化指标 |
| 目录同步 | IT 管理员;预配流水线 | SCIM 风格的预配、退配、群组和标准化目录数据 | 一次集成覆盖多种目录和 HRIS 来源 | 未公开用量、吞吐量或大型租户基准数据 |
| 用户管理 / AuthKit | 应用团队;终端用户 | 托管或无头认证,涵盖邮箱 / 密码、社交登录、SSO、Magic Auth、会话和组织策略 | 把企业认证接到应用原生登录上,并让应用数据库继续作为主记录系统 | 公开定价和深层 token / 会话限制仅部分公开 |
| MFA | 重视安全的应用团队 | 一个 API 统一 TOTP 和 SMS 因子;AuthKit 文档描述了对非 SSO 用户强制使用认证器应用 | 无需单独 MFA 厂商即可增强认证 | 当前公开文档未显示 WorkOS 可对 SSO 单独强制 MFA |
| 管理门户 | 客户 IT 联系人 | 域验证、SSO、目录同步、审计 / 日志流意图的自助设置 | 把 IdP 专属设置迁入托管流程,减少入职实施人力 | 每个组织一个连接的约束,可能限制复杂租户设置 |
| 审计日志 | 合规和平台团队 | 组织范围事件捕获、日志流、留存附加项 | 跨 SDK 复用的模式和元数据模型 | 公开文档未披露存储架构或长期不可变保证 |
| 细粒度授权 | B2B SaaS 产品团队 | 在现有 RBAC 之上叠加资源范围角色和权限 | 从组织级 RBAC 走向层级授权的渐进路径 | 多项高价值功能仍标记为即将推出 |
| 组织 + 成员关系 | 多租户应用构建者 | 不限数量的组织、灵活工作区模型、生命周期状态、JIT 成员资格 | 提供一个在认证和管理界面之间共享的一致租户对象 | 公开文档未量化组织 / 成员规模上限 |
各行综合 WorkOS 产品页面和技术文档;缺口指出公开未说明的信息,而不是实现缺陷。
[CE001, CE002, CE005, CE007, CE010, CE012]| 用户任务 | 当前工作流 | WorkOS 方案 | 可衡量收益 | 限制 |
|---|---|---|---|---|
| 向要求 SSO 的企业销售 | 在现有认证栈中加入 SAML 或 OIDC 登录 | 独立 SSO API 或 AuthKit SSO | 一次集成,替代按 IdP 定制流程 | 客户应用仍须验证组织上下文,并掌握自己的用户记录 |
| 自动化员工预配 | 从目录或 HRIS 接收入职、变更和离职事件 | 通过 webhook 或 Events API 使用目录同步 | 去掉手工用户生命周期操作,减少状态漂移 | 客户仍负责下游对账和吞吐韧性 |
| 快速上线应用认证 | 提供品牌化登录、会话和组织感知策略 | AuthKit 托管 UI 或用户管理 API | 从基础认证走向企业级认证的最快路径 | 框架专属设置和 cookie 规则仍然重要 |
| 让 IT 联系人自助配置 | 将 SSO 或目录入职交给客户管理员 | 来自仪表盘或 API 的管理门户链接 | 减少高接触入职实施,并保持提供商文档更新 | 门户范围按组织划定,连接模型约束较强 |
| 建模粗粒度和细粒度授权 | 先从组织角色开始,再加入资源级检查 | RBAC 加 FGA Authorization API | 无需完整数据迁移的渐进路径 | FGA 路线图仍有部分企业诉求待交付 |
| 满足合规日志需求 | 捕获登录或管理操作,并转发到 SIEM | 审计日志 + 日志流 | 跨 SDK 标准化事件模型 | 留存和流目标已产品化为附加项 |
收益和限制单元格概括了文档所称当前已产品化的内容,以及客户仍需自己处理的实现细节。
[CE003, CE006, CE008, CE017, CE023, CE026]企业上线通常从 IT 联系人在 Admin Portal 配置 SSO 或 Directory Sync 开始,再流向终端用户认证、成员分配和应用侧状态同步。
[CE005, CE007, CE014, CE017, CE023, CE024]5.2 控制平面与授权模型
底层看,WorkOS 不只是协议抽象,而是一个共享控制平面,把来自 IdPs、目录和应用认证事件的输入标准化。SSO 接受 SAML 或 OIDC,但暴露的是类似 OAuth 的发起和回调流程,并带有组织感知重定向处理。Directory Sync 与这条路径并行,摄入目录和 HRIS 变更,标准化用户和组,再通过 webhooks 或 Events API 回传。组织成员关系随后成为从身份到授权的桥。基础 RBAC 围绕环境和成员关系展开,包含默认角色、可选多角色模式,以及来自 SSO 或 SCIM 来源的组到角色映射。FGA 把该模型从组织范围权限延伸到 workspaces、projects、apps 等资源树。公开文档把这定位为渐进采用,而不是全面重写:组织范围角色可留在令牌里做快速检查,资源范围决策则迁移到 Authorization API。[CE004, CE015, CE016, CE017, CE018, CE019]
| 层级 | 作用 | 接口 | 依赖 | 风险 |
|---|---|---|---|---|
| 托管认证界面 | 呈现登录、密码、MFA、社交登录和 SSO 流程 | AuthKit 托管 UI,或基于 API 的应用自有 UI | WorkOS 仪表盘配置、重定向 URI、会话 cookie | 框架设置错误可能破坏回调或 cookie |
| SSO 控制平面 | 承接 SAML 或 OIDC IdP 认证 | 授权 URL 生成、回调交换、组织感知重定向 | 企业 IdP 和重定向配置 | 租户验证错误或 IdP 专属边缘场景可能在运行时暴露 |
| 目录同步控制平面 | 标准化目录、群组和用户 | SDK、webhook 与 Events API | 目录提供商和 HRIS 系统 | 下游仍需处理突发或碎片化的 SCIM 行为 |
| 授权层 | 映射成员关系、角色、权限和 FGA 资源 | 仪表盘配置、JWT 声明、Authorization API | 组织成员关系图和应用资源模型 | 多角色会放大 JWT,FGA 仍有路线图缺口 |
| 操作事件层 | 发出审计事件和生命周期更新 | Audit Logs API、webhook、日志流 | 客户 webhook 端点和 SIEM 目的地 | 投递可能乱序或重复,消费者必须具备幂等性 |
| 本地部署变体 | 支持连网本地部署安装 | 每个客户使用独立 WorkOS 环境和 API key | 防火墙、HTTPS 入站和出站、可选隧道 | 物理隔离客户需要定制打包或替代模式 |
架构行只反映文档公开描述的控制平面模型,并不是对 WorkOS 内部基础设施的深度拆解。
[CE004, CE006, CE017, CE020, CE027, CE028]WorkOS 把面向客户的认证表面叠在共享身份控制平面、运营事件和企业系统集成之上,同时让客户继续持有应用数据。
[CE003, CE006, CE020, CE026, CE029, CE035]WorkOS 依赖外部身份和目录系统、客户自有 webhook 消费者,以及互联网络部署假设;相比 API 表面,这些依赖更能决定实施风险。
[CE027, CE028, CE029, CE030, CE043, CE046]5.3 安全、部署与可靠性姿态
WorkOS 暴露出多个地方:集成质量比营销文案更重要。MFA 不只是打勾项;公开 MFA 产品页描述一个 API 后面的 TOTP 和 SMS 因素,而 AuthKit 文档把当前已记录的强制流程行为收窄到使用认证器应用的非 SSO 用户。Webhooks 也很有主张:端点必须是 HTTPS POST 处理器,用 WorkOS-Signature header 签名,并能容忍重复或乱序投递。生产重试可以拉长到三天,这有利于韧性,但也把幂等性和重放处理推回给集成方。对于自托管客户,WorkOS 可在类似云的联网部署中工作,但本地部署指南仍要求每个客户单独环境和 API keys、firewall 与 callback 规划,并为真正气隙安装提供定制包。安全姿态在清单层面可信——SOC 2 Type 2、GDPR/CCPA、年度渗透测试、外部代码审计,以及企业计划的 HIPAA BAAs——但公开安全页没有给出密钥管理归属、数据驻留选项或已发布恢复目标等深层架构细节。[CE010, CE011, CE027, CE028, CE029, CE030]
| 控制项 | 状态 | 范围 | 证据 | 缺口 |
|---|---|---|---|---|
| SOC 2 Type 2 | 公开披露 | 公司整体安全态势 | 安全页面 | 未公开控制矩阵或纳入范围的服务拆分 |
| GDPR 和 CCPA | 公开披露 | 隐私 / 合规 | 安全 FAQ | 公开页面未细化数据驻留或删除 SLA |
| HIPAA BAA | 企业套餐可用 | 医疗健康客户 | 安全 FAQ | 未公开 PHI 边界设计实施指南 |
| 年度渗透测试和外部代码审计 | 公开披露 | 应用与代码库审查 | 安全页面 | 除年度测试外,未公开整改摘要或节奏细节 |
| Webhook 签名验证 | 文档已说明 | 入站事件真实性 | Webhook 文档 | 客户仍需存储密钥、校验时间戳,并实现幂等 |
| 本地部署指引 | 连网本地部署已有文档 | 企业部署模式 | 本地部署文档 | 物理隔离架构仍是公开尽调缺口 |
该表只捕捉 WorkOS 公开披露的内容,不覆盖其私有 Trust Center 或面向客户的定制安全材料里可能存在的信息。
[CE027, CE028, CE029, CE031, CE032]5.4 开发者体验、生态与路线图
开发者体验是 WorkOS 最清楚的优势之一,但并非零摩擦。文档和代码库显示 SDK 足迹很宽,覆盖 Node、Next.js/AuthKit、Go、PHP、.NET 和官方 Postman 资源;Node README 现在也暴露面向移动端和 CLI 用例的 public-client PKCE flows。Next.js helper 不只是薄 SDK 封装,而是内置 session middleware 或 proxy behavior、加密 cookies 和 callback helpers,应该能加速从零开发的 App Router 应用。代价是团队仍继承框架特定坑,例如 cookie configuration、callback routing 和 middleware matcher edge cases。公开包表面也显示活跃维护:Packagist 报告 PHP SDK 有数百万安装,NuGet 显示 WorkOS.net 在 2026 年仍有更新节奏。外部社区证据更薄且更混杂:创始人主导的 Show HN 发布表明有一些自然关注,但公开 Stack Overflow 足迹很小,并凸显仍落在实施方身上的边缘案例调试——redirect semantics 和 invalid role slugs。FGA 自己的文档也把几个重要能力留在即将推出状态。[CE034, CE035, CE036, CE037, CE038, CE039]
| 日期或阶段 | 功能或里程碑 | 状态 | 含义 | 来源 |
|---|---|---|---|---|
| 2023-12-29 回顾 | 推出 AuthKit 和 User Management | 已发布 | WorkOS 从企业协议工具扩展到完整应用认证层 | 2023 产品更新回顾 |
| 2023-12-29 回顾 | Events API 和 Directory Events 视图 | 已发布 | 为应用同步状态提供 webhooks 之外的替代或补充路径 | 2023 产品更新回顾 |
| 2023-12-29 回顾 | Admin Portal 邀请邮件、简化的设置链接和沙盒品牌 | 已发布 | 提升企业自助接入体验 | 2023 产品更新回顾 |
| 2023-12-29 回顾 | SSO、Directory Sync 和 Audit Logs 可用性 99.99% | 公司披露的可靠性里程碑 | 释放运营成熟信号,但不是完整公开 SLA 包 | 2023 产品更新回顾 |
| 当前文档 | FGA p95 访问检查低于 50ms,且具备强一致性 | 当前能力已有文档 | FGA 定位偏生产落地,而非停留在概念层 | FGA 文档 |
| 当前文档(即将推出) | FGA 用户组、子资源 IdP 映射、权限覆盖、边缘缓存 | 路线图 / 尚未完全发布 | 授权能力面仍在扩张 | FGA 文档 |
| 2026-05-11 | WorkOS.net 4.0.1 包更新 | 近期 SDK 发布 | 2026 年仍在维护 SDK 的证据 | NuGet WorkOS.net 包 |
发布历史主要锚定 WorkOS 自己的 2023 回顾、当前 FGA 文档和一次 2026 年 NuGet 包更新;公开的 2024–2026 变更日志链条并不完整。
[CE021, CE022, CE033, CE034, CE041]从公开信息看,WorkOS 目前最强的是企业身份和上线基础件;授权有吸引力,但几项关键能力仍标着即将推出, 因此仍是披露最不完整的表面。
矩阵评级是对公开文档和生态信号的分析性摘要,不是 WorkOS 自己的产品评分。
[CE001, CE018, CE021, CE022, CE023, CE035]5.5 图表
06客户情况
6.1 客户分层与买方-使用者-付款方图谱
公开证据显示,WorkOS 主要卖给正在向更大企业账户上探的软件公司,而不是卖给终端企业、让其直接为内部使用采购身份基础设施。留存证据集横跨 AI 应用厂商、开发者工具、Web 平台、招聘和工作流产品、医疗协同、气候 API、合规软件和事件管理厂商。在这些故事里,经济买方通常是产品、平台或工程负责人,他们想解锁企业收入,又不想把工程师分流到非核心身份自建;实施使用者是客户自己的工程团队;下游运营使用者是通过 WorkOS Admin Portal 配置 SSO 或 SCIM 的企业 IT 管理员。Vercel、Webflow、Netlify、Warp、Perplexity、OpenAI、incident.io 和 Drata 的客户侧企业页面也强化了这种匹配:WorkOS 最可见的地方,是客户自己也向买家营销企业安全、治理和用户生命周期控制。[CU001, CU003, CU004, CU005, CU009, CU034]
| 客户分层 | 代表客户 | 买方 / 用户 / 付费方 | WorkOS 主要用例 | 战略价值 | 缺口 |
|---|---|---|---|---|---|
| AI 模型与应用厂商 | OpenAI、Cursor、Perplexity、AI21 Labs、Copy.ai 等客户 | 买方:CTO / 产品 / 平台;用户:工程师;付费方:产品或企业 GTM 负责人 | 为 AI 产品补上 SSO、SCIM 或用户管理 | AI 标杆 logo 可见度高,且很契合企业级就绪需求 | OpenAI / Cursor / Perplexity 的证据比长篇案例研究薄 |
| 开发者与基础设施平台 | Vercel、Warp、Netlify、Chromatic、incident.io、Prefect 等客户 | 买方:平台 / 安全负责人;用户:工程师和 IT 管理员;付费方:平台 / 产品预算 | 不重建核心技术栈也能交付企业级认证 | 最契合的分层:身份能力是刚需,但不是差异化来源 | 未披露分层 ARR 或席位数 |
| Web 体验与协作平台 | Webflow、Hopin | 买方:企业功能团队;用户:开发者和客户 IT;付费方:企业产品线 | 拿下要求 SSO / SCIM 的更大品牌客户 | 企业功能缺口与成交转化直接挂钩 | 公开证据仍由供应商撰写 |
| 医疗健康与受监管工作流软件 | Hypercare、Indeed | 买方:CTO / 产品;用户:工程和管理团队;付费方:企业增长负责人 | 安全地开通和取消大规模用户 | 证明 WorkOS 能服务工作流对合规敏感的买方 | 医院 / 雇主收入集中度未公开 |
| 气候、活动与垂直企业 SaaS | Patch、Drata | 买方:创始人 / 安全 / 产品;用户:开发者;付费方:企业扩张预算 | 快速打通采购和信任要求 | 有助于证明 WorkOS 在小公司规模也能成为关键能力 | 公开量化结果只有少数 |
| 第三方技术栈代理信号 | Webflow、Warp、Prefect,经 Apps Run The World | 外部研究视角 | 至少部分安装基数获得独立确认 | 为 logo 集合补上非 WorkOS 的佐证 | 方法论和覆盖范围不够透明,无法用于硬计数 |
各行概括公开可见的客户证据,而不是完整安装基数普查;买方 / 用户 / 付费方角色基于保留案例研究综合判断。
[CU001, CU003, CU004, CU009, CU035, CU038]公开案例研究显示了一条一致路径:企业交易阻塞点出现,随后 SSO 上线、自助上线,再到后续产品扩张。
[CU004, CU005, CU006, CU007, CU008, CU029]6.2 具名客户证明与部署结果
最高质量公开证明来自 WorkOS 撰写的案例研究:它们引用客户运营者,并描述 WorkOS 之前的具体瓶颈、部署路径,以及业务或工程结果。Vercel 把 WorkOS 和拿下更大企业账户、从内部 SSO 路径迁移到 SSO、Directory Sync、Admin Portal 联系起来。Webflow 称缺少 SCIM 会让交易流失,一名工程师在不到几周内加上 Directory Sync。Indeed 描述替换 Auth0,因为手工入驻需要数小时工程支持;Warp 称它保留 Firebase,仍快速交付企业 SSO。AI21 Labs 在数天内实施;Copy.ai、Chromatic、Hypercare 和 Hopin 各自描述大约两周实施窗口;Patch 称一天集成解锁 $1 million 企业 GMV。相比之下,OpenAI、Cursor、Perplexity、Drata 和 incident.io 在 WorkOS 客户表面上有公开佐证,但留存证明更薄,更多依赖简短引用,而不是完整部署叙事。[CU002, CU010, CU011, CU012, CU013, CU014]
| 指标 | 数值 | 日期 | 来源 | 置信度 | 含义 | 缺失分母 |
|---|---|---|---|---|---|---|
| 保留的具名详细案例研究 | 11 | 2026-05-24 | 本轮审阅的 WorkOS 案例研究 | 高 | WorkOS 有真实生产环境背书,不只是 logo | 占全部客户比例未知 |
| 披露最快部署 | 1 天 | 历史 | Patch 案例研究 | 高 | 紧急企业采购卡点能很快移除 | 1 天案例可能不具代表性 |
| 公开案例中的常见部署窗口 | 数天到 <2 周 | 历史 | AI21 Labs、Copy.ai、Chromatic、Hypercare、Hopin 等客户 | 高 | 精简产品团队的实施负担看起来较低 | 营销筛选样本 |
| 明确的多产品扩展案例 | 6 | 2026-05-24 | Vercel、Webflow、Indeed、Copy.ai、Hypercare、Chromatic 等客户 | 中 | 初始 SSO 之后的先落地再扩张看起来真实 | 全量客户中的附加率未披露 |
| 独立评价量 | 15 条 G2 评价;13 条 Product Hunt 评价 | 2026-05-24 | G2 和 Product Hunt | 中 | 除供应商故事外,还有一些第三方用户验证 | 评价基数仍小 |
| 第三方安装基数代理信号 | 589 家检测到的公司;66 个即将续约 | 2026-05-24 | Bloomberry DNS 遥测 | 低 | 安装基数可能已达数百家 | 方法论不透明,且未经公司确认 |
该表跟踪公开证据信号,而不是经审计收入或客户数;低置信度代理行已明确标注。
[CU026, CU028, CU037, CU039]| 客户 | 分层 | 部署 / 用例 | 生产环境 vs 试点 | 结果 | 限制 |
|---|---|---|---|---|---|
| Vercel | 开发者平台 | SSO、目录同步、Admin Portal | 生产环境并已扩展 | 帮助拿下更大的企业客户,并把接入体验打磨得更顺 | 供应商撰写的案例研究 |
| Webflow | Web 体验平台 | 先 SSO,后 Directory Sync | 生产环境并已扩展 | SCIM 是硬性要求;1 名工程师在不到几周内交付 | 未披露合同规模或续约数据 |
| Indeed | 招聘市场 | 大规模 SSO 接入,计划上线 SCIM | 生产环境 | 用自助门户流程替代 Auth0 驱动的人工接入 | 未公开支出数据 |
| Warp | 开发者工具 | 在 Firebase 上叠加 SSO | 生产环境 | 不替换核心认证栈,也快速交付企业 SSO | 早期客户背景 |
| AI21 Labs | 企业 AI | 企业 SSO | 生产环境 | 企业客户要求 SSO 后,数天内落地 | 公开证据仍只有一篇案例研究 |
| Copy.ai | GTM AI 平台 | SSO、目录同步、用户管理 | 生产环境并已扩展 | 不到 2 周上线,并迁移数十万活跃用户 | 仍是供应商撰写的证据 |
| Hypercare | 医疗协同 | 先 Directory Sync,后更广泛整合 | 生产环境并已扩展 | 面向数千用户的医院客户,2 周部署 SCIM | 收入影响未公开 |
| Patch | 气候 API 平台 | 企业 SSO | 生产环境 | 1 天集成打通了 $1 million 的企业 GMV | 结果绑定在狭窄销售场景 |
| Hopin | 虚拟活动平台 | SSO,后续支持 Admin Portal | 生产环境 | 与客户测试 2 周,节省 2 个月工程时间 | 历史案例研究 |
各行突出保留资料中最强的公开证据。OpenAI、Cursor、Perplexity、Drata 和 incident.io 也出现在 WorkOS 的公开客户页面,但保留证据比上方行更薄。
[CU002, CU010, CU012, CU015, CU017, CU018]这是公开证据漏斗,不是客户总量:它跟踪留存参考样本中,有多少进入证据集里的各个成熟阶段。
计数来自本次运行保留的公开证据样本,而不是 WorkOS 内部遥测。
[CU001, CU026, CU028, CU029, CU037, CU039]证据质量最高的,是 WorkOS 仍有当前案例研究且给出量化结果或多产品扩张的客户; 证据最弱的,仍停留在客户名单或引语层面。
[CU002, CU030, CU032, CU037, CU038]6.3 扩张、重复使用与耐久性代理
公开证据在扩张触发点上强于正式留存指标。Vercel、Webflow、Indeed、Hypercare、Chromatic、Copy.ai 和 Warp 的案例中,WorkOS 常以 SSO 落地,随后随着客户自己的企业业务成熟,扩展到 Directory Sync、Admin Portal、Audit Logs 或更广用户管理工作流。反复出现的价值楔子不只是协议覆盖,而是运营杠杆:自助 IT 入驻、更轻松的取消预配、更少手工支持,以及更少维护脆弱定制 SAML 或 SCIM 基础设施的需求。G2 和 Product Hunt 上的独立评论大体佐证了这一模式,称赞文档、支持和速度,同时把 WorkOS 描述为让工程时间回到差异化产品工作的一种方式。不过,公开耐久性证据仍主要是定性的。WorkOS 不公布 NRR、GRR、流失、续约日程或产品挂载率,因此最强留存读数是:部分客户在初始 SSO 采用后公开扩大了产品范围,而不是存在硬续约数据。[CU006, CU007, CU008, CU021, CU028, CU029]
| 指标 | 数值 | 分层 | 置信度 | 尽调问题 |
|---|---|---|---|---|
| 净收入留存率(NRR) | 全部客户 | 低 | 要求提供过去 8 个季度按产品、按队列拆分的 NRR | |
| 总收入留存率(GRR) / 流失 | 全部客户 | 低 | 要求提供流失、logo 留存和前 20 大客户续约时间表 | |
| 扩张代理信号 | 多个公开案例显示 SSO -> Directory Sync / Admin Portal / User Management | 企业软件客户 | 中 | 提供按产品拆分的附加率和扩张收入结构 |
| 评价情绪代理信号 | 实施 / 支持反馈多为正面,但价格和功能有保留意见 | G2 和 Product Hunt 上的评价用户 | 中 | 按产品线和公司规模拆分评价分数 |
| 运营韧性代理信号 | Dashboard / Admin Portal UI 事件在 2026-05-22 当天解决 | 托管接入界面 | 中 | 提供事故历史、SLA 达成情况和客户沟通数据 |
| 合同期限 / 多年期证据 | 全部客户 | 低 | 要求提供合同期限中位数,以及多年期承诺占 ARR 的 % |
空值表示保留来源未公开,并不代表为零。由于正式留存指标缺失,表中纳入定性代理信号。
[CU007, CU008, CU028, CU029, CU030, CU031]示意性的公开证据耐久性代理指标。这些百分比估计的是正面客户证据随时间仍可见的比例, 不是实际付费留存。
队列数值是基于当前案例研究、评论和扩张提及的证据能见度代理指标,不应解读为 NRR 或 logo 留存。
[CU028, CU030, CU031, CU033, CU036]6.4 集中度、披露缺口与反向证据
客户质量看起来强,但投资人想要的硬承保数据仍披露稀疏。公开证据集集中在 VC 支持的软件和基础设施厂商;Hypercare 是留存集合中最清楚的受监管例外,客户级收入集中度和分层组合未披露。官方材料没有提供客户数、头部客户敞口、续约率或流失。第三方代理填补了一部分真空,但不等同于经审计公司披露:Apps Run The World 独立列出少数 WorkOS 客户;Bloomberry 声称通过 DNS 遥测检测到数百个安装,但方法过于不透明,不能重度依赖。评论也暴露价格传导、session management 缺口和少数功能限制。运营上,May 22, 2026 状态事故显示,即便底层认证和数据未受影响,Dashboard/Admin Portal UI 问题仍可能拖累许多客户依赖的关键入驻表面。[CU031, CU033, CU036, CU038, CU039, CU040]
| 扩张驱动 / 集中度风险 | 证据 | 影响 | 尽调路径 |
|---|---|---|---|
| SSO 到 SCIM 增购 | Webflow、Vercel、Copy.ai、Chromatic、Hypercare、Indeed 均提到生命周期管理扩张 | 支撑先落地再扩张打法 | 要求提供按产品拆分的附加率和毛利率 |
| Admin Portal 接入切入点 | Vercel、Indeed、Warp、Hypercare、Patch 反复称 Admin Portal 自助且顺滑 | 降低支持负担,并可能提升转化 | 询问 Admin Portal 在付费客户中的渗透率 |
| 软件行业集中度 | 具名证据最集中在 AI、开发者工具、Web 基础设施和工作流 SaaS | 收入可能与单一创投 / 软件周期相关 | 要求提供按行业和客户成熟度分层的 ARR |
| 标杆 AI logo 证据偏薄 | OpenAI、Cursor、Perplexity、Drata 和 incident.io 是公开背书,但文档深度较浅 | 更难判断生产环境深度和合同价值 | 要求为头部 AI logo 安排客户访谈或提供部署确认函 |
| 定价传导风险 | G2 评价称,即便实施体验强,低价档也可能难以证明 WorkOS 的花费合理 | 可能限制较小 SaaS 客户采用 | 要求提供按客户规模拆分的总留存和降级数据 |
| 对托管界面的运营依赖 | 2026-05-22 状态页事件影响 Dashboard/Admin Portal UI | 即便认证核心保持健康,也可能短期打断入驻流程 | 索取 SLA 罚则、事件频率和 IT 管理员使用指标 |
本表同时列出上行扩张抓手、集中度和执行风险,因为公开材料对业务动作的支撑强于对经审计留存数据的支撑。
[CU008, CU029, CU031, CU033, CU036, CU037]6.5 图表
07风险
7.1 监管、合同与合规风险
WorkOS 是处理方,也是身份中间件厂商,下行风险不是由某个单一行业监管方决定,而是由隐私法、采购控制和客户合同预期叠加而成。公开 DPA 相对成熟:它承认子处理方、跨境传输、安全事件通知、DPIA 支持,以及数据保护法要求时客户提出异议的权利。这个基线是加分项,但也说明公司正落在 GDPR Article 28 式处理方义务内;每一次企业部署,都要正确管理子处理方变更、传输机制和控制方指令。 公开风险在于,WorkOS 只展示了部分合同栈,真正的客户文件仍在门后。网站条款依据 California 法律排除不中断可用性的承诺,并把网站使用责任上限压到 $100;生产 SLA 则放在另一份仅面向企业客户的文件里。SLA 范围很窄:只覆盖企业层级生产环境服务,排除 staging、alpha、beta、preview 及其他非 GA 使用。对基础设施厂商来说,这在商业上合理,但也意味着,投资者仍需看到实际 MSA、DPA 附件、审计权语言和赔偿条款,才能假设下行已经封顶。如果企业客户要求超出公开文件的数据驻留或审计权,WorkOS 可能需要给出定制让步,进而挤压利润率或拖慢销售周期。 合规姿态方向上较强。WorkOS 公开营销 SOC 2 Type 2、GDPR 和 CCPA 合规、年度第三方渗透测试、外部代码审计,以及企业计划的 HIPAA BAA;其 Trust Center 称 SOC 报告、渗透测试材料和子处理方都集中在那里。剩余暴露不是缺少徽章,而是新鲜度和范围问题:WorkOS 从 SSO 和 SCIM 扩到 passkeys、权限、功能开关、滥用检测以及 MCP 相关暴露面后,企业采购团队会关心这些材料是否保持最新。合规漂移,或 Trust Center 细节继续设门槛、信息不完整,都会直接伤到受监管客户的赢单率。[CR001, CR002, CR003, CR004, CR005, CR006]
| 规则 / 义务 | 司法辖区 | 公开状态 | 可能性 | 严重性 | 缓释措施 | 剩余暴露 | 尽调路径 |
|---|---|---|---|---|---|---|---|
| GDPR 第 28 条 / DPA 处理者义务 | 欧盟 / 英国 / 瑞士 | 公开 DPA、法律中心和 Trust Center 引用均可访问 | 中 | 高 | 公开 DPA、子处理方通知流程、安全事件通知条款 | 跨境传输和子处理方细节请求仍可能拖慢采购 | 签 NDA 后审查客户 DPA 红线、SCC 机制和控制者异议流程 |
| 跨境传输和数据驻留 | 欧盟 / 英国及全球企业账户 | DPA 授权国际传输;已检索页面未写明区域级承诺 | 中 | 高 | 公开法律条款、Trust Center 和安全材料 | 数据驻留承诺仍可能需要定制文件或产品范围界定 | 索取托管区域地图、按产品拆分的子处理方矩阵和驻留例外 |
| 企业正常运行时间和支持承诺 | 全球企业合同 | 99.99% SLA 已公开,但仅限企业生产服务 | 中 | 高 | 独立 SLA、服务抵免框架、支持计划、状态页 | 预发、beta、preview 和定制支持预期仍在公开保证之外 | 核查头部客户 SLA、抵免索赔、排除项和谈判例外 |
| SOC / 安全保证时效性 | 企业采购 / 审计 | 安全页面和 Trust Center 展示 SOC 报告、渗透测试和子处理方 | 低-中 | 中-高 | Trust Center 集中管理材料,年度测试,代码审计 | 认证徽章滞后或范围跟不上,会直接伤害受监管客户转化 | 核验最新 SOC 报告期、渗透测试整改状态和产品范围覆盖 |
| HIPAA 和受监管工作负载支持 | 美国医疗 / 受监管买家 | WorkOS 称企业计划可提供 BAA | 低-中 | 中 | 企业计划 BAA 支持,加上更广的安全控制 | 公开材料没有说明哪些产品或数据流被排除 | 索取 BAA 模板、排除服务和医疗部署架构样例 |
严重性和可能性是基于截至 2026-05-24 公开来源的分析判断;投资人仍需私有客户合同和受限 Trust Center 材料,才能彻底厘清法律暴露。
[CR001, CR002, CR003, CR004, CR005, CR006]7.2 安全、可靠性与标准依赖风险
WorkOS 卡在身份边缘,登录、配置开通或授权路径哪怕短暂出错,都会影响下游客户。2026 年 5 月状态页给了一个有用的现实校验:WorkOS 前 90 天核心服务可用性为 100%,但同一个公开页面在同月记录了仪表盘和文档不可用、webhook 投递延迟、OIDC 错误,以及 AuthKit 邮件渲染事故。这个组合不能证明控制体系大面积失效,但它说明,即便头部可用性看起来干净,支撑服务和边缘场景事故仍会触达客户。 2026 年 SDK 和 issue 轨迹也强化了这个风险。WorkOS 发布了多项认证加固变更,覆盖 OAuth state 验证、PKCE cookie 隔离、原始字节 webhook 验证、Python 依赖安全,以及多次主要 SDK 迁移。公开 GitHub issue 显示的问题不只是理论边缘场景:客户报告过功能开关 定向与 JWT claims 不一致、过期组织 ID 导致 400 认证失败、托管登录触发双重 Cloudflare challenge、同步的 token-refresh 重试、passkey 注册缺口,以及托管登录流程可能自动创建非预期账号。单看哪一项都不致命,但合在一起,说明平台仍在消化快速产品扩张,同时还要守住关键认证路径。 标准层让问题更复杂。WorkOS 自己记录,SCIM 实现会随提供方不同而变化,并可能引入安全漏洞;其 SAML 指南也直说,SAML 常见但容易出漏洞,能用 OIDC 时更好。这个技术框架是对的,但也确认了依赖关系:WorkOS 不控制 SAML、OIDC 或 SCIM,也无法强迫 Microsoft、Okta、Google、Workday 和客户自有 IdP 行为一致。标准漂移、身份提供商怪癖,或受监管客户在 NIST 式身份规则下改变预期,都可能带来支持负担、连接器脆弱性和更慢的价值落地。[CR013, CR014, CR015, CR016, CR017, CR018]
| 失效模式 | 可能性 | 严重性 | 缓释成熟度 | 剩余暴露 | 未解缺口 |
|---|---|---|---|---|---|
| AuthKit 认证流程回归(CSRF / PKCE 加固在上线使用后才发布) | 中 | 极高 | 中 | 快速补丁节奏有帮助,但认证故障会立刻扩大到客户侧 | 需要 2026 年认证修复的根因和回归测试证据 |
| 功能标记 JWT 不匹配:Dashboard 定向与运行时 claims 不一致 | 中 | 高 | 低-中 | May 2026 问题显示,客户生产流程里的状态传播仍有不确定性 | 需要规则传播、token 刷新语义和回填工具的 SLO |
| 陈旧 sessionStorage 状态导致组织切换认证失败 | 中 | 高 | 低-中 | 400 登录失败会影响真实多组织用户流,直到清除客户端状态 | 需要补丁状态、受影响版本和客户事件量 |
| 状态页可见 Webhook / OIDC / 邮件投递事件 | 中 | 高 | 中 | 状态透明度不错,但 May 2026 多次事件说明运营负担真实存在 | 需要 12 个月事件日志、MTTR 和面向客户的复盘 |
| Passkey 推出和托管 UI 边缘案例 | 中 | 中-高 | 低-中 | 域名绑定和渐进注册缺陷抬高迁移与支持负担 | 需要产品路线图、回滚计划和自定义域名迁移手册 |
行项结合了公开状态事件、WorkOS 维护的变更日志和用户报告的 GitHub 问题;可能性和严重性是投资人判断,不是厂商承认。
[CR013, CR014, CR015, CR016, CR017, CR023]最高风险簇落在身份验证回归、标准依赖、价格压缩与客户关键任务工作流交汇的位置。
发生可能性和影响是基于截至 2026-05-24 公开证据的分析判断;单元格展示主导风险标签,不代表概率。
[CR009, CR014, CR023, CR024, CR029, CR032]7.3 平台依赖、商业压力与集中风险
WorkOS 的范围确实不止一个狭义 SSO 包装层,但公开证据仍把公司放在同一个控制平面内:企业身份、授权、可审计性和相邻安全工具。2026 年 3 月 Series C 帖子称,WorkOS 现在覆盖权限、集成、加密、滥用检测、功能开关和 MCP;公开定价页面仍锚定在 用户管理、SSO、目录同步、可审计性和相邻访问功能上。这意味着扩张上行真实存在,但单一技术栈集中也同样存在:一旦核心认证和目录叙事走弱,相邻产品大概率会一起走弱,而不是形成抵消。 锁定效应双向作用。Hosted UI 是最容易上手的路径,但文档说得很清楚:不想使用 WorkOS 托管认证界面的团队,必须自己承担更多 API 和状态管理复杂度。Passkeys 会加深这个取舍,因为 WorkOS 建议客户在生产前设置自定义域名;passkeys 一旦注册到该域名,后续迁移就更难。官方 Laravel 包带来分发杠杆,但也意味着 WorkOS 采用可能嵌入另一个生态系统的默认值。产品跑得好时,这些动态有利于净留存;但如果定价、事故响应或产品方向变化,冲击半径也会更大。 竞争压力是最尖锐的商业风险。Auth0、Clerk 和 Stytch 都公开了慷慨的入门定价,Microsoft Entra 和 AWS Cognito 则能搭上既有云或办公生产力预算。Hanko 等开源替代方案明确把 WorkOS 作为对标对象。身份厂商这个类别还有声誉问题:Okta 支持系统被攻破说明,IAM 提供商事故破坏力很大,因为供应商被攻破可能演变为客户生态被攻破。WorkOS 自己的 Series C 带来流动性和可信度,但公开 ARR、烧钱速度、流失和产品组合披露仍然缺席。因此,投资者是在信息不完整的情况下承销 $2 billion 估值:新产品究竟显著分散收入,还是只是扩大执行表面积,仍看不清。[CR011, CR012, CR035, CR036, CR037, CR038]
| 依赖 | 交易对手 | 角色 | 集中度 | 失效情景 | 严重性 | 缓释措施 | 剩余暴露 |
|---|---|---|---|---|---|---|---|
| 身份标准和 IdP 异质性 | Okta、Microsoft、Google、Workday 及其他企业 IdP | 协议与连接器兼容性 | 高 | SCIM、SAML 或 OIDC 差异会破坏入驻、预配或会话完整性 | 极高 | WorkOS 抽象标准,并发布文档、指南和 SDK | WorkOS 仍无法强制供应商行为统一,也无法保证客户配置规范性 |
| 托管认证 UX 和 passkey 域名绑定 | WorkOS 托管的 AuthKit,加上客户 DNS / 自定义域名设置 | 登录、passkey 和终端用户 UX | 中-高 | 切换供应商或更换域名会打断 passkey 可携性,或迫使重建自定义 UI | 高 | 托管 UI 加快上线;自定义 UI 仍可通过 API 实现 | 客户在生产中采用托管 UI 和 passkey 后,锁定效应会上升 |
| 框架生态分发 | Laravel 入门套件和其他框架集成 | 开发者获客和入驻 | 中 | 框架默认选项变化、生态破裂或伙伴策略调整会拖慢采用 | 中 | 官方包和文档降低集成工作量 | 分发部分依赖 WorkOS 无法控制的外部生态 |
| 开发者侧价格竞争 | Auth0、Clerk、Stytch、Hanko | 客户获取和扩张 | 高 | 免费层或开源替代品会在企业增购前削弱 WorkOS | 高 | 透明定价、企业定位、迁移帮助 | 价格压力在早期和自助服务细分市场仍很强 |
| 现有巨头捆绑竞争 | Microsoft Entra ID 和 AWS Cognito | 企业和云原生身份栈 | 高 | 客户接受捆绑身份方案,而不是为 WorkOS 单独付费 | 高 | WorkOS 以开发者体验和企业就绪包装做差异化 | 捆绑身份方案仍可能凭采购简单和既有预算胜出 |
该台账同时纳入协议依赖、分发依赖和商业依赖,因为 WorkOS 既靠技术集成销售,也靠采购便利性销售。
[CR015, CR016, CR017, CR018, CR019, CR020]| 角色 / 职能 | 依赖或缺口 | 可能性 | 严重性 | 缓释措施 | 尽调路径 |
|---|---|---|---|---|---|
| 产品领导层 / 创始团队 | Series C 后扩张加大执行跨度,而公开收入结构仍未披露 | 中 | 高 | 新资本和宽平台雄心 | 索取产品线 ARR、路线图人员配置和相邻业务推出顺序逻辑 |
| 安全与发布工程 | 2026 年 AuthKit、Node、Python 多次 SDK 安全修复和破坏性迁移 | 中-高 | 高 | 可见补丁节奏和公开变更日志 | 审查发布流程、回归测试覆盖和安全评审人员配置 |
| 客户支持 / 事件响应 | 企业支持承诺升高,同时 May 2026 事件节奏仍然可见 | 中 | 高 | 状态页、SLA、支持计划、Trust Center | 核查人员配比、值班覆盖和复盘流程 |
| GTM 和财务 | 公开估值已更新,但 ARR、烧钱率、流失率和产品组合仍未公开 | 中 | 高 | Series C 资本和表观客户规模 | 审查董事会材料、最新 KPI 包和按客户细分拆分的留存 |
人员 / 执行台账聚焦职能集中度;相比发布管理和资本可见性风险,公开领导层变动风险不是主信号。
[CR011, CR012, CR027, CR028, CR038, CR039]身份入口故障先侵蚀客户信任、抬高接入摩擦,再传导到赢单率、留存、利润率,最终压到估值。
[CR009, CR012, CR014, CR016, CR035, CR036]WorkOS 夹在客户应用与外部标准、IdP、云和框架生态栈之间;这些环节没有一个完全受 WorkOS 控制。
[CR004, CR016, CR017, CR035, CR036, CR037]7.4 缓释成熟度、剩余暴露与否决标准
WorkOS 看起来并不鲁莽。公开材料展示了一套连贯的缓释栈:正式 DPA、单独的企业 SLA、状态页、Trust Center、最新融资,以及 2026 年反复出现的 SDK 修复,而不是可见停滞。这些都是企业身份厂商该有的材料。问题在剩余暴露,而不是没有控制。公司仍在认证、功能开关、权限、滥用检测和智能体安全用例上快速推进,同时依赖异质外部标准和客户 IdP。公司刚完成大额融资、外部预期正在抬升,这个组合会提高回归缺陷、迁移摩擦和企业定制诉求出现的概率。 因此,本章否决标准盯的是可衡量信号,而不是叙事上的不适。硬停止信号包括:任何面向客户的安全事故,表现出类似 Okta 身份供应链的传导机制;修复后仍反复出现公开 认证回归;或有证据显示,企业 SLA 与 Trust Center 材料显著窄于拿下受监管客户所需承诺。较软但仍严肃的预警是竞争压缩:如果 Microsoft、AWS、Auth0、Clerk 或 Stytch 能以更低有效成本匹配核心功能,WorkOS 的销售效率和长期利润率假设会很快变化。 核心尽调要求是私有证据。投资者不应只靠公开网站条款、营销徽章或创始人博客,就放行合同、数据驻留或流动性风险。在承销本轮或把业务标记为基础设施级之前,应索取客户 MSA 和安全附件、当前子处理方与托管区域矩阵、SLA 赔付历史、续约和流失数据,以及产品级 ARR 或毛利率组合。如果这些私有材料显示集中度、高事故处理负担或采购高度依赖让步,WorkOS 的风险画像应比公开表面显示的情况明显更差。[CR004, CR007, CR009, CR010, CR011, CR012]
| 风险 | 可监控触发项 | 阈值 / 事件 | 行动含义 |
|---|---|---|---|
| 认证层回归风险 | 公开事件、安全公告、GitHub 问题波动 | 宣称完成修复周期后,再次出现客户可见的认证或 webhook 完整性事件 | 暂停投资确信,直到 WorkOS 提供根因、影响范围和回归防护证据 |
| 合同 / 合规错配 | 客户文件 vs 公开条款 | MSA、DPA 或 Trust Center 材料明显窄于企业销售主张 | 下调企业胜率和利润率假设 |
| 价格压缩 | 竞争对手定价和现有巨头捆绑采用 | 输单给捆绑 Entra/Cognito,或相对 Auth0/Clerk/Stytch 持续打折 | 下调长期毛利率和 CAC 回收假设 |
| 单一栈集中 | 产品线 ARR 和使用结构 | 即便公司宣称扩张,AuthKit/SSO/Directory Sync 仍占毛利绝大多数 | 把新产品视为执行负担,而不是多元化加分 |
| 流动性可见性缺口 | 董事会报告和后续融资 | Series C 尽调请求后,仍没有清晰披露 ARR、烧钱率、现金跑道和优先权结构 | 转入观察名单,或在承销前要求更强下行保护 |
叫停标准采用可衡量的尽调阈值,因此即使公开证据仍不完整,本章也可执行。
[CR009, CR010, CR011, CR012, CR014, CR038]7.5 附录要点
08估值
8.1 建议与价格纪律
WorkOS 值得投资者关注,因为它有真实的产品紧迫性和客户证明,而不只是融资标题。2026 年 3 月融资把公司定价到 $2 billion;WorkOS 称,平台上增长最快的 AI 公司已经包括 OpenAI、Anthropic、xAI、Cursor、Perplexity、Sierra、Replit、Vercel 等。公司还称,它已从认证 扩到权限、集成、加密、滥用检测、功能开关和 MCP;同时在数千客户和每月数十亿 API 请求上跑出五个 9 可用性。客户故事页和首页进一步说明,价值主张不只是技术优雅:WorkOS 营销企业 SSO 和 SCIM 可节省超过 9 个月自建时间、拥有 50-plus 项集成,并引用客户明确表示,相比内部自建或继续使用老身份厂商,它更能支撑企业就绪度。 这些正面因素本身仍过不了承销门槛。在本次审阅的公开来源集中,WorkOS 没有披露 ARR、收入增长、NRR、毛利率、准确客户数、员工数、烧钱速度或清算优先权。因此,$2 billion 投后估值无法直接验证。只能用公开可比公司倍数和代数收入阈值来间接测试。本章因此落在观察 / 继续研究,而不是买入:如果 WorkOS 已经在 mid-$100 million ARR 区间运营,且留存优异、股权结构表干净,这个价格可以成立;但如果收入基数仍低于这个区间,或融资条款埋有沉重优先权悬挂,估值就显得偏紧。投资问题不是 WorkOS 是否有战略吸引力,而是未披露的运营基数是否已经大到足以支撑 2026 年身份赛道的溢价倍数。[CV001, CV003, CV004, CV005, CV006, CV007]
| 维度 | 评估 | 重要性 | 行动含义 |
|---|---|---|---|
| 建议 | 跟踪 / 继续研究 | WorkOS 拿到的 AI 客户证明异常强,产品紧迫感也高;但公开记录仍缺 ARR、NRR、利润率和股权结构表披露,无法支撑 March 2026 $2B 锚点的投资论证。 | 密切跟踪并争取尽调权;不要只凭公开证据就假设当前轮次可投。 |
| 信心 | 中 | 战略质量看得见,估值支撑看不见。主要不确定性不在品类吸引力,而在被隐藏的经营规模。 | 只有披露 ARR、留存和毛利率数据后,信心才可能上调。 |
| 风险评级 | 高 | 核心风险是在指标不透明下为估值付太多钱;2026 年软件倍数环境弱于 2021 年身份赛道高点,进一步放大风险。 | 如果披露仍薄,要求下行保护,否则放弃。 |
| 估值立场 | 待指标验证,合理至偏贵 | 只有 WorkOS 已大致达到 mid-$100M ARR 区间,并保持高质量增长,这个价格才说得通。 | 只有通过指标阈值测试后,本轮才有辩护空间。 |
| 下一步 | 指标设门槛的尽调 | 最高价值问题是经营指标和优先权条款,不是产品演示或品类材料。 | 推进前索取 ARR、NRR、毛利率、客户集中度和清算优先权细节。 |
本表刻意对价格敏感,而不是对公司质量敏感。它只用公开证据总结当前 $2B 轮次隐含的投资姿态;WorkOS 一披露经营指标或融资条款,就应更新。
[CV001, CV041, CV044, CV046, CV047, CV048]| 支柱 | 正向论点 | 反向论点 | 改变判断的证据 |
|---|---|---|---|
| 客户证明 | WorkOS 已服务一组少见的 AI 头部客户,包括 OpenAI、Anthropic、xAI、Cursor 和 Perplexity;这说明企业级身份基础设施的产品-市场时点很强。 | 公开客户 logo 不透露合同规模、留存质量,也不说明收入有多少集中在少数 AI 爆发赢家身上。 | 披露准确 ARR、头部客户集中度和按年份队列拆分的留存。 |
| 产品宽度 | 公司已从认证扩展到权限、集成、加密、滥用检测、功能标记和 MCP,抬高切换成本和账户价值。 | 单靠产品宽度不能证明货币化深度;部分模块可能仍是采用辅助,而非实质收入线。 | 按主要模块拆分收入贡献和附加率。 |
| 企业转化 | WorkOS 宣传可节省 9 个月以上构建时间、覆盖 50 多个集成并加快实施,支撑了面向快速扩张软件厂商的 ROI 故事。 | 集成更快可以赢得试点,但不保证长期扩张或溢价定价权。 | 提供企业转化的胜率、扩张和回本数据。 |
| AI 顺风 | AI agent 身份叙事可能把平台从员工和应用身份,扩展为自治软件的更广权限层。 | AI agent 机会在已审查公开证据中仍更像叙事,还不是经审计收入流。 | 展示真实运行的 AI agent 相关客户、定价和收入贡献。 |
| 可比框架 | CyberArk 和高溢价 AI-native SaaS 区间显示,优质身份或安全资产在 2026 年仍能拿到双位数收入或 ARR 倍数。 | Okta 和 SailPoint 表明,当前公开身份倍数远低于 2021 年稀缺定价,$2B 私募轮的门槛因此明显更高。 | 披露足够指标,让 WorkOS 能可信地落入可比公司集合。 |
| 市场环境 | 即便市场已修正,AI-native 资产仍可获得溢价。 | 软件板块抛售和 post-2021 倍数重置意味着,投资人不再愿意为没有证据的故事付费。 | 验证 Rule-of-40 式经济性,或坚持更低入场价格。 |
正反论点表把公开证据中已经可见的部分,与仍需管理层披露的部分拆开。若干正向论点今天已经具备战略吸引力,但反向论点本质上仍是估值和披露问题,而不是纯产品反对意见。
[CV004, CV005, CV006, CV011, CV017, CV035]决策链从 WorkOS 可见的产品与客户证据,走到缺失指标这道门槛;门槛让本章停在观察 / 继续研究,而不是买入。图中强调,瓶颈是估值验证,不是赛道相关性。
这张图是分析综合产物,不是 WorkOS 披露的流程。每个节点都有本章明确论断支撑,用来显示公开证据链目前断在哪里。
[CV001, CV004, CV005, CV037, CV044, CV046]8.2 可比估值背景与市场制度
给 WorkOS 估值,最干净的框架是把 $2 billion 锚点同时放到当前公开身份 / 安全倍数和历史身份交易里比较。公开市场侧,Okta 在约 $2.92 billion 过去十二个月收入上,EV/sales 约 4.8x;SailPoint 在约 $1.07 billion 收入上,EV/sales 约 8.0x。CyberArk 是这组中最强的身份安全溢价参照:2026 年 5 月市值约 $20.6 billion,对应约 $1.36 billion 收入和 $1.44 billion ARR,隐含十几倍中段的收入或 ARR 倍数。CrowdStrike 是更广义安全上限,而不是直接同业:企业价值约 $164.5 billion,EV/sales 约 34.2x;除非规模和证据异常强,WorkOS 不应按接近这个上限来承销。 历史也重要,因为身份资产曾经卖出更高价格。Okta 2021 年同意以约 $6.5 billion 收购 Auth0;TechCrunch 报道称,Auth0 预计当年收入约 $200 million,意味着在身份软件稀缺性高峰期,前瞻收入倍数约 32.5x。SailPoint 2022 年约 $6.9 billion 私有化说明,规模化身份资产仍能支撑数十亿美元级结果,但市场制度已经变了。Reuters 报道,到 2026 年 2 月,S&P 500 software and services index 自 1 月下旬以来已蒸发约 $1 trillion 市值;Acquiry、Windsor Drake 和 Aventis 的行业评论也显示,2026 年公开 SaaS 倍数稳定在远低于 2021 年峰值的位置。实际结论很直接:WorkOS 也许配得上 AI 原生溢价,但 2021 年 Auth0 式收入倍数已不再是默认基准。[CV011, CV012, CV013, CV017, CV018, CV019]
| 可比公司 | 状态 | 收入 / ARR 锚点 | 估值 / EV 锚点 | 隐含倍数 | 相关性 | 局限 |
|---|---|---|---|---|---|---|
| Okta | 上市 | ~$2.92B LTM 收入 | ~$14.07B EV / ~$16.17B 市值 | ~4.82x EV/销售额 | 员工和客户身份领导者;是标准化公开身份倍数最接近的大盘 IAM 基准。 | 规模成熟且增速更低,使其更像公开倍数底部,而非上限。 |
| CyberArk | 上市身份安全高溢价标的 | ~$1.36B 收入 / ~$1.44B ARR | ~$20.63B 市值 | ~15.2x 市值/收入,~14.3x 市值/ARR | 当前最佳身份安全高溢价可比公司;说明强身份紧迫性在 2026 年能拿到什么定价。 | 产品组合覆盖 PAM 和更广义身份安全;不是直接的开发者基础设施可比对象。 |
| SailPoint | 上市身份安全标的 | ~$1.07B LTM 收入 | ~$8.59B EV / ~$8.93B 市值 | ~8.02x EV/sales 倍数 | 当前公开披露的身份软件公司中,可作中位估值倍数参考。 | 业务重心在治理和身份安全,区别于 WorkOS 由开发者切入的企业认证定位。 |
| CrowdStrike | 上市安全标的估值上限 | ~$4.81B LTM 收入 | ~$164.46B EV / ~$168.87B 市值 | ~34.18x EV/sales 倍数 | 任务关键型企业软件的安全溢价上限参考。 | 业务太宽、规模太大,难以作为 WorkOS 直接估值测算可比项。 |
| Auth0 出售给 Okta(2021) | 战略并购先例 | ~$200M 预期收入(2021) | ~$6.5B 收购价 | ~32.5x 远期收入 | 显示 2021 年高点身份资产稀缺性溢价能打到的水平。 | 高峰周期交易;不能作为 2026 年稳妥基准。 |
| SailPoint 私有化(2022) | 战略 / PE 先例 | 具备规模的身份安全平台 | ~$6.9B 全现金价格 | 已审阅公开来源集中为 n/a | 说明即便不走 IPO 市场,规模化身份资产也能撑起数十亿美元级结果。 | 交易发生在另一套利率和软件估值倍数环境中。 |
可比集刻意只取部分样本。它混合当前公开市场基准和历史身份交易,从几个角度框定 2026 年 3 月 WorkOS 融资轮。倍数没有按增长、NRR 或利润率归一化;因此,WorkOS 未披露的经营指标对估值判断极为关键。
[CV011, CV013, CV017, CV018, CV019, CV022]不同收入或 ARR 倍数假设下,支撑 $2B 估值所需的 ARR。图中显示,假设倍数一旦压向当前公开身份赛道区间,所需经营规模会很快抬升。
数值为隐含 ARR 门槛,单位为 USD millions,由披露的 $2B 轮次估值除以各个选定倍数得出。倍数组合参考了本章公开市场和私募市场的身份与 SaaS 可比样本。
[CV041, CV042, CV043, CV052]这是一张 IC 风格评分卡,覆盖决定 $2B 轮次是否可投的六个变量。最强信号是客户证据和产品紧迫性;最弱的是指标披露和价格验证。
KPI 标签是分析师的定性判断,来自本章论断集;用于决策框架,不用于机械打分。
[CV004, CV006, CV037, CV039, CV044, CV045]8.3 情景框架、估值阈值与决策条件
WorkOS 没有公开披露收入,因此情景框架最好用阈值逻辑表达,而不是围绕一个隐藏 ARR 数字制造虚假精确。在当前 $2 billion 估值下,WorkOS 需要约 $400 million ARR 才能对应 5x 倍数;$250 million 对应 8x;$200 million 对应 10x;$167 million 对应 12x;$133 million 对应 15x;$100 million 对应 20x。这些阈值让可比集合自己发挥作用。如果 WorkOS 已经高于约 $150 million ARR,NRR 高于 120%、毛利率高于 75%,且能从 AI 客户群可信转化企业客户,那么当前轮次可以落在一个可防守的 12x 至 15x AI 身份区间内。但如果 ARR 更接近 $100 million,本轮就隐含约 20x ARR——这更接近 2021 年稀缺性定价,而不是今天的公开身份区间。 乐观、基准和悲观情景因此同样取决于披露质量,而不只是运营表现。乐观情景假设 WorkOS 已经处于或高于 mid-$100 million ARR 区间,AI 智能体身份 成为增量变现层,而不只是叙事延伸,并且公司能够守住顶级留存画像。基准情景假设规模扎实但不惊艳,足以让 $2 billion 看起来合理到偏高,但并不明显便宜。悲观情景假设收入仍低于 2026 年溢价倍数隐含的阈值,或融资条款实质稀释普通股回报。买入、观察和放弃条件应直接绑定这些阈值,而不是只绑定对身份类别的热情。[CV037, CV038, CV041, CV042, CV043, CV046]
| 情景 | 假设 ARR 区间 | 倍数区间 | 隐含估值区间 | 关键条件 | 概率信号 |
|---|---|---|---|---|---|
| 牛 | $170M-$220M ARR | 12x-16x ARR | $2.04B-$3.52B | AI 客户采用转化为可持续的企业扩张;NRR 超过 120%;毛利率超过 75%;AI agent 身份产生实质货币化。 | 低至中,除非管理层很快披露高质量指标。 |
| 基准 | $120M-$160M ARR | 10x-14x ARR | $1.20B-$2.24B | WorkOS 规模已经清晰且仍在增长,但还没有优秀到能在每项指标上拿到 CyberArk 式溢价。 | 如果披露指标落在 mid-$100M ARR 区间,概率为中。 |
| 熊 | $70M-$100M ARR | 6x-10x ARR | $0.42B-$1.00B | 收入规模仍低于溢价门槛,留存普通,或融资条款造成沉重优先权包袱。 | 如果披露继续缺失或令人失望,概率显著。 |
这些是分析情景,不是公司披露预测。它们以已披露的 $2B 轮次锚点和 2026 年公开身份、安全、SaaS 市场可比区间为基础,意在说明当前估值要变得有吸引力、公允或过度延展,必须具备怎样的经营规模。
[CV041, CV042, CV043, CV046, CV047, CV048]| 触发因素或条件 | 阈值 | 对投资逻辑的传导 | 行动含义 |
|---|---|---|---|
| 买入门槛未达成 | 管理层无法拿出至少约 $150M ARR,同时证明高留存和高质量利润率。 | 按 2026 年身份和 SaaS 可比估值区间,当前 $2B 定价仍缺支撑。 | 继续跟踪或退出;不要硬给买入结论。 |
| 发现优先权负担 | Series C 条款包含激进清算优先权、参与型优先股安排,或异常大的反稀释保护。 | 即使企业价值判断方向正确,普通股上行空间也会被压缩。 | 除非重新谈定价格或结构,否则放弃。 |
| 倍数重置持续 | 公开市场软件倍数仍钉在修正后的 6x-8x 区间附近,身份同业也未重估。 | 私募账面估值支撑转弱,溢价入场价格失去下行保护。 | 收紧价格纪律,并要求更强经营证据。 |
| 企业转化不及预期 | AI 客户 logo 没能转化为可复制扩张,或客户集中度被证明过高。 | 溢价叙事从耐用平台转向集中敞口。 | 将公司估值重估至较低的私有 SaaS 区间。 |
| AI 智能体叙事仍停在变现前 | 智能体相关身份仍是路线图话术,而非已签约收入。 | 溢价倍数中相当一部分变成尚未挣到的可选性。 | 只按核心企业认证平台测算,不给未来故事估值。 |
| 隐藏指标不及预期 | ARR 低于 ~$100M,或 NRR 接近 100%。 | 本轮更像高峰周期的超额支付,而非有依据的溢价定价。 | 按当前估值坚决放弃。 |
前两行是投前门槛,后几行是持续跟踪的投资逻辑破裂指标。每个触发因素都要逼出清晰行动,而不是模糊观察项;符合价格敏感型建议。
[CV035, CV037, CV044, CV048, CV051]在当前收入未披露的情况下,用假设 ARR 区间和倍数区间给 WorkOS 做情景估值。当前 $2B 轮次锚点落在乐观区间内、接近基准区间上沿,因此披露质量决定建议。
所有数值单位均为 USD millions,来自 TV003 的情景假设。当前轮次锚点是披露的 March 2026 估值。情景区间不是公司预测;它们是门槛测试,用来判断业务需要长成什么样,这一轮才算便宜、合理或昂贵。
[CV001, CV049, CV050, CV051, CV052]8.4 未解决的披露缺口与最终尽调要求
最强的反向逻辑不是产品风险,而是披露风险。本章审阅的公开来源显示,WorkOS 有强客户标杆,也踩中了有吸引力的产品市场时点;但它没有给出投资者用来测试 $2 billion 投后估值是否公平的底层数字。没有公开 ARR 桥、没有披露 NRR 或 GRR、没有准确客户数或集中度瀑布图、没有员工数或烧钱速度披露,也没有公开股权结构表或清算优先权视图。2026 年,这些缺口比 2021 年更重要,因为软件倍数现在奖励增长和耐久性的组合,而不是只奖励叙事。 正确尽调路径因此很窄,也很实用。在承销乐观甚至基准情景前,投资者应要求当前 ARR 和增长桥、队列留存数据、毛利率披露、准确大客户暴露,以及 Series C 后优先股堆叠。公司还应说明 AI 智能体身份产品已经开始变现,还是仍只是叠加在核心企业认证业务上的路线图溢价。没有这些披露,最可防守的姿态是把 WorkOS 放在高优先级观察名单上,而不是强行给出明确买入结论。退出逻辑也类似:如果后续披露验证了溢价经济性,公司可以复合进当前轮次;如果没有,价格给 2026 年软件倍数压缩留下的空间太小。[CV044, CV045, CV046, CV047, CV048]
| 主题 | 缺失证据 | 重要性 | 尽调路径 |
|---|---|---|---|
| 当前 ARR 和增长桥 | 已审阅的 2026 年来源中,WorkOS 没有公开 ARR 或收入披露。 | $2B 究竟有吸引力、公允还是偏高,核心只看这个变量。 | 向管理层索取最新 ARR、季度增长趋势和企业收入占比。 |
| NRR、GRR 和毛利率 | 公开来源未披露留存或利润率质量。 | AI 原生溢价倍数需要证明扩张可持续、单位经济模型有吸引力。 | 索取按主要产品线拆分的队列留存、毛利率和回本周期数据。 |
| 精确客户数和集中度 | WorkOS 只披露数千家客户和具名 logo,未披露精确数量或集中度。 | 如果少数 AI 头部客户主导 ARR,即便 logo 很多,经济上仍可能高度集中。 | 索取精确客户数、前 10 大客户集中度和续约计划。 |
| 员工数和烧钱速度 | 已审阅来源未发现 2026 年公开员工数或烧钱披露。 | 投资人需要判断,公司能否在不以不利条款再融资的情况下消化本轮估值。 | 索取按职能拆分的员工数、现金消耗,以及基准和悲观招聘计划下的现金跑道。 |
| 股权结构表和清算优先权 | 公开记录未披露 Series C 后优先股堆叠或任何投资人保护。 | 如果权利堆栈很厚,即便企业价值结果不错,普通股回报仍可能偏弱。 | 审阅投后股权结构表、清算瀑布和任何优先证券条款。 |
| AI 智能体身份变现 | 公开来源描述了智能体身份机会,但没有量化现有收入贡献。 | 没有付费采用证据时,可选性不应像已验证 ARR 一样资本化。 | 索取面向智能体产品的销售管线、付费客户数、定价模型和附加率数据。 |
这些问题按估值影响排序,而非按叙事吸引力排序。前四项是核心投资测算输入,后两项决定当前溢价应维持还是打折。
[CV044, CV045, CV046, CV047, CV048]免责声明
本报告是基于公开证据的尽调快照,不构成投资建议。重要的财务、法律、技术和合同事实仍未公开;任何投资决策前,都应直接向管理层和一手文件核验。
证据索引
| 编号 | 陈述 | 可信度 | 来源 |
|---|---|---|---|
| CO001 | WorkOS’s legal entity is publicly identified as WorkOS, Inc. | 高 | SO001, SO018 |
| CO002 | WorkOS’s official structured data lists a founding date of 2019-05-20 and names Michael Grinich as founder. | 高 | SO001, SO024 |
| CO003 | WorkOS’s official structured data lists 660 Market St, San Francisco, CA 94104 as the company address. | 中 | SO001 |
| CO004 | WorkOS describes itself as a remote-first team of 100+ builders. | 中 | SO001, SO028 |
| CO005 | WorkOS publicly positions itself as a developer-focused platform for enterprise-ready identity features such as SSO, SCIM Directory Sync, MFA, AuthKit, Audit Logs, and related controls. | 高 | SO001, SO002, SO007 |
| CO006 | WorkOS says its platform abstracts dozens of enterprise integrations through a single interface and supports 20+ enterprise services. | 中 | SO002, SO007 |
| CO007 | AuthKit supports email and password, social login, magic auth, Enterprise SSO, and MFA. | 高 | SO008, SO009, SO019 |
| CO008 | Directory Sync provides SCIM and HRIS provisioning workflows with real-time webhook events across more than a dozen directory services. | 高 | SO010, SO013, SO024 |
| CO009 | Audit Logs supports ingestion, export, schema configuration, and retention or streaming workflows for compliance-oriented activity tracking. | 高 | SO011, SO014, SO024 |
| CO010 | WorkOS says FGA extends RBAC with hierarchical, resource-scoped access control and sub-50ms p95 access checks. | 中 | SO012, SO002 |
| CO011 | Radar adds bot detection, brute-force protection, device fingerprinting, and abuse-defense controls to the WorkOS platform. | 高 | SO015, SO020 |
| CO012 | A core WorkOS thesis is that post-product-market-fit software companies need enterprise-ready features to cross the “enterprise chasm.” | 高 | SO007, SO006 |
| CO013 | Michael Grinich has publicly tied WorkOS’s founding to the lesson from Nylas that user love is not enough if enterprise IT requirements arrive too late. | 中 | SO007, SO024 |
| CO014 | On 2021-03-10 WorkOS announced financing led by Lachy Groom and said it had raised $19M to date. | 中 | SO007 |
| CO015 | On 2022-06-01 WorkOS announced an $80M Series B led by Greenoaks with participation from Lachy Groom, Lightspeed Ventures, and Abstract Ventures. | 高 | SO006, SO023 |
| CO016 | The 2022 Series B announcement also disclosed WorkOS’s acquisition of Modulz, the company behind Radix. | 中 | SO006, SO024 |
| CO017 | By June 2022 WorkOS said it had over 200 paying customers, including Webflow and Hopin. | 中 | SO006, SO024 |
| CO018 | In 2022 WorkOS described itself as a global company of 40+ people spanning five continents. | 中 | SO006 |
| CO019 | On 2023-11-28 WorkOS launched AuthKit and User Management APIs, materially broadening the platform beyond federation and provisioning. | 高 | SO019, SO008 |
| CO020 | On 2024-11-19 WorkOS launched Radar, extending the platform into bot blocking and abuse detection. | 高 | SO020, SO015 |
| CO021 | WorkOS publicly advertises SOC 2 Type 2, GDPR and CCPA compliance, annual third-party penetration tests, and external code audits. | 高 | SO016, SO026, SO027 |
| CO022 | On 2025-01-13 WorkOS published a security advisory for a Hosted AuthKit password-authentication MFA bypass that it said was fixed on 2025-01-07 and never exploited. | 中 | SO017 |
| CO023 | Public vulnerability listings show additional AuthKit-related issues across 2025 and 2026, including token exposure, open redirects, expired-session reuse, and cache-header problems, with patched versions disclosed. | 中 | SO017, SO031 |
| CO024 | On 2026-03-02 WorkOS announced a $100M Series C at a $2B valuation led by Meritech and Sapphire. | 高 | SO005, SO021, SO022, SO029 |
| CO025 | The 2026 Series C post says leading AI companies using WorkOS include OpenAI, Anthropic, xAI, Cursor, Perplexity, Sierra, Baseten, Fal, Replit, Vercel, Synthesia, Temporal, Gamma, Clay, Exa, Parallel, and Serval. | 中 | SO005, SO029 |
| CO026 | WorkOS says it operates at thousands of customers, five-nines uptime, and billions of API requests each month. | 中 | SO005, SO029 |
| CO027 | Sacra estimates WorkOS reached $30M ARR in October 2025 and crossed 1,000 paying customers in early 2025. | 中 | SO023, SO006 |
| CO028 | WorkOS’s customer pages and testimonials show named customers including OpenAI, Cursor, Perplexity, Drata, incident.io, Patch, Hypercare, Hopin, Indeed, and others. | 中 | SO003, SO004 |
| CO029 | Official customer and homepage testimonials repeatedly argue that WorkOS helps customers ship enterprise features faster than building SSO, SCIM, and audit infrastructure in-house. | 高 | SO002, SO003 |
| CO030 | WorkOS remains strongly founder-led in public materials, with Michael Grinich signing core financing posts and serving as the main public company voice. | 高 | SO005, SO007, SO001 |
| CO031 | Public governance transparency is limited because retained official sources identify the founder and investors but do not publish a comprehensive current board or officer roster. | 中 | SO001, SO005, SO006 |
| CO032 | WorkOS’s publicly visible capital base is dominated by recurring venture backers including Lachy Groom, Abstract, Lightspeed, Greenoaks, Meritech, Sapphire, Audacious, and Craft. | 中 | SO007, SO006, SO005 |
| CO033 | As of 2026 WorkOS is best described as a late-stage private company at the Series C stage. | 高 | SO005, SO021 |
| CO034 | Summing the company’s disclosed 2021 $19M-to-date statement, 2022 $80M Series B, and 2026 $100M Series C implies roughly $199M total raised by March 2026. | 中 | SO007, SO006, SO005 |
| CO035 | WorkOS’s official status page shows an “Elevated Dashboard Errors” incident on 2026-05-22 that affected dashboard, admin-portal, and docs UI while APIs, authentication, and data were not impacted. | 高 | SO030, SO025 |
| CO036 | IsDown says it has tracked 119 WorkOS incidents since March 2023 and identifies May 22, 2026 as the last outage before the fetch date. | 中 | SO025, SO030 |
| CO037 | UpGuard and Nudge both portray WorkOS as a monitored vendor with a comparatively broad public security and compliance surface area. | 低 | SO026, SO027 |
| CO038 | WorkOS’s legal terms and structured data identify the operating entity as WorkOS, Inc. and anchor it in California and San Francisco. | 高 | SO018, SO001 |
| CO039 | By 2026 WorkOS had expanded from core identity primitives into adjacent trust layers such as AuthKit, FGA, Radar, connectors, and agent-oriented security or auth products. | 中 | SO002, SO019, SO020, SO012 |
| CO040 | Third-party directory data places WorkOS at another San Francisco Market Street mailing address, so San Francisco is consistent but the exact current mailing address should be confirmed in diligence. | 低 | SO028, SO001 |
| CO041 | Public scale signals place WorkOS in a 51-200 employee band and above 100 builders, making exact headcount directional rather than precise. | 中 | SO001, SO028 |
| CO042 | WorkOS maintains an official customer page for OpenAI and links to it from its customer-story index. | 高 | SO003, SO004 |
| CO043 | WorkOS says it can sign HIPAA business associate agreements for customers on enterprise plans. | 中 | SO016, SO027 |
| CO044 | WorkOS says FGA can be adopted incrementally alongside existing RBAC rather than requiring a full migration. | 中 | SO012, SO002 |
| CO045 | WorkOS says Directory Sync normalizes attributes from dozens of HRIS and directory providers and emits real-time lifecycle events. | 高 | SO010, SO013 |
| CO046 | WorkOS says AuthKit includes bot detection or blocking and environment-level MFA controls to improve application security. | 中 | SO008, SO009, SO015 |
| CO047 | WorkOS’s 2026 messaging shifts the company from generic enterprise readiness toward securing AI and agentic software. | 中 | SO005, SO029, SO002 |
| CM001 | WorkOS's practical market is developer-first enterprise identity infrastructure for B2B software rather than the whole IAM stack. | 中 | SM001, SM004, SM008, SM009 |
| CM002 | MarketsandMarkets segments IAM by technology, type including workforce, CIAM, and B2B, identity type, deployment mode, and vertical. | 中 | SM008 |
| CM003 | The Business Research Company describes IAM components to include provisioning, directory service, SSO, advanced authentication, audit, compliance, and governance. | 中 | SM009 |
| CM004 | WorkOS prices enterprise SSO and Directory Sync around the unit of a customer connection rather than by total user volume. | 中 | SM001 |
| CM005 | WorkOS markets SSO, SCIM, audit logs, MFA, onboarding, and related enterprise features as a bundled enterprise-readiness surface. | 中 | SM002 |
| CM006 | WorkOS says secure automated user provisioning is a fundamental requirement for SaaS platforms selling into the enterprise. | 中 | SM004 |
| CM007 | WorkOS argues that building and maintaining SCIM in-house rarely makes sense for a growing startup focused on its core product. | 中 | SM004 |
| CM008 | WorkOS identifies IdP-specific inconsistencies, scaling reliability, onboarding friction, and ongoing maintenance as major costs of homegrown SCIM. | 中 | SM004 |
| CM009 | Auth0 ties enterprise connections, self-service SSO, and SCIM to its B2B or enterprise packaging rather than leaving those capabilities permanently on lower self-serve plans. | 中 | SM027 |
| CM010 | The Business Research Company says the global IAM market will reach $25.23 billion in 2026. | 中 | SM009 |
| CM011 | The Business Research Company says the global IAM market will reach $45.22 billion by 2030 at a 15.7% CAGR from the 2026 base. | 中 | SM009 |
| CM012 | MarketsandMarkets projects IAM from $25.96 billion in 2025 to $42.61 billion by 2030, with CIAM as the largest type and non-human IAM growing faster than human identity. | 中 | SM008 |
| CM013 | Fairfield Market Research expects the global IAM market to be worth $24.8 billion by 2026. | 中 | SM010 |
| CM014 | Mordor Intelligence estimates the CIAM market at $13.3 billion in 2026 and $30.06 billion in 2031. | 中 | SM006 |
| CM015 | Fortune Business Insights estimates the CIAM market at $14.46 billion in 2026 and $53.36 billion by 2034. | 中 | SM007 |
| CM016 | MarketsandMarkets projects the CIAM market from $14.12 billion in 2025 to $22.47 billion by 2030. | 中 | SM005 |
| CM017 | Coherent Market Insights estimates the global access-management market at $25 billion in 2026 and $65 billion by 2033. | 中 | SM011 |
| CM018 | Coherent Market Insights says audit, compliance, and governance will account for 31% of the global access-management market in 2026. | 中 | SM011 |
| CM019 | Mordor says large enterprises held 61.15% of CIAM spending in 2025, cloud accounted for 77.35%, and BFSI led with 28.55% share. | 中 | SM006 |
| CM020 | Mordor says passwordless and passkey solutions are expanding at a 23.65% CAGR through 2031. | 中 | SM006 |
| CM021 | Public sources do not isolate a standalone WorkOS SAM or SOM because IAM, CIAM, access management, and non-human identity forecasts measure overlapping perimeters. | 中 | SM005, SM006, SM008, SM009, SM011 |
| CM022 | The WorkOS buying motion usually spans product engineering, downstream customer IT admins, and security or compliance stakeholders rather than a single functional owner. | 中 | SM002, SM004, SM019, SM020 |
| CM023 | Adoption usually begins with an enterprise readiness blocker such as SSO or SCIM and then expands into broader lifecycle, logging, or authorization needs. | 中 | SM002, SM004 |
| CM024 | WorkOS customer proof says teams shipped SSO and SCIM more than nine months faster than building those capabilities in-house. | 中 | SM002 |
| CM025 | One WorkOS customer said its in-house approach required 2-4 hours to provision each SSO connection. | 中 | SM002 |
| CM026 | WorkOS customer proof says SCIM is crucial because customers may switch to a provider with smoother provisioning if lifecycle automation is missing. | 中 | SM002 |
| CM027 | WorkOS argues that per-directory pricing aligns better with B2B revenue growth than per-monthly-active-user pricing. | 中 | SM004 |
| CM028 | WorkOS lists SSO and Directory Sync at $125 per connection per month and log streaming at $125 per SIEM connection per month while keeping the first million user actions free. | 中 | SM001 |
| CM029 | RFC 7642 defines SCIM as the system for cross-domain identity management and includes enterprise-to-cloud scenarios and SSO triggers among its flows. | 高 | SM012, SM013 |
| CM030 | RFC 7644 says SCIM is intended to reduce the cost and complexity of user management through a common schema, extension model, and service protocol. | 高 | SM012, SM013 |
| CM031 | OpenID Connect is an identity layer on top of OAuth 2.0 for interoperable end-user identity verification and profile claims. | 中 | SM014 |
| CM032 | SAML provides a framework for exchanging security information between online business partners. | 中 | SM015 |
| CM033 | NIST's July 2025 digital identity revision added synced passkeys, subscriber-controlled wallets, and controls for injection attacks and forged media. | 中 | SM016 |
| CM034 | NIST SP 800-207 defines zero trust as a model that emphasizes accurate, least-privilege per-request access decisions focused on users, assets, and resources. | 高 | SM017, SM018 |
| CM035 | CISA's Zero Trust Maturity Model version 2.0 aligns with OMB M-22-09 and organizes adoption around five pillars and three cross-cutting capabilities. | 高 | SM018, SM019 |
| CM036 | OMB M-22-09 makes stronger enterprise identity and access controls, including MFA, a federal zero-trust baseline. | 高 | SM017, SM018, SM019 |
| CM037 | AICPA says SOC assurance reports give users information needed to assess and address the risks associated with outsourcing services. | 中 | SM020 |
| CM038 | Google's Zanzibar authorization system scaled to trillions of access control lists and millions of authorization requests per second while maintaining sub-10 millisecond p95 latency and greater than 99.999% availability. | 中 | SM022 |
| CM039 | OpenFGA was accepted into CNCF in 2022 and reached incubating maturity in October 2025. | 中 | SM023 |
| CM040 | Auth0 says custom authorization logic does not scale for multi-tenant B2B APIs, MCP servers, and AI agents, and positions FGA as least-privilege infrastructure for millions of users and billions of resources. | 中 | SM028 |
| CM041 | WorkOS argues that agents are a distinct identity class and that flat RBAC breaks when permissions need to be task-scoped and resource-specific. | 中 | SM003 |
| CM042 | SSOtax.org documents many SaaS vendors still gating SSO behind enterprise pricing or opaque quotes. | 中 | SM024 |
| CM043 | The SCIM Tax dataset says it surveys about 300 widely deployed SaaS apps to document who gates SCIM and what it costs. | 中 | SM025 |
| CM044 | Stitchflow claims that across 721 SaaS apps, 42% lock SCIM behind enterprise pricing, 57% have no SCIM at any price, and only 1.2% include SCIM on the base tier. | 中 | SM026 |
| CM045 | Public IAM market commentary still identifies lack of unified identity standards, budget constraints, privacy concerns, and shortages of skilled cybersecurity professionals as adoption constraints. | 中 | SM008, SM009, SM010 |
| CM046 | Non-human identity and AI-agent authorization clearly expand the market narrative around WorkOS, but public evidence on paid production adoption is still less mature than the evidence on SSO and SCIM demand. | 中 | SM003, SM005, SM023, SM028 |
| CM047 | Auth0's pricing and FGA pages show that incumbents are also bundling AI-agent and fine-grained authorization capabilities into broader identity platforms. | 中 | SM027, SM028 |
| CM048 | WorkOS customer proof includes Cursor's statement that it left Auth0's opaque and customer-hostile pricing. | 中 | SM002 |
| CM049 | The practical underwriting wedge for WorkOS is enterprise-readiness infrastructure sold into B2B products, not full-suite corporate IAM replacement. | 中 | SM001, SM004, SM008, SM009 |
| CM050 | The largest remaining market diligence gaps are WorkOS's connection mix, attach rates across SSO or audit or FGA, and a clean standalone denominator for enterprise-feature infrastructure. | 低 | SM001, SM002, SM021 |
| CP001 | WorkOS pricing packages SSO, directory sync, audit logs, and user-management-style features around organization-based billing and a free tier up to 1 million active users. | 中 | SP001 |
| CP002 | WorkOS positions AuthKit as a fully featured component system for embedded authentication flows. | 中 | SP002 |
| CP003 | WorkOS positions RBAC as enterprise-grade authorization with org-scoped roles and permissions delivered inside the application runtime. | 中 | SP003 |
| CP004 | Across its current pricing and B2B SaaS pages, WorkOS presents a bundled enterprise-ready stack spanning auth UI, enterprise federation, and authorization rather than a single point product. | 高 | SP001, SP002, SP003 |
| CP005 | Auth0 markets itself to B2B SaaS teams with multi-tenancy, delegated administration, self-serve enterprise SSO, and fine-grained authorization. | 中 | SP005 |
| CP006 | Auth0 pricing exposes a free tier up to 25,000 monthly active users and separately calls out enterprise connections and self-service SSO. | 中 | SP004 |
| CP007 | Auth0 documents import, export, and automatic user migration flows, which implies meaningful switching work once user records and passwords live inside the platform. | 中 | SP006 |
| CP008 | Clerk competes as a built-in B2B SaaS auth layer centered on organizations, roles, invitations, and SSO. | 中 | SP008 |
| CP009 | Clerk documentation says users can belong to multiple organizations and switch active organization context, making the product a strong fit for collaboration-heavy multi-tenant apps. | 中 | SP009 |
| CP010 | Clerk pricing starts free up to 50,000 monthly retained users with pro plans from $20 per month, making its entry price lower and more PLG-oriented than WorkOS enterprise infrastructure framing. | 中 | SP007, SP001 |
| CP011 | Stytch presents one integration for authentication, authorization, and security, extending its current positioning beyond login alone. | 中 | SP011 |
| CP012 | Stytch pricing is explicitly usage based with no hard caps or pricing cliffs after the free tier thresholds it discloses. | 中 | SP010 |
| CP013 | PropelAuth is explicitly built for B2B products, with organizations, advanced RBAC, and deeply integrated SAML, OIDC, and SCIM in its organization model. | 中 | SP013 |
| CP014 | PropelAuth pricing advertises unlimited organizations, unlimited collaborators, and unlimited SAML on its free tier. | 中 | SP012 |
| CP015 | FusionAuth competes on deployment control by offering self-hosted, dedicated, on-prem, hybrid, and air-gapped deployment options. | 中 | SP015 |
| CP016 | FusionAuth pricing and plan language emphasize community support, free licensing, and paid enterprise add-ons such as SCIM and live engineering help. | 中 | SP014 |
| CP017 | Frontegg frames itself as the identity layer for every SaaS entry point and extends that positioning into agentic SaaS. | 中 | SP017 |
| CP018 | Frontegg pricing starts free up to 7,500 monthly active users and separately meters enterprise connections for SSO and SCIM. | 中 | SP016 |
| CP019 | Descope positions itself as a customer and agentic identity platform spanning users, business customers, partners, AI agents, and MCP servers. | 中 | SP019 |
| CP020 | Descope says it meets B2B enterprise requirements across authentication, SSO, delegated administration, fine-grained access, and auditability. | 中 | SP019 |
| CP021 | Descope pricing uses free and paid monthly active user tiers, putting it into the same meter family as other developer-led CIAM entrants. | 中 | SP018 |
| CP022 | Permit.io focuses on permissions and fine-grained authorization rather than full authentication, and its pricing is framed around the number of users checked for access with a free community plan. | 中 | SP020, SP021 |
| CP023 | Cerbos positions itself as an open-source or open-core authorization layer for enterprise software and AI rather than an end-user authentication suite. | 中 | SP022, SP023, SP029 |
| CP024 | Amazon Cognito is a fully managed CIAM service that supports social login, passkeys, machine-to-machine authentication, and scale to millions of users. | 高 | SP024, SP025 |
| CP025 | Cognito pricing is MAU based across Lite, Essentials, and Plus tiers, with separate charges for SMS, email, and some SAML or OIDC federation usage. | 中 | SP024 |
| CP026 | Microsoft Entra External ID spans both CIAM for external tenants and B2B collaboration for workforce tenants. | 中 | SP026 |
| CP027 | Entra External ID documentation ties the product to Microsoft platform security and compliance features, and says workforce B2B collaboration extends to Microsoft applications and other SaaS apps while external-tenant SSO stays scoped to apps registered in that external tenant. | 中 | SP026 |
| CP028 | Keycloak is an open-source identity and access management option that supports OpenID Connect, OAuth 2.0, and SAML. | 中 | SP027, SP028 |
| CP029 | Open-source and self-hosted substitutes such as Keycloak, Cerbos, and FusionAuth increase substitution pressure whenever buyers prioritize control, deploy-anywhere flexibility, or lower license spend over managed speed. | 中 | SP014, SP015, SP023, SP027 |
| CP030 | WorkOS is strongest when a buyer wants one vendor for embedded auth UI, enterprise federation, and built-in authorization instead of assembling separate auth and authz layers. | 高 | SP001, SP002, SP003 |
| CP031 | The field splits between broad CIAM suites such as Auth0, Clerk, Stytch, Frontegg, and Descope, and narrower B2B-first or authz-first products such as PropelAuth, Permit.io, and Cerbos. | 中 | SP005, SP008, SP011, SP013, SP017, SP019, SP021, SP023 |
| CP032 | Hyperscaler and suite bundling pressure is real because Cognito rides inside AWS buying motion while Entra External ID extends into Microsoft collaboration and SaaS access patterns that many enterprises already pay for. | 中 | SP024, SP025, SP026 |
| CP033 | Identity switching costs rise after deployment because user stores, migration flows, organization models, SAML or SCIM connections, and permissions structures all have to move together. | 中 | SP006, SP009, SP013 |
| CP034 | Multiple direct rivals use generous free tiers, usage pricing, or community and self-host options, limiting how much standalone identity vendors can widen price without showing better time-to-value or attach rates. | 中 | SP007, SP010, SP012, SP014, SP016, SP018, SP020, SP022 |
| CP035 | A competitor-authored alternatives guide argues that WorkOS is no longer the only enterprise-ready option and that some alternatives now offer similar readiness at materially lower cost. | 低 | SP030 |
| CP036 | Agentic or AI identity language is spreading across adjacent vendors, with current public positioning from Stytch, Frontegg, Descope, Permit.io, and Cerbos all extending beyond classic login. | 中 | SP011, SP017, SP019, SP021, SP023 |
| CI001 | WorkOS makes user management free up to 1 million users and lists $2,500 per month for each additional 1 million users. | 高 | SI001, SI002, SI011 |
| CI002 | WorkOS publicly prices Enterprise SSO at $125 per connection per month. | 高 | SI001, SI010, SI011, SI023 |
| CI003 | WorkOS publicly prices Directory Sync (SCIM) at $125 per connection per month. | 高 | SI010, SI011, SI023 |
| CI004 | WorkOS pricing materials describe automatic connection-volume discounts and route the largest connection tiers to custom sales pricing. | 高 | SI010, SI011, SI023 |
| CI005 | Current WorkOS pricing also monetizes log streaming, event retention, and verification or abuse-check workloads beyond core identity connections. | 中 | SI001 |
| CI006 | WorkOS packages guided integration, private Slack support, and 24x7/365 response-time SLAs as premium support layers beyond baseline documentation and web support. | 中 | SI003 |
| CI007 | WorkOS repeatedly frames connection-based pricing as aligned to customer growth rather than raw end-user counts. | 高 | SI003, SI007, SI010, SI011 |
| CI008 | The WorkOS Series A announcement says the company had previously raised $15 million led by Lachy Groom and had raised $19 million total to date. | 中 | SI004 |
| CI009 | The same Series A post says more than 100 enterprise-ready apps were already built on WorkOS. | 中 | SI004 |
| CI010 | WorkOS disclosed an $80 million Series B led by Greenoaks with Lachy Groom, Lightspeed Ventures, and Abstract Ventures participating. | 高 | SI005, SI018 |
| CI011 | TechCrunch reported that the 2022 Series B brought WorkOS total funding to about $100 million. | 中 | SI018 |
| CI012 | By the time of its Series B announcement, WorkOS said it had over 200 paying customers across the globe. | 高 | SI005, SI018 |
| CI013 | TechCrunch reported that the Modulz acquisition expanded WorkOS to a 40-employee workforce in 2022. | 中 | SI018 |
| CI014 | WorkOS said its Series B left the company with many years of runway, but it did not disclose cash or burn figures. | 中 | SI005 |
| CI015 | WorkOS disclosed a $100 million Series C financing. | 高 | SI006, SI019 |
| CI016 | The Series C was led or co-led by Meritech and Sapphire, with Audacious, Craft, Abstract, Greenoaks, and others participating. | 高 | SI006, SI019 |
| CI017 | WorkOS said the Series C valued the company at $2 billion. | 中 | SI006 |
| CI018 | WorkOS said it now serves thousands of customers and processes billions of API requests each month. | 中 | SI006 |
| CI019 | WorkOS names OpenAI, Anthropic, xAI, Cursor, Perplexity, Vercel, Replit, and other AI-native vendors among its customer set. | 高 | SI006, SI008, SI012, SI013, SI014 |
| CI020 | Fenwick says WorkOS will use Series C proceeds to build what is needed to make agentic software secure and reliable. | 高 | SI006, SI019 |
| CI021 | WorkOS legal terms and Crunchbase both identify the legal entity as WorkOS, Inc. | 高 | SI009, SI021 |
| CI022 | An SEC EDGAR full-text search for “WorkOS, Inc.” returned zero hits. | 中 | SI020 |
| CI023 | Crunchbase’s archived WorkOS profile says the company was founded in 2019 and is based in San Francisco, California. | 中 | SI021 |
| CI024 | Growjo estimates WorkOS at 88 employees, $12.8 million in annual revenue, and roughly $145,000 of revenue per employee. | 低 | SI022 |
| CI025 | GetLatka claims WorkOS reached $30 million of revenue, 89 employees, and 1,000 customers in 2025. | 低 | SI025 |
| CI026 | The same GetLatka profile also says WorkOS is bootstrapped and has raised $0, which conflicts with WorkOS’s own funding disclosures. | 中 | SI025, SI004, SI005, SI006 |
| CI027 | Public headcount proxies cluster around the high-80s by 2025, but WorkOS does not publish a current official headcount. | 中 | SI006, SI022, SI025 |
| CI028 | WorkOS’s published benefits and premium support model indicate a real employee and service-delivery cost base rather than a purely self-serve software business. | 中 | SI003, SI015 |
| CI029 | Infisign says WorkOS pricing is transparent but can become expensive as enterprise connection counts scale and core enterprise features remain paid. | 中 | SI023 |
| CI030 | SaaSworthy says WorkOS offers no free trial and warns that third-party pricing snapshots may lag the vendor’s current website. | 中 | SI024 |
| CI031 | Official WorkOS customer pages show adoption by OpenAI, Cursor, and Vercel, which is a revenue-quality signal but not a direct revenue disclosure. | 高 | SI008, SI012, SI013, SI014 |
| CI032 | Vercel’s customer story says SSO was essential to closing enterprise deals and that WorkOS let Vercel outsource SSO, Directory Sync, and Admin Portal work to focus on its core product. | 中 | SI014 |
| CI033 | WorkOS’s enterprise-sales guide argues that enterprise requirements are arriving earlier, supporting a developer-led entry motion that expands into sales-assisted enterprise identity needs. | 中 | SI016 |
| CI034 | AuthKit marketing shows that WorkOS now spans login, SSO, MFA, social auth, RBAC, and bot detection, widening the set of monetizable surfaces beyond SSO alone. | 中 | SI017 |
| CI035 | WorkOS monetizes a mix of free user management upsell, paid enterprise connections, infrastructure add-ons, and premium support. | 高 | SI001, SI002, SI003, SI017 |
| CI036 | No reviewed public source disclosed audited revenue, ARR, burn, cash balance, gross margin, CAC, or NRR for WorkOS. | 高 | SI001, SI005, SI006, SI020 |
| CI037 | Public revenue proxies conflict sharply, with Growjo at $12.8 million and GetLatka at $30 million, so public-only revenue estimation is not underwriteable. | 中 | SI022, SI025 |
| CI038 | Reviewed sources show repeated equity fundraising but no disclosed debt facility or public SEC filing trail, so the public capital-structure record looks equity-funded but incomplete on private credit. | 中 | SI004, SI005, SI006, SI020 |
| CI039 | Disclosed round amounts imply at least about $199 million of cumulative capital raised across pre-Series-B history, Series B, and Series C. | 高 | SI004, SI005, SI006 |
| CI040 | Public valuation history remains incomplete because official early-round posts did not publish a valuation, while the Series C post did publish a $2 billion value. | 高 | SI004, SI005, SI006 |
| CI041 | WorkOS exposes list pricing more clearly than many peers, but realized pricing remains opaque because custom pricing starts in larger tiers and official materials do not publish average contract values or discount realization. | 中 | SI001, SI010, SI011, SI023 |
| CI042 | WorkOS defines one SSO or Directory Sync connection as one enterprise-customer relationship, making enterprise-customer count a core revenue driver for those modules. | 高 | SI001, SI010, SI023 |
| CI043 | WorkOS customer testimonials explicitly position connection-based pricing as a more viable growth-aligned alternative to opaque competitor pricing. | 高 | SI003, SI007 |
| CI044 | Series C messaging and the named AI-heavy customer set imply that new capital is being deployed toward AI-oriented product expansion rather than near-term profitability optimization. | 高 | SI006, SI019 |
| CI045 | Public evidence supports a positive demand and capital story for WorkOS, but the lack of audited operating metrics leaves margin path, capital adequacy, and sales efficiency as core diligence blockers. | 高 | SI001, SI003, SI006, SI020 |
| CE001 | WorkOS publicly sells an enterprise identity suite that includes SSO, Directory Sync, User Management/AuthKit, MFA, Audit Logs, Admin Portal, and fine-grained authorization. | 高 | SE001, SE002, SE003, SE005, SE006, SE007, SE017 |
| CE002 | WorkOS Enterprise SSO supports both SAML and OIDC through a single integration surface and advertises 20+ supported identity providers. | 高 | SE001, SE011 |
| CE003 | WorkOS positions its SSO product as authentication middleware that lets customers keep their own database and user records rather than outsourcing the app's user store to WorkOS. | 高 | SE001, SE011 |
| CE004 | WorkOS SSO docs recommend authenticating against an organization parameter and explicitly warn teams to validate the returned organization ID rather than relying on email-domain matching at callback time. | 中 | SE011 |
| CE005 | Directory Sync provides SCIM-style provisioning and deprovisioning behind a single integration and advertises real-time updates through webhook events. | 高 | SE002, SE012 |
| CE006 | WorkOS says Directory Sync normalizes data from directories and HRIS sources and can deliver changes through webhooks or the Events API. | 高 | SE002, SE012 |
| CE007 | User Management and AuthKit support email/password, enterprise SSO, social login, and Magic Auth, and can be consumed through a hosted UI or public APIs. | 高 | SE003, SE004, SE013 |
| CE008 | WorkOS tells customers to keep user data in their own database and use the Events API to receive realtime updates when WorkOS-side user state changes. | 中 | SE003 |
| CE009 | AuthKit's public security positioning includes default email verification, automatic identity linking, bot detection, and MFA availability. | 高 | SE004, SE013 |
| CE010 | The MFA product page says WorkOS supports both TOTP and SMS factors behind one API interface. | 高 | SE005, SE014 |
| CE011 | AuthKit MFA docs say MFA can be enabled in the dashboard, requires authenticator-app setup for new and existing users before sign-in, and does not apply to SSO users. | 中 | SE014 |
| CE012 | Organizations are a first-class WorkOS object with no public limit on count and can model both many-to-many workspaces and single-workspace tenancy patterns. | 中 | SE015 |
| CE013 | WorkOS treats email address as the unique user identifier and automatically handles identity linking across authentication methods on the same email. | 中 | SE013, SE015 |
| CE014 | Organization memberships have pending, active, and inactive states; deactivation revokes active sessions and reactivation retains the prior role before it can be updated. | 中 | SE015 |
| CE015 | In AuthKit RBAC, roles and permissions are assigned through organization memberships and each environment is seeded with a default member role. | 中 | SE016 |
| CE016 | AuthKit's multiple-role mode gives a membership the union of permissions across assigned roles, but WorkOS warns permission slugs live in JWT claims and that larger role sets mean larger tokens and more governance overhead. | 中 | SE016 |
| CE017 | When Directory Sync is present, WorkOS recommends directory-group role assignment over SSO role assignment and documents that explicit directory-group mappings override SSO or manual role assignment. | 中 | SE016 |
| CE018 | WorkOS FGA extends tenant-wide RBAC into hierarchical, resource-scoped authorization for resources such as organizations, workspaces, projects, and apps. | 中 | SE017 |
| CE019 | The FGA docs say teams can adopt FGA incrementally alongside existing RBAC without data migration or a separate schema DSL. | 中 | SE017 |
| CE020 | WorkOS describes FGA runtime evaluation as a two-layer model in which AuthKit embeds organization-scoped roles into access tokens while the Authorization API evaluates resource-scoped permissions against the full hierarchy. | 中 | SE017 |
| CE021 | FGA docs advertise sub-50ms p95 access checks, strong consistency, and warmed caches, while also saying edge caches are still coming soon. | 中 | SE017 |
| CE022 | WorkOS still marks FGA user groups and teams, identity-provider role assignment for sub-resources, permission assignment overrides, and further performance enhancements as coming soon. | 中 | SE017 |
| CE023 | Admin Portal gives IT contacts a self-serve UI for domain verification, SSO, Directory Sync, and related enterprise setup flows, including test sign-in and connection-status views. | 高 | SE007, SE020 |
| CE024 | API-generated Admin Portal links expire five minutes after creation, whereas dashboard-generated setup links remain active for 30 days or until configured. | 中 | SE007, SE020 |
| CE025 | Admin Portal sessions are scoped to a specific organization and WorkOS says organizations may have only one connection, which makes the portal workflow opinionated around a single active setup context. | 中 | SE020 |
| CE026 | Audit Logs support organization-scoped events with actors, targets, metadata, and JSON schema validation, while log streaming and retention are separately priced product elements. | 中 | SE006 |
| CE027 | Webhook consumers must accept HTTPS POSTs, read the WorkOS-Signature header, and verify an HMAC SHA256 signature plus timestamp tolerance using the shared webhook secret. | 中 | SE018 |
| CE028 | If a webhook endpoint fails, WorkOS retries production events up to six times with exponential backoff over three days, does not guarantee in-order delivery, and recommends idempotent processing that compares timestamps to avoid stale overwrites. | 中 | SE018 |
| CE029 | Connected on-prem deployments require a distinct WorkOS environment and API key per customer plus explicit firewall planning for callbacks, actions, webhooks, and outbound HTTPS traffic. | 中 | SE019 |
| CE030 | WorkOS recommends the Events API rather than inbound webhooks for many on-prem scenarios because requests can originate from customer infrastructure, but truly air-gapped environments require a specialized package or alternate approach. | 中 | SE019 |
| CE031 | WorkOS's security page publicly states SOC 2 Type 2 certification, GDPR and CCPA compliance, annual third-party penetration tests, external code audits, and HIPAA BAAs for enterprise plans. | 中 | SE009 |
| CE032 | WorkOS says the data it stores is limited to what identity providers send and directs customers to a public subprocessor list and Trust Center for more compliance detail. | 中 | SE009 |
| CE033 | WorkOS's 2023 product recap claimed more than 40 releases that year and highlighted 99.99% availability for SSO, Directory Sync, and Audit Logs. | 中 | SE022 |
| CE034 | That 2023 recap also highlighted Events API, User Management/AuthKit, GitHub OAuth support, Admin Portal invite and branding improvements, Domain Verification API, and a Postman public workspace. | 中 | SE022 |
| CE035 | WorkOS publicly exposes both backend SDKs and AuthKit-focused SDKs, and the public ecosystem clearly includes Node, Next.js, Go, PHP, and .NET surfaces. | 中 | SE010, SE023, SE024, SE027, SE028, SE029 |
| CE036 | The official Node SDK requires Node 22.11 or higher and supports public-client PKCE flows that exchange authorization codes using a stored code verifier. | 中 | SE023, SE025 |
| CE037 | The AuthKit Next.js library is intended for Next.js App Router apps and requires encrypted session-cookie configuration, including a WORKOS_COOKIE_PASSWORD of at least 32 characters. | 中 | SE024, SE026 |
| CE038 | The Next.js helper relies on proxy or middleware for session management and warns that SameSite none reduces CSRF protection while overly broad matchers can break static assets. | 中 | SE026 |
| CE039 | Packagist reports the official WorkOS PHP SDK with 2,725,740 installs, 7 dependents, 41 GitHub stars, and 3 open issues. | 中 | SE027 |
| CE040 | The Go package docs enumerate focused packages for SSO, Directory Sync, User Management, Audit Logs, Organizations, and Webhooks. | 中 | SE028 |
| CE041 | NuGet lists WorkOS.net as the official .NET client, shows version 4.0.1 last updated on 2026-05-11, and computes target support across net8.0, net9.0, and net10.0 platforms. | 中 | SE029 |
| CE042 | A founder-led Show HN thread for AuthKit and User Management appeared on 2023-11-28, indicating at least some launch-time community attention around the WorkOS auth surface. | 低 | SE031 |
| CE043 | A 2024 Stack Overflow post describes an iOS or PWA SSO integration where Microsoft authentication produced a GET-versus-POST callback problem when WorkOS generated the login URL, showing public evidence of redirect-edge friction. | 低 | SE032 |
| CE044 | Another 2024 Stack Overflow thread shows that creating an organization membership with roleSlug admin fails if the role has not already been created in WorkOS. | 低 | SE033 |
| CE045 | In WorkOS's own build-versus-buy framing, a first SSO implementation for only one IdP can take about three months and each enterprise onboarding can consume roughly 10 to 20 hours of engineering and support time. | 中 | SE021 |
| CE046 | The same WorkOS article argues that SCIM implementations are harder than SSO because providers fragment data and behavior, duplicate requests occur, and large initial syncs can flood systems because most IdPs do not allow rate limits. | 中 | SE021 |
| CU001 | The retained public proof set substantiates current WorkOS references including OpenAI, Cursor, Perplexity, Vercel, Webflow, Indeed, Warp, AI21 Labs, Copy.ai, Chromatic, Hypercare, Patch, and Hopin. | 高 | SU001, SU002, SU003, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU002 | Public WorkOS evidence ranges from detailed deployment case studies to thinner logo- or quote-level mentions. | 高 | SU001, SU002, SU003, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU003 | The visible WorkOS reference base is concentrated in software vendors selling enterprise-ready products rather than end-enterprises buying identity infrastructure directly. | 高 | SU001, SU002, SU003, SU004, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU004 | In the retained case studies, the buyer is usually a product, engineering, or security leader, the implementation user is engineering, and the downstream operational user is the customer IT admin. | 高 | SU002, SU003, SU005, SU006, SU010, SU014 |
| CU005 | Enterprise SSO or SCIM is repeatedly described as the initial procurement blocker that triggers WorkOS adoption. | 高 | SU002, SU003, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU006 | WorkOS often integrates around an existing authentication stack rather than forcing a rip-and-replace migration. | 中 | SU006, SU007, SU009 |
| CU007 | Admin Portal is repeatedly used as a self-serve IT-admin onboarding surface instead of manual support. | 高 | SU002, SU003, SU005, SU006, SU010, SU011, SU014 |
| CU008 | Directory Sync or SCIM is the most visible expansion product after initial SSO in the retained public stories. | 高 | SU002, SU003, SU004, SU005, SU008, SU009, SU010, SU015 |
| CU009 | Visible WorkOS references span AI applications, developer tools, web platforms, hiring and workflow software, healthcare coordination, climate APIs, and incident-management products. | 高 | SU001, SU002, SU003, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012, SU023, SU024 |
| CU010 | Vercel says WorkOS helped it support enterprise customers like GitHub, eBay, and The Washington Post by making SSO a first-class enterprise feature. | 中 | SU002, SU017 |
| CU011 | Vercel expanded beyond SSO into Directory Sync and Admin Portal after its in-house approach left session and onboarding gaps. | 中 | SU002, SU014, SU015 |
| CU012 | Webflow says lack of SCIM left deals on the table and that WorkOS Directory Sync solved a hard requirement for larger organizations. | 中 | SU003, SU018 |
| CU013 | Webflow says one engineer added Directory Sync in less than a couple of weeks while avoiding a much larger in-house build. | 中 | SU003 |
| CU014 | Netlify moved off a homegrown SSO solution because supporting more identity providers and SCIM internally became too complex. | 中 | SU004, SU019 |
| CU015 | Indeed says it replaced Auth0 because customer onboarding required hours of engineering support and WorkOS provided a better enterprise fit. | 中 | SU005 |
| CU016 | Indeed says Admin Portal turned SSO onboarding into a few self-serve steps instead of manual redeploy and support work. | 中 | SU005, SU014 |
| CU017 | Warp says it kept Firebase in place while using WorkOS to ship enterprise SSO quickly. | 中 | SU006 |
| CU018 | Warp says Admin Portal saved hours of back-and-forth by letting customer IT admins configure SSO themselves. | 中 | SU006, SU014 |
| CU019 | AI21 Labs says it implemented WorkOS SSO within days after enterprise customers made SSO a requirement. | 中 | SU007 |
| CU020 | AI21 Labs says pricing clarity and developer experience mattered alongside protocol coverage when choosing WorkOS. | 中 | SU007, SU013 |
| CU021 | Copy.ai says it rolled out SSO and Directory Sync in less than two weeks. | 中 | SU008 |
| CU022 | Copy.ai says it later migrated hundreds of thousands of active users to WorkOS User Management. | 中 | SU008 |
| CU023 | Chromatic says it moved from Passport.js and in-house onboarding to WorkOS in less than two weeks after spending 2-4 hours per SSO connection. | 中 | SU009, SU001 |
| CU024 | Hypercare says it deployed SCIM in roughly two weeks for hospital customers with thousands of users. | 中 | SU010 |
| CU025 | Hypercare says WorkOS became more attractive than a split Auth0-plus-WorkOS setup because of connections-based pricing and Admin Portal. | 中 | SU010, SU013 |
| CU026 | Patch says a one-day WorkOS SSO integration unblocked $1 million in enterprise GMV. | 中 | SU011 |
| CU027 | Hopin says WorkOS saved two months of engineering time and let it test SSO with customers within two weeks. | 中 | SU012 |
| CU028 | Publicly quantified customer outcomes are mostly about implementation speed, onboarding labor, or engineering time saved rather than about recurring retention metrics. | 高 | SU002, SU003, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU029 | Connections-based or otherwise transparent pricing is a recurring public reason customers choose WorkOS over building in-house or staying with Auth0-style alternatives. | 高 | SU001, SU005, SU007, SU010, SU013, SU025 |
| CU030 | G2 and Product Hunt reviews corroborate implementation ease, documentation quality, and strong support as recurring strengths for WorkOS users. | 高 | SU025, SU026 |
| CU031 | G2 reviews also surface pricing pass-through pain, session-management gaps, passwordless and Azure profile-image limitations, and documentation gaps for some use cases. | 中 | SU025 |
| CU032 | Product Hunt reviews summarize strong support and easy enterprise-auth integration but also suggest WorkOS could provide more startup-specific guidance on enterprise readiness. | 中 | SU026 |
| CU033 | The May 22, 2026 status incident shows Dashboard and Admin Portal UI issues can degrade customer onboarding even when underlying authentication and data remain unaffected. | 中 | SU016 |
| CU034 | Customer-side enterprise pages show WorkOS serves accounts that themselves market enterprise-grade security, governance, access control, and operational scale to their own buyers. | 中 | SU017, SU018, SU019, SU020, SU021, SU022, SU023, SU024 |
| CU035 | The strongest public WorkOS fit is for enterprise-ready software vendors that want identity features without staffing a full internal identity team. | 高 | SU002, SU003, SU004, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012, SU025 |
| CU036 | Official retained materials do not disclose customer count, NRR, GRR, churn, renewal schedules, or revenue concentration by customer or segment. | 中 | SU001, SU013, SU014, SU015, SU016 |
| CU037 | OpenAI, Cursor, Perplexity, Drata, and incident.io are publicly substantiated on WorkOS’s current customer surface, but their retained proof is thinner than the long-form stories for Vercel, Webflow, Indeed, Warp, AI21, Copy.ai, Chromatic, Hypercare, Patch, and Hopin. | 中 | SU001, SU002, SU003, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU038 | Apps Run The World independently lists Webflow, Warp, and Prefect as WorkOS customers. | 低 | SU027 |
| CU039 | Bloomberry’s DNS-based telemetry claims 589 detected WorkOS customers and 66 upcoming renewals, but the methodology is too opaque to treat as a hard customer-count disclosure. | 低 | SU028 |
| CU040 | Customer concentration risk is hard to size because the public proof set skews toward venture-backed software accounts and WorkOS does not disclose top-customer exposure. | 中 | SU001, SU002, SU003, SU004, SU005, SU006, SU007, SU008, SU009, SU010, SU011, SU012 |
| CU041 | Vercel Enterprise currently markets RBAC, SSO, audit visibility, and a 99.99% uptime SLA, which aligns with the kind of enterprise buyer expectations that make WorkOS relevant. | 中 | SU017 |
| CU042 | Webflow Enterprise currently markets permissions, governance, and reduced developer backlog, reinforcing that WorkOS serves customers already selling controlled enterprise workflows. | 中 | SU018 |
| CU043 | WorkOS pricing currently advertises a free tier up to 1 million users and a 99.99% uptime SLA on annual-credit plans, which supports its fit for fast-growing PLG SaaS customers. | 中 | SU013 |
| CU044 | WorkOS Directory Sync currently claims one integration can connect 12+ directory services and automate provisioning and deprovisioning, supporting the expansion path cited in customer stories. | 中 | SU015 |
| CR001 | WorkOS's publicly accessible website terms disclaim uninterrupted or error-free website availability. | 中 | SR001 |
| CR002 | WorkOS's website terms cap liability for website use at $100 and route disputes to California courts. | 中 | SR001 |
| CR003 | WorkOS's privacy policy says it processes personal data for customer contracts, orders, invoices, follow-ups, and legal or regulatory obligations. | 中 | SR002 |
| CR004 | WorkOS's DPA allows WorkOS to engage subprocessors, requires data-protection terms with them, and says customers may object to new subprocessors where data-protection law requires it. | 高 | SR003, SR004, SR029 |
| CR005 | WorkOS's DPA authorizes cross-border transfers, including data moving from the EEA, Switzerland, and the UK to other countries. | 中 | SR003, SR029 |
| CR006 | WorkOS's DPA says WorkOS will notify subscribers of security incidents without undue delay and assist with data-subject requests and DPIAs where required by law. | 中 | SR003, SR029 |
| CR007 | WorkOS publicly markets SOC 2 Type 2 certification, GDPR and CCPA compliance, annual third-party penetration tests, and external code audits, and says its Trust Center holds the supporting artifacts. | 高 | SR006, SR014 |
| CR008 | WorkOS says HIPAA BAAs are available only for enterprise plans. | 中 | SR006 |
| CR009 | WorkOS's public SLA covers only enterprise-tier production services and excludes staging, sandbox, alpha, beta, preview, and other non-GA usage. | 高 | SR005, SR007, SR013 |
| CR010 | WorkOS aligns public availability commitments around 99.99% uptime and service-credit remedies rather than open-ended damages. | 中 | SR005, SR013 |
| CR011 | WorkOS pricing pairs free user management up to 1 million monthly active users with annual credits, 99.99% uptime SLA, guaranteed support SLA, and 24x7x365 enterprise response SLAs. | 中 | SR007 |
| CR012 | WorkOS still routes some meaningful production economics through sales contact or add-ons, including volume user-management pricing above 1 million MAUs and custom branding or custom domains. | 中 | SR007 |
| CR013 | WorkOS Status reported 100.0% uptime over the prior 90 days for core services as of May 24, 2026. | 中 | SR008 |
| CR014 | The same status page logged May 2026 incidents affecting dashboard or docs availability, webhook delivery, OIDC connections, and AuthKit email rendering. | 中 | SR008 |
| CR015 | WorkOS's SSO docs say apps should validate the returned organization ID and not rely on email-domain matching. | 中 | SR009 |
| CR016 | WorkOS's Directory Sync docs say directory providers implement SCIM differently and that manual SCIM implementation can introduce security vulnerabilities. | 高 | SR010, SR030, SR031 |
| CR017 | WorkOS's own SAML guide says SAML is common in enterprise but prone to vulnerabilities and that OIDC is preferable when possible. | 中 | SR016, SR032 |
| CR018 | RFC 7643 presents SCIM core schema as a standard intended to reduce the cost and complexity of user management in cloud services. | 中 | SR030 |
| CR019 | RFC 7644 defines SCIM as an HTTP-based protocol for enterprise-to-cloud and inter-cloud identity management. | 中 | SR031 |
| CR020 | OpenID Connect Core remains a maintained identity layer on top of OAuth 2.0, so vendors must keep pace with evolving protocol expectations. | 中 | SR032 |
| CR021 | NIST SP 800-63B is the federal digital-identity baseline for regulated US workloads and includes authentication and session-security guidance. | 中 | SR033 |
| CR022 | AICPA describes SOC reports as outsourcing-risk assurance artifacts, making report scope and freshness commercially important for enterprise procurement. | 中 | SR034 |
| CR023 | The AuthKit Next.js changelog shows a 2026 change to add OAuth state verification on callback to prevent CSRF attacks. | 中 | SR017 |
| CR024 | The same AuthKit Next.js changelog shows hardening around PKCE and concurrent-flow cookie clobbering in 2026. | 中 | SR017 |
| CR025 | The WorkOS Node SDK changelog records a 2026 fix resolving miniflare and undici vulnerabilities. | 中 | SR018 |
| CR026 | The WorkOS Node SDK changelog records a 2026 change to accept raw request bytes for webhook signature verification. | 中 | SR018 |
| CR027 | The WorkOS Python SDK updated pyjwt for security and then moved to breaking releases that require Python 3.10 or newer. | 中 | SR019 |
| CR028 | The Node SDK v9 migration guide drops Node 20, removes legacy FGA, renames portal to adminPortal, and changes pagination defaults. | 中 | SR020, SR018 |
| CR029 | A public May 2026 issue reported two separate incidents where dashboard feature-flag targeting and the JWT feature_flags claim diverged. | 中 | SR021 |
| CR030 | A public AuthKit issue reported stale workos_organization_id values in sessionStorage could cause 400 authentication failures when users switch organizations. | 中 | SR022 |
| CR031 | A public AuthKit issue reported double Cloudflare human-verification prompts during hosted sign-in. | 中 | SR023 |
| CR032 | A public AuthKit issue said token-refresh retries lack jitter, creating synchronized retry peaks when deployments skew. | 中 | SR024 |
| CR033 | A public April 2026 issue said progressive passkey enrollment did not prompt OTP or magic-link users in staged AuthKit deployments. | 中 | SR025 |
| CR034 | Another public AuthKit issue says hosted AuthKit can auto-create a new user during sign-in flow, which some integrators view as phantom-account risk. | 中 | SR026 |
| CR035 | WorkOS's hosted UI is the fastest path to integration, but teams that avoid it must own more authentication state through the AuthKit API directly. | 中 | SR011 |
| CR036 | WorkOS passkeys should be enabled only after a custom domain is configured because passkeys are bound to the domain on which they are registered. | 中 | SR012 |
| CR037 | WorkOS passkeys are currently available only through AuthKit hosted UI. | 中 | SR012 |
| CR038 | WorkOS announced a $100 million Series C at a $2 billion valuation on March 2, 2026. | 中 | SR015 |
| CR039 | WorkOS says it expanded from authentication into permissions, integrations, encryption, abuse detection, feature flags, and MCP, but those products still sit inside the same identity and security control plane. | 中 | SR015, SR007 |
| CR040 | WorkOS claims five nines uptime across thousands of customers and billions of API requests each month. | 中 | SR015 |
| CR041 | Laravel maintains an official WorkOS utilities package for its starter kits, increasing WorkOS distribution through a third-party framework ecosystem. | 中 | SR027 |
| CR042 | Hanko markets itself as an open-source alternative to Auth0, Clerk, WorkOS, and Stytch. | 中 | SR028 |
| CR043 | Official competitor pricing shows direct pressure at the developer edge: Auth0 is free to 25,000 MAUs, Clerk to 50,000 MRUs, and Stytch advertises no hard pricing cliffs while including five SSO or SCIM connections free. | 高 | SR035, SR036, SR037 |
| CR044 | Microsoft Entra ID's free edition bundles user and group management, directory synchronization, reports, and SSO across Azure, Microsoft 365, and many SaaS apps. | 中 | SR038 |
| CR045 | AWS Cognito prices by MAUs and separately prices SAML or OIDC federation, giving AWS-native builders a hyperscaler substitute for core WorkOS functions. | 中 | SR039, SR007 |
| CR046 | Okta's support-system breach affected 134 customers and enabled session hijacking at five customers, while third-party analyses framed the incident as an identity-supply-chain event with phishing and social-engineering implications for customers. | 高 | SR040, SR041, SR042 |
| CV001 | WorkOS disclosed a $100 million Series C financing at a $2 billion valuation in March 2026. | 高 | SV001, SV004 |
| CV002 | WorkOS said the round was led by Meritech and Sapphire with participation from Audacious, Craft, Abstract, Greenoaks, and others. | 中 | SV001 |
| CV003 | TBPN reported that the March 2026 financing was WorkOS's first outside capital in more than four years. | 中 | SV004 |
| CV004 | WorkOS publicly said that customers on the platform include OpenAI, Anthropic, xAI, Cursor, Perplexity, Sierra, Replit, and Vercel. | 高 | SV001, SV003 |
| CV005 | WorkOS said it runs at five nines uptime across thousands of customers and billions of API requests each month. | 高 | SV001, SV002 |
| CV006 | WorkOS's website markets more than nine months faster time-to-value than building SSO and SCIM in-house, along with 50-plus integrations on one API surface. | 中 | SV002, SV003 |
| CV007 | A customer story on WorkOS's site quotes Cursor as saying it now runs on WorkOS and is no longer subject to Auth0's opaque pricing. | 中 | SV003 |
| CV008 | TBPN reported that WorkOS offers a free tier supporting up to one million users and monetizes when customers close enterprise deals. | 中 | SV004 |
| CV009 | TBPN reported that WorkOS cut integration time to roughly seven to eight minutes through an AI-powered CLI installer. | 中 | SV004 |
| CV010 | WorkOS says its platform now spans authentication, permissions, integrations, encryption, abuse detection, feature flags, and MCP. | 中 | SV001, SV031 |
| CV011 | Okta agreed to acquire Auth0 in 2021 for approximately $6.5 billion in stock. | 高 | SV014, SV015, SV016 |
| CV012 | TechCrunch reported that Auth0 had last been valued at $1.92 billion and was expected to reach about $200 million of revenue in 2021 when Okta agreed to buy it. | 中 | SV016 |
| CV013 | Using TechCrunch's reported $200 million revenue expectation, Okta's $6.5 billion Auth0 purchase implied roughly 32.5x forward revenue. | 中 | SV015, SV016 |
| CV014 | One Identity acquired OneLogin in October 2021 and did not publicly disclose the transaction value. | 中 | SV017, SV018 |
| CV015 | One Identity said the combined company would serve more than 10,000 customers and actively manage 300 million identities worldwide. | 中 | SV017 |
| CV016 | TechCrunch reported that OneLogin's last disclosed private valuation was about $330 million in 2019. | 中 | SV018 |
| CV017 | Thoma Bravo completed its acquisition of SailPoint in 2022 in an all-cash transaction valued at approximately $6.9 billion, or $65.25 per share. | 高 | SV019, SV020, SV021 |
| CV018 | Okta's market capitalization was about $16.17 billion in late May 2026. | 中 | SV006, SV007 |
| CV019 | Stock Analysis reported that Okta's enterprise value was about $14.07 billion and its EV/sales ratio was about 4.82x as of May 22, 2026. | 中 | SV007 |
| CV020 | Stock Analysis reported that Okta generated about $2.92 billion of last-twelve-month revenue and $875 million of free cash flow. | 中 | SV007 |
| CV021 | Stock Analysis reported that Okta's gross margin was about 77.36% and revenue per employee was about $458,530. | 中 | SV007 |
| CV022 | CyberArk's market capitalization was about $20.63 billion in May 2026. | 中 | SV009, SV010 |
| CV023 | CyberArk reported full-year 2025 revenue of $1.361 billion, up 36% year over year. | 高 | SV008, SV026 |
| CV024 | CyberArk reported year-end 2025 ARR of $1.440 billion and subscription ARR of $1.267 billion, up 23% and 30% respectively. | 高 | SV008, SV026 |
| CV025 | CyberArk reported fourth-quarter 2025 subscription revenue of $310.5 million, up 28% year over year. | 高 | SV008, SV026 |
| CV026 | CyberArk reported about $2.095 billion of cash, cash equivalents, deposits, and marketable securities at December 31, 2025 and about $127.5 million of adjusted fourth-quarter free cash flow. | 中 | SV008 |
| CV027 | Using reviewed public sources, CyberArk's May 2026 market cap equated to roughly 15.2x revenue and about 14.3x ARR. | 中 | SV008, SV009, SV010 |
| CV028 | SailPoint's market capitalization was about $8.93 billion in late May 2026. | 中 | SV012, SV013 |
| CV029 | Stock Analysis reported that SailPoint's enterprise value was about $8.59 billion and its EV/sales ratio was about 8.02x as of May 22, 2026. | 中 | SV013 |
| CV030 | Stock Analysis reported that SailPoint generated about $1.07 billion of last-twelve-month revenue and held about $358 million of cash. | 中 | SV013 |
| CV031 | Stock Analysis reported that SailPoint's gross margin was about 64.47% and last-twelve-month free cash flow was about $47.9 million. | 中 | SV013 |
| CV032 | CrowdStrike's market capitalization was about $168.87 billion in late May 2026. | 中 | SV029, SV030 |
| CV033 | Stock Analysis reported that CrowdStrike's enterprise value was about $164.46 billion and its EV/sales ratio was about 34.18x. | 中 | SV030 |
| CV034 | Stock Analysis reported that CrowdStrike generated about $4.81 billion of last-twelve-month revenue and about $1.31 billion of free cash flow. | 中 | SV030 |
| CV035 | Reuters reported that the S&P 500 software and services index had shed about $1 trillion in market value since January 28, 2026 and was down 21% below its 200-day moving average on February 5, 2026. | 中 | SV022 |
| CV036 | Reuters reported that cybersecurity and SaaS companies saw the biggest jump in bearish bets during the early-2026 software selloff. | 中 | SV022 |
| CV037 | Acquiry wrote that 2026 private-market multiples cluster around 4x-7x ARR for non-AI SaaS and 8x-15x ARR for AI-native SaaS, with traditional SaaS above 30% growth at roughly 5x-8x ARR. | 中 | SV023 |
| CV038 | Acquiry wrote that a SaaS company with roughly 120% NRR can command about a 30%-50% higher multiple than a comparable business near 100% NRR. | 中 | SV023 |
| CV039 | Windsor Drake wrote that public SaaS multiples peaked near 18.6x EV/revenue in 2021 and sat around 6x-7x by late 2025, while private lower-middle-market SaaS traded around 4x-5x revenue. | 中 | SV025 |
| CV040 | Aventis wrote that its SaaS index remains more than 55% below the 2021 peak and that investors entering 2025 and 2026 were prioritizing profitability and sustainable growth over aggressive expansion. | 中 | SV024 |
| CV041 | At a $2 billion valuation, WorkOS would need about $400 million of ARR at 5x, $250 million at 8x, $200 million at 10x, $167 million at 12x, and $133 million at 15x to justify the round price. | 中 | SV001, SV023, SV025 |
| CV042 | If WorkOS were already at roughly $100 million of ARR, the $2 billion round would imply about a 20x ARR multiple. | 中 | SV001, SV023 |
| CV043 | If WorkOS were already at roughly $150 million of ARR, the $2 billion round would imply about a 13.3x ARR multiple. | 中 | SV001, SV023 |
| CV044 | The reviewed public 2026 source set does not disclose WorkOS ARR, revenue, NRR, gross margin, headcount, or cap-table terms. | 中 | SV001, SV002, SV003, SV004, SV031 |
| CV045 | WorkOS's AI-customer set and enterprise-identity breadth support a premium to traditional SaaS medians, but the absence of disclosed financials makes the investment call sharply price-sensitive. | 中 | SV001, SV002, SV003, SV023, SV025 |
| CV046 | A buy case at the current valuation would require disclosed ARR of at least roughly $150 million, NRR above 120%, gross margin above 75%, and no material preference overhang. | 中 | SV001, SV023, SV025 |
| CV047 | A track case is most consistent with ARR in roughly the $110 million to $150 million band or with only partial disclosure that leaves the round fair-to-stretched rather than clearly attractive. | 中 | SV001, SV023, SV025 |
| CV048 | A pass case becomes compelling if ARR is below roughly $100 million, retention is ordinary rather than elite, or the financing stack materially impairs common-equity upside. | 中 | SV001, SV022, SV023, SV025 |
| CV049 | A base-case valuation band of roughly $1.20 billion to $2.24 billion follows from assuming $120 million to $160 million of ARR and a 10x to 14x multiple. | 中 | SV001, SV023, SV025 |
| CV050 | A bull-case valuation band of roughly $2.04 billion to $3.52 billion follows from assuming $170 million to $220 million of ARR and a 12x to 16x multiple. | 中 | SV001, SV023, SV025 |
| CV051 | A bear-case valuation band of roughly $420 million to $1.00 billion follows from assuming $70 million to $100 million of ARR and a 6x to 10x multiple. | 中 | SV001, SV022, SV023, SV025 |
| CV052 | The gap between Auth0's roughly 32.5x 2021 scarcity pricing and the 2026 identity-software comp range shows why WorkOS needs either strong hidden ARR or unusually strong AI premium to clear the current $2 billion bar. | 中 | SV015, SV016, SV023, SV025 |
| 编号 | 出版方 | 标题 | 引文 |
|---|---|---|---|
| SO001 | WorkOS | About — WorkOS | WorkOS is a team of 100+ builders dedicated to spreading developer joy. |
| SO002 | WorkOS | WorkOS — Your app, Enterprise Ready. | WorkOS provides a single, elegant interface that abstracts dozens of enterprise integrations. |
| SO003 | WorkOS | Customer Stories — WorkOS | 9 months faster than building Single Sign-On and SCIM in-house. |
| SO004 | WorkOS | OpenAI customer story — WorkOS | |
| SO005 | WorkOS | WorkOS raises $100M Series C, hits $2B valuation — WorkOS | WorkOS has raised $100 million in Series C financing, valuing the company at $2 billion. |
| SO006 | WorkOS | WorkOS raises $80m in Series B financing, acquires Modulz — WorkOS | In less than 2 years the company already has over 200 paying customers across the globe. |
| SO007 | WorkOS | WorkOS raises $15m to build Stripe for enterprise-ready features — WorkOS | At WorkOS, we’re building “Stripe for enterprise-ready features.” |
| SO008 | WorkOS | AuthKit – WorkOS Docs | |
| SO009 | WorkOS | Multi-Factor Authentication – AuthKit – WorkOS Docs | |
| SO010 | WorkOS | Directory Sync – WorkOS Docs | |
| SO011 | WorkOS | Audit Logs – WorkOS Docs | |
| SO012 | WorkOS | Fine-Grained Authorization (FGA) – FGA – WorkOS Docs | |
| SO013 | WorkOS | Directory Sync — WorkOS | |
| SO014 | WorkOS | Audit Logs — WorkOS | |
| SO015 | WorkOS | Radar — WorkOS | |
| SO016 | WorkOS | Security — WorkOS | |
| SO017 | WorkOS | Security Advisories — WorkOS | This vulnerability applies only to users of Hosted AuthKit with password authentication and multi-factor authentication (MFA) enabled. |
| SO018 | WorkOS | Website Terms — WorkOS | Please read these Website Terms and Conditions offered by WorkOS, Inc. (“WorkOS”). |
| SO019 | WorkOS | Introducing AuthKit and User Management APIs — WorkOS | |
| SO020 | WorkOS | Radar | WorkOS | |
| SO021 | Fenwick & West LLP | Fenwick Represents WorkOS in $100M Series C Funding | Fenwick represented WorkOS, a developer-focused API platform, in its $100 million Series C funding. |
| SO022 | SiliconANGLE | JetStream Security, Guild.ai and WorkOS land fresh funding amid growing agentic AI infrastructure push | WorkOS’s $100 million Series C round was raised at a valuation of $2 billion and was led by Meritech Capital Partners LP and Sapphire Ventures. |
| SO023 | Sacra | WorkOS revenue, funding & news | Sacra | Sacra estimates that WorkOS hit $30M in annual recurring revenue (ARR) in October 2025 and crossed 1,000 paying customers in early 2025. |
| SO024 | Contrary Research | Report: WorkOS's Business Breakdown & Founding Story | Michael Grinich (CEO) founded WorkOS in 2019, roughly two years after leaving Nylas. |
| SO025 | IsDown | WorkOS status and outage tracker — IsDown | WorkOS last outage was on May 22, 2026 with the title “Elevated Dashboard Errors”. |
| SO026 | UpGuard | WorkOS Vendor Risk Report | WorkOS provides developer APIs and SDKs that enable applications to integrate enterprise features such as Single Sign-On, Directory Sync, SCIM provisioning, and user management. |
| SO027 | Nudge Security | WorkOS security profile — Nudge Security | Developer APIs / SDKs for enterprise-ready features like Single Sign-On (SSO/SAML), Passwordless Authentication, Directory Sync (SCIM), Audit Trail (SIEM), and more. |
| SO028 | ZoomInfo | WorkOS - Overview, News & Similar companies | ZoomInfo.com | WorkOS offers a set of building blocks for adding enterprise features to apps. |
| SO029 | StartupHub.ai | WorkOS lands $100M, hits $2B valuation | The company highlighted its growing adoption by leading AI firms, including OpenAI, Anthropic, and xAI. |
| SO030 | WorkOS | WorkOS Status | We're aware of a styling issue currently affecting the WorkOS Dashboard. |
| SO031 | OpenCVE | WorkOS CVEs and Security Vulnerabilities | Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. |
| SM001 | WorkOS | Pricing — WorkOS | A connection represents the relationship between WorkOS and any group of end users. Each enterprise customer you support with SSO or Directory Sync is counted as one connection. |
| SM002 | WorkOS | Customer Stories — WorkOS | 9 months faster than building Single Sign-On and SCIM in-house. |
| SM003 | WorkOS | WorkOS FGA: The authorization layer for AI agents — WorkOS | The identity industry is currently defining where agents fit in the IAM stack. |
| SM004 | WorkOS | Best SCIM providers for automated user provisioning in 2026 — WorkOS | Secure and seamless automated user provisioning is a fundamental requirement for any SaaS platform selling into the enterprise. |
| SM005 | MarketsandMarkets | Consumer Identity and Access Management (CIAM) Market by Solutions, Services, Authentication Type, and Vertical - Global Forecast to 2030 | |
| SM006 | Mordor Intelligence | Consumer Identity And Access Management Market Analysis by Mordor Intelligence | |
| SM007 | Fortune Business Insights | Consumer Identity and Access Management Market Size, Share, Forecast to 2034 | |
| SM008 | MarketsandMarkets | Identity and Access Management (IAM) Market by Technology, Type, Identity Type, Deployment Mode, Vertical - Global Forecast to 2030 | |
| SM009 | The Business Research Company | Global Identity And Access Management Market Report 2026 | |
| SM010 | Fairfield Market Research | Identity and Access Management Market Size, Trends 2026 | |
| SM011 | Coherent Market Insights | Access Management Market Size, Share and Forecast, 2026-2033 | |
| SM012 | RFC Editor / IETF | RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements | This document provides definitions and an overview of the System for Cross-domain Identity Management (SCIM). |
| SM013 | RFC Editor / IETF | RFC 7644: System for Cross-domain Identity Management: Protocol | SCIM's intent is to reduce the cost and complexity of user management operations by providing a common user schema, an extension model, and a service protocol. |
| SM014 | OpenID Foundation | OpenID Connect Core 1.0 incorporating errata set 2 | |
| SM015 | OASIS Security Services TC | Security Assertion Markup Language (SAML) V2.0 Technical Overview | |
| SM016 | National Institute of Standards and Technology | NIST SP 800-63 Digital Identity Guidelines | |
| SM017 | National Institute of Standards and Technology | SP 800-207, Zero Trust Architecture | Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. |
| SM018 | Cybersecurity and Infrastructure Security Agency | Zero Trust Maturity Model | |
| SM019 | Office of Management and Budget | M-22-09 Federal Zero Trust Strategy | This strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA). |
| SM020 | AICPA & CIMA | System and Organization Controls: SOC Suite of Services | |
| SM021 | Verizon Business | 2026 Data Breach Investigations Report (DBIR) | |
| SM022 | Google Research | Zanzibar: Google's Consistent, Global Authorization System | |
| SM023 | Cloud Native Computing Foundation | OpenFGA | |
| SM024 | SSOtax.org | Wall of Shame - SSOtax.org | |
| SM025 | IdenWorks | GitHub - IdenWorks/scim-tax | This dataset surveys ~300 of the most-deployed SaaS apps to document who gates SCIM and what it costs. |
| SM026 | Stitchflow | SCIM vs. SSO Tax: Why IT Gets Uniquely Screwed by Vendor Strategy | We analyzed 721 SaaS apps. 42% lock SCIM behind enterprise pricing ... Only 9 apps (1.2%) include SCIM on their base tier. |
| SM027 | Auth0 | Pricing - Auth0 | |
| SM028 | Auth0 | Fine-Grained Authorization (FGA) at scale for developers - Auth0 | |
| SP001 | WorkOS | Pricing - WorkOS | |
| SP002 | WorkOS | AuthKit by WorkOS | |
| SP003 | WorkOS | Role-Based Access Control - WorkOS | |
| SP004 | Auth0 | Pricing - Auth0 | |
| SP005 | Auth0 | Scale your B2B SaaS Applications | Auth0 | |
| SP006 | Auth0 | Import and Export Users - Auth0 Docs | |
| SP007 | Clerk | Pricing - Clerk | |
| SP008 | Clerk | B2B SaaS with Clerk | |
| SP009 | Clerk | Organizations overview | Clerk Docs | |
| SP010 | Stytch | Modern authentication pricing | Stytch | |
| SP011 | Stytch | Stytch - A better way to build auth | |
| SP012 | PropelAuth | PropelAuth - Pricing Page | |
| SP013 | PropelAuth | PropelAuth - Authentication for B2B products | |
| SP014 | FusionAuth | FusionAuth Pricing | |
| SP015 | FusionAuth | Authentication & User Management Software - FusionAuth | |
| SP016 | Frontegg | Pricing | Frontegg | |
| SP017 | Frontegg | Frontegg | The Identity Layer for Every SaaS Entry Point | |
| SP018 | Descope | Pricing | Descope | |
| SP019 | Descope | Descope | Customer and Agentic Identity Platform | |
| SP020 | Permit.io | Pricing Packages and SaaS Models | Permit.io | |
| SP021 | Permit.io | Permit.io | Permissions for the AI Era | |
| SP022 | Cerbos | Cerbos pricing | |
| SP023 | Cerbos | Cerbos home | |
| SP024 | Amazon Web Services | Amazon Cognito - Pricing | |
| SP025 | Amazon Web Services | Amazon Cognito | |
| SP026 | Microsoft | Microsoft Entra External ID Overview | |
| SP027 | Keycloak | Keycloak | |
| SP028 | GitHub | keycloak/keycloak | |
| SP029 | GitHub | cerbos/cerbos | |
| SP030 | Scalekit | Best WorkOS Alternatives for B2B SaaS Enterprise Readiness | WorkOS is no longer the only option, and the alternatives have matured. Some offer comparable enterprise-readiness features at meaningfully lower cost. |
| SI001 | WorkOS | Pricing — WorkOS | A connection represents the relationship between WorkOS and any group of end users. Each enterprise customer you support with SSO or Directory Sync is counted as one connection. |
| SI002 | WorkOS | User Management — WorkOS | Free. Up to 1 million users. Per additional 1M users $2,500 / mo. |
| SI003 | WorkOS | Support Plans — WorkOS | All customers have access to documentation, email support, and in-product web support. Premium support options include expert guided integration and response time SLAs. |
| SI004 | WorkOS | WorkOS raises $15M to build “Stripe for enterprise-ready features” — WorkOS | Last year WorkOS quietly raised $15M, led by investor Lachy Groom... WorkOS has raised $19M to date. |
| SI005 | WorkOS | WorkOS raises $80m in Series B financing, acquires Modulz — WorkOS | WorkOS launched March 2020... in less than 2 years the company already has over 200 paying customers across the globe. |
| SI006 | WorkOS | WorkOS raises $100M Series C, hits $2B valuation — WorkOS | WorkOS has raised $100 million in Series C financing, valuing the company at $2 billion. |
| SI007 | WorkOS | About — WorkOS | We viewed WorkOS’ connections-based pricing as a more viable option aligned with our projected growth. |
| SI008 | WorkOS | Customers — WorkOS | Trusted by |
| SI009 | WorkOS | Website Terms — WorkOS | ...the website located at www.workos.com ... offered by WorkOS, Inc. (“WorkOS”)... |
| SI010 | WorkOS | Auth0 pricing: how it works and compares to WorkOS — WorkOS | Both SSO and SCIM connections are priced at a flat rate of $125/month. |
| SI011 | WorkOS | Clerk pricing: How it works and compares to WorkOS — WorkOS | User Management: Free for the first 1,000,000 MAUs... Single Sign-On (SSO): $125/connection/month... Directory Sync (SCIM): $125/connection/month. |
| SI012 | WorkOS | OpenAI customer story — WorkOS | We did consider open source, but WorkOS provided a far superior developer experience. |
| SI013 | WorkOS | Cursor customer story — WorkOS | The decision to use WorkOS was straightforward. We saw good feedback from existing customers and reviewing the documentation made us confident that our needs would be addressed. |
| SI014 | WorkOS | Vercel customer story — WorkOS | Features like single sign-on (SSO) were essential to closing these deals because SSO has become a fundamental requirement of enterprise companies. |
| SI015 | WorkOS | Careers — WorkOS | WorkOS provides a 3% match of your 401k contributions to help you save for retirement. |
| SI016 | WorkOS | A Guide to Enterprise Sales for Early-stage Founders — WorkOS | Increasingly, all sales are starting to resemble what we traditionally call “enterprise sales.” |
| SI017 | AuthKit by WorkOS | AuthKit by WorkOS | The world’s best login box, powered by WorkOS + Radix. |
| SI018 | TechCrunch | WorkOS raises $80M to add enterprise features to apps | Grinich claims that WorkOS has more than 200 paying customers today... noting that it brings WorkOS’ total raised to about $100 million. |
| SI019 | Fenwick | Fenwick Represents WorkOS in $100M Series C Funding | Fenwick represented WorkOS... in its $100 million Series C funding. The round was co-led by Meritech and Sapphire... |
| SI020 | U.S. Securities and Exchange Commission | EDGAR full-text search for “WorkOS, Inc.” | {"hits":{"total":{"value":0,"relation":"eq"},"max_score":null,"hits":[]}} |
| SI021 | Crunchbase | WorkOS - Crunchbase Company Profile & Funding | Legal Name WorkOS, Inc. WorkOS was founded in 2019 by Michael Grinich and is based in San Francisco, California, United States. |
| SI022 | Growjo | WorkOS: Revenue, Competitors, Alternatives | WorkOS’s estimated annual revenue is currently $12.8M per year... WorkOS has 88 Employees. |
| SI023 | Infisign | WorkOS Review 2025: Features, Pricing, and Alternatives | Can Be Expensive as Usage Scales: While the pricing is transparent, the per-connection model for SSO and Directory Sync can become costly for companies with a large number of enterprise customers. |
| SI024 | SaaSworthy | WorkOS | Free Trial Not Available... The pricing details were last updated on 11/01/2023 from the vendor website and may be different from actual. |
| SI025 | GetLatka | WorkOS Revenue 2025: $30M ARR, $60M Valuation | WorkOS has 89 total employees... They have 1K customers... WorkOS raised $0. |
| SE001 | WorkOS | Single Sign-On — WorkOS | Save months of development time integrating and debugging SAML and OpenID Connect protocols. |
| SE002 | WorkOS | Directory Sync — WorkOS | Quickly enable SCIM provisioning from all major corporate directory providers with a single integration. |
| SE003 | WorkOS | User Management — WorkOS | |
| SE004 | WorkOS | AuthKit by WorkOS | A fully-featured UI component system for building authentication flows into your app. |
| SE005 | WorkOS | Multi-Factor Authentication — WorkOS | |
| SE006 | WorkOS | Audit Logs — WorkOS | |
| SE007 | WorkOS | Admin Portal — WorkOS | |
| SE008 | WorkOS | Role-Based Access Control — WorkOS | |
| SE009 | WorkOS | Security — WorkOS | SOC 2 Type 2 certified. |
| SE010 | WorkOS | SDKs – WorkOS Docs | |
| SE011 | WorkOS | Single Sign-On – WorkOS Docs | |
| SE012 | WorkOS | Directory Sync – WorkOS Docs | |
| SE013 | WorkOS | AuthKit – WorkOS Docs | |
| SE014 | WorkOS | Multi-Factor Authentication – AuthKit – WorkOS Docs | |
| SE015 | WorkOS | Users and Organizations – AuthKit – WorkOS Docs | |
| SE016 | WorkOS | Roles and Permissions – AuthKit – WorkOS Docs | |
| SE017 | WorkOS | Fine-Grained Authorization (FGA) – WorkOS Docs | Sub-50ms p95 access checks. |
| SE018 | WorkOS | Sync data with webhooks – WorkOS Docs | WorkOS will consider the event delivery a failure and retry up to 6 times, with exponential backoff over 3 days. |
| SE019 | WorkOS | Using WorkOS with On-prem Customers – WorkOS Docs | Events can also be ingested with the Events API, which is the preferred method for event delivery in an on-prem deployment scenario since those requests will originate from your on-prem application infrastructure. |
| SE020 | WorkOS | Admin Portal – WorkOS Docs | |
| SE021 | WorkOS | Build vs buy part I: complexities of building SSO and SCIM in-house — WorkOS | Assuming the team will only support Okta ... the estimated time to launch SSO is about 3 months. |
| SE022 | WorkOS | 2023 Product Updates Recap — WorkOS | A recap of 40+ releases for WorkOS customers in 2023 including 99.99% availability, Events API, AuthKit, Domain Verification API, and more. |
| SE023 | GitHub / WorkOS | GitHub - workos/workos-node | |
| SE024 | GitHub / WorkOS | GitHub - workos/authkit-nextjs | |
| SE025 | WorkOS | workos-node README | |
| SE026 | WorkOS | authkit-nextjs README | |
| SE027 | Packagist | workos/workos-php - Packagist.org | |
| SE028 | Go Package Discovery | workos-go module - github.com/workos/workos-go/v4 - Go Packages | |
| SE029 | NuGet | WorkOS.net 4.0.1 | |
| SE030 | Postman / WorkOS | WorkOS Public Postman collection | |
| SE031 | Hacker News | AuthKit: Open-Source Auth UI by WorkOS | Hi HN - I'm the founder of WorkOS. Happy to answer questions about AuthKit and User Management. |
| SE032 | Stack Overflow | Why do I get "The endpoint only accepts POST requests. Received a GET request" error when authenticating with SSO on iOS App but not on Safari | We are using WorkOS to get the URL to login.microsoft.online which is where the user finishes up their auth. |
| SE033 | Stack Overflow | Error: The role is invalid. WorkOS not working | I think the problem might be with this role is not defined or not included in workos system. |
| SE034 | RubyGems.org | workos | RubyGems.org | |
| SU001 | WorkOS | Customer Stories — WorkOS | Cursor now completely runs on WorkOS. Login times are much faster, the signup page looks much better, and we’re not subject to Auth0's customer-hostile and opaque pricing anymore. |
| SU002 | WorkOS | How Vercel leverages WorkOS to land enterprise customers like The Washington Post | |
| SU003 | WorkOS | Scaling with modularity: integrating SCIM on top of SSO to close even larger customers | |
| SU004 | WorkOS | Netlify finds the SSO & SCIM solution to deliver flexibility to the enterprise | |
| SU005 | WorkOS | Indeed chooses WorkOS over Auth0 to strengthen their identity infrastructure | |
| SU006 | WorkOS | How Warp leveraged WorkOS for a modular and seamless SSO integration | |
| SU007 | WorkOS | How AI21 implemented SSO in days with WorkOS | |
| SU008 | WorkOS | Copy.ai picks WorkOS as the sole auth provider for SSO, SCIM, and User Management | |
| SU009 | WorkOS | How Chromatic successfully migrated from Passport.js | |
| SU010 | WorkOS | Unlocking growth: Hypercare’s migration from Auth0 to WorkOS | |
| SU011 | WorkOS | How Patch unblocked $1 million in enterprise GMV with WorkOS SSO | |
| SU012 | WorkOS | How Hopin Saved Two Months of Engineering Time with WorkOS | |
| SU013 | WorkOS | Pricing — WorkOS | |
| SU014 | WorkOS | Admin Portal — WorkOS | |
| SU015 | WorkOS | Directory Sync — WorkOS | |
| SU016 | WorkOS Status | WorkOS Status | CSS assets are failing to load, leaving the Dashboard in an unstyled and difficult-to-use state. Underlying APIs, authentication, and data are not impacted. |
| SU017 | Vercel | Enterprise – Vercel | |
| SU018 | Webflow | Webflow Enterprise | Build & Scale Enterprise Websites | |
| SU019 | Netlify | Netlify for enterprises | |
| SU020 | Warp | Warp for Enterprise | |
| SU021 | Perplexity | Perplexity Enterprise | |
| SU022 | OpenAI | ChatGPT for enterprise | |
| SU023 | incident.io | Enterprise | incident.io | |
| SU024 | Drata | Agentic Trust Management Platform | Drata | |
| SU025 | G2 | WorkOS Reviews | I think the pricing is too high. We want to offer Single Sign-On (SSO) to customers on all tiers but can't because the cost of WorkOS SSO for a single customer exceeds the price of our lowest tier! |
| SU026 | Product Hunt | WorkOS Reviews (2026) | Product Hunt | |
| SU027 | Apps Run The World | List of WorkOS Customers | |
| SU028 | Bloomberry | Companies that use WorkOS (active customer list) | |
| SR001 | WorkOS | Website Terms — WorkOS | IN NO EVENT WILL WORKOS’ TOTAL LIABILITY ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR FROM THE USE OF OR INABILITY TO USE THE WEBSITE EXCEED ONE HUNDRED DOLLARS ($100). |
| SR002 | WorkOS | Privacy Policy — WorkOS | Your personal data is collected to manage customer contracts, orders, deliveries, invoices, and follow-ups, and to respect our legal and regulatory obligations. |
| SR003 | WorkOS | Data Processing Addendum | Where required by Data Protection Laws, WorkOS will notify Subscriber prior to engaging any new Subprocessors by updating following website: www.workos.com/legal/subprocessors. |
| SR004 | WorkOS Trust Center | WorkOS Trust Center — Subprocessors | |
| SR005 | WorkOS | WorkOS — Enterprise SLA Agreement | The Covered Services will provide a Monthly Uptime Percentage to Customer of at least 99.99%. |
| SR006 | WorkOS | Security — WorkOS | SOC 2 Type 2 certified; GDPR & CCPA compliant; Annual 3rd-party security penetration tests; External code audits. |
| SR007 | WorkOS | Pricing — WorkOS | WorkOS User Management is free for up to 1 million monthly active users... Contact us to learn more about volume pricing. |
| SR008 | WorkOS | WorkOS Status | Dashboard and Docs unavailable ... Webhook delivery delays ... OIDC Errors ... Emails being delivered with empty copy. |
| SR009 | WorkOS | Single Sign-On – WorkOS Docs | It’s unsafe to validate using email domains as organizations might allow email addresses from outside their corporate domain. |
| SR010 | WorkOS | Directory Sync – WorkOS Docs | Each directory provider implements SCIM differently. Implementing SCIM is often a challenging process and can introduce security vulnerabilities into your app. |
| SR011 | WorkOS | Hosted UI – AuthKit – WorkOS Docs | While the hosted solution is the fastest way to get started, if you’d prefer to build and manage your own authentication UI, you can do so via the AuthKit API. |
| SR012 | WorkOS | Passkeys – AuthKit – WorkOS Docs | Developers should configure an AuthKit custom domain before enabling passkeys in production. Passkeys are bound to the domain they were registered on. |
| SR013 | WorkOS | 99.99% availability for SSO, Directory Sync, and Audit Logs | WorkOS | We are now providing 99.99% availability for all customers using SSO, Directory Sync, and Audit Logs. |
| SR014 | WorkOS | Trust Center | WorkOS | This includes SOC reports, penetration tests, the list of subprocessors, and more. |
| SR015 | WorkOS | WorkOS raises $100M Series C, hits $2B valuation — WorkOS | WorkOS has raised $100 million in Series C financing, valuing the company at $2 billion. |
| SR016 | WorkOS | Common SAML security vulnerabilities and how to defend against them — WorkOS Guides | If possible, avoid SAML altogether. Choose OpenID Connect (OIDC) instead. |
| SR017 | GitHub / WorkOS | authkit-nextjs CHANGELOG | add OAuth state verification on callback to prevent CSRF attacks; isolate concurrent PKCE flows to prevent cookie clobbering. |
| SR018 | GitHub / WorkOS | workos-node CHANGELOG | security: resolve miniflare and undici vulnerabilities. |
| SR019 | GitHub / WorkOS | workos-python CHANGELOG | v6 is a breaking release and now requires Python 3.10 or newer ... update dependency pyjwt to v2.12.0 [security]. |
| SR020 | GitHub / WorkOS | WorkOS Node SDK v9 Migration Guide | Minimum Node.js version is now 22.11.0+. v9 drops support for Node.js 20. The deprecated legacy Fine-Grained Authorization client was removed in v9. |
| SR021 | GitHub / WorkOS community | feature_flags JWT claim disagrees with dashboard targeting after rule changes · Issue #431 | We've hit two separate incidents where a feature flag toggle in the WorkOS dashboard did not propagate to the expected set of users. |
| SR022 | GitHub / WorkOS community | Session Storage Conflict Causes Authentication Failure When Switching Users with Different Organizations · Issue #48 | The workos_organization_id from the previous user's session persists in sessionStorage and is incorrectly included in the authentication request for the new user. |
| SR023 | GitHub / WorkOS community | Double "Verify you are a human" Cloudflare prompt during sign in · Issue #49 | When using the hosted AuthKit with Email Password signin, I am challenged twice by Cloudflare during the sign in flow. |
| SR024 | GitHub / WorkOS community | Add Jitter to token refresh retry · Issue #63 | components/tokenStore.ts doesn't add jitter to the retry and causes that 5 minute pattern. |
| SR025 | GitHub / WorkOS community | Passkey progressive enrollment: does it work for OTP/magic-link-only users? · Issue #73 | After enabling Passkeys and Progressive Enrollment ... the "Create a passkey" prompt never appears during sign-in. |
| SR026 | GitHub / WorkOS community | Should users without existing account be bounced to sign up flow? · Issue #28 | The hosted AuthKit ... creates the user in WorkOS and completes the login if possible. |
| SR027 | GitHub / Laravel | laravel/workos | These Laravel WorkOS utilities are used by the Laravel starter kits to integrate with WorkOS AuthKit. |
| SR028 | GitHub / Hanko | teamhanko/hanko | Open source alternative to Auth0, Clerk, WorkOS, Stytch. |
| SR029 | GDPR-info.eu | Art. 28 GDPR – Processor | The controller shall use only processors providing sufficient guarantees ... The processor shall not engage another processor without prior specific or general written authorisation of the controller. |
| SR030 | RFC Editor | RFC 7643: SCIM Core Schema | The specification suite ... reduce[s] the cost and complexity of user management operations by providing a common user schema and extension model. |
| SR031 | RFC Editor | RFC 7644: SCIM Protocol | The SCIM specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier to support via a standardized service. |
| SR032 | OpenID Foundation | OpenID Connect Core 1.0 incorporating errata set 2 | OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. |
| SR033 | NIST | NIST Special Publication 800-63B | |
| SR034 | AICPA & CIMA | System and Organization Controls: SOC Suite of Services | SOC reports provide users with valuable information that is needed to assess and address the risks associated with outsourcing services. |
| SR035 | Auth0 | Pricing - Auth0 | Free ... Up to 25,000 monthly active users ... 1 Enterprise Connection. |
| SR036 | Clerk | Pricing — Free Up to 50K Users | Plans from $0/mo | Clerk pricing starts free for up to 50,000 monthly retained users. |
| SR037 | Stytch | Modern authentication pricing | Stytch | Our pricing does not include any hard caps or pricing cliffs. |
| SR038 | Microsoft | Microsoft Entra ID (Formerly Azure AD) | Microsoft Security | The free edition is included with a subscription of a commercial online service such as Azure, Microsoft 365, Dynamics 365, Intune, or Power Platform. |
| SR039 | Amazon Web Services | Amazon Cognito - Pricing | There is separate pricing for users who sign in directly ... and for users who sign in through an enterprise directory with SAML federation. |
| SR040 | Okta | Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation | A threat actor gained unauthorized access to files ... associated with 134 Okta customers ... The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers. |
| SR041 | BeyondTrust | Okta Support Unit Breach Update & Security Implications | The breach ... involved the theft of data from all Okta customer support system users potentially putting those users and customers at an increased risk of phishing and social engineering attacks. |
| SR042 | Nightfall AI | Okta Data Breach: What Happened, Impact, and Security Lessons Learned | When a security provider experiences a breach, the implications extend far beyond the immediate organization to affect their entire customer ecosystem. |
| SV001 | WorkOS | WorkOS raises $100M Series C, hits $2B valuation | WorkOS has raised $100 million in Series C financing, valuing the company at $2 billion. |
| SV002 | WorkOS | WorkOS — Your app, Enterprise Ready. | |
| SV003 | WorkOS | Customer Stories — WorkOS | |
| SV004 | TBPN Digest | WorkOS raises $100M Series C at $2B valuation, betting on AI agent identity infrastructure | WorkOS has raised $100 million in a Series C at a $2 billion valuation, marking its first outside capital in over four years. |
| SV005 | Securities and Exchange Commission | Okta annual report on Form 10-K for the fiscal year ended January 31, 2026 | |
| SV006 | CompaniesMarketCap | Okta (OKTA) - Market capitalization | |
| SV007 | Stock Analysis | Okta, Inc. (OKTA) Statistics & Valuation | |
| SV008 | CyberArk | CyberArk Announces Record Fourth Quarter and Full Year 2025 Results | Total ARR Grows 23% Year-Over-Year to Reach $1.440 Billion. |
| SV009 | CompaniesMarketCap | CyberArk Software (CYBR) - Market capitalization | |
| SV010 | Stock Analysis | CyberArk Software (CYBR) Statistics & Valuation | |
| SV011 | Securities and Exchange Commission | SailPoint annual report on Form 10-K for the fiscal year ended January 31, 2026 | |
| SV012 | CompaniesMarketCap | SailPoint (SAIL) - Market capitalization | |
| SV013 | Stock Analysis | SailPoint (SAIL) Statistics & Valuation | |
| SV014 | Auth0 | Okta Signs Definitive Agreement to Acquire Auth0 | Okta, Inc. announced on 3/3/2021 that it has entered into a definitive agreement to acquire Auth0 in a stock transaction valued at approximately $6.5 billion. |
| SV015 | Business Wire | Okta Signs Definitive Agreement to Acquire Auth0 to Provide Customer Identity for the Internet | |
| SV016 | TechCrunch | Okta acquires cloud identity startup Auth0 for $6.5B | |
| SV017 | One Identity | One Identity Acquires OneLogin, Adding Market-Leading Access Management Solutions to the Industry’s only Unified Identity Security Platform | |
| SV018 | TechCrunch | One Identity has acquired OneLogin, a rival to Okta and Ping in sign-on and identity access management | |
| SV019 | SailPoint | Thoma Bravo Completes Acquisition of SailPoint | SailPoint Technologies Holdings, Inc. today announced the completion of its acquisition by Thoma Bravo in an all-cash transaction valued at approximately $6.9 billion. |
| SV020 | Thoma Bravo | Thoma Bravo Completes Acquisition of SailPoint | |
| SV021 | Business Wire | Thoma Bravo Completes Acquisition of SailPoint | |
| SV022 | Reuters | US software stocks slammed on mounting fears over AI disruption, lose $1 trillion in week | The S&P 500 software and services index dropped 4.6%, having shed about $1 trillion in market value since January 28. |
| SV023 | Acquiry | SaaS Valuation Multiples in 2026: What the Data Actually Shows | |
| SV024 | Aventis Advisors | SaaS Valuation Multiples: 2015-2026 | |
| SV025 | Windsor Drake | SaaS Valuation Multiples: Where the Market Stands and What Drives Premium Pricing | |
| SV026 | Securities and Exchange Commission | CyberArk Form 6-K furnishing fourth-quarter and full-year 2025 results | |
| SV027 | SailPoint | SEC filings - SailPoint, Inc. | |
| SV028 | Securities and Exchange Commission | CrowdStrike annual report on Form 10-K for the fiscal year ended January 31, 2026 | |
| SV029 | CompaniesMarketCap | CrowdStrike (CRWD) - Market capitalization | |
| SV030 | Stock Analysis | CrowdStrike Holdings (CRWD) Statistics & Valuation | |
| SV031 | WorkOS | Blog — WorkOS |