What you can do
- Trigger automations from WorkOS events. Cover SSO + SCIM + magic-link + password reset workflows in one connection
- Auto-sync contacts into your audience. Every WorkOS event upserts the user / directory user into Brew with
workos_*custom fields you can filter and segment on - Sync SCIM users into Brew contacts. Directory-sync events stream user data straight into your audience without manual import
- Confirm sensitive changes. Fire a security confirmation the moment a password reset completes
How it works
- Brew mints a unique webhook URL for your brand and you paste it into your WorkOS Dashboard.
- WorkOS signs every webhook with a
WorkOS-Signature: t=<timestamp>,v1=<hmac>header. Brew verifies the HMAC against your per-endpoint signing secret, with a 180-second timestamp tolerance to block replays. - For each verified event Brew (a) starts every Published automation whose trigger matches and (b) upserts the WorkOS user (or SCIM-provisioned directory user) into your audience with
workos_*custom fields.
Setup
Generate your Brew webhook URL
In Brew, open Integrations, click the WorkOS card, and click Generate URL. Copy the URL Brew generates.
Create an endpoint in WorkOS
Open dashboard.workos.com, go to Webhooks → Create Endpoint, and paste the Brew URL into the Endpoint URL field.
Subscribe to the events Brew supports
Enable the user, authentication, password_reset, organization, organization_membership, dsync.user, connection, and invitation events listed below, then click Create.
Copy the endpoint Signing Secret
WorkOS reveals the per-endpoint signing secret on the endpoint detail page. Copy it — the value is opaque (no prefix).
Paste the Signing Secret into Brew
Paste the secret into the Brew connect form and click Connect. Brew verifies every webhook with the WorkOS
t=<timestamp>,v1=<hmac> envelope, with a 180-second timestamp tolerance.Triggering automations
Once connected, every WorkOS event below is provisioned automatically and available as a trigger in the automation builder. The Manage tab is a read-only catalogue plus a live Recent events stream — no per-event enable step. Whether an event fires is controlled by whether the bound automation is Published.Supported events
Brew supports the following 18 WorkOS events: Useruser.createduser.updateduser.deleted
authentication.email_verification_succeededauthentication.password_failedauthentication.magic_auth_succeededpassword_reset.succeeded
organization.createdorganization.updatedorganization.deleted
organization_membership.createdorganization_membership.updatedorganization_membership.deleted
dsync.user.createddsync.user.updateddsync.user.deleted
connection.activated
invitation.accepted
password_reset.succeeded is the canonical WorkOS event name — it lives at the top level, NOT under authentication.*. If you saw authentication.password_reset_succeeded referenced anywhere, that’s an old name no longer used.Common patterns
| Goal | WorkOS event |
|---|---|
| Welcome new user | user.created |
| Real welcome (after email verification) | authentication.email_verification_succeeded |
| Security confirmation on a password reset | password_reset.succeeded |
| Magic-link sign-in notification | authentication.magic_auth_succeeded |
| Welcome the workspace owner | organization.created |
| Welcome the new teammate | organization_membership.created or invitation.accepted |
| Mirror SCIM provisioning into Brew contacts | dsync.user.created / updated |
| Drop deprovisioned users from audiences | dsync.user.deleted |
| Ops alert when SSO is wired | connection.activated |
Personalization
| Variable | Example |
|---|---|
{{@trigger:output.payload.firstName}} | Alex |
{{@trigger:output.payload.lastName}} | Morgan |
{{@trigger:output.payload.organizationName}} | Acme Inc. |
{{@trigger:output.payload.role}} | member |
{{@trigger:output.payload.emailVerified}} | true |
Troubleshooting
An event arrived but no automation fired
An event arrived but no automation fired
Open the canvas and confirm at least one automation bound to this event is set to Published (not Draft). The Brew integration’s Manage → Recent events panel confirms the webhook is arriving — if it isn’t there, the issue is upstream (signing secret, clock skew, wrong endpoint URL). If the event is there but no email sent, the only remaining gate is
automation.published.WorkOS shows 401 with timestamp_invalid:out_of_tolerance
WorkOS shows 401 with timestamp_invalid:out_of_tolerance
Clock skew between WorkOS and Brew exceeds 180 seconds. Verify your platform’s clock with
date -u and re-deliver the webhook from the WorkOS Dashboard.Password-reset webhooks don't fire
Password-reset webhooks don't fire
WorkOS uses
password_reset.succeeded (top-level event), NOT authentication.password_reset_succeeded. Re-subscribe in the WorkOS endpoint to the canonical name.I want to test before going live
I want to test before going live
Trigger a WorkOS event (e.g. provision a directory user, send yourself a magic link) and watch the Manage → Recent events panel. Pre-publish your automation as a Draft, run a test send, then flip to Published once you’re happy.
Requirements
- A WorkOS account with admin access
- Permission to create webhook endpoints in the WorkOS Dashboard
Need Help?
Our team is ready to support you at every step of your journey with Brew. Choose the option that works best for you:- Self-Service Tools
- Talk to Our Team
Search Documentation
Type in the “Ask any question” search bar at the top left to instantly find relevant documentation pages.
ChatGPT/Claude Integration
Click “Open in ChatGPT” at the top right of any page to analyze documentation with ChatGPT or Claude for deeper insights.