Skip to content

refactor: Read org_id claim instead of organization_id for agent access tokens#1651

Merged
m0tzy merged 1 commit into
mainfrom
devin/1782937065-agent-org-id-claim
Jul 1, 2026
Merged

refactor: Read org_id claim instead of organization_id for agent access tokens#1651
m0tzy merged 1 commit into
mainfrom
devin/1782937065-agent-org-id-claim

Conversation

@m0tzy

@m0tzy m0tzy commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Description

The server is switching the canonical agent access token claim from organization_id to org_id (see workos/workos#64524). This PR updates the Node SDK to read org_id from the JWT payload.

Changes:

  • SerializedAgentAccessTokenClaims.organization_idorg_id
  • hasRequiredAgentClaims type guard checks org_id instead of organization_id
  • deserializeAgentAccessTokenClaims reads payload.org_id
  • Tests updated to use org_id in the token fixture

The public AgentAccessTokenClaims.organizationId field is unchanged — consumers are unaffected.

Documentation

[x] Yes

Docs PR: https://github.com/workos/workos/pull/64524

Link to Devin session: https://app.devin.ai/sessions/84b058ead3984651ae5e337002e3a837
Requested by: @m0tzy

The server now emits org_id as the canonical claim. Update the SDK to
read org_id from the JWT payload when validating agent access tokens.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@m0tzy m0tzy requested review from a team as code owners July 1, 2026 20:19
@m0tzy m0tzy requested a review from cmatheson July 1, 2026 20:19
@m0tzy m0tzy self-assigned this Jul 1, 2026
@devin-ai-integration

Copy link
Copy Markdown
Contributor
Original prompt from madison.packer

Can we open a PR that adds the agent access_token claims to the docs page? I also want to update the claims to add org_id as a sibling to organization_id so that the latter can be marked deprecated.

@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot changed the title Read org_id claim instead of organization_id for agent access tokens refactor: Read org_id claim instead of organization_id for agent access tokens Jul 1, 2026
@greptile-apps

greptile-apps Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR updates agent access token parsing to use the new organization claim. The main changes are:

  • Requires org_id in verified agent JWT payloads.
  • Maps serialized org_id into the public organizationId claims field.
  • Updates the serialized claims interface from organization_id to org_id.
  • Updates agent credential tests and fixtures for the new claim name.

Confidence Score: 5/5

The changes are narrowly scoped to the agent access token claim rename and keep the public claims shape unchanged.

Updated parsing, type guard, serialized interface, and tests align around the new org_id JWT payload field with no issues identified in the modified code.

T-Rex T-Rex Logs

What T-Rex did

  • Reviewed the Before state of local SDK credential validation, noting that org_id-only payloads were treated as invalid with claims: null while organization_id-only payloads were accepted and mapped to organizationId.
  • Reviewed the After state of local SDK credential validation, noting that org_id-only payloads are now accepted with claims.organizationId: org_from_org_id_claim, while organization_id-only payloads are invalid as expected.

View all artifacts

T-Rex Ran code and verified through T-Rex

Reviews (1): Last reviewed commit: "Read org_id claim instead of organizatio..." | Re-trigger Greptile

@cmatheson cmatheson left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to support the old claim for backwards compat?

@devin-ai-integration

Copy link
Copy Markdown
Contributor

The server-side rollout is:

  1. workos#64524 adds org_id alongside organization_id (both emitted)
  2. workos#64532 drops organization_id entirely

Since Agent Auth is new and organization_id was never documented publicly, the backward compat window is small. But if we want to be safe during the transition, we could accept either claim here — something like:

typeof payload.org_id === 'string' || typeof payload.organization_id === 'string'

and read payload.org_id ?? payload.organization_id in the deserializer.

@m0tzy would you like me to add backward compat support for the old claim, or is the hard cutover fine given Agent Auth is new?

@m0tzy

m0tzy commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@cmatheson the previous organization_id change hasn't been released yet!

@m0tzy m0tzy merged commit 7aaf525 into main Jul 1, 2026
7 of 8 checks passed
@m0tzy m0tzy deleted the devin/1782937065-agent-org-id-claim branch July 1, 2026 20:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants