Skip to content

Update WorkOS example to use new AuthKit SDK #5394

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update WorkOS example to use new AuthKit SDK #5394

wants to merge 2 commits into from

Conversation

nicknisi
Copy link
Contributor

@nicknisi nicknisi commented Oct 7, 2025
edited by coderabbitai bot
Loading

This PR updates the start-workos example to use the new @workos/authkit-tanstack-react-start SDK instead of the custom implementation.

What changed

  • Replaced custom AuthKit implementation with the official SDK package
  • Removed all the manual session management, cookie handling, and JWKS verification code
  • Updated routes to use the SDK's built-in getAuth() and getSignInUrl() server functions
  • Added AuthKitProvider for client-side auth state management

Why

We built an official SDK that handles all the AuthKit integration details, so this example should demonstrate the recommended approach rather than a custom implementation. Makes the example cleaner and easier to follow.

Summary by CodeRabbit

  • New Features
    • Added a Client demo route showcasing client-side authentication, tokens, and org switching.
    • Integrated AuthKit provider and middleware for seamless auth across the app.
  • Refactor
    • Migrated authentication to WorkOS AuthKit for TanStack Start; routes now load user data via library helpers.
  • Style
    • Applied Radix UI theme styles across the application.
  • Chores
    • Enabled .env support via dotenv in Vite config.
    • Updated SSR bundling to include Radix UI themes as noExternal.
    • Added typings for CSS URL imports.
    • Updated dependencies.

@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 7, 2025
edited
Loading

Walkthrough

Replaces custom SSR AuthKit implementation with @workos/authkit-tanstack-react-start. Adds AuthKit middleware and provider, delegates callback handling to library, updates loaders to use getAuth/getSignInUrl, introduces a new “/client” demo route, adds Radix UI theme CSS, adjusts Vite SSR settings, and updates package dependencies and generated route types.

Changes

Cohort / File(s) Summary
AuthKit SSR removal
examples/react/start-workos/src/authkit/serverFunctions.ts, examples/react/start-workos/src/authkit/ssr/config.ts, examples/react/start-workos/src/authkit/ssr/interfaces.ts, examples/react/start-workos/src/authkit/ssr/session.ts, examples/react/start-workos/src/authkit/ssr/utils.ts, examples/react/start-workos/src/authkit/ssr/workos.ts		 Removes custom SSR auth config, session management, cookie/JWT utilities, WorkOS client init, and server functions in favor of external library.
Routing/types generation
examples/react/start-workos/src/routeTree.gen.ts		 Adds ClientRoute (/client) and wires it into all route maps/types; updates root children; references named startInstance options in typing.
Root layout and provider
examples/react/start-workos/src/routes/__root.tsx, examples/react/start-workos/src/app.css		 Wraps app with AuthKitProvider; replaces beforeLoad with loader using getAuth/getSignInUrl; links Radix UI stylesheet via CSS URL import.
Authenticated routing logic
examples/react/start-workos/src/routes/_authenticated.tsx, examples/react/start-workos/src/routes/_authenticated/account.tsx		 Switches from beforeLoad/context to loaders using getAuth; updates sign-in URL data shape to include { returnPathname }.
Auth callback and sign-out
examples/react/start-workos/src/routes/api/auth/callback.tsx, examples/react/start-workos/src/routes/logout.tsx		 Delegates GET to handleCallbackRoute; switches signOut import to external library.
New client demo route
examples/react/start-workos/src/routes/client.tsx		 Adds /client route demonstrating useAuth/useAccessToken, token refresh, org switching, and sign-out flows.
Index route
examples/react/start-workos/src/routes/index.tsx		 Loader now calls getAuth and getSignInUrl; removes context dependency; minor copy tweak.
Start/Vite config and typings
examples/react/start-workos/src/start.ts, examples/react/start-workos/vite.config.ts, examples/react/start-workos/src/vite-env.d.ts		 Adds startInstance with authkitMiddleware; loads .env and sets ssr.noExternal for @radix-ui/themes; declares *.css?url module and Vite types.
Package updates
examples/react/start-workos/package.json, packages/start-server-core/package.json		 Adds @workos/authkit-tanstack-react-start to example deps; adds vite devDependency to start-server-core; minor reordering.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant R as Router (TanStack Start)
  participant MW as AuthKit Middleware
  participant L as Route Loader
  participant AK as AuthKit (@workos/...-start)
  participant IdP as WorkOS/Auth

  U->>R: Navigate to protected route
  activate R
  R->>MW: Request middleware
  MW->>AK: Parse session from cookies
  AK-->>MW: Auth context (user/none)
  MW-->>R: Continue request
  R->>L: Run loader()
  alt No user
    L->>AK: getSignInUrl({ data: { returnPathname } })
    AK-->>L: Authorization URL
    L-->>U: Redirect to sign-in
    U->>IdP: Authenticate
    IdP-->>R: Redirect to /api/auth/callback?code&state
    R->>AK: handleCallbackRoute (GET)
    AK->>IdP: Exchange code for tokens
    IdP-->>AK: Tokens
    AK->>MW: Save session cookie
    AK-->>U: Redirect to returnPathname
  else User present
    L-->>U: Return data (user)
  end
  deactivate R
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Suggested labels

package: react-router, package: react-start

Suggested reviewers

  • schiller-manuel
  • SeanCassiere

Poem

I nibbled old cookies, then bounced them away,
New trails through Start guide my hop-happy day.
A callback burrow, a client-side view—
I twitch for tokens fresh as morning dew.
With Radix leaves and routes aligned,
I thump: “All signed!” and peace of mind. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title clearly summarizes the primary change by stating that the WorkOS example is being updated to use the new AuthKit SDK, matches the PR objectives of replacing custom auth code with the official SDK, and is concise and specific without unnecessary detail.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@nx-cloud Nx Cloud
Copy link

nx-cloud bot commented Oct 7, 2025
edited
Loading

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.

View your CI Pipeline Execution ↗ for commit 4a09897

Command Status Duration Result
nx affected --targets=test:eslint,test:unit,tes... ❌ Failed 6m 47s View ↗
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 1m 37s View ↗

☁️ Nx Cloud last updated this comment at 2025-10-07 14:03:24 UTC

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Oct 7, 2025

More templates

@tanstack/arktype-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/arktype-adapter@5394

@tanstack/directive-functions-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/directive-functions-plugin@5394

@tanstack/eslint-plugin-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/eslint-plugin-router@5394

@tanstack/history

npm i https://pkg.pr.new/TanStack/router/@tanstack/history@5394

@tanstack/nitro-v2-vite-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/nitro-v2-vite-plugin@5394

@tanstack/react-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router@5394

@tanstack/react-router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-devtools@5394

@tanstack/react-router-ssr-query

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-ssr-query@5394

@tanstack/react-start

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start@5394

@tanstack/react-start-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-client@5394

@tanstack/react-start-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-server@5394

@tanstack/router-cli

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-cli@5394

@tanstack/router-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-core@5394

@tanstack/router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools@5394

@tanstack/router-devtools-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools-core@5394

@tanstack/router-generator

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-generator@5394

@tanstack/router-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-plugin@5394

@tanstack/router-ssr-query-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-ssr-query-core@5394

@tanstack/router-utils

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-utils@5394

@tanstack/router-vite-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-vite-plugin@5394

@tanstack/server-functions-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/server-functions-plugin@5394

@tanstack/solid-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router@5394

@tanstack/solid-router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router-devtools@5394

@tanstack/solid-start

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start@5394

@tanstack/solid-start-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-client@5394

@tanstack/solid-start-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-server@5394

@tanstack/start-client-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-client-core@5394

@tanstack/start-plugin-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-plugin-core@5394

@tanstack/start-server-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-core@5394

@tanstack/start-static-server-functions

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-static-server-functions@5394

@tanstack/start-storage-context

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-storage-context@5394

@tanstack/valibot-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/valibot-adapter@5394

@tanstack/virtual-file-routes

npm i https://pkg.pr.new/TanStack/router/@tanstack/virtual-file-routes@5394

@tanstack/zod-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/zod-adapter@5394

commit: 4a09897

coderabbitai[bot]
coderabbitai bot reviewed Oct 7, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a5fdf29 and 4a09897.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (20)
  • examples/react/start-workos/package.json (2 hunks)
  • examples/react/start-workos/src/app.css (1 hunks)
  • examples/react/start-workos/src/authkit/serverFunctions.ts (0 hunks)
  • examples/react/start-workos/src/authkit/ssr/config.ts (0 hunks)
  • examples/react/start-workos/src/authkit/ssr/interfaces.ts (0 hunks)
  • examples/react/start-workos/src/authkit/ssr/session.ts (0 hunks)
  • examples/react/start-workos/src/authkit/ssr/utils.ts (0 hunks)
  • examples/react/start-workos/src/authkit/ssr/workos.ts (0 hunks)
  • examples/react/start-workos/src/routeTree.gen.ts (8 hunks)
  • examples/react/start-workos/src/routes/__root.tsx (3 hunks)
  • examples/react/start-workos/src/routes/_authenticated.tsx (1 hunks)
  • examples/react/start-workos/src/routes/_authenticated/account.tsx (1 hunks)
  • examples/react/start-workos/src/routes/api/auth/callback.tsx (1 hunks)
  • examples/react/start-workos/src/routes/client.tsx (1 hunks)
  • examples/react/start-workos/src/routes/index.tsx (2 hunks)
  • examples/react/start-workos/src/routes/logout.tsx (1 hunks)
  • examples/react/start-workos/src/start.ts (1 hunks)
  • examples/react/start-workos/src/vite-env.d.ts (1 hunks)
  • examples/react/start-workos/vite.config.ts (2 hunks)
  • packages/start-server-core/package.json (1 hunks)
💤 Files with no reviewable changes (6)
  • examples/react/start-workos/src/authkit/ssr/utils.ts
  • examples/react/start-workos/src/authkit/ssr/session.ts
  • examples/react/start-workos/src/authkit/ssr/interfaces.ts
  • examples/react/start-workos/src/authkit/serverFunctions.ts
  • examples/react/start-workos/src/authkit/ssr/workos.ts
  • examples/react/start-workos/src/authkit/ssr/config.ts
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use TypeScript in strict mode with extensive type safety across the codebase

Files:

  • examples/react/start-workos/src/vite-env.d.ts
  • examples/react/start-workos/src/routes/index.tsx
  • examples/react/start-workos/src/routes/api/auth/callback.tsx
  • examples/react/start-workos/src/start.ts
  • examples/react/start-workos/src/routes/logout.tsx
  • examples/react/start-workos/src/routes/_authenticated/account.tsx
  • examples/react/start-workos/src/routeTree.gen.ts
  • examples/react/start-workos/src/routes/client.tsx
  • examples/react/start-workos/vite.config.ts
  • examples/react/start-workos/src/routes/_authenticated.tsx
  • examples/react/start-workos/src/routes/__root.tsx
examples/{react,solid}/**

📄 CodeRabbit inference engine (AGENTS.md)

Keep example applications under examples/react/ and examples/solid/

Files:

  • examples/react/start-workos/src/vite-env.d.ts
  • examples/react/start-workos/src/routes/index.tsx
  • examples/react/start-workos/src/app.css
  • examples/react/start-workos/src/routes/api/auth/callback.tsx
  • examples/react/start-workos/src/start.ts
  • examples/react/start-workos/src/routes/logout.tsx
  • examples/react/start-workos/src/routes/_authenticated/account.tsx
  • examples/react/start-workos/src/routeTree.gen.ts
  • examples/react/start-workos/package.json
  • examples/react/start-workos/src/routes/client.tsx
  • examples/react/start-workos/vite.config.ts
  • examples/react/start-workos/src/routes/_authenticated.tsx
  • examples/react/start-workos/src/routes/__root.tsx
**/src/routes/**

📄 CodeRabbit inference engine (AGENTS.md)

Place file-based routes under src/routes/ directories

Files:

  • examples/react/start-workos/src/routes/index.tsx
  • examples/react/start-workos/src/routes/api/auth/callback.tsx
  • examples/react/start-workos/src/routes/logout.tsx
  • examples/react/start-workos/src/routes/_authenticated/account.tsx
  • examples/react/start-workos/src/routes/client.tsx
  • examples/react/start-workos/src/routes/_authenticated.tsx
  • examples/react/start-workos/src/routes/__root.tsx
**/package.json

📄 CodeRabbit inference engine (AGENTS.md)

Use workspace:* protocol for internal dependencies in package.json files

Files:

  • packages/start-server-core/package.json
  • examples/react/start-workos/package.json
packages/{*-start,start-*}/**

📄 CodeRabbit inference engine (AGENTS.md)

Name and place Start framework packages under packages/-start/ or packages/start-/

Files:

  • packages/start-server-core/package.json
🧬 Code graph analysis (7)
examples/react/start-workos/src/routes/index.tsx (3)
examples/react/start-workos/src/routes/__root.tsx (1)
  • Route (12-39)
examples/react/start-workos/src/routes/_authenticated.tsx (1)
  • Route (4-14)
examples/react/start-workos/src/routes/_authenticated/account.tsx (1)
  • Route (5-27)
examples/react/start-workos/src/routes/api/auth/callback.tsx (2)
examples/react/start-workos/src/routes/__root.tsx (1)
  • Route (12-39)
examples/react/start-workos/src/routes/_authenticated.tsx (1)
  • Route (4-14)
examples/react/start-workos/src/routes/_authenticated/account.tsx (3)
examples/react/start-workos/src/routes/__root.tsx (1)
  • Route (12-39)
examples/react/start-workos/src/routes/_authenticated.tsx (1)
  • Route (4-14)
examples/react/start-workos/src/routes/index.tsx (1)
  • Route (6-13)
examples/react/start-workos/src/routeTree.gen.ts (2)
packages/router-core/src/router.ts (1)
  • Register (97-102)
examples/react/start-workos/src/router.tsx (1)
  • getRouter (4-11)
examples/react/start-workos/src/routes/client.tsx (6)
examples/react/start-workos/src/routes/__root.tsx (1)
  • Route (12-39)
examples/react/start-workos/src/routes/_authenticated.tsx (1)
  • Route (4-14)
examples/react/start-workos/src/routes/_authenticated/account.tsx (1)
  • Route (5-27)
examples/react/start-workos/src/routes/api/auth/callback.tsx (1)
  • Route (4-10)
examples/react/start-workos/src/routes/index.tsx (1)
  • Route (6-13)
examples/react/start-workos/src/routes/logout.tsx (1)
  • Route (4-9)
examples/react/start-workos/src/routes/_authenticated.tsx (3)
examples/react/start-workos/src/routes/__root.tsx (1)
  • Route (12-39)
examples/react/start-workos/src/routes/_authenticated/account.tsx (1)
  • Route (5-27)
examples/react/start-workos/src/routes/index.tsx (1)
  • Route (6-13)
examples/react/start-workos/src/routes/__root.tsx (1)
examples/react/start-workos/src/components/sign-in-button.tsx (1)
  • SignInButton (5-21)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview
🔇 Additional comments (8)
examples/react/start-workos/vite.config.ts (2)

21-23: LGTM!

The ssr.noExternal configuration for @radix-ui/themes is correct. Radix UI components need to be bundled during SSR rather than externalized, as they rely on client-side dependencies that must be transformed.

5-8: No action required: .env.example and README.md document the required environment variables.

examples/react/start-workos/src/vite-env.d.ts (1)

1-6: LGTM!

The Vite client typings and CSS URL module declaration are correctly configured. This enables TypeScript to properly type CSS imports with the ?url suffix (e.g., import appCssUrl from './app.css?url'), which is used in the root route.

examples/react/start-workos/src/app.css (1)

1-1: LGTM!

The Radix UI themes stylesheet import is correctly configured and will be loaded via the URL import pattern in the root route.

examples/react/start-workos/src/start.ts (1)

8-13: LGTM!

The Start instance configuration correctly integrates the AuthKit middleware. The middleware will run on every server request, providing authentication context to route loaders and server functions.

examples/react/start-workos/src/routes/logout.tsx (1)

2-2: LGTM!

The import change from local implementation to the external SDK is correct and aligns with the PR's objective of using the official AuthKit SDK. The signOut function usage remains unchanged, preserving existing behavior.

examples/react/start-workos/src/routes/api/auth/callback.tsx (1)

2-9: LGTM!

Delegating the OAuth callback handling to handleCallbackRoute from the external SDK simplifies the code significantly. The SDK now handles token exchange, session management, state validation, and redirects, reducing custom implementation complexity and potential security issues.

packages/start-server-core/package.json (1)

79-79: Vite devDependency is intentional: start-server-core defines a "build": "vite build" script and includes vite.config.ts, so adding "vite": "^7.1.7" is required.

Likely an incorrect or invalid review comment.

examples/react/start-workos/package.json
"@tanstack/react-router-devtools": "^1.132.47",
"@tanstack/react-start": "^1.132.47",
"@workos-inc/node": "^7.45.0",
"@workos/authkit-tanstack-react-start": "^0.1.0",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify stability and breaking change expectations for the 0.1.x SDK.

The @workos/authkit-tanstack-react-start package is at version ^0.1.0, which indicates it's in early development. Pre-1.0 versions may introduce breaking changes in minor/patch releases. Consider pinning to an exact version or documenting this dependency risk.

🌐 Web query:

What is the latest stable version of @workos/authkit-tanstack-react-start and its release stability policy?

💡 Result:

I couldn't find any published npm package named "@workos/authkit-tanstack-react-start". Searches of npm/GitHub and WorkOS docs show WorkOS publishes AuthKit packages under @workos-inc (e.g. @workos-inc/authkit-react and @workos-inc/authkit-react-router), and the TanStack Start docs include a WorkOS example (not a package with the name you gave). [1][2][3]

If you meant a different package name, or a workspace/example repo, tell me the exact npm/GitHub package or repo and I’ll look it up. References:

  • WorkOS AuthKit docs and packages. [1]
  • WorkOS GitHub (authkit-react, authkit-nextjs, authkit-react-router). [2]
  • TanStack Start React — WorkOS example (Start + WorkOS). [3]

Sources:
[1] https://workos.com/docs/authkit/react
[2] https://github.com/workos
[3] https://tanstack.com/start/latest/docs/framework/react/examples/start-workos

Correct invalid package dependency
The dependency "@workos/authkit-tanstack-react-start" isn’t published on npm; WorkOS AuthKit packages live under the @workos-inc scope (e.g. @workos-inc/authkit-react). Update line 21 of examples/react/start-workos/package.json to the correct package name and version.

🤖 Prompt for AI Agents 
examples/react/start-workos/package.json around line 21: Replace the invalid
dependency "@workos/authkit-tanstack-react-start" with the correct scoped
package name and version, e.g. "@workos-inc/authkit-react": "^0.1.0" (or the
exact published version you need), then save and run npm/yarn install to update
lockfiles.

@nicknisi nicknisi mentioned this pull request Oct 7, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees
No one assigned
Labels
package: start-server-core
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nicknisi