@inherence/workos bridges WorkOS-authenticated identity claims (org, role, permissions) into Inherence policy inputs. Every agent action gates against the compiled policy with the user's identity bound to the cryptographic receipt — your auditor sees who did what, under which policy, with verifiable proof.
import { gateWithWorkOSIdentity } from "@inherence/workos";
const decision = await gateWithWorkOSIdentity(
workOSSession,
{ tool_name: "stripe.issuing.authorize", args: { amount_usd: 15000, ... } },
{ apiKey: process.env.INHERENCE_API_KEY },
);
if (decision.kind === "deny") {
return res.status(403).json({ error: decision.rule_id, cite: decision.cite });
}The user's organization, role, and permissions are packaged into the gate call. Inherence's compiled policy can reference identity claims directly — a "trader role cannot exceed daily P&L" rule maps to a predicate over identity.role + tool-call args.
This adapter is an unilateral reference implementation. Not endorsed by WorkOS — yet. The intent is to seed a codesign conversation where Inherence supplies the policy compiler + proof generation; WorkOS supplies the identity vocabulary + SDK distribution.
If you're a WorkOS customer building an agent-driven product that needs auditor-grade compliance, your interest in this integration is the signal WorkOS would respond to.