Profile

A Profile is an object that represents an authenticated user. The Profile object contains information relevant to a user in the form of normalized attributes.

After receiving the Profile for an authenticated user, use the Profile object attributes to persist relevant data to your application’s user model for the specific, authenticated user.

To surface additional attributes on the Profile, refer to the SSO custom attributes guide.

Get a Profile and Token

Get an access token along with the user Profile using the code passed to your Redirect URI.

cURL

 curl --request POST \
  --url "https://api.workos.com/sso/token" \
  --header "Content-Type: application/json" \
  -d @- <<'BODY'
    {
        "client_id": "client_01HZBC6N1EB1ZY7KG32X",
        "client_secret": "sk_example_123456789",
        "code": "authorization_code_value",
        "grant_type": "authorization_code"
    }
BODY

 {
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNzby...",
  "expires_in": 600,
  "profile": {
    "object": "profile",
    "id": "prof_01DMC79VCBZ0NY2099737PSVF1",
    "organization_id": "org_01EHQMYV6MBK39QC5PZXHY59C3",
    "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5",
    "connection_type": "GoogleOAuth",
    "idp_id": "103456789012345678901",
    "email": "todd@example.com",
    "first_name": "Todd",
    "last_name": "Rundgren",
    "role": {
      "slug": "admin"
    },
    "roles": [
      {
        "slug": "admin"
      }
    ],
    "groups": [
      "Engineering",
      "Admins"
    ],
    "custom_attributes": {},
    "raw_attributes": {}
  },
  "oauth_tokens": {
    "provider": "GoogleOAuth",
    "refresh_token": "1//04g...",
    "access_token": "ya29.a0ARrdaM...",
    "expires_at": 1735141800,
    "scopes": [
      "profile",
      "email",
      "openid"
    ]
  }
}

POST

`/sso/token`

`Parameters`

`Returns`

Get a User Profile

Exchange an access token for a user’s Profile. Because this profile is returned in the Get a Profile and Token endpoint your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user’s profile.

cURL

 curl "https://api.workos.com/sso/profile" \
  --header "Authorization: Bearer 01DMEK0J53CVMC32CK5SE0KZ8Q"

 {
  "object": "profile",
  "id": "prof_01DMC79VCBZ0NY2099737PSVF1",
  "organization_id": "org_01EHQMYV6MBK39QC5PZXHY59C3",
  "connection_id": "conn_01E4ZCR3C56J083X43JQXF3JK5",
  "connection_type": "GoogleOAuth",
  "idp_id": "103456789012345678901",
  "email": "todd@example.com",
  "first_name": "Todd",
  "last_name": "Rundgren",
  "role": {
    "slug": "admin"
  },
  "roles": [
    {
      "slug": "admin"
    }
  ],
  "groups": [
    "Engineering",
    "Admins"
  ],
  "custom_attributes": {},
  "raw_attributes": {}
}

GET

`/sso/profile`

`Returns`

Connection Continue to the next section

Up next

Profile

Get a Profile and Token

/sso/token

Parameters

client_id: string

client_secret: string

code: string

grant_type: "authorization_code"

Returns

token_type: "Bearer"

access_token: string

expires_in: integer

profile: object

oauth_tokens?: object

Get a User Profile

/sso/profile

Returns

profile: object

`/sso/token`

`Parameters`

`Returns`

`/sso/profile`

`Returns`