In the WorkOS dashboard, configure a webhook endpoint URL under Webhooks; WorkOS will deliver directory sync events as signed HTTP POST requests to this URL.
Alternatively, poll the Events API at GET /events with the event_type filter (e.g., dsync.user.created) and use a cursor-based after parameter to process events in order without missing any.
Handle dsync.user.created by creating or activating the user in your app and associating them with the directory_id and organization_id from the event payload.
Handle dsync.user.updated by diffing the changed attributes in the payload and updating the corresponding user record; pay attention to group membership changes included in the event.
Handle dsync.user.deleted by deprovisioning the user — disable the account or revoke sessions — as this event fires when a user is hard-deleted from the directory.
Respond to webhook deliveries with a 2xx status within your timeout window; WorkOS retries failed deliveries, so implement idempotency keyed on the event id to prevent duplicate provisioning.
Known gotchas
During the initial directory sync, WorkOS fires a dsync.user.created event for every existing user in the directory — your handler must be prepared for high volume on first connection, not just incremental changes.
The Events API uses cursor-based pagination; storing and advancing the after cursor is essential to avoid reprocessing old events or missing new ones after a service restart.
dsync.group.user.added and dsync.group.user.deleted are separate events from dsync.user.updated; you must handle group membership events independently if your app uses directory group memberships for authorization.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp