WRNexus
Platform features

Built for teams who care about quality

Every feature on this page ships on the WRNexus free tier. Paid plans unlock higher limits, custom roles and compliance controls — never core functionality.

Identity & access

One login surface for every WorkRoot product

WRNexus consolidates passwords, magic links, OAuth, passkeys, TOTP and SAML behind one SDK. Sign up once and inherit a verified identity across every product in your account.

  • Email + password with Argon2id and HIBP breach-check on signup
  • Magic links with single-use, 15-minute TTL tokens
  • OAuth 2.1 + PKCE for Google, GitHub and Microsoft
  • TOTP authenticator apps (Authy, 1Password, Google Authenticator)
  • WebAuthn passkeys with Touch ID, Face ID and hardware keys
  • SAML 2.0 SSO on Enterprise tier with attribute mapping
  • Recovery codes and admin-assisted MFA reset workflows
identity.typescript TypeScript
import { WRNexusClient } from '@wrnexus/auth-client';

const wrn = new WRNexusClient({ apiKey: process.env.WRN_API_KEY! });

// Verify the session cookie on every request
const session = await wrn.sessions.resolve(request.headers.cookie);
if (!session) return Response.redirect(`${SSO_URL}/login`);
Workspaces

Personal and team contexts, side by side

Every user gets a personal workspace automatically and can join any number of team workspaces. Switching context is one click — no logout, no second session, no broken deep links.

  • Personal workspace provisioned on signup
  • Org workspaces with slug-based URLs and member invite flows
  • Multiple memberships per user, with last-used workspace remembered
  • Workspace-level plan, billing, audit log and API key isolation
  • Bulk invite via CSV, link or SCIM (Enterprise)
  • Soft-delete with 30-day undo for accidental workspace removal
workspaces.http HTTP
POST /api/workspaces
Authorization: Bearer wrn_live_…
Content-Type: application/json

{
  "name": "Northwind Studios",
  "slug": "northwind",
  "plan": "team"
}
RBAC

Roles that fit the way your team actually works

Start with owner / admin / member / viewer and graduate to custom roles when your team needs them. Permissions are evaluated server-side on every request — no client-side bypass.

  • Built-in owner, admin, member and viewer roles
  • Custom roles with a JSON policy editor on Team and Enterprise
  • Permission introspection endpoint for your own UI
  • Optional role inheritance (e.g. "support" inherits from "viewer")
  • Just-in-time elevation with reason capture and audit-log entry
  • Compatible with our typed TypeScript guard helpers
rbac.typescript TypeScript
import { requirePermission } from '@wrnexus/auth-client/guards';

export const POST = requirePermission(
  'invoices:create',
  async ({ session, request }) => {
    // session.role and session.permissions are typed
    return Response.json(await createInvoice(request));
  },
);
Audit log

A trail your auditor will actually accept

Every sensitive action — sign-in, role change, key issuance, impersonation, plan change — is recorded with the actor, IP, user-agent and a hash chained back to the previous entry.

  • Append-only entries with tamper-evident SHA-256 chain
  • Filterable by actor, action, target, IP and time window
  • CSV and JSON export with signed download URLs
  • Warehouse streaming to BigQuery, Snowflake and Redshift (Enterprise)
  • Retention from 30 days (Starter) up to 7 years (Enterprise)
  • Impersonation flagging — every admin "view-as" is recorded
audit-log.json JSON
{
  "id": "ae_01H9X…",
  "actor": { "type": "user", "id": "usr_01H8…", "email": "lena@northwind.com" },
  "action": "workspace.member.role_changed",
  "target": { "type": "membership", "id": "wsm_01H9…" },
  "metadata": { "from": "member", "to": "admin" },
  "ip": "203.0.113.42",
  "occurred_at": "2026-05-14T08:42:17Z",
  "prev_hash": "8c0f…91e3"
}
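
How a consumer of the export could check the hash chain described above, as an added JavaScript (Node.js) example that is not WRNexus code. The page does not say how `prev_hash` is computed, so the serialization rule, the all-zero first link and every function name here are assumptions.

```javascript
// Added example, not WRNexus code. ASSUMPTION (the page does not specify it): prev_hash is
// the hex SHA-256 of the previous entry as sorted-key JSON; the first entry carries 64 zeros.
const { createHash } = require('node:crypto');
const GENESIS = '0'.repeat(64);

// Deterministic JSON: keys sorted at every level, array order preserved.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const fields = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k]));
    return '{' + fields.join(',') + '}';
  }
  return JSON.stringify(value);
}

function entryHash(entry) {
  return createHash('sha256').update(canonical(entry), 'utf8').digest('hex');
}

// Returns { ok: true } or the index of the first broken link. expectedHead (optional)
// is the hash of the newest entry, kept somewhere the log writer cannot modify.
function verifyChain(entries, expectedHead) {
  let expected = GENESIS;
  for (let i = 0; i < entries.length; i++) {
    if (entries[i].prev_hash !== expected) {
      return { ok: false, index: i, reason: 'prev_hash mismatch' };
    }
    expected = entryHash(entries[i]);
  }
  if (expectedHead !== undefined && expected !== expectedHead) {
    return { ok: false, index: entries.length - 1, reason: 'head hash mismatch' };
  }
  return { ok: true };
}

// Constructed sample export (not real WRNexus data), chained with the rule above.
function buildSample() {
  let prev = GENESIS;
  return [
    { id: 'ae_sample_1', action: 'sample.sign_in', ip: '203.0.113.42' },
    { id: 'ae_sample_2', action: 'workspace.member.role_changed', metadata: { to: 'admin' } },
    { id: 'ae_sample_3', action: 'sample.key_issued', ip: '203.0.113.42' },
  ].map((e) => {
    const entry = { ...e, prev_hash: prev };
    prev = entryHash(entry);
    return entry;
  });
}
console.log(verifyChain(buildSample())); // intact sample chain
```

Without a head hash stored outside the log, a chain check cannot detect removal of the newest entries or a complete rewrite of the log.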
Billing

Stripe-powered billing without the boilerplate

WRNexus ships with Stripe checkout, Customer Portal, proration, dunning emails and signed webhook handlers — so you never write another invoice.paid handler.

  • Starter, Team and Enterprise tiers with seat-based pricing
  • Stripe Checkout and Customer Portal pre-integrated
  • Idempotent webhook handlers for subscription + invoice events
  • Dunning emails with one-click card update from the portal
  • Annual billing with prorated upgrades and downgrades
  • Tax automation via Stripe Tax (GST, VAT, US sales tax)
billing.http HTTP
GET /api/billing/portal-session
Authorization: Bearer wrn_live_…

→ 200 OK
{
  "url": "https://billing.stripe.com/p/session/abc…"
}
Integrations

Plug into the tools your team already runs

Webhooks, signed payloads, Slack, Linear, Notion and a SCIM 2.0 endpoint — the WorkRoot/WRNexus integrations marketplace ships with 38+ first-party connectors, and the protocol is documented end-to-end for your own.

  • Signed outbound webhooks with HMAC-SHA256 verification
  • Slack alerts for new members, security events and billing changes
  • Linear / Jira issue creation from impersonation reports
  • SCIM 2.0 user and group provisioning (Enterprise)
  • Typed TypeScript and Python clients on npm and PyPI
  • OIDC token endpoint for any standards-compliant consumer
integrations.bash Bash
# Verify an incoming webhook with HMAC-SHA256
SIG=$(printf "%s" "$BODY" | openssl dgst -sha256 -hmac "$WRN_SECRET" | cut -d" " -f2)
test "$SIG" = "${WRN_SIGNATURE#sha256=}" && echo "ok"
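
A Node.js counterpart to the shell check above, added here as an example (not WRNexus code): it compares the MAC in constant time and shows why the raw body bytes, not re-serialized JSON, must be verified. The `sha256=<hex>` header form is taken from the shell snippet; the function names, secret and payload are constructed for illustration.

```javascript
// Added example, not WRNexus code. ASSUMPTIONS: the signature header is "sha256=<hex>"
// (the form the shell snippet strips) and the MAC covers the raw request body bytes.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Produces the header value; used here only to construct the sample delivery.
function signWebhook(rawBody, secret) {
  return 'sha256=' + createHmac('sha256', secret).update(rawBody).digest('hex');
}

// rawBody must be the bytes as received, before any JSON parsing or re-serialization.
function verifyWebhook(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== 'string') return false;
  const hex = signatureHeader.replace(/^sha256=/, '');
  if (!/^[0-9a-f]{64}$/i.test(hex)) return false; // reject malformed or truncated MACs
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  return timingSafeEqual(expected, Buffer.from(hex, 'hex')); // constant-time compare
}

// Constructed sample delivery (secret and payload are made up for this example).
const SAMPLE_SECRET = 'constructed-webhook-secret';
const SAMPLE_BODY = Buffer.from('{"event": "member.added",  "workspace": "northwind"}');

function demo() {
  const header = signWebhook(SAMPLE_BODY, SAMPLE_SECRET);
  // A framework that parses the JSON and hands back a re-serialized copy changes
  // the bytes (whitespace here), so the same signature no longer verifies.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString('utf8'))));
  return {
    rawBody: verifyWebhook(SAMPLE_BODY, header, SAMPLE_SECRET),
    wrongSecret: verifyWebhook(SAMPLE_BODY, header, 'some-other-secret'),
    reserializedBody: verifyWebhook(reserialized, header, SAMPLE_SECRET),
    truncatedMac: verifyWebhook(SAMPLE_BODY, header.slice(0, 20), SAMPLE_SECRET),
    missingHeader: verifyWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
  };
}
console.log(demo());
```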
Usage analytics

See exactly how your auth is being used

Sign-in funnels, MFA adoption, seat utilisation and per-product usage rolled into a workspace dashboard — plus a streaming feed to your warehouse on Enterprise.

  • Sign-in funnel: password vs magic link vs OAuth vs passkey
  • MFA adoption per role and per workspace
  • Seat utilisation with 30/60/90-day trailing usage
  • Per-API-key request counts and error rates
  • Anomaly alerts (sudden spike in failed logins, unusual geo)
  • Streaming to your warehouse via Segment, Snowflake or BigQuery
analytics.typescript TypeScript
const usage = await wrn.analytics.signInFunnel({
  workspaceId: 'wsp_01H9…',
  window: '30d',
});
// → { password: 142, magic_link: 318, oauth: 511, passkey: 96 }
Security

Secure by default — not by configuration

Defaults that meet the bar of any modern security review. Brute-force protection, breach-checked passwords, signed cookies and an instant kill-switch on every session live in WRNexus on day one.

  • HttpOnly, Secure, SameSite=Lax session cookies
  • HIBP k-anonymity breach-password check on signup and rotation
  • Per-IP and per-account brute-force rate limiting on auth endpoints
  • CSRF protection via SameSite cookies and signed form tokens
  • CSP, HSTS, X-Frame-Options and Permissions-Policy on every route
  • Instant cross-region session revocation (no JWT-TTL wait)
security.http HTTP
DELETE /api/sessions/sess_01H9…
Authorization: Bearer wrn_live_…

→ 204 No Content
# Effective in every WRNexus region within ~80 ms

All features, free to start

No trial expiry. No credit card. Full WRNexus platform access from day one. Upgrade only when you outgrow Starter.