diff --git a/apps/blog-next/app/api/auth/workos/callback/route.ts b/apps/blog-next/app/api/auth/workos/callback/route.ts
new file mode 100644
index 00000000..ac9510e8
--- /dev/null
+++ b/apps/blog-next/app/api/auth/workos/callback/route.ts
@@ -0,0 +1,10 @@
+import { completeWorkosAuth } from '@holo-js/auth-workos'
+
+export async function GET(request: Request) {
+  const result = await completeWorkosAuth(request)
+  if (!result.ok) {
+    return Response.redirect(new URL(`/login?error=${encodeURIComponent(result.code)}`, request.url))
+  }
+
+  return Response.redirect(new URL('/admin', request.url))
+}
diff --git a/apps/blog-next/app/api/auth/workos/login/route.ts b/apps/blog-next/app/api/auth/workos/login/route.ts
new file mode 100644
index 00000000..3839061c
--- /dev/null
+++ b/apps/blog-next/app/api/auth/workos/login/route.ts
@@ -0,0 +1,5 @@
+import { loginWithWorkos } from '@holo-js/auth-workos'
+
+export async function GET(request: Request) {
+  return await loginWithWorkos(request)
+}
diff --git a/apps/blog-next/app/api/auth/workos/logout/route.ts b/apps/blog-next/app/api/auth/workos/logout/route.ts
new file mode 100644
index 00000000..d556de00
--- /dev/null
+++ b/apps/blog-next/app/api/auth/workos/logout/route.ts
@@ -0,0 +1,10 @@
+import { logoutWithWorkos } from '@holo-js/auth-workos'
+
+export async function POST(request: Request) {
+  const result = await logoutWithWorkos(request)
+  if (!result.ok) {
+    return Response.json(result, { status: 422 })
+  }
+
+  return Response.redirect(result.url, 303)
+}
diff --git a/apps/blog-next/app/api/auth/workos/register/route.ts b/apps/blog-next/app/api/auth/workos/register/route.ts
new file mode 100644
index 00000000..93ace66f
--- /dev/null
+++ b/apps/blog-next/app/api/auth/workos/register/route.ts
@@ -0,0 +1,5 @@
+import { registerWithWorkos } from '@holo-js/auth-workos'
+
+export async function GET(request: Request) {
+  return await registerWithWorkos(request)
+}
diff --git a/apps/blog-next/app/auth-nav.tsx b/apps/blog-next/app/auth-nav.tsx
index 98ce7f72..61dcd30d 100644
--- a/apps/blog-next/app/auth-nav.tsx
+++ b/apps/blog-next/app/auth-nav.tsx
@@ -18,6 +18,10 @@ const logoutButtonStyle = {
   padding: 0,
 } as const
 
+const logoutFormStyle = {
+  display: 'inline',
+} as const
+
 export function AuthNav() {
   const auth = useAuth()
   const [isLoggingOut, setIsLoggingOut] = useState(false)
@@ -57,6 +61,9 @@ export function AuthNav() {
     <>
       <span style={{ color: '#e5eef8' }}>{displayName}</span>
       <button type="button" disabled={isLoggingOut} onClick={logout} style={logoutButtonStyle}>Logout</button>
+      <form action="/api/auth/workos/logout" method="post" style={logoutFormStyle}>
+        <button type="submit" style={logoutButtonStyle}>Logout from WorkOS</button>
+      </form>
     </>
   )
 }
diff --git a/apps/blog-next/app/login/page.tsx b/apps/blog-next/app/login/page.tsx
index 2c396842..5b5c7f2d 100644
--- a/apps/blog-next/app/login/page.tsx
+++ b/apps/blog-next/app/login/page.tsx
@@ -47,6 +47,7 @@ export default function LoginPage() {
       <div style={{ display: 'grid', gap: '0.65rem' }}>
         <a href="/auth/google" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with Google</a>
         <a href="/auth/github" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with GitHub</a>
+        <a href="/api/auth/workos/login" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with WorkOS</a>
       </div>
 
       <form onSubmit={(event) => { event.preventDefault(); form.submit() }} style={{ display: 'grid', gap: '0.9rem' }}>
@@ -97,7 +98,7 @@ export default function LoginPage() {
       ) : null}
 
       <div style={{ display: 'flex', gap: '1rem', flexWrap: 'wrap' }}>
-        <Link href="/register" style={{ color: '#7dd3fc' }}>Create account</Link>
+      <Link href="/register" style={{ color: '#7dd3fc' }}>Create account</Link>
         <Link href="/forgot-password" style={{ color: '#7dd3fc' }}>Forgot password?</Link>
       </div>
     </section>
diff --git a/apps/blog-next/app/register/page.tsx b/apps/blog-next/app/register/page.tsx
index 1a744cf5..168396d9 100644
--- a/apps/blog-next/app/register/page.tsx
+++ b/apps/blog-next/app/register/page.tsx
@@ -100,6 +100,7 @@ export default function RegisterPage() {
       ) : null}
 
       <Link href="/login" style={{ color: '#7dd3fc' }}>Already have an account?</Link>
+      <a href="/api/auth/workos/register" style={{ color: '#7dd3fc' }}>Register with WorkOS</a>
     </section>
   )
 }
diff --git a/apps/blog-next/config/auth.ts b/apps/blog-next/config/auth.ts
index 2c9f962b..b54d336e 100644
--- a/apps/blog-next/config/auth.ts
+++ b/apps/blog-next/config/auth.ts
@@ -41,7 +41,6 @@ export default defineAuthConfig({
   personalAccessTokens: {
     defaultAbilities: [],
   },
-  socialEncryptionKey: env('AUTH_SOCIAL_ENCRYPTION_KEY'),
   social: {
     google: {
       clientId: env('AUTH_GOOGLE_CLIENT_ID'),
@@ -57,12 +56,11 @@ export default defineAuthConfig({
     },
   },
   workos: {
+    provider: env('AUTH_WORKOS_PROVIDER', 'dashboard'),
     dashboard: {
       clientId: env('WORKOS_CLIENT_ID'),
       apiKey: env('WORKOS_API_KEY'),
-      cookiePassword: env('WORKOS_COOKIE_PASSWORD'),
       redirectUri: env('WORKOS_REDIRECT_URI'),
-      sessionCookie: env('WORKOS_SESSION_COOKIE', "wos-session"),
     },
   },
   // Add a dedicated guard and provider if WorkOS users should resolve through a different model.
diff --git a/apps/blog-next/tests/run.mjs b/apps/blog-next/tests/run.mjs
index f66c5abf..6e144b65 100644
--- a/apps/blog-next/tests/run.mjs
+++ b/apps/blog-next/tests/run.mjs
@@ -40,6 +40,7 @@ let capturedOutput = ''
 function createChildEnv(overrides = {}) {
   const env = {
     ...process.env,
+    APP_NAME: '',
     HOLO_SECURITY_TRUST_PROXY: 'true',
     ...overrides,
   }
diff --git a/apps/blog-nuxt/app/app.vue b/apps/blog-nuxt/app/app.vue
index 76c87491..3f5562c6 100644
--- a/apps/blog-nuxt/app/app.vue
+++ b/apps/blog-nuxt/app/app.vue
@@ -21,6 +21,9 @@ async function logout() {
         <template v-if="authenticated">
           <span class="user-name">{{ displayName }}</span>
           <button type="button" class="logout-button" @click="logout">Logout</button>
+          <form action="/api/auth/workos/logout" method="post" class="logout-form">
+            <button type="submit" class="logout-button">Logout from WorkOS</button>
+          </form>
         </template>
         <template v-else>
           <NuxtLink to="/login">Login</NuxtLink>
@@ -70,6 +73,9 @@ async function logout() {
   cursor: pointer;
   font: inherit;
 }
+.logout-form {
+  display: inline;
+}
 a {
   color: #cbd5e1;
   text-decoration: none;
diff --git a/apps/blog-nuxt/app/pages/login.vue b/apps/blog-nuxt/app/pages/login/index.vue
similarity index 97%
rename from apps/blog-nuxt/app/pages/login.vue
rename to apps/blog-nuxt/app/pages/login/index.vue
index 30aa62d4..3b6cc2de 100644
--- a/apps/blog-nuxt/app/pages/login.vue
+++ b/apps/blog-nuxt/app/pages/login/index.vue
@@ -35,6 +35,7 @@ const form = useForm(loginForm, {
     <div class="social-links">
       <a href="/auth/google">Continue with Google</a>
       <a href="/auth/github">Continue with GitHub</a>
+      <a href="/api/auth/workos/login">Continue with WorkOS</a>
     </div>
 
     <form class="stack" @submit.prevent="form.submit()">
diff --git a/apps/blog-nuxt/app/pages/register.vue b/apps/blog-nuxt/app/pages/register/index.vue
similarity index 97%
rename from apps/blog-nuxt/app/pages/register.vue
rename to apps/blog-nuxt/app/pages/register/index.vue
index 46bdd341..90fdebee 100644
--- a/apps/blog-nuxt/app/pages/register.vue
+++ b/apps/blog-nuxt/app/pages/register/index.vue
@@ -69,6 +69,7 @@ const form = useForm(registerForm, {
     </div>
 
     <NuxtLink to="/login">Already have an account?</NuxtLink>
+    <a href="/api/auth/workos/register">Register with WorkOS</a>
   </section>
 </template>
 
diff --git a/apps/blog-nuxt/config/auth.ts b/apps/blog-nuxt/config/auth.ts
index 2c9f962b..b54d336e 100644
--- a/apps/blog-nuxt/config/auth.ts
+++ b/apps/blog-nuxt/config/auth.ts
@@ -41,7 +41,6 @@ export default defineAuthConfig({
   personalAccessTokens: {
     defaultAbilities: [],
   },
-  socialEncryptionKey: env('AUTH_SOCIAL_ENCRYPTION_KEY'),
   social: {
     google: {
       clientId: env('AUTH_GOOGLE_CLIENT_ID'),
@@ -57,12 +56,11 @@ export default defineAuthConfig({
     },
   },
   workos: {
+    provider: env('AUTH_WORKOS_PROVIDER', 'dashboard'),
     dashboard: {
       clientId: env('WORKOS_CLIENT_ID'),
       apiKey: env('WORKOS_API_KEY'),
-      cookiePassword: env('WORKOS_COOKIE_PASSWORD'),
       redirectUri: env('WORKOS_REDIRECT_URI'),
-      sessionCookie: env('WORKOS_SESSION_COOKIE', "wos-session"),
     },
   },
   // Add a dedicated guard and provider if WorkOS users should resolve through a different model.
diff --git a/apps/blog-nuxt/server/api/auth/workos/callback.get.ts b/apps/blog-nuxt/server/api/auth/workos/callback.get.ts
new file mode 100644
index 00000000..c7d0aa63
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/workos/callback.get.ts
@@ -0,0 +1,12 @@
+import { completeWorkosAuth } from '@holo-js/auth-workos'
+import { sendRedirect } from 'h3'
+
+export default defineEventHandler(async (event) => {
+  const result = await completeWorkosAuth(event)
+  if (!result.ok) {
+    const errCode = result.code ?? 'unknown_error'
+    return await sendRedirect(event, `/login?error=${encodeURIComponent(errCode)}`, 303)
+  }
+
+  return await sendRedirect(event, '/admin', 303)
+})
diff --git a/apps/blog-nuxt/server/api/auth/workos/login.get.ts b/apps/blog-nuxt/server/api/auth/workos/login.get.ts
new file mode 100644
index 00000000..465b7be5
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/workos/login.get.ts
@@ -0,0 +1,5 @@
+import { loginWithWorkos } from '@holo-js/auth-workos'
+
+export default defineEventHandler(async (event) => {
+  return await loginWithWorkos(event)
+})
diff --git a/apps/blog-nuxt/server/api/auth/workos/logout.post.ts b/apps/blog-nuxt/server/api/auth/workos/logout.post.ts
new file mode 100644
index 00000000..0dd8dac4
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/workos/logout.post.ts
@@ -0,0 +1,14 @@
+import { logoutWithWorkos } from '@holo-js/auth-workos'
+import { createError, sendRedirect } from 'h3'
+
+export default defineEventHandler(async (event) => {
+  const result = await logoutWithWorkos(event)
+  if (!result.ok) {
+    throw createError({
+      statusCode: 422,
+      statusMessage: result.message,
+    })
+  }
+
+  return await sendRedirect(event, result.url, 303)
+})
diff --git a/apps/blog-nuxt/server/api/auth/workos/register.get.ts b/apps/blog-nuxt/server/api/auth/workos/register.get.ts
new file mode 100644
index 00000000..0beb0684
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/workos/register.get.ts
@@ -0,0 +1,5 @@
+import { registerWithWorkos } from '@holo-js/auth-workos'
+
+export default defineEventHandler(async (event) => {
+  return await registerWithWorkos(event)
+})
diff --git a/apps/blog-nuxt/tests/run.mjs b/apps/blog-nuxt/tests/run.mjs
index 24fc1126..ee3117b4 100644
--- a/apps/blog-nuxt/tests/run.mjs
+++ b/apps/blog-nuxt/tests/run.mjs
@@ -43,6 +43,7 @@ let capturedOutput = ''
 function createChildEnv(overrides = {}) {
   const env = {
     ...process.env,
+    APP_NAME: '',
     HOLO_SECURITY_TRUST_PROXY: 'true',
     ...overrides,
   }
diff --git a/apps/blog-sveltekit/config/auth.ts b/apps/blog-sveltekit/config/auth.ts
index 2c9f962b..b54d336e 100644
--- a/apps/blog-sveltekit/config/auth.ts
+++ b/apps/blog-sveltekit/config/auth.ts
@@ -41,7 +41,6 @@ export default defineAuthConfig({
   personalAccessTokens: {
     defaultAbilities: [],
   },
-  socialEncryptionKey: env('AUTH_SOCIAL_ENCRYPTION_KEY'),
   social: {
     google: {
       clientId: env('AUTH_GOOGLE_CLIENT_ID'),
@@ -57,12 +56,11 @@ export default defineAuthConfig({
     },
   },
   workos: {
+    provider: env('AUTH_WORKOS_PROVIDER', 'dashboard'),
     dashboard: {
       clientId: env('WORKOS_CLIENT_ID'),
       apiKey: env('WORKOS_API_KEY'),
-      cookiePassword: env('WORKOS_COOKIE_PASSWORD'),
       redirectUri: env('WORKOS_REDIRECT_URI'),
-      sessionCookie: env('WORKOS_SESSION_COOKIE', "wos-session"),
     },
   },
   // Add a dedicated guard and provider if WorkOS users should resolve through a different model.
diff --git a/apps/blog-sveltekit/src/routes/+layout.svelte b/apps/blog-sveltekit/src/routes/+layout.svelte
index dc1f257d..87a94ab3 100644
--- a/apps/blog-sveltekit/src/routes/+layout.svelte
+++ b/apps/blog-sveltekit/src/routes/+layout.svelte
@@ -42,6 +42,9 @@
       {#if auth.authenticated}
         <span class="user-name">{displayName}</span>
         <button type="button" class="logout-button" disabled={isLoggingOut} aria-busy={isLoggingOut} onclick={logout}>Logout</button>
+        <form action="/api/auth/workos/logout" method="post" class="logout-form">
+          <button type="submit" class="logout-button">Logout from WorkOS</button>
+        </form>
       {:else}
         <a href="/login">Login</a>
         <a href="/register">Register</a>
@@ -94,6 +97,9 @@
     opacity: 0.6;
     pointer-events: none;
   }
+  .logout-form {
+    display: inline;
+  }
   a {
     color: #cbd5e1;
     text-decoration: none;
diff --git a/apps/blog-sveltekit/src/routes/api/auth/workos/callback/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/workos/callback/+server.ts
new file mode 100644
index 00000000..a95a47b1
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/workos/callback/+server.ts
@@ -0,0 +1,11 @@
+import { redirect, type RequestHandler } from '@sveltejs/kit'
+import { completeWorkosAuth } from '@holo-js/auth-workos'
+
+export const GET = (async (event) => {
+  const result = await completeWorkosAuth(event)
+  if (!result.ok) {
+    throw redirect(303, `/login?error=${encodeURIComponent(result.code)}`)
+  }
+
+  throw redirect(303, '/admin')
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/api/auth/workos/login/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/workos/login/+server.ts
new file mode 100644
index 00000000..72ccebec
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/workos/login/+server.ts
@@ -0,0 +1,6 @@
+import { loginWithWorkos } from '@holo-js/auth-workos'
+import type { RequestHandler } from './$types'
+
+export const GET = (async (event) => {
+  return await loginWithWorkos(event)
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/api/auth/workos/logout/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/workos/logout/+server.ts
new file mode 100644
index 00000000..f1e93aca
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/workos/logout/+server.ts
@@ -0,0 +1,11 @@
+import { redirect, type RequestHandler } from '@sveltejs/kit'
+import { logoutWithWorkos } from '@holo-js/auth-workos'
+
+export const POST = (async (event) => {
+  const result = await logoutWithWorkos(event)
+  if (!result.ok) {
+    return Response.json(result, { status: 422 })
+  }
+
+  throw redirect(303, result.url)
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/api/auth/workos/register/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/workos/register/+server.ts
new file mode 100644
index 00000000..e271c22f
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/workos/register/+server.ts
@@ -0,0 +1,6 @@
+import { registerWithWorkos } from '@holo-js/auth-workos'
+import type { RequestHandler } from './$types'
+
+export const GET = (async (event) => {
+  return await registerWithWorkos(event)
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/login/+page.svelte b/apps/blog-sveltekit/src/routes/login/+page.svelte
index 8a3523e6..4a472483 100644
--- a/apps/blog-sveltekit/src/routes/login/+page.svelte
+++ b/apps/blog-sveltekit/src/routes/login/+page.svelte
@@ -30,6 +30,7 @@
   <div class="social-links">
     <a href="/auth/google">Continue with Google</a>
     <a href="/auth/github">Continue with GitHub</a>
+    <a href="/api/auth/workos/login">Continue with WorkOS</a>
   </div>
 
   <form class="stack" on:submit={(event) => { event.preventDefault(); form.submit() }}>
diff --git a/apps/blog-sveltekit/src/routes/register/+page.svelte b/apps/blog-sveltekit/src/routes/register/+page.svelte
index a7094569..2701da8d 100644
--- a/apps/blog-sveltekit/src/routes/register/+page.svelte
+++ b/apps/blog-sveltekit/src/routes/register/+page.svelte
@@ -96,6 +96,7 @@
   {/if}
 
   <a href="/login" class="link">Already have an account?</a>
+  <a href="/api/auth/workos/register" class="link">Register with WorkOS</a>
 </section>
 
 <style>
diff --git a/apps/blog-sveltekit/tests/run.mjs b/apps/blog-sveltekit/tests/run.mjs
index 0902b94e..2eca0342 100644
--- a/apps/blog-sveltekit/tests/run.mjs
+++ b/apps/blog-sveltekit/tests/run.mjs
@@ -39,6 +39,7 @@ let capturedOutput = ''
 function createChildEnv(overrides = {}) {
   const env = {
     ...process.env,
+    APP_NAME: '',
     HOLO_SECURITY_TRUST_PROXY: 'true',
     ...overrides,
   }
diff --git a/apps/docs/docs/auth/workos.md b/apps/docs/docs/auth/workos.md
index cc7b6def..0bc3cde4 100644
--- a/apps/docs/docs/auth/workos.md
+++ b/apps/docs/docs/auth/workos.md
@@ -1,179 +1,119 @@
 # WorkOS
 
-WorkOS authentication keeps WorkOS as the hosted identity system while syncing the authenticated identity into a local
-application model.
-
-## What This Package Does
-
-`@holo-js/auth-workos` is designed for applications that need:
-
-- hosted sign-in and organization-aware identity flows
-- a local `User` or `Admin` model
-- synchronized identity linking
-- guard-aware authentication into the local model
-
-Think of the split like this:
-
-- WorkOS proves who the user is
-- Holo finds or creates your local user record
-- Holo signs that local user into your configured guard
-
-If you want the shortest answer to "how do I use this?":
-
-- easy Holo way: call `authenticate(request, 'dashboard')`
-- manual way: call `verifyRequest()`, then `syncIdentity()`, then `loginUsing()`
+`@holo-js/auth-workos` uses WorkOS/AuthKit as the hosted authentication UI, then syncs the authenticated WorkOS user into your local Holo user model and logs that local user into the normal Holo session.
 
 ## Configuration
 
 ```ts
-import { defineAuthConfig } from '@holo-js/config'
+import { defineAuthConfig, env } from '@holo-js/config'
 
 export default defineAuthConfig({
   workos: {
+    provider: env('AUTH_WORKOS_PROVIDER', 'dashboard'),
     dashboard: {
-      clientId: process.env.WORKOS_CLIENT_ID,
-      apiKey: process.env.WORKOS_API_KEY,
-      cookiePassword: process.env.WORKOS_COOKIE_PASSWORD,
-      redirectUri: 'https://app.example.com/auth/workos/callback',
-      sessionCookie: 'wos-session',
-      guard: 'web',
+      clientId: env('WORKOS_CLIENT_ID'),
+      apiKey: env('WORKOS_API_KEY'),
+      redirectUri: env('WORKOS_REDIRECT_URI'),
     },
   },
 })
 ```
 
-## Easy Holo Way
+`WORKOS_REDIRECT_URI` is the callback route registered in the WorkOS dashboard Redirect URIs list, for example `http://localhost:3000/api/auth/workos/callback`.
 
-This is the normal Holo flow. One call does everything:
+Do not configure a WorkOS cookie password or WorkOS session cookie name. Holo uses the app key for its own encryption needs, hides WorkOS hosted cookie internals, and authenticates the application through the normal Holo session cookie.
 
-- read the WorkOS session from the request
-- verify it
-- find or create the local user
-- link the hosted identity
-- create the local Holo session
+> **Session lifetime**
+>
+> After WorkOS login succeeds, Holo creates its own application session. To avoid users staying logged into Holo after their WorkOS session has already expired, configure the WorkOS session lifetime in the WorkOS dashboard to match your Holo session lifetime.
 
-```ts
-import { authenticate } from '@holo-js/auth-workos'
+## Routes
 
-export async function GET(request: Request) {
-  const result = await authenticate(request, 'dashboard')
+Login redirects the browser to the hosted WorkOS sign-in form:
 
-  if (!result) {
-    return Response.json({ message: 'Unauthenticated.' }, { status: 401 })
-  }
+```ts
+import { loginWithWorkos } from '@holo-js/auth-workos'
 
-  return Response.json({
-    authenticated: true,
-    user: result.user,
-  })
+export async function GET(request: Request) {
+  return await loginWithWorkos(request)
 }
 ```
 
-### What `authenticate()` Returns
+Register redirects the browser to the hosted WorkOS sign-up form:
 
 ```ts
-import { authenticate } from '@holo-js/auth-workos'
-```
-
-`authenticate()` returns:
-
-- `result.user`
-  Your local Holo user model after serialization. This is usually the value your app cares about most.
-- `result.status`
-  What happened during sync: `created`, `updated`, `linked`, or `relinked`.
-- `result.identity`
-  The stored hosted identity link row.
-- `result.session`
-  The verified WorkOS session data, including the hosted session token as `result.session.accessToken`.
-- `result.authSession`
-  The local Holo session that was established for the selected guard.
+import { registerWithWorkos } from '@holo-js/auth-workos'
 
-In practice:
-
-- if you just want the signed-in local user, use `result.user`
-- if you care whether the local user was newly created or reused, check `result.status`
-- if you need hosted WorkOS details, inspect `result.session`
-
-`result.session.accessToken` is the verified WorkOS session token. It is hosted-session state, not a Holo personal
-access token and not a social-provider OAuth token.
-
-## Manual Way
+export async function GET(request: Request) {
+  return await registerWithWorkos(request)
+}
+```
 
-Use the manual flow when you want to control each step yourself.
+The callback completes the WorkOS code exchange, syncs or creates the local user, links the WorkOS identity, and logs the user into Holo:
 
 ```ts
-import { loginUsing } from '@holo-js/auth'
-import { syncIdentity, verifyRequest } from '@holo-js/auth-workos'
+import { completeWorkosAuth } from '@holo-js/auth-workos'
 
 export async function GET(request: Request) {
-  const hosted = await verifyRequest(request, 'dashboard')
+  const result = await completeWorkosAuth(request)
 
-  if (!hosted) {
-    return Response.json({ message: 'Unauthenticated.' }, { status: 401 })
+  if (!result.ok) {
+    return Response.redirect(new URL(`/login?error=${result.code}`, request.url))
   }
 
-  const linked = await syncIdentity(hosted, 'dashboard')
-
-  if (linked.user.email !== 'allowed@app.test') {
-    return Response.json({ message: 'Forbidden.' }, { status: 403 })
-  }
-
-  const authSession = await loginUsing(linked.user)
-
-  return Response.json({
-    authenticated: true,
-    user: linked.user,
-    status: linked.status,
-  })
+  return Response.redirect(new URL('/admin', request.url))
 }
 ```
 
-### What Each Manual Step Returns
+In Nuxt server routes, pass the event directly:
 
-- `verifyRequest(request, 'dashboard')`
-  Returns the verified WorkOS session from the incoming request, or `null` if the request is not authenticated with WorkOS.
-- `syncIdentity(hosted, 'dashboard')`
-  Returns the local-user sync result. This includes `linked.user`, `linked.status`, `linked.identity`, and `linked.session`.
-- `loginUsing(linked.user)`
-  Returns the local Holo session result for your configured guard.
-
-Use the manual flow when you need to:
-
-- inspect the verified WorkOS session before local sign-in
-- run your own authorization checks after identity sync
-- allow WorkOS authentication but delay local login
-- shape the response differently depending on `linked.status`
-
-## Verifying A Token Instead Of A Request
+```ts
+import { completeWorkosAuth } from '@holo-js/auth-workos'
+import { sendRedirect } from 'h3'
 
-If your route already has the WorkOS token, use `verifySession(token, provider)` instead of `verifyRequest(request, provider)`.
+export default defineEventHandler(async (event) => {
+  const result = await completeWorkosAuth(event)
 
-```ts
-import { verifySession } from '@holo-js/auth-workos'
+  if (!result.ok) {
+    return await sendRedirect(event, `/login?error=${result.code}`, 303)
+  }
 
-const hosted = await verifySession(token, 'dashboard')
+  return await sendRedirect(event, '/admin', 303)
+})
 ```
 
-This returns the same kind of hosted WorkOS session object as `verifyRequest()`, but starts from a token string instead of an incoming `Request`.
+Logout clears the local Holo session and returns the hosted WorkOS logout URL. WorkOS redirects to the Sign-out redirect configured in the WorkOS dashboard:
 
-## Logging Out
+```ts
+import { logoutWithWorkos } from '@holo-js/auth-workos'
 
-Keep using the shared auth API:
+export async function POST(request: Request) {
+  const result = await logoutWithWorkos(request)
 
-```ts
-import { logout } from '@holo-js/auth'
+  if (!result.ok) {
+    return Response.json(result, { status: 422 })
+  }
 
-const signedOut = await logout()
+  return Response.redirect(result.url, 303)
+}
 ```
 
-When the guard is mapped to WorkOS, `logout()` clears:
+## Mapping Local Fields
 
-- the local Holo auth session
-- the configured WorkOS session cookie for that guard
+`completeWorkosAuth()` passes a fully typed WorkOS user to the optional mapper. Return any local user attributes you want Holo to save on create, update, or link.
 
-That prevents the next request from silently re-authenticating from the WorkOS cookie alone.
+```ts
+const result = await completeWorkosAuth(request, {
+  user: (workosUser) => ({
+    email: workosUser.email,
+    name: workosUser.name,
+    avatarUrl: workosUser.profilePictureUrl,
+    timezone: workosUser.metadata.timezone,
+    workosOrganizationId: workosUser.organizationId,
+  }),
+})
+```
 
-## Conflict Handling
+The normalized `workosUser` includes `name`, derived from `firstName` and `lastName`, falling back to email. It also exposes WorkOS fields such as `id`, `emailVerified`, `profilePictureUrl`, `organizationId`, `metadata`, and the raw WorkOS payload.
 
-WorkOS sync is intentionally conservative. If a hosted identity conflicts with an existing linked user in a way the
-runtime cannot safely resolve, the flow fails with an explicit error instead of silently reassigning ownership.
+If no mapper is provided, Holo saves `email` and `name` by default. If your mapper omits either field, Holo still fills the missing `email` or `name` before writing the local user.
diff --git a/packages/auth-workos/src/contracts.ts b/packages/auth-workos/src/contracts.ts
index 3179eaa6..5f2f30dc 100644
--- a/packages/auth-workos/src/contracts.ts
+++ b/packages/auth-workos/src/contracts.ts
@@ -1,16 +1,28 @@
-import type { AuthEstablishedSession, AuthUserLike } from '@holo-js/auth'
-import type { AuthWorkosProviderConfig } from '@holo-js/config'
+import type { AuthEstablishedSession, AuthLogoutResult, AuthUserLike } from '@holo-js/auth'
+import type { NormalizedAuthWorkosProviderConfig } from '@holo-js/config'
+
+export type WorkosJsonValue =
+  | string
+  | number
+  | boolean
+  | null
+  | readonly WorkosJsonValue[]
+  | { readonly [key: string]: WorkosJsonValue }
 
 export interface WorkosIdentityProfile {
   readonly id: string
-  readonly email?: string
-  readonly emailVerified?: boolean
+  readonly email: string
+  readonly name: string
+  readonly emailVerified: boolean
   readonly firstName?: string
   readonly lastName?: string
-  readonly name?: string
-  readonly avatar?: string
+  readonly profilePictureUrl?: string
+  readonly externalId?: string
   readonly organizationId?: string
-  readonly raw?: unknown
+  readonly metadata: Readonly<Record<string, WorkosJsonValue>>
+  readonly createdAt?: string
+  readonly updatedAt?: string
+  readonly raw: Readonly<Record<string, WorkosJsonValue>>
 }
 
 export interface WorkosVerifiedSession {
@@ -21,16 +33,52 @@ export interface WorkosVerifiedSession {
   readonly raw?: unknown
 }
 
+export interface WorkosLogoutSession {
+  readonly provider: string
+  readonly sessionId: string
+}
+
+export type WorkosCompleteAuthResult<TUser extends AuthUserLike = AuthUserLike> =
+  | Readonly<{
+    readonly ok: true
+    readonly provider: string
+    readonly guard: string
+    readonly authProvider: string
+    readonly status: WorkosSyncStatus
+    readonly user: TUser
+    readonly identity: HostedIdentityRecord
+    readonly session: WorkosVerifiedSession
+    readonly authSession?: AuthEstablishedSession
+  }>
+  | Readonly<{
+    readonly ok: false
+    readonly code: string
+    readonly message: string
+  }>
+
+export type WorkosLogoutResult =
+  | Readonly<{
+    readonly ok: true
+    readonly url: string
+    readonly local: AuthLogoutResult
+  }>
+  | Readonly<{
+    readonly ok: false
+    readonly code: 'workos_logout_failed' | 'workos_session_missing'
+    readonly message: string
+    readonly local?: AuthLogoutResult
+  }>
+
 export interface WorkosVerifyRequestContext {
   readonly provider: string
   readonly request: Request
-  readonly config: AuthWorkosProviderConfig
+  readonly config: NormalizedAuthWorkosProviderConfig
 }
 
 export interface WorkosVerifySessionContext {
   readonly provider: string
   readonly token: string
-  readonly config: AuthWorkosProviderConfig
+  readonly config: NormalizedAuthWorkosProviderConfig
 }
 
 export interface WorkosProviderRuntime {
@@ -81,6 +129,10 @@ export interface ConfigureWorkosAuthRuntimeOptions {
 }
 
 export interface WorkosAuthFacade {
+  loginWithWorkos(request: Request, options?: { readonly provider?: string }): Promise<Response>
+  registerWithWorkos(request: Request, options?: { readonly provider?: string }): Promise<Response>
+  logoutWithWorkos(request: Request, options?: { readonly provider?: string, readonly returnTo?: string }): Promise<WorkosLogoutResult>
+  completeWorkosAuth(request: Request, options?: { readonly provider?: string }): Promise<WorkosCompleteAuthResult>
   verifyRequest(request: Request, provider?: string): Promise<WorkosVerifiedSession | null>
   verifySession(token: string, provider?: string): Promise<WorkosVerifiedSession | null>
   syncIdentity(session: WorkosVerifiedSession, provider?: string): Promise<WorkosAuthenticationResult>
diff --git a/packages/auth-workos/src/index.ts b/packages/auth-workos/src/index.ts
index 4b3f5ada..333fbf78 100644
--- a/packages/auth-workos/src/index.ts
+++ b/packages/auth-workos/src/index.ts
@@ -1,8 +1,8 @@
 import { createPublicKey, verify as verifySignature } from 'node:crypto'
-import { authRuntimeInternals } from '@holo-js/auth'
+import { authRuntimeInternals, getAuthRuntime } from '@holo-js/auth'
 import type { AuthEstablishedSession, AuthUserLike } from '@holo-js/auth'
 import { parseCookieHeader } from '@holo-js/session'
-import type { AuthWorkosProviderConfig } from '@holo-js/config'
+import type { NormalizedAuthWorkosProviderConfig } from '@holo-js/config'
 export {
   WorkosAuthConflictError,
 } from './contracts'
@@ -13,7 +13,11 @@ export type {
   WorkosAuthBindings,
   WorkosAuthFacade,
   WorkosAuthenticationResult,
+  WorkosCompleteAuthResult,
   WorkosIdentityProfile,
+  WorkosJsonValue,
+  WorkosLogoutResult,
+  WorkosLogoutSession,
   WorkosProviderRuntime,
   WorkosSyncStatus,
   WorkosVerifiedSession,
@@ -26,7 +30,11 @@ import {
   type HostedIdentityRecord,
   type WorkosAuthBindings,
   type WorkosAuthenticationResult,
+  type WorkosCompleteAuthResult,
   type WorkosIdentityProfile,
+  type WorkosJsonValue,
+  type WorkosLogoutResult,
+  type WorkosLogoutSession,
   type WorkosProviderRuntime,
   type WorkosVerifiedSession,
   type WorkosVerifySessionContext,
@@ -38,17 +46,233 @@ type JwkKey = Readonly<Record<string, unknown>> & {
 
 type RuntimeAuthProviderAdapter = ReturnType<typeof authRuntimeInternals.getRuntimeBindings>['providers'][string]
 
-let workosBindings: ConfigureWorkosAuthRuntimeOptions | undefined
+type WorkosUserAttributeValue =
+  | string
+  | number
+  | boolean
+  | Date
+  | null
+  | undefined
+  | readonly WorkosUserAttributeValue[]
+  | { readonly [key: string]: WorkosUserAttributeValue }
+
+type WorkosUserAttributes = Readonly<Record<string, WorkosUserAttributeValue>>
+
+type WorkosDefaultUserAttributes = {
+  readonly email: string
+  readonly name: string
+}
+
+type CompleteWorkosAuthOptions<TUserAttributes extends WorkosUserAttributes = WorkosDefaultUserAttributes> = {
+  readonly provider?: string
+  readonly user?: (workosUser: WorkosIdentityProfile) => TUserAttributes
+}
+
+type WorkosRequestHeaders =
+  | Headers
+  | ReadonlyArray<readonly [string, string]>
+  | Record<string, string | readonly string[] | undefined>
+  | {
+    readonly get?: (name: string) => string | null | undefined
+    readonly forEach?: (callback: (value: string, key: string) => void) => void
+    readonly entries?: () => Iterable<readonly [string, string]>
+  }
+
+type WorkosRequestLike = {
+  readonly method?: string
+  readonly path?: string
+  readonly url?: string | URL
+  readonly headers?: WorkosRequestHeaders
+  readonly request?: Request
+  readonly req?: Request | {
+    readonly method?: string
+    readonly url?: string
+    readonly headers?: WorkosRequestHeaders
+  }
+  readonly node?: {
+    readonly req?: {
+      readonly method?: string
+      readonly url?: string
+      readonly headers?: WorkosRequestHeaders
+    }
+  }
+  readonly web?: {
+    readonly request?: Request
+  }
+}
+
+type WorkosRequestInput = Request | WorkosRequestLike
+
+type SerializedWorkosAuthUser = AuthUserLike & {
+  readonly id: string | number
+}
+
+type WorkosSessionPayload = {
+  readonly guard: string
+  readonly provider: string
+  readonly userId: string | number
+  readonly user: SerializedWorkosAuthUser
+  readonly workos: WorkosLogoutSession
+}
+
+interface WorkosRuntimeState {
+  bindings?: ConfigureWorkosAuthRuntimeOptions
+}
+
+const WORKOS_RUNTIME_STATE_KEY = '__holoJsAuthWorkosRuntime'
 const WORKOS_API_BASE_URL = 'https://api.workos.com'
+const WORKOS_AUTHORIZE_URL = `${WORKOS_API_BASE_URL}/user_management/authorize`
+const WORKOS_AUTHENTICATE_URL = `${WORKOS_API_BASE_URL}/user_management/authenticate`
+const WORKOS_LOGOUT_URL = `${WORKOS_API_BASE_URL}/user_management/sessions/logout`
 const workosDefaultProviderRuntimeCache = new Map<string, WorkosProviderRuntime>()
 const workosJwksCache = new Map<string, Promise<readonly JwkKey[]>>()
 const AUTH_PROVIDER_MARKER = Symbol.for('holo-js.auth.provider')
 
+function getRuntimeState(): WorkosRuntimeState {
+  const runtimeGlobal = globalThis as typeof globalThis & {
+    [WORKOS_RUNTIME_STATE_KEY]?: WorkosRuntimeState
+  }
+  if (!runtimeGlobal[WORKOS_RUNTIME_STATE_KEY]) {
+    Object.defineProperty(runtimeGlobal, WORKOS_RUNTIME_STATE_KEY, {
+      value: {},
+      enumerable: false,
+      configurable: true,
+      writable: true,
+    })
+  }
+
+  return runtimeGlobal[WORKOS_RUNTIME_STATE_KEY]!
+}
+
 function throwUnconfigured(): never {
   throw new Error('[@holo-js/auth-workos] WorkOS auth runtime is not configured yet.')
 }
 
+function isPlainHeaderRecord(value: unknown): value is Record<string, string | readonly string[] | undefined> {
+  return Boolean(value) && typeof value === 'object' && Object.getPrototypeOf(value) === Object.prototype
+}
+
+function appendKnownHeaders(headers: Headers, input: { readonly get?: (name: string) => string | null | undefined }): void {
+  for (const name of ['authorization', 'cookie', 'host', 'x-forwarded-host', 'x-forwarded-proto']) {
+    const value = input.get?.(name)
+    if (typeof value === 'string' && value) {
+      headers.set(name, value)
+    }
+  }
+}
+
+function hasHeaderForEach(input: WorkosRequestHeaders): input is { readonly forEach: (callback: (value: string, key: string) => void) => void } {
+  return !Array.isArray(input) && 'forEach' in input && typeof input.forEach === 'function'
+}
+
+function hasHeaderEntries(input: WorkosRequestHeaders): input is { readonly entries: () => Iterable<readonly [string, string]> } {
+  return !Array.isArray(input) && 'entries' in input && typeof input.entries === 'function'
+}
+
+function hasHeaderGet(input: WorkosRequestHeaders): input is { readonly get: (name: string) => string | null | undefined } {
+  return !Array.isArray(input) && 'get' in input && typeof input.get === 'function'
+}
+
+function normalizeRequestHeaders(input: WorkosRequestHeaders | undefined): Headers {
+  const headers = new Headers()
+  if (!input) {
+    return headers
+  }
+
+  if (input instanceof Headers || Array.isArray(input)) {
+    new Headers(input).forEach((value, name) => headers.append(name, value))
+    return headers
+  }
+
+  if (hasHeaderForEach(input)) {
+    input.forEach((value, name) => headers.append(name, value))
+    return headers
+  }
+
+  if (hasHeaderEntries(input)) {
+    for (const [name, value] of input.entries()) {
+      headers.append(name, value)
+    }
+    return headers
+  }
+
+  if (hasHeaderGet(input)) {
+    appendKnownHeaders(headers, input)
+    return headers
+  }
+
+  if (isPlainHeaderRecord(input)) {
+    for (const [name, value] of Object.entries(input)) {
+      if (typeof value === 'string') {
+        headers.append(name, value)
+        continue
+      }
+
+      if (Array.isArray(value)) {
+        const separator = name.toLowerCase() === 'cookie' ? '; ' : ','
+        const joined = value.filter((entry): entry is string => typeof entry === 'string').join(separator)
+        if (joined) {
+          headers.append(name, joined)
+        }
+      }
+    }
+  }
+
+  return headers
+}
+
+function getRequestFromLikeInput(input: WorkosRequestLike): Request | undefined {
+  return input.request ?? input.web?.request ?? (input.req instanceof Request ? input.req : undefined)
+}
+
+function getRequestLikeHeaders(input: WorkosRequestLike) {
+  return input.headers
+    ?? (typeof input.req === 'object' && !(input.req instanceof Request) ? input.req.headers : undefined)
+    ?? input.node?.req?.headers
+}
+
+function getRequestLikeMethod(input: WorkosRequestLike): string {
+  return input.method
+    ?? (typeof input.req === 'object' && !(input.req instanceof Request) ? input.req.method : undefined)
+    ?? input.node?.req?.method
+    ?? 'GET'
+}
+
+function getRequestLikeUrl(input: WorkosRequestLike, headers: Headers): string {
+  const url = (typeof input.url === 'string' ? input.url : input.url?.toString())
+    ?? (typeof input.req === 'object' && !(input.req instanceof Request) ? input.req.url : undefined)
+    ?? input.node?.req?.url
+    ?? input.path
+    ?? '/'
+
+  try {
+    return new URL(url).toString()
+  } catch {
+    const protocol = headers.get('x-forwarded-proto') ?? 'http'
+    const host = headers.get('x-forwarded-host') ?? headers.get('host') ?? 'localhost'
+    return new URL(url, `${protocol}://${host}`).toString()
+  }
+}
+
+function normalizeWorkosRequest(input: WorkosRequestInput): Request {
+  if (input instanceof Request) {
+    return input
+  }
+
+  const request = getRequestFromLikeInput(input)
+  if (request) {
+    return request
+  }
+
+  const headers = normalizeRequestHeaders(getRequestLikeHeaders(input))
+  return new Request(getRequestLikeUrl(input, headers), {
+    method: getRequestLikeMethod(input),
+    headers,
+  })
+}
+
 function getBindings(): WorkosAuthBindings {
+  const workosBindings = getRuntimeState().bindings
   if (!workosBindings?.identityStore) {
     throwUnconfigured()
   }
@@ -86,6 +310,15 @@ function parseJwt(token: string): {
   }
 }
 
+function getJwtStringClaim(token: string, claim: string): string | undefined {
+  try {
+    const value = parseJwt(token).payload[claim]
+    return typeof value === 'string' && value.trim() ? value : undefined
+  } catch {
+    return undefined
+  }
+}
+
 function verifyJwtSignatureWithJwk(
   token: ReturnType<typeof parseJwt>,
   jwk: JwkKey,
@@ -142,7 +375,7 @@ async function fetchWorkosJwks(clientId: string, options: {
 
 async function verifyWorkosSessionToken(
   token: string,
-  config: AuthWorkosProviderConfig,
+  config: NormalizedAuthWorkosProviderConfig,
 ): Promise<Readonly<Record<string, unknown>>> {
   const clientId = config.clientId?.trim()
   if (!clientId) {
@@ -179,6 +412,40 @@ async function verifyWorkosSessionToken(
   return parsed.payload
 }
 
+function toWorkosJsonValue(value: unknown): WorkosJsonValue | undefined {
+  if (
+    value === null
+    || typeof value === 'string'
+    || typeof value === 'number'
+    || typeof value === 'boolean'
+  ) {
+    return value
+  }
+
+  if (Array.isArray(value)) {
+    return value
+      .map(item => toWorkosJsonValue(item))
+      .filter((item): item is WorkosJsonValue => typeof item !== 'undefined')
+  }
+
+  if (value && typeof value === 'object' && Object.getPrototypeOf(value) === Object.prototype) {
+    return Object.freeze(Object.fromEntries(
+      Object.entries(value)
+        .map(([key, item]) => [key, toWorkosJsonValue(item)] as const)
+        .filter((entry): entry is readonly [string, WorkosJsonValue] => typeof entry[1] !== 'undefined'),
+    ))
+  }
+
+  return undefined
+}
+
+function toWorkosJsonObject(value: unknown): Readonly<Record<string, WorkosJsonValue>> {
+  const normalized = toWorkosJsonValue(value)
+  return normalized && typeof normalized === 'object' && !Array.isArray(normalized)
+    ? normalized as Readonly<Record<string, WorkosJsonValue>>
+    : Object.freeze({})
+}
+
 function normalizeWorkosUserProfile(user: Readonly<Record<string, unknown>>): WorkosIdentityProfile {
   const firstName = typeof user.firstName === 'string'
     ? user.firstName
@@ -192,32 +459,49 @@ function normalizeWorkosUserProfile(user: Readonly<Record<string, unknown>>): Wo
       : undefined
   const name = typeof user.name === 'string'
     ? user.name
-    : [firstName, lastName].filter(Boolean).join(' ').trim() || undefined
+    : [firstName, lastName].filter(Boolean).join(' ').trim()
+  const email = typeof user.email === 'string' ? user.email.trim() : ''
 
   return Object.freeze({
     id: String(user.id ?? ''),
-    email: typeof user.email === 'string' ? user.email : undefined,
+    email,
     emailVerified: user.emailVerified === true || user.email_verified === true,
     firstName,
     lastName,
-    name,
-    avatar: typeof user.profilePictureUrl === 'string'
+    name: name || email || String(user.id ?? ''),
+    profilePictureUrl: typeof user.profilePictureUrl === 'string'
       ? user.profilePictureUrl
       : typeof user.profile_picture_url === 'string'
         ? user.profile_picture_url
         : undefined,
+    externalId: typeof user.externalId === 'string'
+      ? user.externalId
+      : typeof user.external_id === 'string'
+        ? user.external_id
+        : undefined,
     organizationId: typeof user.organizationId === 'string'
       ? user.organizationId
       : typeof user.organization_id === 'string'
         ? user.organization_id
         : undefined,
-    raw: user,
+    metadata: toWorkosJsonObject(user.metadata),
+    createdAt: typeof user.createdAt === 'string'
+      ? user.createdAt
+      : typeof user.created_at === 'string'
+        ? user.created_at
+        : undefined,
+    updatedAt: typeof user.updatedAt === 'string'
+      ? user.updatedAt
+      : typeof user.updated_at === 'string'
+        ? user.updated_at
+        : undefined,
+    raw: toWorkosJsonObject(user),
   })
 }
 
 async function fetchWorkosUserProfile(
   userId: string,
-  config: AuthWorkosProviderConfig,
+  config: NormalizedAuthWorkosProviderConfig,
 ): Promise<WorkosIdentityProfile> {
   const apiKey = config.apiKey?.trim()
   if (!apiKey) {
@@ -237,7 +521,7 @@ async function fetchWorkosUserProfile(
   return normalizeWorkosUserProfile(await response.json() as Readonly<Record<string, unknown>>)
 }
 
-function createDefaultProviderRuntime(providerName: string, config: AuthWorkosProviderConfig): WorkosProviderRuntime {
+function createDefaultProviderRuntime(providerName: string, config: NormalizedAuthWorkosProviderConfig): WorkosProviderRuntime {
   const cacheKey = JSON.stringify([
     providerName,
     config.clientId ?? '',
@@ -287,7 +571,18 @@ function resolveConfiguredProviderName(provider?: string): string {
     return provider.trim()
   }
 
-  const configuredProviders = Object.keys(bindings.config.workos)
+  const configuredDefaultProvider = typeof bindings.config.workos.provider === 'string'
+    ? bindings.config.workos.provider.trim()
+    : ''
+  if (configuredDefaultProvider) {
+    return configuredDefaultProvider
+  }
+
+  const configuredProviders = Object.entries(bindings.config.workos).flatMap(([name, value]) => (
+    name !== 'provider' && typeof value === 'object' && value !== null
+      ? [name]
+      : []
+  ))
   if (configuredProviders.length === 0) {
     return 'default'
   }
@@ -305,18 +600,11 @@ function resolveConfiguredProviderName(provider?: string): string {
 
 function getConfiguredProviderConfig(provider?: string): {
   readonly name: string
-  readonly clientId?: string
-  readonly apiKey?: string
-  readonly cookiePassword?: string
-  readonly redirectUri?: string
-  readonly sessionCookie: string
-  readonly guard?: string
-  readonly mapToProvider?: string
-} {
+} & NormalizedAuthWorkosProviderConfig {
   const providerName = resolveConfiguredProviderName(provider)
   const authBindings = authRuntimeInternals.getRuntimeBindings()
   const configured = authBindings.config.workos[providerName]
-  if (!configured) {
+  if (!configured || typeof configured !== 'object') {
     throw new Error(`[@holo-js/auth-workos] WorkOS provider "${providerName}" is not configured in auth.workos.`)
   }
 
@@ -324,7 +612,6 @@ function getConfiguredProviderConfig(provider?: string): {
     name: providerName,
     clientId: configured.clientId,
     apiKey: configured.apiKey,
-    cookiePassword: configured.cookiePassword,
     redirectUri: configured.redirectUri,
     sessionCookie: configured.sessionCookie,
     guard: configured.guard,
@@ -338,6 +625,59 @@ function getProviderRuntime(provider?: string): WorkosProviderRuntime {
     ?? createDefaultProviderRuntime(providerName, getConfiguredProviderConfig(providerName))
 }
 
+function requireWorkosClientConfig(config: NormalizedAuthWorkosProviderConfig): {
+  readonly clientId: string
+  readonly apiKey: string
+  readonly redirectUri: string
+} {
+  const clientId = config.clientId?.trim()
+  const apiKey = config.apiKey?.trim()
+  const redirectUri = config.redirectUri?.trim()
+  if (!clientId) {
+    throw new Error('[@holo-js/auth-workos] WorkOS AuthKit requires clientId to be configured.')
+  }
+  if (!apiKey) {
+    throw new Error('[@holo-js/auth-workos] WorkOS AuthKit requires apiKey to be configured.')
+  }
+  if (!redirectUri) {
+    throw new Error('[@holo-js/auth-workos] WorkOS AuthKit requires redirectUri to be configured.')
+  }
+
+  return { clientId, apiKey, redirectUri }
+}
+
+function createAuthorizationUrl(config: NormalizedAuthWorkosProviderConfig, screenHint: 'sign-in' | 'sign-up'): string {
+  const { clientId, redirectUri } = requireWorkosClientConfig(config)
+  const url = new URL(WORKOS_AUTHORIZE_URL)
+  url.searchParams.set('provider', 'authkit')
+  url.searchParams.set('response_type', 'code')
+  url.searchParams.set('client_id', clientId)
+  url.searchParams.set('redirect_uri', redirectUri)
+  url.searchParams.set('screen_hint', screenHint)
+
+  return url.toString()
+}
+
+function createLogoutUrl(sessionId: string, request: Request, returnTo?: string): string {
+  const url = new URL(WORKOS_LOGOUT_URL)
+  url.searchParams.set('session_id', sessionId)
+  if (returnTo?.trim()) {
+    url.searchParams.set('return_to', new URL(returnTo, request.url).toString())
+  }
+
+  return url.toString()
+}
+
+function createWorkosErrorResponse(error: unknown, code: string): Response {
+  return Response.json({
+    ok: false,
+    code,
+    message: getErrorMessage(error),
+  } as const, {
+    status: error instanceof WorkosAuthConflictError ? 409 : 422,
+  })
+}
+
 function resolveGuardAndProvider(provider?: string): {
   readonly guard: string
   readonly authProvider: string
@@ -392,6 +732,57 @@ function requireUserRecord(user: unknown, message: string): Record<string, unkno
   return user as Record<string, unknown>
 }
 
+function requireSerializedUser(user: AuthUserLike, message: string): SerializedWorkosAuthUser {
+  if (typeof user.id === 'string' || typeof user.id === 'number') {
+    return user as SerializedWorkosAuthUser
+  }
+
+  throw new Error(message)
+}
+
+function createWorkosSessionPayload(
+  authenticated: Pick<WorkosAuthenticationResult, 'guard' | 'authProvider' | 'provider' | 'user'>,
+  session: WorkosVerifiedSession,
+): WorkosSessionPayload {
+  const user = requireSerializedUser(
+    authenticated.user,
+    '[@holo-js/auth-workos] WorkOS-authenticated local users must expose a serializable id.',
+  )
+
+  return Object.freeze({
+    guard: authenticated.guard,
+    provider: authenticated.authProvider,
+    userId: user.id,
+    user,
+    workos: Object.freeze({
+      provider: authenticated.provider,
+      sessionId: session.sessionId,
+    }),
+  })
+}
+
+function getWorkosLogoutSession(payload: unknown, providerName: string): WorkosLogoutSession | null {
+  if (!payload || typeof payload !== 'object' || !('workos' in payload)) {
+    return null
+  }
+
+  const workos = (payload as { readonly workos?: unknown }).workos
+  if (!workos || typeof workos !== 'object') {
+    return null
+  }
+
+  const provider = (workos as { readonly provider?: unknown }).provider
+  const sessionId = (workos as { readonly sessionId?: unknown }).sessionId
+  if (provider !== providerName || typeof sessionId !== 'string' || !sessionId.trim()) {
+    return null
+  }
+
+  return Object.freeze({
+    provider,
+    sessionId,
+  })
+}
+
 function serializeLocalUser(
   adapter: RuntimeAuthProviderAdapter,
   user: Record<string, unknown>,
@@ -415,17 +806,17 @@ function serializeLocalUser(
   return Object.freeze(result)
 }
 
-function resolveDisplayName(profile: WorkosIdentityProfile): string | undefined {
-  if (profile.name?.trim()) {
+function resolveDisplayName(profile: WorkosIdentityProfile): string {
+  if (typeof profile.name === 'string' && profile.name.trim()) {
     return profile.name.trim()
   }
 
   const fullName = [profile.firstName?.trim(), profile.lastName?.trim()].filter(Boolean).join(' ').trim()
-  return fullName || undefined
+  return fullName || profile.email || profile.id
 }
 
 function resolveEmailForCreation(profile: WorkosIdentityProfile): string {
-  const normalized = profile.email?.trim()
+  const normalized = typeof profile.email === 'string' ? profile.email.trim() : ''
   if (normalized) {
     return normalized
   }
@@ -433,6 +824,44 @@ function resolveEmailForCreation(profile: WorkosIdentityProfile): string {
   return `${profile.id}@workos.hosted.local`
 }
 
+function toAdapterInput(input: WorkosUserAttributes): Readonly<Record<string, unknown>> {
+  return Object.freeze(Object.fromEntries(
+    Object.entries(input).filter((entry) => typeof entry[1] !== 'undefined'),
+  ))
+}
+
+function withRequiredUserFields(input: WorkosUserAttributes, profile: WorkosIdentityProfile): WorkosUserAttributes {
+  return Object.freeze({
+    ...input,
+    email: typeof input.email === 'undefined' ? resolveEmailForCreation(profile) : input.email,
+    name: typeof input.name === 'undefined' ? resolveDisplayName(profile) : input.name,
+  })
+}
+
+function resolveCreateUserInput<TUserAttributes extends WorkosUserAttributes>(
+  profile: WorkosIdentityProfile,
+  mapper?: (workosUser: WorkosIdentityProfile) => TUserAttributes,
+): Readonly<Record<string, unknown>> {
+  return toAdapterInput(withRequiredUserFields({
+    password: null,
+    avatar: profile.profilePictureUrl ?? null,
+    email_verified_at: profile.emailVerified ? new Date() : null,
+    ...(mapper?.(profile) ?? {}),
+  }, profile))
+}
+
+function resolveUpdateUserInput<TUserAttributes extends WorkosUserAttributes>(
+  profile: WorkosIdentityProfile,
+  mapper?: (workosUser: WorkosIdentityProfile) => TUserAttributes,
+): Readonly<Record<string, unknown>> {
+  return toAdapterInput(withRequiredUserFields({
+    email: typeof profile.email === 'string' ? profile.email.trim() || undefined : undefined,
+    avatar: profile.profilePictureUrl,
+    email_verified_at: profile.emailVerified ? new Date() : undefined,
+    ...(mapper?.(profile) ?? {}),
+  }, profile))
+}
+
 function normalizeHostedProfile(profile: WorkosIdentityProfile): Readonly<Record<string, unknown>> {
   return Object.freeze({
     id: profile.id,
@@ -441,7 +870,7 @@ function normalizeHostedProfile(profile: WorkosIdentityProfile): Readonly<Record
     firstName: profile.firstName,
     lastName: profile.lastName,
     name: resolveDisplayName(profile),
-    avatar: profile.avatar,
+    profilePictureUrl: profile.profilePictureUrl,
     organizationId: profile.organizationId,
     raw: profile.raw,
   })
@@ -464,23 +893,11 @@ async function findUserByEmail(
 async function updateLocalUser(
   adapter: RuntimeAuthProviderAdapter,
   user: Record<string, unknown>,
-  input: {
-    readonly name?: string
-    readonly email?: string
-    readonly avatar?: string
-    readonly emailVerified?: boolean
-  },
+  input: Readonly<Record<string, unknown>>,
 ): Promise<{
   readonly user: Record<string, unknown>
   readonly changed: boolean
 }> {
-  const nextInput = {
-    name: input.name,
-    email: input.email,
-    avatar: typeof input.avatar === 'undefined' ? undefined : input.avatar,
-    email_verified_at: input.emailVerified === true ? new Date() : undefined,
-  }
-
   const current = user as {
     name?: string
     email?: string
@@ -488,12 +905,13 @@ async function updateLocalUser(
     email_verified_at?: Date | string | null
   }
 
-  const changed = (
-    (typeof nextInput.name !== 'undefined' && nextInput.name !== current.name)
-    || (typeof nextInput.email !== 'undefined' && nextInput.email !== current.email)
-    || (typeof nextInput.avatar !== 'undefined' && nextInput.avatar !== (current.avatar ?? undefined))
-    || (input.emailVerified === true && !current.email_verified_at)
-  )
+  const changed = Object.entries(input).some(([key, value]) => {
+    if (key === 'email_verified_at') {
+      return value instanceof Date && !current.email_verified_at
+    }
+
+    return !Object.is(value, user[key])
+  })
 
   if (!changed) {
     return { user, changed: false }
@@ -502,7 +920,7 @@ async function updateLocalUser(
   if (adapter.update) {
     return {
       user: requireUserRecord(
-        await adapter.update(user, nextInput),
+        await adapter.update(user, input),
         '[@holo-js/auth-workos] Auth provider updates must return object users.',
       ),
       changed: true,
@@ -520,7 +938,7 @@ async function ensureNoUnexpectedEmailCollision(
   profile: WorkosIdentityProfile,
   currentUserId: string | number,
 ): Promise<void> {
-  const email = profile.email?.trim()
+  const email = typeof profile.email === 'string' ? profile.email.trim() : ''
   if (!email) {
     return
   }
@@ -668,7 +1086,8 @@ export async function verifySession(token: string, provider?: string): Promise<W
   })
 }
 
-export async function verifyRequest(request: Request, provider?: string): Promise<WorkosVerifiedSession | null> {
+export async function verifyRequest(input: WorkosRequestInput, provider?: string): Promise<WorkosVerifiedSession | null> {
+  const request = normalizeWorkosRequest(input)
   const providerConfig = getConfiguredProviderConfig(provider)
   const runtime = getProviderRuntime(providerConfig.name)
 
@@ -688,17 +1107,101 @@ export async function verifyRequest(request: Request, provider?: string): Promis
   return verifySession(token, providerConfig.name)
 }
 
+function getStringField(input: Readonly<Record<string, unknown>>, ...names: readonly string[]): string | undefined {
+  for (const name of names) {
+    const value = input[name]
+    const normalized = typeof value === 'string' ? value.trim() : ''
+    if (normalized) {
+      return normalized
+    }
+  }
+
+  return undefined
+}
+
+function getRecordField(input: Readonly<Record<string, unknown>>, name: string): Readonly<Record<string, unknown>> | undefined {
+  const value = input[name]
+  return value && typeof value === 'object' && !Array.isArray(value)
+    ? value as Readonly<Record<string, unknown>>
+    : undefined
+}
+
+function getRequestIpAddress(request: Request): string | undefined {
+  return request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+    || request.headers.get('x-real-ip')?.trim()
+    || undefined
+}
+
+async function authenticateWorkosCode(
+  request: Request,
+  code: string,
+  config: NormalizedAuthWorkosProviderConfig,
+): Promise<WorkosVerifiedSession> {
+  const { clientId, apiKey } = requireWorkosClientConfig(config)
+  const body = {
+    grant_type: 'authorization_code',
+    client_id: clientId,
+    client_secret: apiKey,
+    code,
+    ip_address: getRequestIpAddress(request),
+    user_agent: request.headers.get('user-agent')?.trim() || undefined,
+  }
+
+  const response = await fetch(WORKOS_AUTHENTICATE_URL, {
+    method: 'POST',
+    headers: {
+      accept: 'application/json',
+      authorization: `Bearer ${apiKey}`,
+      'content-type': 'application/json',
+    },
+    body: JSON.stringify(body),
+  })
+  const payload = await response.json() as Readonly<Record<string, unknown>>
+  if (!response.ok) {
+    const message = getStringField(payload, 'message', 'error_description', 'error')
+      ?? `WorkOS callback authentication failed with status ${response.status}.`
+    throw new Error(message)
+  }
+
+  const user = getRecordField(payload, 'user')
+  if (!user) {
+    throw new Error('[@holo-js/auth-workos] WorkOS callback did not return a user.')
+  }
+
+  const accessToken = getStringField(payload, 'accessToken', 'access_token')
+  const session = getRecordField(payload, 'session')
+  const sessionId = getStringField(session ?? {}, 'id')
+    ?? getStringField(payload, 'sessionId', 'session_id')
+    ?? (accessToken ? getJwtStringClaim(accessToken, 'sid') : undefined)
+    ?? accessToken
+    ?? code
+
+  return Object.freeze({
+    sessionId,
+    identity: normalizeWorkosUserProfile({
+      ...user,
+      organizationId: getStringField(payload, 'organizationId', 'organization_id') ?? user.organizationId ?? user.organization_id,
+    }),
+    accessToken,
+    raw: toWorkosJsonObject(payload),
+  })
+}
+
 export async function syncIdentity(
   session: WorkosVerifiedSession,
   provider?: string,
+  options: {
+    readonly user?: (workosUser: WorkosIdentityProfile) => WorkosUserAttributes
+  } = {},
 ): Promise<WorkosAuthenticationResult> {
   const providerConfig = getConfiguredProviderConfig(provider)
   const providerName = providerConfig.name
   const profile = session.identity
   const { guard, authProvider, adapter } = resolveGuardAndProvider(providerName)
   const verificationRequired = isEmailVerificationRequired()
-  const verifiedEmail = profile.emailVerified === true && profile.email?.trim()
-    ? profile.email.trim()
+  const profileEmail = typeof profile.email === 'string' ? profile.email.trim() : ''
+  const verifiedEmail = profile.emailVerified === true && profileEmail
+    ? profileEmail
     : undefined
 
   if (verificationRequired && !verifiedEmail) {
@@ -724,21 +1227,13 @@ export async function syncIdentity(
       }
 
       if (!linkedUser) {
-        linkedUser = requireUserRecord(await adapter.create({
-          name: resolveDisplayName(profile),
-          email: resolveEmailForCreation(profile),
-          password: null,
-          avatar: profile.avatar ?? null,
-          email_verified_at: profile.emailVerified === true ? new Date() : null,
-        }), '[@holo-js/auth-workos] Auth provider create() must return an object user.')
+        linkedUser = requireUserRecord(
+          await adapter.create(resolveCreateUserInput(profile, options.user)),
+          '[@holo-js/auth-workos] Auth provider create() must return an object user.',
+        )
       }
 
-      const relinked = await updateLocalUser(adapter, linkedUser, {
-        name: resolveDisplayName(profile),
-        email: profile.email?.trim(),
-        avatar: profile.avatar,
-        emailVerified: profile.emailVerified === true,
-      })
+      const relinked = await updateLocalUser(adapter, linkedUser, resolveUpdateUserInput(profile, options.user))
       const relinkedUser = relinked.user
       const identity = createIdentityRecord({
         provider: providerName,
@@ -775,12 +1270,7 @@ export async function syncIdentity(
         '[@holo-js/auth-workos] Linked local users must expose a serializable id.',
       ),
     )
-    const updated = await updateLocalUser(adapter, linkedUser, {
-      name: resolveDisplayName(profile),
-      email: profile.email?.trim(),
-      avatar: profile.avatar,
-      emailVerified: profile.emailVerified === true,
-    })
+    const updated = await updateLocalUser(adapter, linkedUser, resolveUpdateUserInput(profile, options.user))
     const identity = createIdentityRecord({
       provider: providerName,
       guard,
@@ -812,12 +1302,7 @@ export async function syncIdentity(
 
   if (localUser) {
     await assertUserLinkAvailable(providerName, authProvider, adapter, localUser, profile.id)
-    const linked = await updateLocalUser(adapter, localUser, {
-      name: resolveDisplayName(profile),
-      email: profile.email?.trim(),
-      avatar: profile.avatar,
-      emailVerified: profile.emailVerified === true,
-    })
+    const linked = await updateLocalUser(adapter, localUser, resolveUpdateUserInput(profile, options.user))
     const identity = createIdentityRecord({
       provider: providerName,
       guard,
@@ -842,13 +1327,10 @@ export async function syncIdentity(
     })
   }
 
-  localUser = requireUserRecord(await adapter.create({
-    name: resolveDisplayName(profile),
-    email: resolveEmailForCreation(profile),
-    password: null,
-    avatar: profile.avatar ?? null,
-    email_verified_at: profile.emailVerified === true ? new Date() : null,
-  }), '[@holo-js/auth-workos] Auth provider create() must return an object user.')
+  localUser = requireUserRecord(
+    await adapter.create(resolveCreateUserInput(profile, options.user)),
+    '[@holo-js/auth-workos] Auth provider create() must return an object user.',
+  )
   const identity = createIdentityRecord({
     provider: providerName,
     guard,
@@ -873,7 +1355,8 @@ export async function syncIdentity(
   })
 }
 
-export async function authenticate(request: Request, provider?: string): Promise<WorkosAuthenticationResult | null> {
+export async function authenticate(input: WorkosRequestInput, provider?: string): Promise<WorkosAuthenticationResult | null> {
+  const request = normalizeWorkosRequest(input)
   const session = await verifyRequest(request, provider)
   if (!session) {
     return null
@@ -884,6 +1367,7 @@ export async function authenticate(request: Request, provider?: string): Promise
     ?? await authRuntimeInternals.establishSessionForUser(authenticated.user, {
       guard: authenticated.guard,
       provider: authenticated.authProvider,
+      payload: createWorkosSessionPayload(authenticated, session),
     })
   return Object.freeze({
     ...authenticated,
@@ -891,24 +1375,170 @@ export async function authenticate(request: Request, provider?: string): Promise
   })
 }
 
+function getErrorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : 'WorkOS authentication failed.'
+}
+
+export async function loginWithWorkos(
+  _input: WorkosRequestInput,
+  options: {
+    readonly provider?: string
+  } = {},
+): Promise<Response> {
+  try {
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    return Response.redirect(createAuthorizationUrl(providerConfig, 'sign-in'), 302)
+  } catch (error) {
+    return createWorkosErrorResponse(error, 'workos_login_failed')
+  }
+}
+
+export async function registerWithWorkos(
+  _input: WorkosRequestInput,
+  options: {
+    readonly provider?: string
+  } = {},
+): Promise<Response> {
+  try {
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    return Response.redirect(createAuthorizationUrl(providerConfig, 'sign-up'), 302)
+  } catch (error) {
+    return createWorkosErrorResponse(error, 'workos_register_failed')
+  }
+}
+
+async function readCurrentWorkosLogoutSession(guard: string, providerName: string): Promise<WorkosLogoutSession | null> {
+  const bindings = authRuntimeInternals.getRuntimeBindings()
+  const sessionId = bindings.context.getSessionId(guard)
+  if (!sessionId) {
+    return null
+  }
+
+  const record = await bindings.session.read(sessionId)
+  return getWorkosLogoutSession(authRuntimeInternals.readSessionPayload(record, guard), providerName)
+}
+
+export async function logoutWithWorkos(
+  input: WorkosRequestInput,
+  options: {
+    readonly provider?: string
+    readonly returnTo?: string
+  } = {},
+): Promise<WorkosLogoutResult> {
+  const request = normalizeWorkosRequest(input)
+  try {
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    const providerName = providerConfig.name
+    const { guard } = resolveGuardAndProvider(providerName)
+    const requestSessionId = getHoloSessionIdFromRequest(request)
+    if (requestSessionId) {
+      authRuntimeInternals.getRuntimeBindings().context.setSessionId(guard, requestSessionId)
+    }
+    const workosSession = await readCurrentWorkosLogoutSession(guard, providerName)
+    if (!workosSession) {
+      return Object.freeze({
+        ok: false,
+        code: 'workos_session_missing',
+        message: 'The current Holo session was not created by WorkOS.',
+      } as const)
+    }
+
+    const local = await getAuthRuntime().guard(guard).logout()
+    return Object.freeze({
+      ok: true,
+      url: createLogoutUrl(workosSession.sessionId, request, options.returnTo),
+      local,
+    } as const)
+  } catch (error) {
+    return Object.freeze({
+      ok: false,
+      code: 'workos_logout_failed',
+      message: getErrorMessage(error),
+    } as const)
+  }
+}
+
+export async function completeWorkosAuth<TUserAttributes extends WorkosUserAttributes = WorkosDefaultUserAttributes>(
+  input: WorkosRequestInput,
+  options: CompleteWorkosAuthOptions<TUserAttributes> = {},
+): Promise<WorkosCompleteAuthResult> {
+  try {
+    const request = normalizeWorkosRequest(input)
+    const url = new URL(request.url)
+    const callbackError = url.searchParams.get('error')?.trim()
+    if (callbackError) {
+      return Object.freeze({
+        ok: false,
+        code: callbackError,
+        message: url.searchParams.get('error_description')?.trim() || 'WorkOS authentication failed.',
+      } as const)
+    }
+
+    const code = url.searchParams.get('code')?.trim()
+    if (!code) {
+      return Object.freeze({
+        ok: false,
+        code: 'workos_code_required',
+        message: 'WorkOS callback did not include an authorization code.',
+      } as const)
+    }
+
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    const session = await authenticateWorkosCode(request, code, providerConfig)
+    const authenticated = await syncIdentity(session, providerConfig.name, {
+      user: options.user,
+    })
+    const authSession = await authRuntimeInternals.establishSessionForUser(authenticated.user, {
+      guard: authenticated.guard,
+      provider: authenticated.authProvider,
+      payload: createWorkosSessionPayload(authenticated, session),
+    })
+
+    return Object.freeze({
+      ok: true,
+      provider: authenticated.provider,
+      guard: authenticated.guard,
+      authProvider: authenticated.authProvider,
+      status: authenticated.status,
+      user: authenticated.user,
+      identity: authenticated.identity,
+      session,
+      authSession,
+    } as const)
+  } catch (error) {
+    return Object.freeze({
+      ok: false,
+      code: error instanceof WorkosAuthConflictError ? error.code : 'workos_auth_failed',
+      message: getErrorMessage(error),
+    } as const)
+  }
+}
+
 export function configureWorkosAuthRuntime(bindings?: ConfigureWorkosAuthRuntimeOptions): void {
+  const runtimeState = getRuntimeState()
   if (!bindings) {
-    workosBindings = undefined
+    runtimeState.bindings = undefined
     return
   }
 
-  workosBindings = Object.freeze({
-    providers: bindings.providers ?? workosBindings?.providers,
-    identityStore: bindings.identityStore ?? workosBindings?.identityStore,
+  runtimeState.bindings = Object.freeze({
+    providers: bindings.providers ?? runtimeState.bindings?.providers,
+    identityStore: bindings.identityStore ?? runtimeState.bindings?.identityStore,
   })
 }
 
 export function resetWorkosAuthRuntime(): void {
-  workosBindings = undefined
+  getRuntimeState().bindings = undefined
+  workosDefaultProviderRuntimeCache.clear()
+  workosJwksCache.clear()
 }
 
 export const workosAuth = Object.freeze({
   authenticate,
+  completeWorkosAuth,
+  loginWithWorkos,
+  logoutWithWorkos,
+  registerWithWorkos,
   syncIdentity,
   verifyRequest,
   verifySession,
diff --git a/packages/auth-workos/tests/package.test.ts b/packages/auth-workos/tests/package.test.ts
index 8d5fb673..5ea61c37 100644
--- a/packages/auth-workos/tests/package.test.ts
+++ b/packages/auth-workos/tests/package.test.ts
@@ -1,18 +1,27 @@
 import { generateKeyPairSync, sign as signData } from 'node:crypto'
-import { afterEach, describe, expect, it, vi } from 'vitest'
+import { afterEach, describe, expect, expectTypeOf, it, vi } from 'vitest'
 import { configureSessionRuntime, getSessionRuntime, resetSessionRuntime } from '../../session/src/runtime'
 import { authRuntimeInternals, configureAuthRuntime, defineAuthConfig, logout, resetAuthRuntime } from '../../auth/src'
 import type { AuthProviderAdapter } from '../../auth/src'
 import {
   WorkosAuthConflictError,
   authenticate,
+  completeWorkosAuth,
   configureWorkosAuthRuntime,
+  loginWithWorkos,
+  logoutWithWorkos,
   resetWorkosAuthRuntime,
+  registerWithWorkos,
   syncIdentity,
   verifyRequest,
   verifySession,
   workosAuth,
   workosAuthInternals,
+  type WorkosAuthenticationResult,
+  type WorkosAuthFacade,
+  type WorkosCompleteAuthResult,
+  type WorkosJsonValue,
+  type WorkosVerifiedSession,
 } from '../src'
 
 const AUTH_PROVIDER_MARKER = Symbol.for('holo-js.auth.provider')
@@ -33,12 +42,18 @@ type SessionStore = {
   delete(sessionId: string): Promise<void>
 }
 
+type AssertExtends<TValue extends TExpected, TExpected> = true
+type IsOptionalProperty<TRecord, TKey extends keyof TRecord> = Record<never, never> extends Pick<TRecord, TKey>
+  ? true
+  : false
+
 type UserRecord = {
   id: number
   name?: string
   email: string
   password?: string | null
   avatar?: string | null
+  timezone?: string
   email_verified_at?: Date | null
 }
 
@@ -51,13 +66,38 @@ type WorkosSessionFixture = {
     readonly firstName?: string
     readonly lastName?: string
     readonly name?: string
-    readonly avatar?: string
+    readonly profilePictureUrl?: string
     readonly organizationId?: string
-    readonly raw?: unknown
+    readonly metadata?: Readonly<Record<string, WorkosJsonValue>>
+    readonly raw?: Readonly<Record<string, WorkosJsonValue>>
   }
   readonly raw?: unknown
 }
 
+function completeWorkosSessionFixture(session: WorkosSessionFixture | null): WorkosVerifiedSession | null {
+  if (!session) {
+    return null
+  }
+
+  const fullName = [session.identity.firstName, session.identity.lastName].filter(Boolean).join(' ')
+  const name = session.identity.name
+    ?? (fullName || undefined)
+    ?? session.identity.email
+    ?? session.identity.id
+
+  return {
+    ...session,
+    identity: {
+      ...session.identity,
+      email: session.identity.email ?? `${session.identity.id}@app.test`,
+      name,
+      emailVerified: session.identity.emailVerified ?? false,
+      metadata: session.identity.metadata ?? {},
+      raw: session.identity.raw ?? {},
+    },
+  }
+}
+
 class InMemorySessionStore implements SessionStore {
   readonly records = new Map<string, SessionRecord>()
   async read(sessionId: string): Promise<SessionRecord | null> {
@@ -92,6 +132,7 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
     readonly email: string
     readonly password?: string | null
     readonly avatar?: string | null
+    readonly timezone?: string
     readonly email_verified_at?: Date | null
   }): Promise<UserRecord> {
     const created: UserRecord = {
@@ -100,6 +141,7 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
       email: input.email,
       password: input.password,
       avatar: input.avatar,
+      timezone: input.timezone,
       email_verified_at: input.email_verified_at,
     }
     this.nextId += 1
@@ -112,6 +154,7 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
     readonly name?: string
     readonly email?: string
     readonly avatar?: string | null
+    readonly timezone?: string
     readonly email_verified_at?: Date | null
     readonly password?: string | null
   }): Promise<UserRecord> {
@@ -125,6 +168,9 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
     if (typeof input.avatar !== 'undefined') {
       user.avatar = input.avatar
     }
+    if (typeof input.timezone !== 'undefined') {
+      user.timezone = input.timezone
+    }
     if (typeof input.email_verified_at !== 'undefined') {
       user.email_verified_at = input.email_verified_at
     }
@@ -149,6 +195,7 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
       name: user.name,
       email: user.email,
       avatar: user.avatar ?? null,
+      timezone: user.timezone,
       email_verified_at: user.email_verified_at ?? null,
     }
   }
@@ -177,6 +224,7 @@ class SnapshotProviderAdapter implements AuthProviderAdapter<UserRecord> {
     readonly email: string
     readonly password?: string | null
     readonly avatar?: string | null
+    readonly timezone?: string
     readonly email_verified_at?: Date | null
   }): Promise<UserRecord> {
     const created: UserRecord = {
@@ -185,6 +233,7 @@ class SnapshotProviderAdapter implements AuthProviderAdapter<UserRecord> {
       email: input.email,
       password: input.password,
       avatar: input.avatar,
+      timezone: input.timezone,
       email_verified_at: input.email_verified_at,
     }
     this.nextId += 1
@@ -203,6 +252,7 @@ class SnapshotProviderAdapter implements AuthProviderAdapter<UserRecord> {
       name: user.name,
       email: user.email,
       avatar: user.avatar ?? null,
+      timezone: user.timezone,
       email_verified_at: user.email_verified_at ?? null,
     }
   }
@@ -255,6 +305,7 @@ class InMemoryIdentityStore {
 function configureRuntime(options: {
   emailVerificationRequired?: boolean
   workosGuard?: 'web' | 'admin' | 'api'
+  defaultWorkosProvider?: string
   includeWorkosConfig?: boolean
   configureWorkosRuntime?: boolean
 } = {}) {
@@ -311,11 +362,11 @@ function configureRuntime(options: {
       workos: options.includeWorkosConfig === false
         ? undefined
         : {
+            provider: options.defaultWorkosProvider,
             dashboard: {
               clientId: 'workos-client',
               apiKey: 'workos-key',
-              cookiePassword: 'cookie-secret',
-              sessionCookie: 'workos-session',
+              redirectUri: 'https://app.test/api/auth/workos/callback',
               guard: options.workosGuard,
               mapToProvider: options.workosGuard === 'admin' ? 'admins' : undefined,
             },
@@ -337,7 +388,7 @@ function configureRuntime(options: {
       providers: {
         dashboard: {
           async verifySession({ token }) {
-            return sessions.get(token) ?? null
+            return completeWorkosSessionFixture(sessions.get(token) ?? null)
           },
         },
       },
@@ -382,12 +433,50 @@ function createSignedJwt(
   return `${signingInput}.${signature}`
 }
 
+function createUnsignedJwt(payload: Readonly<Record<string, unknown>>): string {
+  return [
+    encodeBase64Url(JSON.stringify({ alg: 'none', typ: 'JWT' })),
+    encodeBase64Url(JSON.stringify(payload)),
+    'signature',
+  ].join('.')
+}
+
 describe('@holo-js/auth-workos', () => {
   it('exports the WorkOS auth facade and helpers', () => {
     expect(workosAuth.authenticate).toBe(authenticate)
+    expect(workosAuth.completeWorkosAuth).toBe(completeWorkosAuth)
+    expect(workosAuth.loginWithWorkos).toBe(loginWithWorkos)
+    expect(workosAuth.logoutWithWorkos).toBe(logoutWithWorkos)
+    expect(workosAuth.registerWithWorkos).toBe(registerWithWorkos)
     expect(workosAuth.verifyRequest).toBe(verifyRequest)
     expect(workosAuth.verifySession).toBe(verifySession)
     expect(typeof workosAuthInternals.resolveEmailForCreation).toBe('function')
+
+    type CompleteWorkosAuthReturn = Awaited<ReturnType<WorkosAuthFacade['completeWorkosAuth']>>
+    type CompleteWorkosAuthSuccess = Extract<CompleteWorkosAuthReturn, { readonly ok: true }>
+    type CompleteWorkosAuthSessionOptional = IsOptionalProperty<CompleteWorkosAuthSuccess, 'authSession'>
+    type WorkosAuthenticationSessionOptional = IsOptionalProperty<WorkosAuthenticationResult, 'authSession'>
+    type _CompleteAuthSessionOptionalityMatches = AssertExtends<
+      CompleteWorkosAuthSessionOptional,
+      WorkosAuthenticationSessionOptional
+    >
+    type _AuthenticationSessionOptionalityMatches = AssertExtends<
+      WorkosAuthenticationSessionOptional,
+      CompleteWorkosAuthSessionOptional
+    >
+
+    expectTypeOf<CompleteWorkosAuthReturn>().toEqualTypeOf<WorkosCompleteAuthResult>()
+    expectTypeOf<CompleteWorkosAuthSuccess['authSession']>().toEqualTypeOf<WorkosAuthenticationResult['authSession']>()
+    expectTypeOf<IsOptionalProperty<CompleteWorkosAuthSuccess, 'authSession'>>()
+      .toEqualTypeOf<IsOptionalProperty<WorkosAuthenticationResult, 'authSession'>>()
+  })
+
+  it('resolves the configured default WorkOS provider', () => {
+    configureRuntime({
+      defaultWorkosProvider: 'dashboard',
+    })
+
+    expect(workosAuthInternals.resolveConfiguredProviderName()).toBe('dashboard')
   })
 
   it('merges partial runtime configuration updates', () => {
@@ -418,6 +507,16 @@ describe('@holo-js/auth-workos', () => {
     })
   })
 
+  it('creates a resettable WorkOS runtime state property', () => {
+    configureRuntime()
+
+    expect(Object.getOwnPropertyDescriptor(globalThis, '__holoJsAuthWorkosRuntime')).toMatchObject({
+      configurable: true,
+      enumerable: false,
+      writable: true,
+    })
+  })
+
   it('uses the built-in verifier when only the identity store is configured', async () => {
     const runtime = configureRuntime({
       configureWorkosRuntime: false,
@@ -480,6 +579,66 @@ describe('@holo-js/auth-workos', () => {
     })
   })
 
+  it('clears built-in WorkOS verifier caches when the runtime is reset', async () => {
+    const runtime = configureRuntime({
+      configureWorkosRuntime: false,
+    })
+    configureWorkosAuthRuntime({
+      identityStore: runtime.identityStore,
+    })
+
+    const { privateKey, publicKey } = generateKeyPairSync('rsa', {
+      modulusLength: 2048,
+    })
+    const token = createSignedJwt({
+      sub: 'user_workos_reset',
+      sid: 'sess_workos_reset',
+      exp: Math.floor(Date.now() / 1000) + 3600,
+    }, privateKey)
+    const publicJwk = publicKey.export({ format: 'jwk' })
+    let jwksRequestCount = 0
+
+    vi.stubGlobal('fetch', async (input: RequestInfo | URL) => {
+      const url = String(input)
+      if (url === 'https://api.workos.com/sso/jwks/workos-client') {
+        jwksRequestCount += 1
+        return new Response(JSON.stringify({
+          keys: [{ ...publicJwk, kid: 'workos-test-key', alg: 'RS256', use: 'sig' }],
+        }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        })
+      }
+
+      if (url === 'https://api.workos.com/user_management/users/user_workos_reset') {
+        return new Response(JSON.stringify({
+          id: 'user_workos_reset',
+          email: 'reset@app.test',
+          email_verified: true,
+        }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        })
+      }
+
+      return new Response(null, { status: 404 })
+    })
+
+    await expect(verifySession(token)).resolves.toMatchObject({
+      sessionId: 'sess_workos_reset',
+    })
+
+    resetWorkosAuthRuntime()
+    configureWorkosAuthRuntime({
+      identityStore: runtime.identityStore,
+    })
+
+    await expect(verifySession(token)).resolves.toMatchObject({
+      sessionId: 'sess_workos_reset',
+    })
+    expect(jwksRequestCount).toBe(2)
+  })
+
   it('rejects built-in WorkOS JWTs before their not-before time', async () => {
     const runtime = configureRuntime({
       configureWorkosRuntime: false,
@@ -535,8 +694,6 @@ describe('@holo-js/auth-workos', () => {
           dashboard: {
             clientId: 'workos-client-future',
             apiKey: 'workos-key',
-            cookiePassword: 'cookie-secret',
-            sessionCookie: 'workos-session',
           },
         },
       }),
@@ -586,8 +743,6 @@ describe('@holo-js/auth-workos', () => {
           dashboard: {
             clientId: 'workos-client-rotate',
             apiKey: 'workos-key',
-            cookiePassword: 'cookie-secret',
-            sessionCookie: 'workos-session',
           },
         },
       }),
@@ -707,7 +862,7 @@ describe('@holo-js/auth-workos', () => {
 
     await expect(verifyRequest(new Request('https://app.test/me', {
       headers: {
-        cookie: 'workos-session=cookie-token',
+        cookie: 'wos-session=cookie-token',
       },
     }))).resolves.toMatchObject({
       sessionId: 'sess_2',
@@ -732,7 +887,7 @@ describe('@holo-js/auth-workos', () => {
         emailVerified: true,
         firstName: 'Create',
         lastName: 'User',
-        avatar: 'https://cdn.test/avatar.png',
+        profilePictureUrl: 'https://cdn.test/avatar.png',
         organizationId: 'org_123',
       },
     })
@@ -773,6 +928,166 @@ describe('@holo-js/auth-workos', () => {
     expect(sessionId).toBeTypeOf('string')
   })
 
+  it('returns hosted AuthKit redirects for login and register', async () => {
+    configureRuntime()
+
+    const login = await loginWithWorkos(new Request('https://app.test/login'))
+    expect(login.status).toBe(302)
+    expect(login.headers.get('location')).toContain('https://api.workos.com/user_management/authorize?')
+    expect(login.headers.get('location')).toContain('provider=authkit')
+    expect(login.headers.get('location')).toContain('screen_hint=sign-in')
+
+    const register = await registerWithWorkos({
+      node: {
+        req: {
+          method: 'GET',
+          url: '/register',
+          headers: {
+            host: 'app.test',
+          },
+        },
+      },
+    })
+    expect(register.status).toBe(302)
+    expect(register.headers.get('location')).toContain('screen_hint=sign-up')
+  })
+
+  it('completes the hosted WorkOS callback with typed user mapping', async () => {
+    const runtime = configureRuntime()
+    const accessToken = createUnsignedJwt({ sid: 'session_workos_callback' })
+    vi.stubGlobal('fetch', async (url: string | URL | Request, init?: RequestInit) => {
+      expect(String(url)).toBe('https://api.workos.com/user_management/authenticate')
+      expect(init?.method).toBe('POST')
+      expect(init?.headers).toMatchObject({
+        authorization: 'Bearer workos-key',
+        'content-type': 'application/json',
+      })
+      expect(JSON.parse(String(init?.body))).toMatchObject({
+        grant_type: 'authorization_code',
+        client_id: 'workos-client',
+        client_secret: 'workos-key',
+        code: 'code_123',
+      })
+
+      return new Response(JSON.stringify({
+        access_token: ` ${accessToken} `,
+        organization_id: 'org_123',
+        user: {
+          id: 'workos_callback',
+          email: ' callback@app.test ',
+          firstName: 'Callback',
+          lastName: 'User',
+          emailVerified: true,
+          profilePictureUrl: 'https://cdn.test/callback.png',
+          metadata: {
+            timezone: 'Africa/Cairo',
+          },
+        },
+      }), {
+        status: 200,
+        headers: {
+          'content-type': 'application/json',
+        },
+      })
+    })
+
+    const result = await completeWorkosAuth(new Request('https://app.test/api/auth/workos/callback?code=code_123'), {
+      user: workosUser => ({
+        email: workosUser.email,
+        name: workosUser.name,
+        avatar: workosUser.profilePictureUrl,
+        timezone: workosUser.metadata.timezone,
+      }),
+    })
+
+    expect(result).toMatchObject({
+      ok: true,
+      provider: 'dashboard',
+      guard: 'web',
+      authProvider: 'users',
+      status: 'created',
+      user: {
+        email: 'callback@app.test',
+        name: 'Callback User',
+        avatar: 'https://cdn.test/callback.png',
+        timezone: 'Africa/Cairo',
+      },
+      identity: {
+        provider: 'dashboard',
+        providerUserId: 'workos_callback',
+        email: 'callback@app.test',
+      },
+      session: {
+        sessionId: 'session_workos_callback',
+        accessToken,
+      },
+    })
+    expect(runtime.usersProvider.users.get(1)).toMatchObject({
+      email: 'callback@app.test',
+      name: 'Callback User',
+      avatar: 'https://cdn.test/callback.png',
+      timezone: 'Africa/Cairo',
+    })
+  })
+
+  it('logs out locally and returns the WorkOS hosted logout URL', async () => {
+    configureRuntime()
+    const accessToken = createUnsignedJwt({ sid: 'session_workos_logout' })
+    vi.stubGlobal('fetch', async () => new Response(JSON.stringify({
+      access_token: accessToken,
+      user: {
+        id: 'workos_logout_callback',
+        email: 'logout-callback@app.test',
+        emailVerified: true,
+      },
+    }), {
+      status: 200,
+      headers: {
+        'content-type': 'application/json',
+      },
+    }))
+
+    const callback = await completeWorkosAuth(new Request('https://app.test/api/auth/workos/callback?code=code_123'))
+    expect(callback.ok).toBe(true)
+    if (!callback.ok || !callback.authSession) {
+      throw new Error('Expected WorkOS callback to establish an auth session.')
+    }
+    const sessionCookie = callback.authSession.cookies[0]?.split(';', 1)[0]
+
+    authRuntimeInternals.getRuntimeBindings().context.setSessionId('web')
+    authRuntimeInternals.getRuntimeBindings().context.setCachedUser('web', null)
+
+    const result = await logoutWithWorkos(new Request('https://app.test/api/auth/workos/logout', {
+      method: 'POST',
+      headers: sessionCookie ? { cookie: sessionCookie } : undefined,
+    }))
+
+    expect(result).toMatchObject({
+      ok: true,
+      url: 'https://api.workos.com/user_management/sessions/logout?session_id=session_workos_logout',
+      local: {
+        guard: 'web',
+      },
+    })
+    expect(result.ok ? result.local.cookies : []).toContainEqual(expect.stringContaining('holo_session=;'))
+  })
+
+  it('returns typed callback failures without combining response behavior', async () => {
+    configureRuntime()
+
+    await expect(completeWorkosAuth(new Request('https://app.test/api/auth/workos/callback'))).resolves.toEqual({
+      ok: false,
+      code: 'workos_code_required',
+      message: 'WorkOS callback did not include an authorization code.',
+    })
+
+    await expect(completeWorkosAuth(new Request('https://app.test/api/auth/workos/callback?error=access_denied&error_description=Denied'))).resolves.toEqual({
+      ok: false,
+      code: 'access_denied',
+      message: 'Denied',
+    })
+  })
+
   it('reuses an existing Holo session when the request already carries the session cookie', async () => {
     const runtime = configureRuntime()
     runtime.sessions.set('repeat-token', {
@@ -834,7 +1149,7 @@ describe('@holo-js/auth-workos', () => {
     const loggedOut = await logout()
 
     expect(loggedOut.cookies).toContainEqual(expect.stringContaining('holo_session=;'))
-    expect(loggedOut.cookies).toContainEqual(expect.stringContaining('workos-session=;'))
+    expect(loggedOut.cookies).toContainEqual(expect.stringContaining('wos-session=;'))
   })
 
   it('updates existing linked users on subsequent WorkOS syncs and relinks missing local rows', async () => {
@@ -863,7 +1178,7 @@ describe('@holo-js/auth-workos', () => {
         email: 'sync@app.test',
         emailVerified: true,
         name: 'Updated Name',
-        avatar: 'https://cdn.test/updated.png',
+        profilePictureUrl: 'https://cdn.test/updated.png',
       },
     })
 
@@ -967,8 +1282,6 @@ describe('@holo-js/auth-workos', () => {
           dashboard: {
             clientId: 'workos-client',
             apiKey: 'workos-key',
-            cookiePassword: 'cookie-secret',
-            sessionCookie: 'workos-session',
           },
         },
       }),
@@ -1010,7 +1323,9 @@ describe('@holo-js/auth-workos', () => {
         email: 'sync@app.test',
         emailVerified: true,
         name: 'Updated Name',
-        avatar: 'https://cdn.test/updated.png',
+        profilePictureUrl: 'https://cdn.test/updated.png',
+        metadata: {},
+        raw: {},
       },
     }, 'dashboard')).rejects.toThrow('must implement update()')
     expect(usersProvider.users.get(1)).toMatchObject({
diff --git a/packages/auth/src/runtime/responseCookies.ts b/packages/auth/src/runtime/responseCookies.ts
index 1dccc31a..b3c885b4 100644
--- a/packages/auth/src/runtime/responseCookies.ts
+++ b/packages/auth/src/runtime/responseCookies.ts
@@ -13,7 +13,7 @@ type HostedProviderConfig = {
 type AuthCookieBindings = {
   readonly config: {
     readonly defaults: { readonly guard: string }
-    readonly workos: Readonly<Record<string, HostedProviderConfig>>
+    readonly workos: Readonly<Record<string, HostedProviderConfig | string | undefined>>
     readonly clerk: Readonly<Record<string, HostedProviderConfig>>
   }
   readonly session: {
@@ -46,7 +46,7 @@ function getHostedSessionCookieNamesForGuard(
   guardName: string,
 ): readonly string[] {
   const names = new Set<string>()
-  for (const provider of Object.values(config.workos)) {
+  for (const provider of Object.values(config.workos).filter(isHostedProviderConfig)) {
     if ((provider.guard ?? config.defaults.guard) === guardName) {
       names.add(provider.sessionCookie)
     }
@@ -60,6 +60,15 @@ function getHostedSessionCookieNamesForGuard(
   return [...names]
 }
 
+function isHostedProviderConfig(value: HostedProviderConfig | string | undefined): value is HostedProviderConfig {
+  return !!(
+    value
+    && typeof value === 'object'
+    && 'sessionCookie' in value
+    && typeof value.sessionCookie === 'string'
+  )
+}
+
 export function buildLogoutCookies(
   bindings: AuthCookieBindings,
   guardName: string,
diff --git a/packages/auth/tests/docs-smoke.test.ts b/packages/auth/tests/docs-smoke.test.ts
index 1979cda1..528a6ac3 100644
--- a/packages/auth/tests/docs-smoke.test.ts
+++ b/packages/auth/tests/docs-smoke.test.ts
@@ -64,8 +64,8 @@ describe('auth documentation smoke checks', () => {
     expect(social).toContain('redirect')
     expect(social).toContain('callback')
     expect(workos).toContain('@holo-js/auth-workos')
-    expect(workos).toContain('verifyRequest')
-    expect(workos).toContain('authenticate')
+    expect(workos).toContain('loginWithWorkos')
+    expect(workos).toContain('completeWorkosAuth')
     expect(clerk).toContain('@holo-js/auth-clerk')
     expect(clerk).toContain('verifyRequest')
     expect(clerk).toContain('authenticate')
diff --git a/packages/auth/tests/package.test.ts b/packages/auth/tests/package.test.ts
index 2393aa74..04e9ee89 100644
--- a/packages/auth/tests/package.test.ts
+++ b/packages/auth/tests/package.test.ts
@@ -3103,7 +3103,6 @@ describe('@holo-js/auth package runtime', () => {
         },
         workos: {
           dashboard: {
-            sessionCookie: 'wos-session',
             guard: 'web',
           },
         },
@@ -3130,6 +3129,35 @@ describe('@holo-js/auth package runtime', () => {
     expect(loggedOut.cookies).toContainEqual(expect.stringContaining('wos-session=;'))
   })
 
+  it('ignores malformed hosted provider cookie configs during logout', async () => {
+    const runtime = configureRuntime()
+    configureAuthRuntime({
+      ...authRuntimeInternals.getRuntimeBindings(),
+      config: {
+        ...authRuntimeInternals.getRuntimeBindings().config,
+        workos: {
+          dashboard: {
+            guard: 'web',
+          },
+        } as never,
+      },
+    })
+
+    const created = await runtime.usersProvider.create({
+      name: 'Ava',
+      email: 'ava@example.com',
+      password: null,
+      email_verified_at: new Date(),
+    })
+
+    await loginUsing(created)
+
+    const loggedOut = await logout()
+
+    expect(loggedOut.cookies).toContainEqual(expect.stringContaining('holo_session=;'))
+    expect(loggedOut.cookies).not.toContainEqual(expect.stringContaining('undefined=;'))
+  })
+
   it('supports logout with legacy session bindings that only expose named cookie helpers', async () => {
     const runtime = configureRuntime()
     const session = getSessionRuntime()
@@ -3241,7 +3269,6 @@ describe('@holo-js/auth package runtime', () => {
         },
         workos: {
           dashboard: {
-            sessionCookie: 'wos-session',
             guard: 'web',
           },
         },
@@ -3620,7 +3647,6 @@ describe('@holo-js/auth package runtime', () => {
         },
         workos: {
           dashboard: {
-            sessionCookie: 'wos-session',
             guard: 'web',
           },
         },
@@ -3664,7 +3690,6 @@ describe('@holo-js/auth package runtime', () => {
         },
         workos: {
           dashboard: {
-            sessionCookie: 'wos-session',
             guard: 'web',
           },
         },
@@ -5332,9 +5357,7 @@ describe('@holo-js/auth package runtime', () => {
           },
         },
         workos: {
-          dashboard: {
-            sessionCookie: 'wos-session',
-          },
+          dashboard: {},
         },
       },
     })
diff --git a/packages/cli/src/project/scaffold/config-renderers.ts b/packages/cli/src/project/scaffold/config-renderers.ts
index fbf1a072..b0f9bbde 100644
--- a/packages/cli/src/project/scaffold/config-renderers.ts
+++ b/packages/cli/src/project/scaffold/config-renderers.ts
@@ -746,7 +746,6 @@ export function renderAuthConfig(
     '  personalAccessTokens: {',
     '    defaultAbilities: [],',
     '  },',
-    `  socialEncryptionKey: ${envValue('AUTH_SOCIAL_ENCRYPTION_KEY')},`,
   ]
 
   if (socialProviders.length > 0) {
@@ -779,12 +778,11 @@ export function renderAuthConfig(
   if (features.workos) {
     lines.push(
       '  workos: {',
+      `    provider: ${envValue('AUTH_WORKOS_PROVIDER', 'dashboard')},`,
       '    dashboard: {',
       `      clientId: ${envValue('WORKOS_CLIENT_ID')},`,
       `      apiKey: ${envValue('WORKOS_API_KEY')},`,
-      `      cookiePassword: ${envValue('WORKOS_COOKIE_PASSWORD')},`,
       `      redirectUri: ${envValue('WORKOS_REDIRECT_URI')},`,
-      `      sessionCookie: ${envValue('WORKOS_SESSION_COOKIE', 'wos-session')},`,
       '    },',
       '  },',
       '  // Add a dedicated guard and provider if WorkOS users should resolve through a different model.',
diff --git a/packages/cli/src/project/scaffold/dependencies.ts b/packages/cli/src/project/scaffold/dependencies.ts
index 532490ac..1b9ff150 100644
--- a/packages/cli/src/project/scaffold/dependencies.ts
+++ b/packages/cli/src/project/scaffold/dependencies.ts
@@ -209,7 +209,9 @@ function authConfigUsesSocialProviders(
 function authConfigUsesWorkosProviders(
   loaded: Awaited<ReturnType<typeof loadConfigDirectory>>,
 ): boolean {
-  return Object.keys(loaded.auth.workos).length > 0
+  return Object.entries(loaded.auth.workos).some(([name, provider]) => (
+    name !== 'provider' && typeof provider === 'object' && provider !== null
+  ))
 }
 
 function authConfigUsesClerkProviders(
diff --git a/packages/cli/src/project/scaffold/project-renderers.ts b/packages/cli/src/project/scaffold/project-renderers.ts
index f9822019..37ddecab 100644
--- a/packages/cli/src/project/scaffold/project-renderers.ts
+++ b/packages/cli/src/project/scaffold/project-renderers.ts
@@ -28,7 +28,6 @@ export function renderAuthEnvFiles(
       ? ['google']
       : []
   const env = [
-    'AUTH_SOCIAL_ENCRYPTION_KEY=',
     'AUTH_EMAIL_VERIFICATION_ROUTE=/verify-email',
     'AUTH_PASSWORD_RESET_ROUTE=/reset-password',
     'SESSION_DRIVER=file',
@@ -54,11 +53,10 @@ export function renderAuthEnvFiles(
 
   if (features.workos) {
     env.push(
+      'AUTH_WORKOS_PROVIDER=dashboard',
       'WORKOS_CLIENT_ID=',
       'WORKOS_API_KEY=',
-      'WORKOS_COOKIE_PASSWORD=',
       'WORKOS_REDIRECT_URI=',
-      'WORKOS_SESSION_COOKIE=wos-session',
     )
   }
 
diff --git a/packages/cli/tests/cli.test.ts b/packages/cli/tests/cli.test.ts
index 265f5366..af2eeb3b 100644
--- a/packages/cli/tests/cli.test.ts
+++ b/packages/cli/tests/cli.test.ts
@@ -1146,10 +1146,10 @@ export default {
       workos: true,
       clerk: true,
     })
-    expect(projectInternals.renderAuthConfig()).toContain('socialEncryptionKey: env(\'AUTH_SOCIAL_ENCRYPTION_KEY\')')
+    expect(projectInternals.renderAuthConfig()).not.toContain('AUTH_SOCIAL_ENCRYPTION_KEY')
     expect(projectInternals.renderAuthConfig()).not.toContain('currentUserEndpoint')
     expect(projectInternals.renderAuthEnvFiles({ socialProviders: ['linkedin'] }).env).toContain('AUTH_LINKEDIN_CLIENT_ID=')
-    expect(projectInternals.renderAuthEnvFiles().env).toContain('AUTH_SOCIAL_ENCRYPTION_KEY=')
+    expect(projectInternals.renderAuthEnvFiles().env).not.toContain('AUTH_SOCIAL_ENCRYPTION_KEY=')
     expect(projectInternals.renderAuthEnvFiles().env).not.toContain('AUTH_CURRENT_USER_ENDPOINT=/api/auth/user')
     expect(projectInternals.renderAuthEnvFiles({}, 'primary').env).toContain('SESSION_CONNECTION=primary')
     expect(projectInternals.renderAuthEnvFiles().env).toContain('SESSION_DRIVER=file')
diff --git a/packages/config/src/defaults.ts b/packages/config/src/defaults.ts
index cfa0f62f..c9dde813 100644
--- a/packages/config/src/defaults.ts
+++ b/packages/config/src/defaults.ts
@@ -8,6 +8,7 @@ import type {
   AuthPasswordBrokerConfig,
   AuthProviderConfig,
   AuthSocialProviderConfig,
+  HoloAuthWorkosConfig,
   AuthWorkosProviderConfig,
   BaseBroadcastConnectionConfig,
   BroadcastConnectionOptionsConfig,
@@ -34,6 +35,7 @@ import type {
   NormalizedAuthPasswordBrokerConfig,
   NormalizedAuthProviderConfig,
   NormalizedAuthSocialProviderConfig,
+  NormalizedHoloAuthWorkosConfig,
   NormalizedAuthWorkosProviderConfig,
   NormalizedBroadcastConnectionOptionsConfig,
   NormalizedBroadcastWorkerConfig,
@@ -1467,15 +1469,74 @@ function normalizeWorkosProvider(
     name,
     clientId: config.clientId?.trim() || undefined,
     apiKey: config.apiKey?.trim() || undefined,
-    cookiePassword: config.cookiePassword?.trim() || undefined,
     redirectUri: config.redirectUri?.trim() || undefined,
-    sessionCookie: config.sessionCookie?.trim() || DEFAULT_WORKOS_SESSION_COOKIE,
+    sessionCookie: DEFAULT_WORKOS_SESSION_COOKIE,
     guard,
     mapToProvider,
   })
   /* v8 ignore stop */
 }
 
+function isWorkosProviderConfig(value: AuthWorkosProviderConfig | string | undefined): value is AuthWorkosProviderConfig {
+  return typeof value === 'object' && value !== null
+}
+
+function getWorkosProviderEntries(
+  config: HoloAuthWorkosConfig | undefined,
+): readonly (readonly [string, AuthWorkosProviderConfig])[] {
+  if (!config) {
+    return Object.freeze([])
+  }
+
+  const entries: [string, AuthWorkosProviderConfig][] = []
+  for (const [name, value] of Object.entries(config)) {
+    if (name === 'provider') {
+      if (typeof value !== 'undefined' && typeof value !== 'string') {
+        throw new Error('[Holo Auth] WorkOS provider key "provider" is reserved for the default provider name.')
+      }
+      continue
+    }
+    if (!isWorkosProviderConfig(value)) {
+      throw new Error(`[Holo Auth] WorkOS provider "${name}" must be an object.`)
+    }
+    entries.push([name, value])
+  }
+
+  return Object.freeze(entries)
+}
+
+function normalizeWorkosConfig(
+  config: HoloAuthWorkosConfig | undefined,
+  guards: Readonly<Record<string, NormalizedAuthGuardConfig>>,
+  providers: Readonly<Record<string, NormalizedAuthProviderConfig>>,
+): NormalizedHoloAuthWorkosConfig {
+  const providerEntries = getWorkosProviderEntries(config)
+  const provider = typeof config?.provider === 'string' ? config.provider.trim() || undefined : undefined
+  if (providerEntries.length === 0) {
+    if (provider) {
+      throw new Error(`[Holo Auth] WorkOS provider "${provider}" is not configured.`)
+    }
+
+    return holoAuthDefaults.workos
+  }
+
+  const normalizedEntries = providerEntries.map(([name, providerConfig]) => {
+    const normalizedName = normalizeConnectionName(name, 'Auth WorkOS provider name')
+    return [normalizedName, providerConfig] as const
+  })
+  if (provider && !normalizedEntries.some(([name]) => name === provider)) {
+    throw new Error(`[Holo Auth] WorkOS provider "${provider}" is not configured.`)
+  }
+
+  return Object.freeze({
+    ...(typeof provider === 'undefined' ? {} : { provider }),
+    ...Object.fromEntries(normalizedEntries.map(([name, providerConfig]) => [
+      name,
+      normalizeWorkosProvider(name, providerConfig, guards, providers),
+    ])),
+  })
+}
+
 function normalizeClerkProvider(
   name: string,
   config: AuthClerkProviderConfig,
@@ -1510,6 +1571,9 @@ function normalizeClerkProvider(
 
 export function normalizeAuthConfig(
   config: HoloAuthConfig = {},
+  _options: {
+    readonly appKey?: string
+  } = {},
 ): NormalizedHoloAuthConfig {
   const providers = !config.providers || Object.keys(config.providers).length === 0
     ? holoAuthDefaults.providers
@@ -1561,12 +1625,7 @@ export function normalizeAuthConfig(
       return [normalizedName, normalizeSocialProvider(normalizedName, provider, guards, providers)]
     })))
 
-  const workos = !config.workos || Object.keys(config.workos).length === 0
-    ? holoAuthDefaults.workos
-    : Object.freeze(Object.fromEntries(Object.entries(config.workos).map(([name, provider]) => {
-      const normalizedName = normalizeConnectionName(name, 'Auth WorkOS provider name')
-      return [normalizedName, normalizeWorkosProvider(normalizedName, provider, guards, providers)]
-    })))
+  const workos = normalizeWorkosConfig(config.workos, guards, providers)
 
   const clerk = !config.clerk || Object.keys(config.clerk).length === 0
     ? holoAuthDefaults.clerk
@@ -1594,7 +1653,7 @@ export function normalizeAuthConfig(
     personalAccessTokens: Object.freeze({
       defaultAbilities: Object.freeze([...(config.personalAccessTokens?.defaultAbilities ?? [])]),
     }),
-    socialEncryptionKey: config.socialEncryptionKey?.trim() || undefined,
+    socialEncryptionKey: config.socialEncryptionKey?.trim() || _options.appKey?.trim() || undefined,
     social,
     workos,
     clerk,
diff --git a/packages/config/src/loader.ts b/packages/config/src/loader.ts
index 8b37fbff..e5dd3060 100644
--- a/packages/config/src/loader.ts
+++ b/packages/config/src/loader.ts
@@ -267,7 +267,9 @@ function normalizeLoadedConfig<TCustom extends HoloConfigMap = HoloConfigMap>(
   const media = Object.freeze({ ...((resolvedRawConfig.media as HoloMediaConfig | undefined) ?? {}) })
   const session = normalizeSessionConfig(resolvedRawConfig.session as HoloSessionConfig | undefined, resolvedRedisConfig)
   const security = normalizeSecurityConfig(resolvedRawConfig.security as HoloSecurityConfig | undefined, resolvedRedisConfig)
-  const auth = normalizeAuthConfig(resolvedRawConfig.auth as HoloAuthConfig | undefined)
+  const auth = normalizeAuthConfig(resolvedRawConfig.auth as HoloAuthConfig | undefined, {
+    appKey: app.key,
+  })
 
   const customEntries = Object.entries(resolvedRawConfig).filter(([key]) => {
     return key !== 'app'
diff --git a/packages/config/src/types.ts b/packages/config/src/types.ts
index 431a034a..f6823662 100644
--- a/packages/config/src/types.ts
+++ b/packages/config/src/types.ts
@@ -620,13 +620,16 @@ export interface AuthSocialProviderConfig {
 export interface AuthWorkosProviderConfig {
   readonly clientId?: string
   readonly apiKey?: string
-  readonly cookiePassword?: string
   readonly redirectUri?: string
-  readonly sessionCookie?: string
   readonly guard?: string
   readonly mapToProvider?: string
 }
 
+export interface HoloAuthWorkosConfig {
+  readonly provider?: string
+  readonly [provider: string]: AuthWorkosProviderConfig | string | undefined
+}
+
 export interface AuthClerkProviderConfig {
   readonly publishableKey?: string
   readonly secretKey?: string
@@ -651,7 +654,7 @@ export interface HoloAuthConfig {
   readonly personalAccessTokens?: AuthPersonalAccessTokenConfig
   readonly socialEncryptionKey?: string
   readonly social?: Readonly<Record<string, AuthSocialProviderConfig>>
-  readonly workos?: Readonly<Record<string, AuthWorkosProviderConfig>>
+  readonly workos?: HoloAuthWorkosConfig
   readonly clerk?: Readonly<Record<string, AuthClerkProviderConfig>>
 }
 
@@ -692,13 +695,17 @@ export interface NormalizedAuthWorkosProviderConfig {
   readonly name: string
   readonly clientId?: string
   readonly apiKey?: string
-  readonly cookiePassword?: string
   readonly redirectUri?: string
   readonly sessionCookie: string
   readonly guard?: string
   readonly mapToProvider?: string
 }
 
+export interface NormalizedHoloAuthWorkosConfig {
+  readonly provider?: string
+  readonly [provider: string]: NormalizedAuthWorkosProviderConfig | string | undefined
+}
+
 export interface NormalizedAuthClerkProviderConfig {
   readonly name: string
   readonly publishableKey?: string
@@ -729,7 +736,7 @@ export interface NormalizedHoloAuthConfig {
   }
   readonly socialEncryptionKey?: string
   readonly social: Readonly<Record<string, NormalizedAuthSocialProviderConfig>>
-  readonly workos: Readonly<Record<string, NormalizedAuthWorkosProviderConfig>>
+  readonly workos: NormalizedHoloAuthWorkosConfig
   readonly clerk: Readonly<Record<string, NormalizedAuthClerkProviderConfig>>
 }
 
diff --git a/packages/config/tests/config.test.ts b/packages/config/tests/config.test.ts
index 5d746229..94c7b906 100644
--- a/packages/config/tests/config.test.ts
+++ b/packages/config/tests/config.test.ts
@@ -2575,12 +2575,11 @@ export default defineConfig({
         },
       },
       workos: {
+        provider: ' dashboard ',
         dashboard: {
           clientId: ' workos-client ',
           apiKey: ' workos-key ',
-          cookiePassword: ' cookie-secret ',
           redirectUri: ' https://app.test/auth/workos/callback ',
-          sessionCookie: ' workos-session ',
           guard: 'admin',
           mapToProvider: 'admins',
         },
@@ -2652,13 +2651,13 @@ export default defineConfig({
         },
       },
       workos: {
+        provider: 'dashboard',
         dashboard: {
           name: 'dashboard',
           clientId: 'workos-client',
           apiKey: 'workos-key',
-          cookiePassword: 'cookie-secret',
           redirectUri: 'https://app.test/auth/workos/callback',
-          sessionCookie: 'workos-session',
+          sessionCookie: 'wos-session',
           guard: 'admin',
           mapToProvider: 'admins',
         },
@@ -2764,6 +2763,34 @@ export default defineConfig({
         },
       },
     })).toThrow('references unknown provider "admins"')
+    expect(() => normalizeAuthConfig({
+      workos: {
+        provider: 'missing',
+        dashboard: {},
+      },
+    })).toThrow('WorkOS provider "missing" is not configured')
+    expect(() => normalizeAuthConfig({
+      workos: {
+        provider: 'dashboard',
+      },
+    })).toThrow('WorkOS provider "dashboard" is not configured')
+    expect(normalizeAuthConfig({
+      workos: {
+        provider: '   ',
+      },
+    }).workos).toEqual(normalizeAuthConfig().workos)
+    expect(() => normalizeAuthConfig({
+      workos: {
+        provider: {
+          clientId: 'workos-client',
+        },
+      } as never,
+    })).toThrow('WorkOS provider key "provider" is reserved for the default provider name')
+    expect(() => normalizeAuthConfig({
+      workos: {
+        dashboard: 'invalid' as never,
+      },
+    })).toThrow('WorkOS provider "dashboard" must be an object')
     expect(() => normalizeAuthConfig({
       workos: {
         dashboard: {
@@ -2966,9 +2993,7 @@ export default defineConfig({
         dashboard: {
           clientId: ' client ',
           apiKey: ' api ',
-          cookiePassword: ' cookie ',
           redirectUri: ' https://example.com/workos ',
-          sessionCookie: ' custom-workos ',
         },
       },
       clerk: {
@@ -3013,9 +3038,8 @@ export default defineConfig({
         dashboard: {
           clientId: 'client',
           apiKey: 'api',
-          cookiePassword: 'cookie',
           redirectUri: 'https://example.com/workos',
-          sessionCookie: 'custom-workos',
+          sessionCookie: 'wos-session',
         },
       },
       clerk: {
@@ -3054,7 +3078,6 @@ export default defineConfig({
         dashboard: {
           clientId: undefined,
           apiKey: undefined,
-          cookiePassword: undefined,
           redirectUri: undefined,
           sessionCookie: 'wos-session',
         },
@@ -3071,6 +3094,21 @@ export default defineConfig({
         },
       },
     })
+    const normalizedWithAppKey = normalizeAuthConfig({
+      workos: {
+        dashboard: {},
+      },
+    }, {
+      appKey: ' app-secret ',
+    })
+    expect(normalizedWithAppKey).toMatchObject({
+      workos: {
+        dashboard: {
+          sessionCookie: 'wos-session',
+        },
+      },
+    })
+    expect(normalizedWithAppKey.workos.dashboard).not.toHaveProperty('cookiePassword')
   })
 
   it('refreshes the config cache when config source files change', async () => {
diff --git a/packages/config/tests/config.type.test.ts b/packages/config/tests/config.type.test.ts
index 8ea44299..faaccce6 100644
--- a/packages/config/tests/config.type.test.ts
+++ b/packages/config/tests/config.type.test.ts
@@ -117,9 +117,9 @@ describe('@holo-js/config typing', () => {
         },
       },
       workos: {
+        provider: 'dashboard',
         dashboard: {
           clientId: 'workos-client',
-          sessionCookie: 'workos-session',
           guard: 'web',
         },
       },
@@ -159,7 +159,6 @@ describe('@holo-js/config typing', () => {
     const csrfField: string = accessors.useConfig('security.csrf.field')
     const authDefaultGuard: string = accessors.useConfig('auth.defaults.guard')
     const socialRedirectUri = accessors.useConfig('auth.social.google.redirectUri') as string | undefined
-    const workosSessionCookie = accessors.useConfig('auth.workos.dashboard.sessionCookie') as string | undefined
     const clerkSessionCookie = accessors.useConfig('auth.clerk.admin.sessionCookie') as string | undefined
     const nestedPath: DotPath<{
       app: HoloConfigRegistry['app']
@@ -195,7 +194,6 @@ describe('@holo-js/config typing', () => {
     void csrfField
     void authDefaultGuard
     void socialRedirectUri
-    void workosSessionCookie
     void clerkSessionCookie
     void nestedPath
     void queueDefault
diff --git a/packages/core/src/portable/holo.ts b/packages/core/src/portable/holo.ts
index f6d0ade2..f1da2522 100644
--- a/packages/core/src/portable/holo.ts
+++ b/packages/core/src/portable/holo.ts
@@ -1137,7 +1137,9 @@ function authConfigUsesSocialProviders<TCustom extends HoloConfigMap>(
 function authConfigUsesWorkosProviders<TCustom extends HoloConfigMap>(
   loadedConfig: LoadedHoloConfig<TCustom>,
 ): boolean {
-  return Object.keys(loadedConfig.auth.workos).length > 0
+  return Object.entries(loadedConfig.auth.workos).some(([name, provider]) => (
+    name !== 'provider' && typeof provider === 'object' && provider !== null
+  ))
 }
 
 function authConfigUsesClerkProviders<TCustom extends HoloConfigMap>(
diff --git a/packages/core/tests/auth-runtime.test.ts b/packages/core/tests/auth-runtime.test.ts
index 8beeeb2b..7be24be3 100644
--- a/packages/core/tests/auth-runtime.test.ts
+++ b/packages/core/tests/auth-runtime.test.ts
@@ -48,6 +48,7 @@ async function createProject(options: {
   social?: boolean
   socialEncryptionKey?: string
   workos?: boolean
+  workosProviderName?: string
   clerk?: boolean
 } = {}): Promise<string> {
   const root = await mkdtemp(join(tmpdir(), 'holo-core-auth-'))
@@ -59,6 +60,7 @@ import { defineAppConfig } from ${configEntry}
 
 export default defineAppConfig({
   name: 'Core Auth App',
+  key: 'core-auth-app-key',
   env: 'development',
   paths: {
     models: 'server/models',
@@ -136,7 +138,7 @@ export default defineAuthConfig({
     },
   },` : ''}
   ${options.workos ? `workos: {
-    dashboard: {
+    ${options.workosProviderName ?? 'dashboard'}: {
       clientId: 'client',
     },
   },` : ''}
@@ -1962,11 +1964,10 @@ export default undefined
     tableSpy.mockRestore()
   })
 
-  it('passes the social token encryption key into the configured social runtime', async () => {
+  it('passes the app key into the configured social runtime', async () => {
     const root = await createProject({
       auth: true,
       social: true,
-      socialEncryptionKey: 'phase-6-encryption-key',
     })
     const runtime = await createHolo(root, {
       processEnv: process.env,
@@ -1976,7 +1977,7 @@ export default undefined
     await runtime.initialize()
 
     const socialModule = await import('@holo-js/auth-social')
-    expect(socialModule.socialAuthInternals.getBindings().encryptionKey).toBe('phase-6-encryption-key')
+    expect(socialModule.socialAuthInternals.getBindings().encryptionKey).toBe('core-auth-app-key')
   })
 
   it('covers auth provider adapter credential branches for empty credentials, query builders, and partial where chains', async () => {
@@ -2480,6 +2481,30 @@ export default {
     await expect(clerkRuntime.initialize()).rejects.toThrow('Clerk auth config requires @holo-js/auth-clerk to be installed')
   })
 
+  it('detects WorkOS config when the provider is named defaultProvider', async () => {
+    const workosRoot = await createProject({
+      auth: true,
+      workos: true,
+      workosProviderName: 'defaultProvider',
+    })
+    const original = holoRuntimeInternals.moduleInternals.importOptionalModule
+    vi.spyOn(holoRuntimeInternals.moduleInternals, 'importOptionalModule')
+      .mockImplementation(async (specifier: string) => {
+        if (specifier === '@holo-js/auth-workos') {
+          return undefined
+        }
+
+        return original(specifier)
+      })
+
+    const workosRuntime = await createHolo(workosRoot, {
+      processEnv: process.env,
+      preferCache: false,
+    })
+
+    await expect(workosRuntime.initialize()).rejects.toThrow('WorkOS auth config requires @holo-js/auth-workos to be installed')
+  })
+
   it('boots when hosted auth packages are installed and lets apps configure verifier runtimes separately', async () => {
     const workosRoot = await createProject({
       auth: true,
diff --git a/tests/example-app-auth-flow.mjs b/tests/example-app-auth-flow.mjs
index 5eeb00fb..4068c3ca 100644
--- a/tests/example-app-auth-flow.mjs
+++ b/tests/example-app-auth-flow.mjs
@@ -238,12 +238,14 @@ export async function assertExampleAppAuthFlow({
   if (checkPages) {
     const registerPage = await fetchAuthText('/register')
     assert.match(registerPage.text, /Create account/i)
+    assert.match(registerPage.text, /Register with WorkOS/i)
     assertGuestNav(registerPage.text)
 
     const loginPage = await fetchAuthText('/login')
     assert.match(loginPage.text, /Sign in/i)
     assert.match(loginPage.text, /Continue with Google/i)
     assert.match(loginPage.text, /Continue with GitHub/i)
+    assert.match(loginPage.text, /Continue with WorkOS/i)
     assertGuestNav(loginPage.text)
 
     const forgotPasswordPage = await fetchAuthText('/forgot-password')
@@ -288,6 +290,17 @@ export async function assertExampleAppAuthFlow({
   assert.equal(missingGithubCallback.response.status, 400)
   assert.equal(missingGithubCallback.json.message, 'Missing OAuth state or code.')
 
+  const missingWorkosCallback = await fetchAuthText('/api/auth/workos/callback', {
+    allowFailure: true,
+  })
+  assertRedirectsTo(missingWorkosCallback, '/login')
+  const missingWorkosCallbackLocation = missingWorkosCallback.response.headers.get('location')
+  assert.ok(missingWorkosCallbackLocation, 'Expected WorkOS callback redirect to include a location header.')
+  assert.ok(
+    new URL(missingWorkosCallbackLocation, missingWorkosCallback.response.url).searchParams.has('error'),
+    'Expected WorkOS callback redirect to include an error query parameter.',
+  )
+
   const badCredentials = await fetchAuthJson('/api/login', {
     fields: {
       email,