workos · atainter · Sep 18, 2025 · Sep 17, 2025 · nholden · Sep 17, 2025
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 node_modules
 dist
 coverage/
+.idea
diff --git a/src/auth.spec.ts b/src/auth.spec.ts
@@ -108,6 +108,7 @@ describe('auth', () => {
       accessToken: 'new-access-token',
       organizationId: 'org_123456' as string | undefined,
       role: 'admin' as string | undefined,
+      roles: ['admin'] as string[] | undefined,
       permissions: ['read', 'write'] as string[] | undefined,
       entitlements: ['premium'] as string[] | undefined,
       featureFlags: ['flag-1', 'flag-2'] as string[] | undefined,
@@ -339,6 +340,7 @@ describe('auth', () => {
         sessionId: 'session-123',
         organizationId: 'org-456',
         role: 'admin',
+        roles: ['admin'],
         permissions: ['read', 'write'],
         entitlements: ['feature-1', 'feature-2'],
         featureFlags: ['flag-1', 'flag-2'],
@@ -361,6 +363,7 @@ describe('auth', () => {
         sessionId: mockClaims.sessionId,
         organizationId: mockClaims.organizationId,
         role: mockClaims.role,
+        roles: mockClaims.roles,
         permissions: mockClaims.permissions,
         entitlements: mockClaims.entitlements,
         featureFlags: mockClaims.featureFlags,
@@ -395,6 +398,7 @@ describe('auth', () => {
         sessionId: 'session-123',
         organizationId: 'org-456',
         role: 'admin',
+        roles: ['admin'],
         permissions: ['read', 'write'],
         entitlements: ['feature-1', 'feature-2'],
         featureFlags: ['flag-1', 'flag-2'],

diff --git a/src/auth.ts b/src/auth.ts
@@ -51,6 +51,7 @@ export async function withAuth(args: LoaderFunctionArgs): Promise<UserInfo | NoU
     entitlements,
     featureFlags,
     role,
+    roles,
     exp = 0,
   } = getClaimsFromAccessToken(session.accessToken);
 
@@ -70,6 +71,7 @@ export async function withAuth(args: LoaderFunctionArgs): Promise<UserInfo | NoU
     sessionId,
     organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     featureFlags,

diff --git a/src/interfaces.ts b/src/interfaces.ts
@@ -55,6 +55,7 @@ export interface AccessToken {
   sid: string;
   org_id?: string;
   role?: string;
+  roles?: string[];
   permissions?: string[];
   entitlements?: string[];
   feature_flags?: string[];
@@ -65,6 +66,7 @@ export interface UserInfo {
   sessionId: string;
   organizationId?: string;
   role?: string;
+  roles?: string[];
   permissions?: string[];
   entitlements?: string[];
   featureFlags?: string[];
@@ -77,6 +79,7 @@ export interface NoUserInfo {
   sessionId?: undefined;
   organizationId?: undefined;
   role?: undefined;
+  roles?: undefined;
   permissions?: undefined;
   entitlements?: undefined;
   featureFlags?: undefined;
@@ -110,6 +113,7 @@ export interface AuthorizedData {
   sessionId: string;
   organizationId: string | null;
   role: string | null;
+  roles: string[] | null;
   permissions: string[];
   entitlements: string[];
   featureFlags: string[];
@@ -121,6 +125,7 @@ export interface UnauthorizedData {
   sessionId: null;
   organizationId: null;
   role: null;
+  roles: null;
   permissions: null;
   entitlements: null;
   featureFlags: null;

diff --git a/src/session.spec.ts b/src/session.spec.ts
@@ -293,6 +293,7 @@ describe('session', () => {
           entitlements: null,
           featureFlags: null,
           role: null,
+          roles: null,
           sessionId: null,
         });
       });
@@ -359,6 +360,7 @@ describe('session', () => {
           sid: 'test-session-id',
           org_id: 'org-123',
           role: 'admin',
+          roles: ['admin'],
           permissions: ['read', 'write'],
           entitlements: ['premium'],
           feature_flags: ['flag-1', 'flag-2'],
@@ -411,6 +413,7 @@ describe('session', () => {
           entitlements: ['premium'],
           featureFlags: ['flag-1', 'flag-2'],
           role: 'admin',
+          roles: ['admin'],
           sessionId: 'test-session-id',
         });
       });
@@ -559,6 +562,7 @@ describe('session', () => {
               sid: 'test-session-id',
               org_id: 'org-123',
               role: null,
+              roles: [],
               permissions: [],
               entitlements: [],
               feature_flags: [],
@@ -569,6 +573,7 @@ describe('session', () => {
               sid: 'new-session-id',
               org_id: 'org-123',
               role: 'user',
+              roles: ['user'],
               permissions: ['read'],
               entitlements: ['basic'],
               feature_flags: ['flag-1'],
@@ -594,6 +599,7 @@ describe('session', () => {
             sessionId: 'new-session-id',
             organizationId: 'org-123',
             role: 'user',
+            roles: ['user'],
             permissions: ['read'],
             entitlements: ['basic'],
             featureFlags: ['flag-1'],
@@ -738,6 +744,7 @@ describe('session', () => {
         sid: 'new-session-id',
         org_id: 'org-123',
         role: 'user',
+        roles: ['user'],
         permissions: ['read'],
         entitlements: ['basic'],
         feature_flags: ['flag-1'],
@@ -763,6 +770,7 @@ describe('session', () => {
         accessToken: 'new.valid.token',
         organizationId: 'org-123',
         role: 'user',
+        roles: ['user'],
         permissions: ['read'],
         entitlements: ['basic'],
         featureFlags: ['flag-1'],

diff --git a/src/session.ts b/src/session.ts
@@ -72,6 +72,7 @@ export async function refreshSession(request: Request, { organizationId }: { org
       sessionId,
       organizationId: newOrgId,
       role,
+      roles,
       permissions,
       entitlements,
       featureFlags,
@@ -83,6 +84,7 @@ export async function refreshSession(request: Request, { organizationId }: { org
       accessToken,
       organizationId: newOrgId,
       role,
+      roles,
       permissions,
       entitlements,
       featureFlags,
@@ -332,6 +334,7 @@ export async function authkitLoader<Data = unknown>(
         entitlements: null,
         featureFlags: null,
         role: null,
+        roles: null,
         sessionId: null,
       };
 
@@ -343,6 +346,7 @@ export async function authkitLoader<Data = unknown>(
       sessionId,
       organizationId = null,
       role = null,
+      roles = null,
       permissions = [],
       entitlements = [],
       featureFlags = [],
@@ -365,6 +369,7 @@ export async function authkitLoader<Data = unknown>(
       sessionId,
       organizationId,
       role,
+      roles,
       permissions,
       entitlements,
       featureFlags,
@@ -497,6 +502,7 @@ export function getClaimsFromAccessToken(accessToken: string) {
     sid: sessionId,
     org_id: organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     feature_flags: featureFlags,
@@ -510,6 +516,7 @@ export function getClaimsFromAccessToken(accessToken: string) {
     sessionId,
     organizationId,
     role,
+    roles,
     permissions,
     entitlements,
     featureFlags,
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ @@
     node_modules
     dist
     coverage/
+    .idea