Single Sign-On (SSO)

Manage team authentication, user invitations, and password resets through WorkOS powered SSO.

Overview

Forz uses WorkOS AuthKit for user authentication and organization management. When you add a user to Forz, WorkOS handles the invitation email, password setup, and login flow. Admins can manage invitations, reset passwords, and control organization memberships, all from within Forz.

Before You Begin

Prerequisites:

  1. You have the Admin role in Forz. Your Forz account has an organization name configured in Settings > Company.

How Authentication Works

Forz uses WorkOS for the entire authentication lifecycle:

  • Organization creation — when your Forz account is set up, Forz creates a matching WorkOS organization.

  • User invitations — adding a user in Forz sends a WorkOS invitation email.

  • Login — users authenticate through WorkOS AuthKit, which issues a session token.

  • Session management — Forz validates tokens using WorkOS JWKS and refreshes sessions automatically.

Inviting a New User

  1. Click Settings in the sidebar navigation.

  1. Click the Users tab.

  1. Click Add User.

  1. Enter the user's First Name, Last Name, and Email.

  1. Select a Role for the user.

  1. Click Save.

Expected result: Forz creates the user record and sends a WorkOS invitation email. The user receives an email with a link to set up their password and log in.

Note: If the user's email is already associated with a WorkOS account (from another Forz organization), Forz creates an organization membership instead of a new user. The user can switch between organizations after logging in.

Resending an Invitation

  1. Navigate to Settings > Users.

  2. Find the user whose invitation is pending.

  3. Click the user's name to open their profile.

  4. Click Resend Invitation.

Expected result: Forz revokes the previous invitation (if still pending) and sends a new invitation email. The new link replaces the old one.

Tip: Invitation links expire. If a user reports that their link is expired, resend the invitation to generate a fresh link.

Resetting a User's Password

  1. Navigate to Settings > Users.

  2. Click the user's name to open their profile.

  3. Click Reset Password.

Expected result: WorkOS sends a password reset email to the user. The user clicks the link and sets a new password.

Disabling a User

  1. Navigate to Settings > Users.

  1. Click the user's name to open their profile.

  1. Click on the three dots on the top right then click Disable User.

Expected result: Forz deactivates the user's WorkOS organization membership. The user can no longer log in to this Forz organization. If the membership was "pending" (invitation not yet accepted), Forz deletes the membership instead of deactivating it.

Reactivating a User

  1. Navigate to Settings > Users.

  2. Find the deactivated user.

  3. Click the user's name and then click Reactivate.

Expected result: Forz reactivates the user's WorkOS membership. The user can log in again with their existing credentials.

What Happens Behind the Scenes

When Forz manages users through WorkOS:

  • Invitation sent — WorkOS creates the user (if new) and sends an email with a sign-up link.

  • Email verified — Forz marks the user's email as verified in WorkOS after invitation.

  • User logs in — WorkOS issues an access token via OAuth code exchange; Forz validates the token using JWKS.

  • Session refresh — when the access token expires, Forz uses the refresh token to get a new one.

  • Email changed — if a user's email is updated in Forz, WorkOS updates the user record or creates a new membership.

Warning: Deleting a user from Forz also removes their WorkOS account and all organization memberships. This action cannot be undone.

Common Scenarios

Onboarding a new dispatcher at an HVAC company

The office manager adds a new dispatcher, Sarah Chen, in Settings > Users with the "Dispatcher" role. Sarah receives an invitation email, clicks the link, sets her password, and logs in to Forz. She can immediately see the dispatch board, create jobs, and manage the schedule.

Transferring a technician between branches

A plumbing company has two Forz organizations (North Branch and South Branch). When technician James Rivera transfers to the South Branch, the North Branch admin deactivates his account. The South Branch admin adds James with his same email address. Because his email already exists in WorkOS, Forz creates a new organization membership instead of a duplicate user. James logs in and sees the South Branch organization.

Troubleshooting

Problem

Solution

"User did not receive invitation email"

Check the email address for typos. Verify the user's spam/junk folder. Resend the invitation from Settings > Users.

"Invitation link expired"

Resend the invitation to generate a new link. Invitation links have a limited validity window.

"User sees 'Email already invited' error"

The email has a pending invitation. Forz automatically revokes the old invitation and sends a new one when you resend.

"User cannot log in after reactivation"

Verify the membership status in the user profile. If the membership was deleted (not deactivated), the user needs a new invitation.