From e2f928e2ed65c30ae24cd396e997416d18b5aa4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABlle=20Huisman?= <danielle@huisman.me>
Date: Thu, 20 Nov 2025 10:30:43 +0100
Subject: [PATCH] feat(user-management): authenticate with session cookie

---
 src/user_management/operations.rs             |  2 +
 .../authenticate_with_session_cookie.rs       | 62 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 src/user_management/operations/authenticate_with_session_cookie.rs

diff --git a/src/user_management/operations.rs b/src/user_management/operations.rs
index 17013ec..0d1f412 100644
--- a/src/user_management/operations.rs
+++ b/src/user_management/operations.rs
@@ -6,6 +6,7 @@ mod authenticate_with_magic_auth;
 mod authenticate_with_organization_selection;
 mod authenticate_with_password;
 mod authenticate_with_refresh_token;
+mod authenticate_with_session_cookie;
 mod authenticate_with_totp;
 mod create_magic_auth;
 mod create_organization_membership;
@@ -50,6 +51,7 @@ pub use authenticate_with_magic_auth::*;
 pub use authenticate_with_organization_selection::*;
 pub use authenticate_with_password::*;
 pub use authenticate_with_refresh_token::*;
+pub use authenticate_with_session_cookie::*;
 pub use authenticate_with_totp::*;
 pub use create_magic_auth::*;
 pub use create_organization_membership::*;
diff --git a/src/user_management/operations/authenticate_with_session_cookie.rs b/src/user_management/operations/authenticate_with_session_cookie.rs
new file mode 100644
index 0000000..0a18ea0
--- /dev/null
+++ b/src/user_management/operations/authenticate_with_session_cookie.rs
@@ -0,0 +1,62 @@
+use async_trait::async_trait;
+use serde::Serialize;
+
+use crate::user_management::{
+    AuthenticateWithSessionCookieError, AuthenticateWithSessionCookieResponse, UserManagement,
+};
+
+/// The parameters for [`AuthenticateWithSessionCookie`].
+#[derive(Debug, Serialize)]
+pub struct AuthenticateWithSessionCookieOptions<'a> {
+    /// WorkOS session cookie value from the user's browser.
+    pub session_data: &'a str,
+
+    /// Password used to unseal the session cookie.
+    ///
+    /// Must be the same as the password used to seal the cookie.
+    pub cookie_password: &'a str,
+}
+
+/// [WorkOS Docs: Authenticate with session cookie](https://workos.com/docs/reference/user-management/authentication/session-cookie)
+#[async_trait]
+pub trait AuthenticateWithSessionCookie {
+    /// Authenticates a user using an AuthKit session cookie.
+    ///
+    /// [WorkOS Docs: Authenticate with session cookie](https://workos.com/docs/reference/user-management/authentication/session-cookie)
+    ///
+    /// # Examples
+    ///
+    /// ```
+    /// # use workos::user_management::*;
+    /// use workos::{ApiKey, WorkOs};
+    ///
+    /// # async fn run() -> Result<(), AuthenticateWithSessionCookieError> {
+    /// let workos = WorkOs::new(&ApiKey::from("sk_example_123456789"));
+    ///
+    /// let AuthenticateWithSessionCookieResponse { user, .. } = workos
+    ///     .user_management()
+    ///     .authenticate_with_session_cookie(&AuthenticateWithSessionCookieOptions {
+    ///         session_data: "sealed_session_cookie_data",
+    ///         cookie_password: "password_previously_used_to_seal_session_cookie",
+    ///     })
+    ///     .await?;
+    /// # Ok(())
+    /// # }
+    /// ```
+    async fn authenticate_with_session_cookie(
+        &self,
+        options: &AuthenticateWithSessionCookieOptions<'_>,
+    ) -> Result<AuthenticateWithSessionCookieResponse, AuthenticateWithSessionCookieError>;
+}
+
+#[async_trait]
+impl AuthenticateWithSessionCookie for UserManagement<'_> {
+    async fn authenticate_with_session_cookie(
+        &self,
+        options: &AuthenticateWithSessionCookieOptions<'_>,
+    ) -> Result<AuthenticateWithSessionCookieResponse, AuthenticateWithSessionCookieError> {
+        let session = self.load_sealed_session(options.session_data, options.cookie_password);
+
+        session.authenticate().await
+    }
+}