By NHI Mgmt Group Editorial TeamPublished 2025-10-13Domain: Best PracticesSource: WorkOS

TL;DR: Web app identity surfaces can be internationalised quickly without treating translation as a separate project, according to WorkOS. WorkOS describes how it localized AuthKit into 90 languages in five weeks by combining extracted strings, FormatJS, accept-language negotiation, and LLM translation workflows, showing how quickly web app identity surfaces can be internationalised without treating translation as a separate project. The deeper lesson is that identity UX now extends into localisation, where governance failures show up as broken trust, inconsistent sign-in flows, and unmanaged text drift.

At a glance

What this is: This is a WorkOS how-to on localizing AuthKit into 90 languages, with the key finding that string extraction, locale negotiation, and LLM-assisted translation can make identity UX scale quickly across regions.

Why it matters: It matters because login, sign-up, and transactional identity flows are part of the control plane for human identity, and inconsistent localization can undermine both conversion and user trust across IAM programmes.

By the numbers:

👉 Read WorkOS's guide to localizing AuthKit across 90 languages

Context

Localization is the practice of adapting a digital product to the language, region, and formatting expectations of its users. In identity systems, that means sign-in, sign-up, email, and error flows have to feel native without weakening the consistency of the underlying authentication experience.

For IAM teams, the governance issue is not just translation quality. It is whether identity UX, content extraction, and fallback behaviour are controlled well enough that users receive the right language at the right moment, across both customer-facing and internal access journeys.

Key questions

Q: How should teams implement localization for identity flows without creating security drift?

A: Start by extracting every user-facing string in sign-in, sign-up, recovery, and transactional email flows into a governed translation workflow. Then resolve locale from browser or user settings, test fallback behaviour, and keep translated security text under the same release discipline as authentication logic.

Q: Why do localized identity experiences matter for IAM programmes?

A: Because identity screens are where users decide whether a flow feels trustworthy and usable. If language, directionality, or wording is inconsistent, completion drops and support burden rises. For IAM teams, localization is part of access experience governance, not just front-end polish.

Q: What breaks when identity strings are not managed centrally?

A: Unmanaged strings are easy to miss during development, which leaves English-only labels, inconsistent error messages, and untranslated fallback text in production. That creates a fragmented identity journey and makes it harder to verify whether the user is seeing the approved security message.

Q: How do security teams know whether localized identity UX is working?

A: Track completion rates, support tickets, locale coverage, and visual defects across supported languages. If users in one locale abandon sign-up more often or report confusing labels, the localization layer is failing the identity journey even if authentication itself is functioning.

Technical breakdown

BCP 47 language tags and locale selection

BCP 47 language tags let applications distinguish between a broad language, such as en, and a regional variant, such as en-GB. The article’s key architectural point is that apps should not try to hand-parse every possible tag combination. Instead, locale negotiation should derive the best supported match from browser signals such as accept-language, then fall back cleanly when an exact locale is unavailable. That approach reduces manual routing logic and keeps localization aligned to what the user actually prefers rather than what the application assumes.

Practical implication: build deterministic locale fallback rules so identity screens resolve to the closest supported language instead of breaking at the edge cases.

FormatJS string extraction for React-based identity flows

FormatJS centralises translation strings with the code that uses them, which is why the article uses it for AuthKit. The important technical advantage is not just convenience. It is that extraction, translation IDs, and linting turn user-facing strings into governed assets that can be found, reviewed, and replaced systematically. That matters in identity interfaces because labels, tooltips, and error states are security-relevant text, not decorative copy. When those strings are tracked in code, they become easier to localise and harder to leave behind in English.

Practical implication: treat identity text as code-managed content so untranslated labels do not leak into sign-in and recovery journeys.

Right-to-left layout, fonts, and UI overflow

Localization is not only about words. Right-to-left languages change layout direction, chevron orientation, and sometimes the suitability of the font stack itself. The article also notes that translated strings can be materially longer than the source text, which can cause button overflow or awkward wrapping. In identity products, that creates a practical risk because short authentication labels often sit inside tight UI components. If the layout does not flex, the localized experience becomes brittle even when the translation itself is correct.

Practical implication: test directionality, typography, and component sizing together, especially in sign-in and account-management interfaces.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity localization is now part of the control surface, not a cosmetic layer. Sign-in and sign-up text shapes trust, comprehension, and completion rates, which means localization failures become access problems, not just content problems. In practice, that pushes identity teams to govern locale handling the same way they govern MFA prompts and recovery flows. The practitioner takeaway is to treat localized identity UX as governed access experience.

String extraction turns identity copy into an auditable asset class. Once labels, errors, and helper text are pulled into structured translation workflows, the organisation can see what was previously hidden in JSX and defaults. That is a useful governance shift for human IAM programmes because it reduces the chance that untranslated or inconsistent security text ships unnoticed. The practitioner takeaway is to manage identity strings through code, linting, and review, not manual spot checks.

Localization exposes a distinct failure mode: inconsistent trust wording across authentication journeys. Even when credentials and policies are correct, mismatched language in account creation, recovery, or transactional email can make users doubt whether they are in the right flow. This is a human identity governance issue because the user’s confidence in the process affects whether the access journey completes safely. The practitioner takeaway is to align translated identity messaging with the approved security journey, not just the product catalogue.

Locale breadth should be chosen from real usage data, not aspirational coverage. The article’s traffic-driven approach shows that language support is a prioritisation problem as much as a translation problem. That matters because broad but shallow coverage can consume engineering effort without improving the experiences users actually see. The practitioner takeaway is to base localization scope on request data and audience composition, then expand deliberately.

Fonts, directionality, and layout are part of identity assurance. A login page that renders poorly in Arabic or Chinese may still authenticate users, but it degrades usability enough to create friction and support overhead. That is a governance signal for teams that localised access experiences need the same QA discipline as authentication back ends. The practitioner takeaway is to include visual regression and locale-specific review in release gates for identity surfaces.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • Our research also finds that 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
  • That pattern is why teams should also read Analysis of Claude Code Security for the adjacent problem of governing AI-enabled identity surfaces and runtime access.

What this signals

Localized identity UX is becoming a governance signal as much as a design concern. When login and recovery experiences are translated at scale, the question is whether the programme can keep security wording, fallback behaviour, and layout integrity aligned across every locale. Teams should treat language coverage as part of release assurance, not a one-time internationalisation project.

The next maturity step is to connect localization workflows to identity telemetry and support feedback. That lets IAM leads spot where a language pack is creating friction, where a fallback is leaking English into a regulated journey, and where regional usage justifies deeper coverage. For broader context on governed access experiences, see Analysis of Claude Code Security and the OWASP Agentic AI Top 10.

For practitioners

  • Inventory every user-facing identity string Extract labels, placeholders, error messages, emails, and helper text from sign-in, sign-up, recovery, and account-management flows before translating anything. Keep the extracted string set under source control so changes are visible during release review.
  • Negotiate locale from request signals Use accept-language and explicit user settings to resolve the best supported locale, then define deterministic fallbacks for unsupported variants. Test browser and app behaviour together so the identity experience does not drift across regions.
  • Build locale-specific UI QA into release gates Check right-to-left rendering, chevron direction, font coverage, and button overflow in every supported language before shipping. Review translated identity flows with the same scrutiny you apply to authentication and recovery logic.
  • Govern translations as product-security content Route translated identity text through the same review discipline used for security-sensitive copy. That includes checking that fallback strings, error wording, and transactional email content stay consistent across locales.
  • Prioritise languages from traffic data Use real request telemetry to decide which locales to support first, then revisit the list as audience patterns change. This keeps localization spend tied to actual adoption rather than speculative coverage.

Key takeaways

  • Localized identity flows are part of access governance, because language and layout shape whether users trust and complete authentication journeys.
  • Extracting strings into a governed workflow makes identity copy auditable, testable, and far less likely to ship untranslated.
  • Teams should prioritize localization using real traffic data and release QA that covers directionality, typography, and fallback behaviour.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63Localized sign-in and recovery flows affect digital identity usability and assurance.
NIST CSF 2.0PR.AT-1User awareness and clarity depend on consistent security communication across locales.
NIST Zero Trust (SP 800-207)PR.AC-1Locale handling sits inside the broader access experience that users trust during authentication.

Review localized authentication journeys for usability, recovery consistency, and clear user messaging.

Key terms

  • Localization: Localization is the process of adapting a digital experience so it works naturally for a specific language, region, and culture. In identity programmes, it covers sign-in text, recovery messages, email content, directionality, and formatting so the access journey remains clear and trustworthy for each user group.
  • Accept-Language: Accept-Language is an HTTP request header that tells an application which languages the user prefers. Identity systems can use it to select the best supported locale automatically, then fall back to a broader language variant when an exact match is unavailable.
  • Translation extraction: Translation extraction is the practice of pulling user-facing strings out of source code into a governed workflow for review, translation, and release. For identity UX, it makes security-sensitive copy easier to audit, reduces hidden English-only text, and keeps localized messages tied to the code that renders them.
  • Right-to-left layout: Right-to-left layout is the rendering mode used for languages such as Arabic and Hebrew. It affects the direction of text, icons, and spacing in identity screens, which means authentication interfaces need separate visual testing to avoid broken navigation cues or unreadable controls.

Deepen your knowledge

Localization for sign-in, sign-up, and recovery flows is covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is extending identity experiences across regions, this is a practical place to build shared governance language.

This post draws on content published by WorkOS: LLMs are très bien at localization. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org