User Authentication
Everything you need. Secure by default.
Simple and secure user authentication, complete with everything you need out-of-the-box to provide a secure experience for your users.
Create an accountSOC 2 Type 2
Clerk follows the highest standards in security compliance to ensure your customer data stays safe.
HIPAA
Clerk complies with the Health Insurance Portability and Accountability Act (HIPAA). This means it's safe to store even the most sensitive user data.
Bot & Brute force detection
Let Clerk worry about every emergent security attack vector, while you focus on building your business.
Password leak protection
Enforce best practices by configuring custom password policies, and leveraging automatic HaveIBeenPwned leak detection.
Social SSO
Add high-conversion Social SSO to your application in seconds
When available, 53% of users choose to sign in with SSO instead of the alternatives. With Social SSO, Clerk makes it extremely simple to offer authentication the way your users want.
- Sign in with Google
Convert faster with SSO
SSO averages 1.3 times faster than passwords, and 5.2 times faster than other passwordless authentication solutions like magic links.
One-click integration
Don't spoil SSO's impressive performance with common mistakes. Clerk handles edge cases gracefully, so you don't have to.
Pick your providers
Clerk supports a wide range of SSO providers and is always adding more. If you need a provider that isn't listed, please submit a request here.
Automatic Account Linking
If a user signs in with SSO after creating their account a different way, they are automatically linked to the original.
Clerk Components
Pre-built components, ready for everything
Simply add <SignIn />, <SignUp />, <UserButton />, <UserProfile /> anywhere in your React codebase. Keep users on your own domain, and bring your own CSS to align to your brand.
Explore UI components
Multi-factor authentication
MFA is the best way to prevent account takeovers.
Stop 99.9% of account takeovers in their tracks and provide the level of security your users have come to expect.
SMS Passcodes.
A text-based digital handshake, securely verifying identity with a unique, randomly generated code delivered straight to your mobile phone.
Authenticator apps (TOTP).
Personal digital locksmiths, creating dynamic, time-based one-time passwords (TOTPs) to secure your online access points.
Hardware keys.
Hardware keys are your personal digital padlocks, physically securing your data by requiring a unique key from a physical device to unlock your accounts.
Recovery codes.
Your digital lifeline, granting you access to your account when other forms of authentication are unavailable.
Passwordless
Convert your users to your product in seconds.
Eliminate forgotten passwords and credential stuffing attacks by going passwordless.
Social SSO.
Virtual passports, allowing you to swiftly navigate through various platforms using a single trusted account.
Magic Links.
One-click gateways, offering a seamless and password-free method to authenticate and access your digital domains securely.
Email-based OTP.
Exclusive digital stamps, presenting a one-time-use password for secure access, delivered directly to your inbox.
SMS-based OTP.
Your personalized digital keys, sent directly to your mobile device for secure one-time access.
Enterprise SSO
Easily implement Enterprise-grade tools like SAML and OpenID Connect
Forget the pain of having to manually implement SAML auth flows into your app. Now implementing a compliant SAML flow is as simple as filling out a form in Clerk's Dashboard.
Advanced security
Take the security burden off your shoulders
Working with Clerk means integrating an enterprise-ready solution that considers security, privacy, and compliance our crucial responsibility and a top priority in everything we build.
Pen tests & source code review
Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.
XSS leak protection
Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize attack surface area by using HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks.
CSRF protection
Most Cross Site Request Forgery (CSRF) attacks can be protected against by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by configuring cookies with the SameSite flag.
Session fixation protection
Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.
Password protection and rules
Clerk uses NIST guidelines to determine the character rules for passwords and contracts with HaveIBeenPwned to review prospective passwords. Additionally, Clerk leverages bcrypt, an industry standard hashing algorithm for storage.
Session leak protection
Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.
Security, Privacy, and Compliance in one tool
SOC2 Type II
HIPAA
CCPA
Session management
Speed up your application with sub-millisecond authentication
Clerk manages the full session lifecycle, including critical security features like active device monitoring and session revocation.
Don’t let auth slow your critical path
Clerk’s session architecture is purpose-built to be extremely performant and low-latency across the globe. Avoid the effort and complexity it takes to build session management infrastructure and let us obsess about it instead.
Stop account takeovers in their tracks
Our team is constantly assessing and protecting against the latest threats so you don’t have to. Never again compromise on critical features like session revocation because they take too long to build – Clerk provides them out of the box.
Multi-account, multi-device, multi-session by default
Most modern applications expect users to have separate accounts for business and personal contexts. Clerk’s session management enables users to sign into many accounts at once, and switch as needed.
