Modern Authentication for AI applications
Bot and abuse protection included in every plan. Industry-forward pricing, like only charging for users after their first day of activity. And more.
Bot and abuse protection
We focus on blocking bad actors, so you can focus on innovating with AI.
Clerk deploys advanced bot and multi-account protection to detect and neutralize attacks in real time. Dramatically reduce fraudulent sign-ups with our continually updated machine learning.
Fingerprinting
Network and device analysis provide an invisible barrier to authenticate humans and filter out automated access attempts.
CAPTCHA
Cloudflare Turnstile is built-in and completely invisible for 99.9% of users, only appearing when extra verification is needed.
Rate Limiting
When humans circumvent CAPTCHAs simply by being human, IP rate limits are a simple yet effective backstop against free trial abuse.
Disposable Email Detection
Stop fraudulent sign-ups by blocking high-risk disposable email domains, or limit email subaddresses that leverage the "+" separator.
Migrating our authentication to Clerk was a breeze. We loved the white-glove support, bot detection, and clear pricing that scales effectively with our growth.
First day free
We only want to charge for users who are truly active.
First Day Free means no charges for users who sign up but never return. Users are only counted as active when they come back after 24 hours.
Session Management
Fully managed infrastructure, with sub-millisecond authentication
Clerk securely manages the full session lifecycle, with features like active device monitoring, session revocation, and sub-millisecond authentication.
Low latency
Don’t let auth slow your critical path. Let us obsess about the complexities of session management infrastructure, so you don’t have to. Clerk’s session architecture is purpose-built for extreme performance and low latency across the globe.
Stop account takeovers in their tracks
Clerk provides features like session revocation out of the box. It’s time-consuming to build features that help you stay secure – let us fixate on assessing and protecting against the latest threats, so you can focus on your core product.
Multi-account, multi-device, multi-session
Multi-account, multi-device, multi-session by default. Clerk’s session management allows users to sign into and switch between multiple accounts, creating seamless separation between business and personal contexts.
Clerk components
Pre-built components, customized and deployed in minutes
Simply add <SignIn />, <SignUp />, <UserButton />, <UserProfile /> to implement complete user management. Keep the default styling or bring your own CSS, and deploy everything on your own domain – making it easier on you and your users.
Social SSO
Authentication your users want, configured with a single click
Clerk’s high-conversion Social SSO is engineered to optimize developer and end-user experience. Simply select the providers you want to enable and help your users sign up at least 1.3x faster.
Advanced Security
Enterprise-ready security, out of the box
Clerk enables you to integrate an enterprise-ready solution, where security, privacy, and compliance are not only a top priority, but our crucial responsibility.
Pen test & source code review
Clerk’s third-party testing and assessments are guided by the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.
XSS leak protection
Clerk uses HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks and the potential attack surface area is minimized.
CSRF protection
Clerk sets the SameSite flag on its cookies so that tokens are protected against Cross-Site Request Forgery (CSRF) attacks.
Session fixation protection
Clerk protects against hijacking of user sessions via session fixation by resetting the session token each time a user signs in or out of a browser. Old session tokens are invalidated when the session is reset, and they can no longer be used for authentication.
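The rotation rule described above, as an added example that is not Clerk's code: a minimal in-memory session store in which signing in or out invalidates the presented token and issues a fresh one. `SessionStore`, `fixationAttempt` and the user id are hypothetical names chosen for illustration.

```javascript
// Illustrative sketch, not Clerk's implementation.
// Use the global Web Crypto object where present, otherwise Node's copy.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// 256-bit random token, hex-encoded.
function newToken() {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

class SessionStore {
  constructor() {
    this.sessions = new Map(); // token -> { userId }
  }
  // Anonymous (pre-authentication) session.
  create() {
    const token = newToken();
    this.sessions.set(token, { userId: null });
    return token;
  }
  lookup(token) {
    return this.sessions.get(token) ?? null;
  }
  // Invalidate the presented token and issue a new one for the new state.
  rotate(oldToken, userId) {
    this.sessions.delete(oldToken);
    const token = newToken();
    this.sessions.set(token, { userId });
    return token;
  }
  signIn(oldToken, userId) { return this.rotate(oldToken, userId); }
  signOut(oldToken) { return this.rotate(oldToken, null); }
}

// Walk through a fixation scenario: a token known to a third party is in the
// browser before sign-in. Rotation means it never becomes an authenticated one.
function fixationAttempt() {
  const store = new SessionStore();
  const planted = store.create();
  const fresh = store.signIn(planted, 'user_example'); // constructed user id
  const userOnFresh = store.lookup(fresh).userId;
  const plantedValidAfterSignIn = store.lookup(planted) !== null;
  store.signOut(fresh);
  const freshValidAfterSignOut = store.lookup(fresh) !== null;
  return { tokensDiffer: planted !== fresh, userOnFresh,
           plantedValidAfterSignIn, freshValidAfterSignOut };
}

console.log(fixationAttempt());
```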
Password protection and rules
To ensure that passwords are effective, Clerk contracts with HaveIBeenPwned to review prospective passwords and uses NIST guidelines to determine the character rules. To ensure that passwords are kept safe once they are set, Clerk stores them using bcrypt, an industry-standard hashing algorithm.
Session leak protection
To protect against session leaks, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), rather than sharing cookies across subdomains. This means that an attack on Clerk cannot be chained into an attack on your application.
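The three cookie properties described in this section (HttpOnly, SameSite, and cookies that are not shared across subdomains) can be checked on any `Set-Cookie` header. The following is an added example, not Clerk's code; the function names, finding labels and sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into a name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Check a session cookie against the three properties described above.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, injected script can read the cookie via document.cookie.
  if (!attrs.httponly) findings.push('no-httponly');
  // Lax or Strict withholds the cookie from cross-site POSTs and subrequests.
  const sameSite = String(attrs.samesite ?? '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('weak-samesite');
  // A Domain attribute makes the cookie visible to every subdomain;
  // omitting it keeps the cookie host-only.
  if (attrs.domain) findings.push('shared-across-subdomains');
  return { name, findings };
}

// Constructed sample headers (not captured from any real service).
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'sid=abc123; Path=/; Domain=example.com',
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=None',
];

for (const h of SAMPLE_HEADERS) {
  const { name, findings } = auditSessionCookie(h);
  console.log(name, findings.length ? findings.join(', ') : 'ok');
}
```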
Start now, no strings attached.
Integrate complete user management in minutes. Free for your first 10,000 monthly active users and 100 monthly active orgs. No credit card required.