Clerk Changelog

MFA w/ Authenticator apps

Adding MFA to your app has never been easier... If you've already implemented Clerk, all you have to do is flip a switch.

We've extended our MFA offering to include Time-based one-time-passwords, also known as "TOTP", or, "authenticator apps." TOTP works with almost all modern authenticator apps, such as google authenticator, authy, 1password, hardware devices, and more.

While we've always had MFA w/ SMS, TOTP is a more secure alternative, although harder for some customers to use, and the best security is often security that someone uses1

For this reason, in our own "Clerk Dashboard" We're allowing MFA with either TOTP or SMS. So, go make your clerk account more secure, then let your customers do the same for your app!

You can enable TOTP by going to the clerk dashboard and then:

Configure > Users & Authentication > Multi-factor > Authenticator Apps

How it looks in our new user profile component:

Thanks to the contributors: Mark Pitsilos, Haris Chaniotakis

Updated Settings

On the Clerk dashboard you'll notice a few things moved. Webhooks now have their own home in the sidebar, as do instance-level settings.

We're going to be exposing smaller beta features through this settings page. As of now we have introduced the following settings

• Disable "Have I Been Pwned" password protection

• Enable test mode (this lets you use "fake" emails and phone numbers to sign in, very useful for E2E Testing, on by default for dev instances)

Thanks to the contributors: John Raptis, Sokratis Vidros

Customizable Session tokens

You could always generate custom JWTs with Clerk, but now you can add new claims directly to the Session token encoded in the HTTPOnly cookie.

This token is guaranteed to be up-to-date, and will impose no latency on any requests you make.

You can find this new option in your Dashboard. Navigate to:

Settings > Sessions > Customize Session Token

Thanks to the contributors: Haris Chaniotakis

Clerk Playground

We've created a new "Playground" that lets you easily explore Clerk's React SDK and our APIs. We've tried to keep the examples pared down and simple, so that you can use them as a reference when building your own custom flows. Our plan is to continually add to this repository of examples as a resource to help developers get going quickly with Clerk.

See the live example⁠, or go straight to the repo⁠

If there's a custom flow you want to see built, let us know in our discord

Thanks to the contributors: Ian McPhail, Charles Wefso

Data Processing Agreement

To be in compliance with GDPR, we've updated our data processing agreement and established a formal local presence in the EU.

Read the full agreement here.

Thanks to the contributors: Braden Sidoti

Redesigned components enter beta

Our redesigned components have entered private beta! This upgrade includes:

1. Improved default styles - Everything feels a bit more balanced and modern and by default.
2. Vastly more customizability - We're introducing an "appearance" prop that enables components to be customized with Tailwind, CSS Modules, or any styling solution that uses classnames.

To join the beta, please join our Discord⁠ and reach out in the #components-beta channel.

Thanks to the contributors: Nikos Douvlis

Free plan migration

Next week, we will be migrating customers from our old free plan to our new free plan that launched three weeks ago. This plan has a different set of features – more in some places, less in others – so we encourage everyone to verify the new plan still works for their business.

Impacted customers will also be notified by email.

WAF infrastructure upgrade

Behind the scenes this week, we migrated to a new "Web Application Firewall."

As Clerk has grown, attacks on our service have (unfortunately) also grown more frequent. We use a Web Application Firewall to help prevent against account takeovers by brute force attack⁠.

All customers received this update for free and we did not detect any impact to latency, or to non-automated traffic.

Next.js 12.2

We've upgraded our @clerk/nextjs package to support Next.js 12.2, Make sure you're on version 3.7.1 or greater.

Thanks to the contributors: Peter Perlepes

Emails w/ High Deliverability

We're testing out a new email flow. Our core verification emails are sent through Sendgrid, from your domain. Even though we follow all of the best practices, there are a few things we can't account for that still causes some verification/sign-in emails to go to spam.

For people having trouble, this new email flow should solve your problems:

• Emails are sent from Postmark.
• Emails are sent from verifications@clerk.dev
• Will only send OTP verifications, since these have historically had less deliverability issues.

If you're having issues, send us an email at support@clerk.dev to enable.

Thanks to the contributors: Agis Anastasopoulos

Sign in with Line

Allow your users to sign in via Line https://line.me/en/⁠

Thanks to the contributors: Haris Chaniotakis

Backend API updates

• Custom Session Token - Clerk automatically keeps session tokens alive, now you can customize what data goes into these tokens. Previously, this was only possible by creating a custom JWT template, and sending it to your backend manually.
• Filter invitations by status

Thanks to the contributors: Giannis Katsanos, Agis Anastasopoulos

Organizations

We've officially launched V1 of our Organizations product! It's been stress tested by a bunch of design partners over the past couple weeks (thank you for your help!), and we're really excited to finally get open up this functionality publically.

Supporting "organization auth" comes with a number of challenges that exist both in the frontend and backend. Clerk makes all of this simple by giving you easy-to-use react hooks, and the perfect "Organization abstraction" I've you're building a B2B SaaS, an internal tool, or any sort of app with user-grouping, your life just got a whole lot easier. Our initial

• The Organization object
• Role Based Access Control
• Invitation flows
• SAML is coming soon!

https://clerk.com/docs/organizations/overview⁠

(Note: Clerk's organizations functionality works great with the Open Source use-stripe-subscription⁠ package we created. It gives you the majority of the building blocks you need for a complete SaaS!)

Thanks to the contributors: Alex Ntousias, Giannis Katsanos, Peter Perlepes

Verify after sign up

This has oddly been one of our most sought-after features, and it's finally here. In most cases, you don't need to verify your users email addresses or phone numbers right at sign up. You want to get users in your app as quickly as possible, and then asynchronously verify them.

One of the best implementations of this we've seen are the masters over at Stripe:

And now, you can easily recreate this onboarding flow simply by turning it on in the dashboard!

Thanks to the contributors: Haris Chaniotakis

Email upgrades

1. Metadata in emails

You can now include user and organization metadata directly in your email templates. This gives you the ability to personal verification and invitation emails to a much higher degree.

Note: The following features didn't quite make the Friday deadline, but they will be out first thing Monday!

2. Customizable "from name"

In order to ensure deliverability, you should be sending your emails from an email address that actually exists. Because we send emails from your domain i.e. notifications@example.com, you can now also change the "from name" portion, so that it maps to an acutal email account. (i.e. support@example.com)

3. BYO Email/SMS provider

Additionally, if you don't want Clerk to deliver your emails at all, and you'd rather do it yourself -- you can turn off "Delivered by Clerk", and listen to the new "email.created" and "sms.created" webhooks. You will even receive the templated emails, so all you have to do is pass along the subject/body to your provider! You can also just use the raw-data and create your own custom email using this approach.

4. "High Deliverability emails" (coming soon)

It's always frustrating when an email isn't delivered properly. One part of email deliverability is "Domain reputation", and when building a new project, you usually have a new domain with negative reputation. It takes time to build up that reputation so GMail and MS Outlook (and others) don't send your verification and invitation emails to the dreaded "Promotions" tab, or even worse, to spam.

In order to alleviate this, we'll optionally allow verification and invitaiton emails to be sent from "@clerk.dev", which has a bullet-proof reputation because it sends a lot of verification emails, and it only sends verification emails. This will make it so your verification/invitations always land in your users inbox.

Thanks to the contributors: Mark Pitsilos

Side-by-side Web2 & Web3 auth

Until this week, our support for Web3 has been all-or-nothing. You couldn't configure an application to have both Web3 authentication factors and Web2 authentication factors.

Now, developers can enable any combination of Web2 and Web3 they like, from the moment they create a new application:

This has been the top requested feature for Web3 applications since we originally launched support. Now that it's complete, it clears the way for us to begin adding additional wallet support.

Thanks to the contributors: Agis Anastasopoulos, Mark Pitsilos, Haris Chaniotakis

Strict sign-up requirements

This week we added an explicit "Required" toggle to four user management settings:

1. Email address
2. Phone number
3. Username
4. Name (First and Last)

Previously, we assumed what developers wanted as strictly required based on their other choices in the dashboard.

Critically, when users signed up with any Social Login vendor in the past, every other user attribute was considered optional. With this assumption, we found there were edge cases where this behavior wasn't necessarily desirable.

The most common edge-case comes from Social Login providers like Facebook, which do not necessarily return an email address from the oauth process. 99% of Facebook users will return an email address, but the other 1% will only return a phone number. For this 1% of cases, should Clerk prompt the user for an email address, or should we let them proceed without one?

With our new dashboard settings, we no longer need to guess!

Thanks to the contributors: Agis Anastasopoulos, Mark Pitsilos, Haris Chaniotakis

Brand new documentation

The past several weeks we've been scouring historical support requests to learn how we can better write and organize our documentation.

We launched brand new documentation to better support developers. There's a new organization to make content more discoverable, and a ton of new writing to surface things that were missing.

Thanks to the contributors: Ian McPhail, Marcel Cruz, Charles Wefso, Braden Sidoti

use-stripe-subscription

We launched use-stripe-subscription⁠ to make it easier for React developers to implement Stripe Billing. This open source package will serve as the foundation of our eventual Stripe integration, which is slated to launch in Q3.

We also wrote a blog post about our experience refactoring Stripe's API for frontend access.

Thanks to the contributors: Colin Sidoti, Braden Sidoti

Inaugural weekly office hours

We held our first weekly office hours this week! We had a great time on Twitch fielding questions from the audience, sharing more about roadmap, and discussing technology trends a bit more colloquially.

The exact time for office hours will likely float from week to week. The best way to learn the time is to follow our Twitter⁠.

Thanks to the contributors: Ian McPhail, Colin Sidoti