MFA w/ Authenticator apps, and introducing a new settings page, with some new options.
MFA w/ Authenticator apps
Adding MFA to your app has never been easier... If you've already implemented Clerk, all you have to do is flip a switch.
We've extended our MFA offering to include Time-based one-time-passwords, also known as "TOTP", or, "authenticator apps." TOTP works with almost all modern authenticator apps, such as google authenticator, authy, 1password, hardware devices, and more.
While we've always had MFA w/ SMS, TOTP is a more secure alternative, although harder for some customers to use, and the best security is often security that someone uses1
For this reason, in our own "Clerk Dashboard" We're allowing MFA with either TOTP or SMS. So, go make your clerk account more secure, then let your customers do the same for your app!
You can enable TOTP by going to the clerk dashboard and then:
Customizable Session tokens, Clerk playground, and an updated Data Processing Agreement.
Customizable Session tokens
You could always generate custom JWTs with Clerk, but now you can add new claims directly to the Session token encoded in the HTTPOnly cookie.
This token is guaranteed to be up-to-date, and will impose no latency on any requests you make.
You can find this new option in your Dashboard. Navigate to:
Settings > Sessions > Customize Session Token
Thanks to the contributors: Haris Chaniotakis
Clerk Playground
We've created a new "Playground" that lets you easily explore Clerk's React SDK and our APIs. We've tried to keep the examples pared down and simple, so that you can use them as a reference when building your own custom flows. Our plan is to continually add to this repository of examples as a resource to help developers get going quickly with Clerk.
Redesigned components enter beta with improved default styles and vastly more customizability! Plus, we're migrating free plans and we upgraded our WAF.
Redesigned components enter beta
Our redesigned components have entered private beta! This upgrade includes:
Improved default styles - Everything feels a bit more balanced and modern and by default.
Vastly more customizability - We're introducing an "appearance" prop that enables components to be customized with Tailwind, CSS Modules, or any styling solution that uses classnames.
To join the beta, please join our Discord and reach out in the #components-beta channel.
Thanks to the contributors: Nikos Douvlis
Free plan migration
Next week, we will be migrating customers from our old free plan to our new free plan that launched three weeks ago. This plan has a different set of features – more in some places, less in others – so we encourage everyone to verify the new plan still works for their business.
Impacted customers will also be notified by email.
WAF infrastructure upgrade
Behind the scenes this week, we migrated to a new "Web Application Firewall."
As Clerk has grown, attacks on our service have (unfortunately) also grown more frequent. We use a Web Application Firewall to help prevent against account takeovers by brute force attack.
All customers received this update for free and we did not detect any impact to latency, or to non-automated traffic.
Next.js 12.2, Emails with high deliverability, Sign in with Line, Odds and ends.
Next.js 12.2
We've upgraded our @clerk/nextjs package to support Next.js 12.2, Make sure you're on version 3.7.1 or greater.
Thanks to the contributors: Peter Perlepes
Emails w/ High Deliverability
We're testing out a new email flow. Our core verification emails are sent through Sendgrid, from your domain. Even though we follow all of the best practices, there are a few things we can't account for that still causes some verification/sign-in emails to go to spam.
For people having trouble, this new email flow should solve your problems:
Emails are sent from Postmark.
Emails are sent from verifications@clerk.dev
Will only send OTP verifications, since these have historically had less deliverability issues.
If you're having issues, send us an email at support@clerk.dev to enable.
Custom Session Token - Clerk automatically keeps session tokens alive, now you can customize what data goes into these tokens. Previously, this was only possible by creating a custom JWT template, and sending it to your backend manually.
Organizations, "verify after sign up", and big email upgrades.
Organizations
We've officially launched V1 of our Organizations product! It's been stress tested by a bunch of design partners over the past couple weeks (thank you for your help!), and we're really excited to finally get open up this functionality publically.
Supporting "organization auth" comes with a number of challenges that exist both in the frontend and backend. Clerk makes all of this simple by giving you easy-to-use react hooks, and the perfect "Organization abstraction" I've you're building a B2B SaaS, an internal tool, or any sort of app with user-grouping, your life just got a whole lot easier. Our initial
(Note: Clerk's organizations functionality works great with the Open Source use-stripe-subscription package we created. It gives you the majority of the building blocks you need for a complete SaaS!)
Thanks to the contributors: Alex Ntousias, Giannis Katsanos, Peter Perlepes
Verify after sign up
This has oddly been one of our most sought-after features, and it's finally here. In most cases, you don't need to verify your users email addresses or phone numbers right at sign up. You want to get users in your app as quickly as possible, and then asynchronously verify them.
One of the best implementations of this we've seen are the masters over at Stripe:
And now, you can easily recreate this onboarding flow simply by turning it on in the dashboard!
Thanks to the contributors: Haris Chaniotakis
Email upgrades
1. Metadata in emails
You can now include user and organization metadata directly in your email templates. This gives you the ability to personal verification and invitation emails to a much higher degree.
Note: The following features didn't quite make the Friday deadline, but they will be out first thing Monday!
2. Customizable "from name"
In order to ensure deliverability, you should be sending your emails from an email address that actually exists. Because we send emails from your domain i.e. notifications@example.com, you can now also change the "from name" portion, so that it maps to an acutal email account. (i.e. support@example.com)
3. BYO Email/SMS provider
Additionally, if you don't want Clerk to deliver your emails at all, and you'd rather do it yourself -- you can turn off "Delivered by Clerk", and listen to the new "email.created" and "sms.created" webhooks. You will even receive the templated emails, so all you have to do is pass along the subject/body to your provider! You can also just use the raw-data and create your own custom email using this approach.
4. "High Deliverability emails" (coming soon)
It's always frustrating when an email isn't delivered properly. One part of email deliverability is "Domain reputation", and when building a new project, you usually have a new domain with negative reputation. It takes time to build up that reputation so GMail and MS Outlook (and others) don't send your verification and invitation emails to the dreaded "Promotions" tab, or even worse, to spam.
In order to alleviate this, we'll optionally allow verification and invitaiton emails to be sent from "@clerk.dev", which has a bullet-proof reputation because it sends a lot of verification emails, and it only sends verification emails. This will make it so your verification/invitations always land in your users inbox.
Side-by-side Web2 & Web3 auth, strict sign up requirements, brand new documentation, use-stripe-subscription, inaugural weekly office hours
Side-by-side Web2 & Web3 auth
Until this week, our support for Web3 has been all-or-nothing. You couldn't configure an application to have both Web3 authentication factors and Web2 authentication factors.
Now, developers can enable any combination of Web2 and Web3 they like, from the moment they create a new application:
This has been the top requested feature for Web3 applications since we originally launched support. Now that it's complete, it clears the way for us to begin adding additional wallet support.
Thanks to the contributors: Agis Anastasopoulos, Mark Pitsilos, Haris Chaniotakis
Strict sign-up requirements
This week we added an explicit "Required" toggle to four user management settings:
Email address
Phone number
Username
Name (First and Last)
Previously, we assumed what developers wanted as strictly required based on their other choices in the dashboard.
Critically, when users signed up with any Social Login vendor in the past, every other user attribute was considered optional. With this assumption, we found there were edge cases where this behavior wasn't necessarily desirable.
The most common edge-case comes from Social Login providers like Facebook, which do not necessarily return an email address from the oauth process. 99% of Facebook users will return an email address, but the other 1% will only return a phone number. For this 1% of cases, should Clerk prompt the user for an email address, or should we let them proceed without one?
With our new dashboard settings, we no longer need to guess!
Thanks to the contributors: Agis Anastasopoulos, Mark Pitsilos, Haris Chaniotakis
Brand new documentation
The past several weeks we've been scouring historical support requests to learn how we can better write and organize our documentation.
We launched brand new documentation to better support developers. There's a new organization to make content more discoverable, and a ton of new writing to surface things that were missing.
Thanks to the contributors: Ian McPhail, Marcel Cruz, Charles Wefso, Braden Sidoti
use-stripe-subscription
We launched use-stripe-subscription to make it easier for React developers to implement Stripe Billing. This open source package will serve as the foundation of our eventual Stripe integration, which is slated to launch in Q3.
Thanks to the contributors: Colin Sidoti, Braden Sidoti
Inaugural weekly office hours
We held our first weekly office hours this week! We had a great time on Twitch fielding questions from the audience, sharing more about roadmap, and discussing technology trends a bit more colloquially.
The exact time for office hours will likely float from week to week. The best way to learn the time is to follow our Twitter.
Thanks to the contributors: Ian McPhail, Colin Sidoti