We've launched three additional JWT templates for Convex, Grafbase, and Nhost. Now you can easiliy sync the authenticated user with all of these tools!
In addition to the allowlist, we now support a blocklist. Use this to stop individuals or groups of individuals from signing up.
User bans
Users that already have an account can also now be banned. This action signs out the user from any existing sessions, and prevents them from signing in again.
MFA w/ Authenticator apps, and introducing a new settings page, with some new options.
MFA w/ Authenticator apps
Adding MFA to your app has never been easier... If you've already implemented Clerk, all you have to do is flip a switch.
We've extended our MFA offering to include Time-based one-time-passwords, also known as "TOTP", or, "authenticator apps." TOTP works with almost all modern authenticator apps, such as google authenticator, authy, 1password, hardware devices, and more.
While we've always had MFA w/ SMS, TOTP is a more secure alternative, although harder for some customers to use, and the best security is often security that someone uses1
For this reason, in our own "Clerk Dashboard" We're allowing MFA with either TOTP or SMS. So, go make your clerk account more secure, then let your customers do the same for your app!
You can enable TOTP by going to the clerk dashboard and then:
Customizable Session tokens, Clerk playground, and an updated Data Processing Agreement.
Customizable Session tokens
You could always generate custom JWTs with Clerk, but now you can add new claims directly to the Session token encoded in the HTTPOnly cookie.
This token is guaranteed to be up-to-date, and will impose no latency on any requests you make.
You can find this new option in your Dashboard. Navigate to:
Settings > Sessions > Customize Session Token
Thanks to the contributors: Haris Chaniotakis
Clerk Playground
We've created a new "Playground" that lets you easily explore Clerk's React SDK and our APIs. We've tried to keep the examples pared down and simple, so that you can use them as a reference when building your own custom flows. Our plan is to continually add to this repository of examples as a resource to help developers get going quickly with Clerk.
Redesigned components enter beta with improved default styles and vastly more customizability! Plus, we're migrating free plans and we upgraded our WAF.
Redesigned components enter beta
Our redesigned components have entered private beta! This upgrade includes:
Improved default styles - Everything feels a bit more balanced and modern and by default.
Vastly more customizability - We're introducing an "appearance" prop that enables components to be customized with Tailwind, CSS Modules, or any styling solution that uses classnames.
To join the beta, please join our Discord and reach out in the #components-beta channel.
Thanks to the contributors: Nikos Douvlis
Free plan migration
Next week, we will be migrating customers from our old free plan to our new free plan that launched three weeks ago. This plan has a different set of features – more in some places, less in others – so we encourage everyone to verify the new plan still works for their business.
Impacted customers will also be notified by email.
WAF infrastructure upgrade
Behind the scenes this week, we migrated to a new "Web Application Firewall."
As Clerk has grown, attacks on our service have (unfortunately) also grown more frequent. We use a Web Application Firewall to help prevent against account takeovers by brute force attack.
All customers received this update for free and we did not detect any impact to latency, or to non-automated traffic.
Next.js 12.2, Emails with high deliverability, Sign in with Line, Odds and ends.
Next.js 12.2
We've upgraded our @clerk/nextjs package to support Next.js 12.2, Make sure you're on version 3.7.1 or greater.
Thanks to the contributors: Peter Perlepes
Emails w/ High Deliverability
We're testing out a new email flow. Our core verification emails are sent through Sendgrid, from your domain. Even though we follow all of the best practices, there are a few things we can't account for that still causes some verification/sign-in emails to go to spam.
For people having trouble, this new email flow should solve your problems:
Emails are sent from Postmark.
Emails are sent from verifications@clerk.dev
Will only send OTP verifications, since these have historically had less deliverability issues.
If you're having issues, send us an email at support@clerk.dev to enable.
Custom Session Token - Clerk automatically keeps session tokens alive, now you can customize what data goes into these tokens. Previously, this was only possible by creating a custom JWT template, and sending it to your backend manually.
Organizations, "verify after sign up", and big email upgrades.
Organizations
We've officially launched V1 of our Organizations product! It's been stress tested by a bunch of design partners over the past couple weeks (thank you for your help!), and we're really excited to finally get open up this functionality publically.
Supporting "organization auth" comes with a number of challenges that exist both in the frontend and backend. Clerk makes all of this simple by giving you easy-to-use react hooks, and the perfect "Organization abstraction" I've you're building a B2B SaaS, an internal tool, or any sort of app with user-grouping, your life just got a whole lot easier. Our initial
(Note: Clerk's organizations functionality works great with the Open Source use-stripe-subscription package we created. It gives you the majority of the building blocks you need for a complete SaaS!)
Thanks to the contributors: Alex Ntousias, Giannis Katsanos, Peter Perlepes
Verify after sign up
This has oddly been one of our most sought-after features, and it's finally here. In most cases, you don't need to verify your users email addresses or phone numbers right at sign up. You want to get users in your app as quickly as possible, and then asynchronously verify them.
One of the best implementations of this we've seen are the masters over at Stripe:
And now, you can easily recreate this onboarding flow simply by turning it on in the dashboard!
Thanks to the contributors: Haris Chaniotakis
Email upgrades
1. Metadata in emails
You can now include user and organization metadata directly in your email templates. This gives you the ability to personal verification and invitation emails to a much higher degree.
Note: The following features didn't quite make the Friday deadline, but they will be out first thing Monday!
2. Customizable "from name"
In order to ensure deliverability, you should be sending your emails from an email address that actually exists. Because we send emails from your domain i.e. notifications@example.com, you can now also change the "from name" portion, so that it maps to an acutal email account. (i.e. support@example.com)
3. BYO Email/SMS provider
Additionally, if you don't want Clerk to deliver your emails at all, and you'd rather do it yourself -- you can turn off "Delivered by Clerk", and listen to the new "email.created" and "sms.created" webhooks. You will even receive the templated emails, so all you have to do is pass along the subject/body to your provider! You can also just use the raw-data and create your own custom email using this approach.
4. "High Deliverability emails" (coming soon)
It's always frustrating when an email isn't delivered properly. One part of email deliverability is "Domain reputation", and when building a new project, you usually have a new domain with negative reputation. It takes time to build up that reputation so GMail and MS Outlook (and others) don't send your verification and invitation emails to the dreaded "Promotions" tab, or even worse, to spam.
In order to alleviate this, we'll optionally allow verification and invitaiton emails to be sent from "@clerk.dev", which has a bullet-proof reputation because it sends a lot of verification emails, and it only sends verification emails. This will make it so your verification/invitations always land in your users inbox.
