Clerk Changelog

User Impersonation

User Impersonation has been a top 5 request feature since the week Clerk launched. This feature allows admins to sign in as an another user, and experience the application as the user would.

From the Clerk dashboard, admins can now easily sign in as their users with the "Impersonate User" button:

Impersonation is commonly used within customer support and engineering teams to help with debugging. It's helpful to "see what user sees" in these contexts, especially as applications have become more complex and personalized to individual customers.

Keeping impersonation safe

Like every other Clerk feature, our top piority while developing User Impersonation was security.

Unsafe implementations of User Impersonation are often called "God-mode" because they empower admins to impersonate another user without leaving a trace. This is not the case with Clerk.

Impersonation sessions are automatically logged and can be retrieved from the Session List endpoint of our API.

We've made it possible to detect impersonated sessions as they are happening, so developers can easily choose to prevent actions while a user is being impersonated.

The detection is available on both the frontend and the backend.

Frontend

On the frontend, information about the impersonator (a.k.a. the "actor") is available through the useAuth() hook. When actor is not null, it's an impersonation session.

const { userId, actor } = useAuth()

Backend

On the backend, it's available through the "auth" helper for the framework of your choice (Next.js shown).

import { withAuth } from "@clerk/nextjs/api";

export default withAuth(async (req) => {
  const { userId, actor } = req.auth;
  //...
});

If you do not use one of our SDKs, the data is available on the "act" claim of the authentication JWT in compliance with RFC 8693⁠.

Since the impersonator data is ultimately transmitted through the JWT, this additional context is available with no additional latency.

Technical deep dive coming soon

In the coming weeks, we'll continue to share more details about impersonation's design and all of it's capabilities.

Meanwhile, you can learn more in the impersonation documentation.

Thanks to the contributors: Alex Ntousias, Giannis Katsanos, George Desipris

Component Localization (i18n)

Our components now accept a localization prop, which enables internationalization and customization of our default English strings.

Check out the documentation for more details.

Grafbase, Convex, Nhost integrations

We've launched three additional JWT templates for Convex, Grafbase, and Nhost. Now you can easiliy sync the authenticated user with all of these tools!

Looking for another integration? We're eager to add more, reach out to our team!

Blocklist

In addition to the allowlist, we now support a blocklist. Use this to stop individuals or groups of individuals from signing up.

User bans

Users that already have an account can also now be banned. This action signs out the user from any existing sessions, and prevents them from signing in again.

MFA w/ Authenticator apps

Adding MFA to your app has never been easier... If you've already implemented Clerk, all you have to do is flip a switch.

We've extended our MFA offering to include Time-based one-time-passwords, also known as "TOTP", or, "authenticator apps." TOTP works with almost all modern authenticator apps, such as google authenticator, authy, 1password, hardware devices, and more.

While we've always had MFA w/ SMS, TOTP is a more secure alternative, although harder for some customers to use, and the best security is often security that someone uses1

For this reason, in our own "Clerk Dashboard" We're allowing MFA with either TOTP or SMS. So, go make your clerk account more secure, then let your customers do the same for your app!

You can enable TOTP by going to the clerk dashboard and then:

Configure > Users & Authentication > Multi-factor > Authenticator Apps

How it looks in our new user profile component:

Thanks to the contributors: Mark Pitsilos, Haris Chaniotakis

Updated Settings

On the Clerk dashboard you'll notice a few things moved. Webhooks now have their own home in the sidebar, as do instance-level settings.

We're going to be exposing smaller beta features through this settings page. As of now we have introduced the following settings

• Disable "Have I Been Pwned" password protection

• Enable test mode (this lets you use "fake" emails and phone numbers to sign in, very useful for E2E Testing, on by default for dev instances)

Thanks to the contributors: John Raptis, Sokratis Vidros

Customizable Session tokens

You could always generate custom JWTs with Clerk, but now you can add new claims directly to the Session token encoded in the HTTPOnly cookie.

This token is guaranteed to be up-to-date, and will impose no latency on any requests you make.

You can find this new option in your Dashboard. Navigate to:

Settings > Sessions > Customize Session Token

Thanks to the contributors: Haris Chaniotakis

Clerk Playground

We've created a new "Playground" that lets you easily explore Clerk's React SDK and our APIs. We've tried to keep the examples pared down and simple, so that you can use them as a reference when building your own custom flows. Our plan is to continually add to this repository of examples as a resource to help developers get going quickly with Clerk.

See the live example⁠, or go straight to the repo⁠

If there's a custom flow you want to see built, let us know in our discord

Thanks to the contributors: Ian McPhail, Charles Wefso

Data Processing Agreement

To be in compliance with GDPR, we've updated our data processing agreement and established a formal local presence in the EU.

Read the full agreement here.

Thanks to the contributors: Braden Sidoti

Redesigned components enter beta

Our redesigned components have entered private beta! This upgrade includes:

1. Improved default styles - Everything feels a bit more balanced and modern and by default.
2. Vastly more customizability - We're introducing an "appearance" prop that enables components to be customized with Tailwind, CSS Modules, or any styling solution that uses classnames.

To join the beta, please join our Discord⁠ and reach out in the #components-beta channel.

Thanks to the contributors: Nikos Douvlis

Free plan migration

Next week, we will be migrating customers from our old free plan to our new free plan that launched three weeks ago. This plan has a different set of features – more in some places, less in others – so we encourage everyone to verify the new plan still works for their business.

Impacted customers will also be notified by email.

WAF infrastructure upgrade

Behind the scenes this week, we migrated to a new "Web Application Firewall."

As Clerk has grown, attacks on our service have (unfortunately) also grown more frequent. We use a Web Application Firewall to help prevent against account takeovers by brute force attack⁠.

All customers received this update for free and we did not detect any impact to latency, or to non-automated traffic.

Next.js 12.2

We've upgraded our @clerk/nextjs package to support Next.js 12.2, Make sure you're on version 3.7.1 or greater.

Thanks to the contributors: Peter Perlepes

Emails w/ High Deliverability

We're testing out a new email flow. Our core verification emails are sent through Sendgrid, from your domain. Even though we follow all of the best practices, there are a few things we can't account for that still causes some verification/sign-in emails to go to spam.

For people having trouble, this new email flow should solve your problems:

• Emails are sent from Postmark.
• Emails are sent from verifications@clerk.dev
• Will only send OTP verifications, since these have historically had less deliverability issues.

If you're having issues, send us an email at support@clerk.dev to enable.

Thanks to the contributors: Agis Anastasopoulos

Sign in with Line

Allow your users to sign in via Line https://line.me/en/⁠

Thanks to the contributors: Haris Chaniotakis

Backend API updates

• Custom Session Token - Clerk automatically keeps session tokens alive, now you can customize what data goes into these tokens. Previously, this was only possible by creating a custom JWT template, and sending it to your backend manually.
• Filter invitations by status

Thanks to the contributors: Giannis Katsanos, Agis Anastasopoulos