Build custom role based access control (RBAC) systems by managing organization roles and permissions via an API.
You can now completely manage permissions and roles through the Clerk Backend API. Build sophisticated access control systems tailored to your application's needs — whether you're syncing roles from external systems, automating permission assignments, or creating custom admin interfaces.
What's new
The following endpoints are now available on Clerk's backend API:
Organization Permissions
Endpoint
Description
GET /v1/organization_permissions
List all permissions with pagination and filtering
Last Friday, Troy Hunt shared that 625 million never-before-leaked passwords had been added to Have I Been Pwned, the password leak detection service. The update brought relief to our team at Clerk, which had been fighting credential stuffing attacks for the two weeks prior.
Attackers were attempting to test millions of stolen passwords in quick bursts, with seemingly endless rotating IPs and TLS fingerprints to slip past rate limiters.
While we were able to mitigate the vast majority of the attack, leaks of this scale mean that even 99.9% effectiveness isn’t enough.
So we decided to kill credential stuffing for good, with a mechanism we’re calling Client Trust.
Introducing Client Trust
Client Trust is Clerk’s new defense against credential stuffing. It works by treating every new device as untrusted until the user has signed in on it.
Here’s what that means in practice:
If a user enters a valid password
and hasn’t enabled two-factor authentication
and is signing in from a new client (device)
Then Clerk will automatically require a second factor, with either a one-time passcode or a magic link, depending on the application’s settings.
That’s it. No extra configuration and no guesswork. Just automatic protection from day one.
Security that adapts to reality
We know that developers don’t want to choose between user experience and security. Client Trust is designed to make that trade-off obsolete.
It’s invisible when it should be, and decisive when it must be. No more leaked-password panics. No more hoping users turned on 2FA.
With Client Trust, your users are protected even when their password is included in a 0-day credential leak.
Free for everyone
Client Trust is included in all Clerk plans, and automatically enabled for new applications.
Existing applications must enable the update manually from the Updates page of the dashboard. For most customers, it’s available as one-click update.
You can now update billing plan prices even when the plan has active paid subscriptions.
What changed?
Previously, when a billing plan had active paid subscriptions, the price fields in the dashboard were disabled and couldn't be modified. This was a protective measure to prevent accidental changes that could affect existing subscribers.
With this update, you now have full control over your plan pricing, regardless of subscription status.
How pricing updates work
When you update the price of a plan with active subscriptions:
Existing subscriptions continue at their current price
New subscriptions use the updated pricing immediately
We're working on additional functionality that will give you even more control over pricing updates. In a future release, you'll be able to automatically transition existing subscriptions to updated pricing at their next billing date.
The Clerk Expo SDK now supports native Sign in with Apple, providing a seamless authentication experience for iOS users.
Clerk's Expo SDK now includes native Sign in with Apple support, allowing iOS users to authenticate using their Apple ID directly within your Expo applications. This integration provides a streamlined, privacy-focused authentication method that meets Apple's requirements for apps offering third-party sign-in options.
Native integration benefits
Unlike web-based OAuth flows, the native Sign in with Apple implementation offers:
Faster authentication - No browser redirects or context switching
Better user experience - Native iOS UI that users recognize and trust
Privacy features - Support for Apple's Hide My Email functionality
App Store compliance - Meets Apple's guidelines for apps with social login
Getting started
To enable Sign in with Apple in your Expo app, configure the OAuth provider in your Clerk Dashboard and add the authentication strategy to your sign-in flow. The SDK handles the native integration automatically on iOS devices, falling back to web-based flows on other platforms
Custom OIDC providers and custom social connections now support PKCE for enhanced security in native and mobile applications.
You can now enable PKCE (Proof Key for Code Exchange) when configuring custom OIDC providers and custom social connections. This enhancement provides better security for applications that cannot securely store client secrets.
What is PKCE?
PKCE is a security extension to the OAuth 2.0 Authorization Code flow. It was originally designed for public clients like mobile and native applications, but is now recommended for all OAuth 2.0 clients as a best practice.
Instead of relying on a static client secret, PKCE creates a cryptographically random secret for each authorization request. This means even if an authorization code is intercepted, it cannot be exchanged for tokens without the original secret.
When to use PKCE
Enable PKCE for:
Native and mobile apps - These applications cannot securely store client secrets since their code can be reverse-engineered
Single-page applications (SPAs) - Modern best practice recommends PKCE for browser-based apps
Any public client - Applications where the source code is accessible to end users
