Clerk Billing now supports linking an existing Stripe account.
You can now link and use an existing Stripe account for Clerk Billing, as long as the account is not associated with another platform.
Head to your billing settings in the Clerk Dashboard to get started today.
Last Friday, Troy Hunt shared that 625 million never-before-leaked passwords had been added to Have I Been Pwned, the password leak detection service. The update brought relief to our team at Clerk, which had been fighting credential stuffing attacks for the two weeks prior.
Attackers were attempting to test millions of stolen passwords in quick bursts, with seemingly endless rotating IPs and TLS fingerprints to slip past rate limiters.
While we were able to mitigate the vast majority of the attack, leaks of this scale mean that even 99.9% effectiveness isn’t enough.
So we decided to kill credential stuffing for good, with a mechanism we’re calling Client Trust.
Client Trust is Clerk’s new defense against credential stuffing. It works by treating every new device as untrusted until the user has signed in on it.
Here’s what that means in practice:
Then Clerk will automatically require a second factor, with either a one-time passcode or a magic link, depending on the application’s settings.
That’s it. No extra configuration and no guesswork. Just automatic protection from day one.
We know that developers don’t want to choose between user experience and security. Client Trust is designed to make that trade-off obsolete.
It’s invisible when it should be, and decisive when it must be. No more leaked-password panics. No more hoping users turned on 2FA.
With Client Trust, your users are protected even when their password is included in a 0-day credential leak.
Client Trust is included in all Clerk plans, and automatically enabled for new applications.
Existing applications must enable the update manually from the Updates page of the dashboard. For most customers, it’s available as one-click update.
You can now update billing plan prices even when the plan has active paid subscriptions.
Previously, when a billing plan had active paid subscriptions, the price fields in the dashboard were disabled and couldn't be modified. This was a protective measure to prevent accidental changes that could affect existing subscribers.
With this update, you now have full control over your plan pricing, regardless of subscription status.
When you update the price of a plan with active subscriptions:
We're working on additional functionality that will give you even more control over pricing updates. In a future release, you'll be able to automatically transition existing subscriptions to updated pricing at their next billing date.
To update pricing for an active plan:
The Clerk Expo SDK now supports native Sign in with Apple, providing a seamless authentication experience for iOS users.
Clerk's Expo SDK now includes native Sign in with Apple support, allowing iOS users to authenticate using their Apple ID directly within your Expo applications. This integration provides a streamlined, privacy-focused authentication method that meets Apple's requirements for apps offering third-party sign-in options.
Unlike web-based OAuth flows, the native Sign in with Apple implementation offers:
To enable Sign in with Apple in your Expo app, configure the OAuth provider in your Clerk Dashboard and add the authentication strategy to your sign-in flow. The SDK handles the native integration automatically on iOS devices, falling back to web-based flows on other platforms
For detailed setup instructions and implementation guidance, check out the Expo OAuth documentation or the Integration Guide
Custom OIDC providers and custom social connections now support PKCE for enhanced security in native and mobile applications.
You can now enable PKCE (Proof Key for Code Exchange) when configuring custom OIDC providers and custom social connections. This enhancement provides better security for applications that cannot securely store client secrets.
PKCE is a security extension to the OAuth 2.0 Authorization Code flow. It was originally designed for public clients like mobile and native applications, but is now recommended for all OAuth 2.0 clients as a best practice.
Instead of relying on a static client secret, PKCE creates a cryptographically random secret for each authorization request. This means even if an authorization code is intercepted, it cannot be exchanged for tokens without the original secret.
Enable PKCE for:
To enable PKCE for your custom OAuth provider:
Once enabled, Clerk will automatically use the Authorization Code with PKCE flow for authentication with that provider.
New API Version available with Clerk Billing updates
/billing path to replace the legacy /commerce endpoints for all billing-related functionality.More details can be found in the upgrade guide linked above.