Domain verification
Clerk can verify that a domain belongs to an Organization in two ways. Each proves something different and unlocks different features.
Affiliation and ownership are tracked separately on the OrganizationDomain object, so a single domain can have both.
Domain affiliation
Affiliation verification confirms that a user controls an email address at the domain. The user adds a domain, Clerk sends a verification code to an email address at that domain, and the user enters the code. If the user already has a verified email at that domain on their account, Clerk verifies the affiliation automatically.
This is the verification behind Verified Domains, which powers automatic invitations and suggestions. Its verification strategy is email_code.
To verify affiliation programmatically, use prepareAffiliationVerification() and attemptAffiliationVerification() on the OrganizationDomain object.
Domain ownership
Ownership verification confirms that the Organization controls the domain itself, which is a higher bar than affiliation. It's required before a domain can be assigned to an enterprise SSO connection through self-serve SSO.
When ownership verification starts, Clerk issues a DNS TXT record for each domain (a txtRecordName and txtRecordValue). An admin publishes the record with their DNS provider, and Clerk scans for it to confirm ownership.
Ownership can be established in a few ways, reflected in the verification strategy:
- txt: The standard flow described above, proven by publishing the DNS TXT record.
- legacy: Granted implicitly to domains that predate the TXT verification flow.
- manual_override: Granted manually by a Clerk admin through the Backend API or Clerk Dashboard, bypassing the DNS challenge.
You can verify ownership through:
- The Security tab of <OrganizationProfile />, as part of the self-serve SSO flow.
- The Backend API.
- The frontend SDK, using the Organization's prepareOwnershipVerification() and attemptOwnershipVerification() methods. These verify domains in bulk: pass the domain IDs, and each domain's result reports success or an error independently, so one bad domain doesn't fail the batch.