User Authentication

Everything you need. Secure by default.

Simple and secure user authentication, complete with everything you need out-of-the-box to provide a secure experience for your users.

  • SOC 2 Type 2

    Clerk follows the highest standards in security compliance to ensure your customer data stays safe.

  • HIPAA

    Clerk complies with the Health Insurance Portability and Accountability Act (HIPAA). This means it’s safe to store even the most sensitive user data.

  • Bot & Brute force detection

    Let Clerk worry about every emergent security attack vector, while you focus on building your business.

  • Password leak protection

    Enforce best practices by configuring custom password policies, and leveraging automatic HaveIBeenPwned leak detection.

Social SSO

Add high-conversion Social SSO to your application in seconds

When available, 53% of users choose to sign in with SSO instead of the alternatives. With Social SSO, Clerk makes it extremely simple to offer authentication the way your users want.

  • Convert faster with SSO

    SSO averages 1.3 times faster than passwords, and 5.2 times faster than other passwordless authentication solutions like magic links.

  • One-click integration

    Don’t spoil SSO’s impressive performance with common mistakes. Clerk handles edge cases gracefully, so you don’t have to.

  • Pick your providers

    Clerk supports a wide range of SSO providers and is always adding more. If you need a provider that isn’t listed, please submit a request here.

  • Automatic Account Linking

    If a user signs in with SSO after creating their account a different way, they are automatically linked to the original.

Clerk Components

Pre-built components, ready for everything

Simply add <SignIn />, <SignUp />, <UserButton />, <UserProfile /> anywhere in your React codebase. Keep users on your own domain, and bring your own CSS to align to your brand.


Multi-factor authentication

MFA is the best way to prevent account takeovers.

Stop 99.9% of account takeovers in their tracks and provide the level of security your users have come to expect.

  • SMS Passcodes.

    A text-based digital handshake, securely verifying identity with a unique, randomly generated code delivered straight to your mobile phone.

  • Authenticator apps (TOTP).

    Personal digital locksmiths, creating dynamic, time-based one-time passwords (TOTPs) to secure your online access points.

  • Hardware keys.

    Hardware keys are your personal digital padlocks, physically securing your data by requiring a unique key from a physical device to unlock your accounts.

  • Recovery codes.

    Your digital lifeline, granting you access to your account when other forms of authentication are unavailable.

Passwordless

Convert your users to your product in seconds.

Eliminate forgotten passwords and credential stuffing attacks by going passwordless.

  • Social SSO.

    Virtual passports, allowing you to swiftly navigate through various platforms using a single trusted account.

  • Magic Links.

    One-click gateways, offering a seamless and password-free method to authenticate and access your digital domains securely.

  • Email-based OTP.

    Exclusive digital stamps, presenting a one-time-use password for secure access, delivered directly to your inbox.

  • SMS-based OTP.

    Your personalized digital keys, sent directly to your mobile device for secure one-time access.

Enterprise SSO

Easily implement Enterprise-grade tools like SAML and OpenID Connect

Forget the pain of having to manually implement SAML auth flows into your app. Now implementing a compliant SAML flow is as simple as filling out a form in Clerk's Dashboard.


Advanced security

Take the security burden off your shoulders

Working with Clerk means integrating an enterprise-ready solution that considers security, privacy, and compliance our crucial responsibility and a top priority in everything we build.

  • Pen tests & source code review

    Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.

  • XSS leak protection

    Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize attack surface area by using HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks.

  • CSRF protection

    Most Cross-Site Request Forgery (CSRF) attacks can be prevented by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by setting the SameSite attribute on its cookies.

  • Session fixation protection

    Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.

  • Password protection and rules

    Clerk uses NIST guidelines to determine the character rules for passwords and contracts with HaveIBeenPwned to review prospective passwords. Additionally, Clerk leverages bcrypt, an industry standard hashing algorithm for storage.

  • Session leak protection

    Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.
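
The session-fixation and cookie protections in the list above, sketched as an added JavaScript example (this is not Clerk's code; the class, function and cookie names are hypothetical). Sign-in discards whatever token the browser presented and issues a fresh one, and the cookie is built with HttpOnly, Secure and SameSite.

```javascript
// Added illustration, not Clerk's implementation. All names are hypothetical.
const { randomBytes } = require("node:crypto");

class SessionStore {
  constructor() {
    this.sessions = new Map(); // token -> { userId } (userId null = anonymous)
  }

  // Always generate the token server-side; never adopt a client-supplied value.
  issue(userId) {
    const token = randomBytes(32).toString("hex");
    this.sessions.set(token, { userId });
    return token;
  }

  // Sign-in: the presented token may have been planted by someone else,
  // so invalidate it and bind the user to a brand-new token.
  signIn(presentedToken, userId) {
    if (presentedToken) this.sessions.delete(presentedToken);
    return this.issue(userId);
  }

  // Sign-out: the old token stops authenticating immediately.
  signOut(presentedToken) {
    return this.sessions.delete(presentedToken);
  }

  authenticate(token) {
    const session = this.sessions.get(token);
    return session ? session.userId : null;
  }
}

// HttpOnly hides the token from page script (XSS), SameSite limits
// cross-site sends (CSRF), Secure restricts the cookie to HTTPS.
function sessionCookie(token, { name = "example_session", sameSite = "Lax" } = {}) {
  return `${name}=${token}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Audit helper: list the protective attributes a Set-Cookie value lacks.
function missingCookieAttributes(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}
```

`missingCookieAttributes` can be pointed at the `Set-Cookie` headers of any application to check that its session cookies carry the same attributes.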

Security, Privacy, and Compliance in one tool

  • SOC2 Type II

  • HIPAA

  • CCPA

Session management

Speed up your application with sub-millisecond authentication

Clerk manages the full session lifecycle, including critical security features like active device monitoring and session revocation.

  • Don’t let auth slow your critical path

    Clerk’s session architecture is purpose-built to be extremely performant and low-latency across the globe. Avoid the effort and complexity it takes to build session management infrastructure and let us obsess about it instead.

  • Stop account takeovers in their tracks

    Our team is constantly assessing and protecting against the latest threats so you don’t have to. Never again compromise on critical features like session revocation because they take too long to build – Clerk provides them out of the box.

  • Multi-account, multi-device, multi-session by default

    Most modern applications expect users to have separate accounts for business and personal contexts. Clerk’s session management enables users to sign into many accounts at once, and switch as needed.
