# Clerk Glossary

## Access Control List (ACL)

- URL: https://clerk.com/glossary.md#access-control-list-acl
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: An access control list (ACL) is a resource-scoped policy that lists which principals (users, groups, service accounts) have which permissions on that resource. Each access control entry (ACE) names a subject and a set of allowed or denied actions (`read`, `write`, `execute`, `delete`), optionally with inheritance. At request time, the system resolves the caller and evaluates ACEs in a defined order with default-deny. ACLs are fine-grained but resource-scoped and hard to operate across thousands or millions of resources, causing many teams to adopt [RBAC](/blog/role-based-access-control-with-clerk-orgs) or [ABAC](/blog/authentication-vs-authorization).

**Related terms:**

- Role Based Access Control (RBAC)
- Custom Permissions
- Authorization
- Custom Roles

---

## Access Token

- URL: https://clerk.com/glossary.md#access-token
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: An Access Token is a credential used to access protected resources in an API, typically issued by an authorization server and used in OAuth and OpenID Connect protocols.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- OAuth
- JSON Web Token
- Authentication

---

## Account Linking

- URL: https://clerk.com/glossary.md#account-linking
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Account Linking is the process of connecting multiple user accounts (from different identity providers, services, or platforms) to a single user identity, so that the user can sign in with any of the linked credentials and reach the same account rather than ending up with duplicate accounts.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- User Management
- User Profile
- OAuth

---

## Account Portal

- URL: https://clerk.com/glossary.md#account-portal
- Date: 2024-07-24
- Category: User & Session Management
- Description: An Account Portal is a user interface that allows users to manage their account settings, personal information, and preferences within an application.

**Related terms:**

- User Management
- User Profile
- Authentication
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- User Experience

---

## Account Protection

- URL: https://clerk.com/glossary.md#account-protection
- Date: 2026-03-19
- Category: Security
- Description: Account protection encompasses the security measures and strategies used to prevent unauthorized access to user accounts, including multi-factor authentication, bot detection, brute force prevention, and credential stuffing mitigation.

**Related terms:**

- Multi-factor Authentication (MFA)
- Account Recovery
- Account Takeover
- Brute Force Detection
- Bot Detection
- [Credential Stuffing](https://clerk.com/glossary/credential-stuffing.md)

---

## Account Recovery

- URL: https://clerk.com/glossary.md#account-recovery
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Account recovery refers to controlled verification flows that let a legitimate user regain access to their account when primary factors are lost or unavailable—typically via OTP, email link, backup/recovery codes, a trusted device, or passkey recovery.

**Related terms:**

- Email Links
- One-Time Passcodes (Email / SMS)
- Recovery Codes
- Passkeys

---

## Account Security

- URL: https://clerk.com/glossary.md#account-security
- Date: 2026-03-19
- Category: Security
- Description: Account security refers to the practices and technologies that safeguard user accounts from compromise, including strong authentication methods, session management, and proactive threat detection.

**Related terms:**

- Account Recovery
- Account Takeover
- Multi-factor Authentication (MFA)
- Brute Force Detection
- Session Management

---

## Account Takeover

- URL: https://clerk.com/glossary.md#account-takeover
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: An Account Takeover refers to the unauthorized access to and control of a user's account by a malicious actor. Such a compromise often involves exploiting weak or reused passwords, phishing, or other vulnerabilities to reach personal information, financial data, or other sensitive content. Preventing account takeovers is crucial for maintaining user trust and safeguarding data integrity.

**Related terms:**

- Credential Stuffing Attacks
- Multi-factor Authentication (MFA)
- Bot Detection
- Authorization
- Account Protection
- Account Security

---

## Action Function

- URL: https://clerk.com/glossary.md#action-function
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: An Action Function is a function that handles user actions, such as form submissions or button clicks, often performing tasks like data processing or API calls.

**Related terms:**

- Loader Function
- Middleware
- Server-Side Rendering (SSR)
- API Integration
- Data Fetching

---

## Active Device Monitoring

- URL: https://clerk.com/glossary.md#active-device-monitoring
- Date: 2024-07-24
- Category: Security
- Description: Active Device Monitoring is a continuous security practice that involves tracking and analyzing the behavior of devices connected to a network. This technique helps in identifying suspicious activities, unauthorized access attempts, and potential security threats in real-time. Implementing active device monitoring enhances the overall security posture by ensuring only trusted devices can access sensitive information.

**Related terms:**

- AI Authentication
- Authentication
- Bot Detection
- Security Assertion Markup Language (SAML)
- Security Monitoring

---

## Admin Dashboard

- URL: https://clerk.com/glossary.md#admin-dashboard
- Date: 2024-07-24
- Category: User & Session Management
- Description: An Admin Dashboard is a user interface that provides administrators with access to various tools and data for managing and monitoring an application, including user management, analytics, and settings.

**Related terms:**

- User Management
- User Profile
- Roles
- Organizations
- Analytics

---

## Aggregated Claims

- URL: https://clerk.com/glossary.md#aggregated-claims
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Aggregated claims in OIDC are third-party user claims that the OpenID Provider returns inside UserInfo as an embedded, signed JWT. The response includes `_claim_names` and `_claim_sources` to show which claims came from which external issuer. The client validates that embedded JWT and then uses the claims, no extra fetch required.

**Related terms:**

- Claim
- JSON Web Token
- Identity Provider SSO (IdP SSO)
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)

---

## AI Authentication

- URL: https://clerk.com/glossary.md#ai-authentication
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: AI Authentication leverages artificial intelligence to enhance the security and efficiency of the authentication process. By analyzing patterns, behaviors, and biometric data, AI authentication can provide a more secure and seamless user experience. This advanced method reduces the risk of fraud and unauthorized access by continuously learning and adapting to new threats.

**Related terms:**

- Artificial Intelligence (AI)
- Active Device Monitoring
- Authentication
- Bot Detection

---

## Allowlist/Blocklist

- URL: https://clerk.com/glossary.md#allowlist-denylist
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Allowlist/Blocklist (also called Denylist) are explicit sets of permitted or blocked values (e.g., emails, domains, phone numbers, Web3 addresses) enforced at sensitive points like sign-up and sign-in. It's good practice to adopt a default-deny stance (permit only allowlisted values) and reserve the blocklist for explicit hard blocks.

**Related terms:**

- Rate Limiting
- Bot Detection
- Disposable Email Detection
- Brute Force Detection

---

## API Authentication

- URL: https://clerk.com/glossary.md#api-authentication
- Date: 2025-02-13
- Category: Authentication & Authorization
- Description: API authentication is the process of verifying the identity of a client — whether a user, application, or service — before granting access to an API's protected resources. Unlike browser-based authentication, which typically relies on sessions and cookies, API authentication is usually stateless: credentials or tokens are sent with every request, most commonly in the HTTP Authorization header. Common methods include API keys, HTTP Basic Authentication, Bearer tokens (often JWTs), and OAuth 2.0 flows. API authentication confirms who is making the request; API authorization then determines what that caller is permitted to do. Choosing the right method depends on the trust model — API keys suit simple server-to-server identification, while OAuth 2.0 is better suited for delegated access on behalf of a user.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- Bearer Token
- JSON Web Token
- OAuth
- Authorization
- API Security

---

## API Gateway

- URL: https://clerk.com/glossary.md#api-gateway
- Date: 2025-10-01
- Category: Development Tools & Concepts
- Description: An API gateway centralizes request routing to backend services, rate limiting, caching, and TLS termination. In auth contexts, it verifies tokens and applies per-route policies. Note: Clerk is not an API gateway but provides authentication middleware that integrates with API gateways to handle JWT verification and authorization checks.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- Rate Limiting
- Authorization
- Middleware

---

## API Integration

- URL: https://clerk.com/glossary.md#api-integration
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: API integration is the process of connecting different software systems through their application programming interfaces, enabling them to exchange data and functionality seamlessly.

**Related terms:**

- Application Programming Interface
- API Authentication
- API Gateway
- [API Key](https://clerk.com/glossary/api-key.md)
- Webhook
- Integration
- Endpoint

---

## API Key

- URL: https://clerk.com/glossary/api-key.md
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: An API Key is a unique identifier used to authenticate a user, developer, or calling program to an API (Application Programming Interface). API keys are essential for controlling access to the API, tracking usage, and preventing unauthorized access. Proper management and security of API keys are critical to protect sensitive data and maintain the integrity of the API.

**Related terms:**

- Application Programming Interface
- Access Token
- Endpoint
- OAuth

API keys are fundamental building blocks of modern software development that enable secure communication between applications and services. These unique identifiers authenticate and authorize applications accessing an API, providing a straightforward way to control access to resources, monitor usage, and maintain security. Understanding API keys is important for developers who need to integrate external services or protect their own APIs.

API keys serve multiple purposes: they are used to authenticate requests, track usage metrics, and enforce rate limits. While they offer simplicity and ease of implementation, API keys also require careful management to prevent security vulnerabilities. This guide explores how API keys work, their benefits and limitations, and best practices for implementation.

## What is an API key

An API key is a unique identifier that serves as a means to authenticate and authorize applications accessing an [Application Programming Interface (API)](https://en.wikipedia.org/wiki/API). It functions as a secret code that allows API providers to verify the identity of requesting parties and ensure interactions are legitimate and permissible.

API keys are usually long, alphanumeric strings generated by API providers and distributed to developers of applications requiring access. When making an API request, applications include the API key in a request header or as a body parameter. This inclusion allows the [API to authenticate](/blog/how-to-authenticate-api-requests-with-clerk-express) the request and authorize access to specified resources.

Here's an example of an API key in an HTTP request:

```txt
GET /v1/resource HTTP/1.1
Host: api.example.com
Authorization: Bearer YOUR_API_KEY_HERE
```

## What are API keys used for

API keys are used to facilitate secure authentication and access control. Key use cases include:

- **Authentication**: Since each API key is unique and secret, it can be used to verify which application is making a request.
- **Usage monitoring**: API keys are used to track the number of requests made by each application. This data assists in usage analysis, billing, and identifying trends or potential abuse.
- **Authorization and access control**: API keys can restrict or grant access to specific parts of an API, and ensure applications can only read or write resources if they have permission.
- **Rate limiting**: API providers can implement rate limits based on API keys. This prevents a single application from overwhelming the service with too many requests in a short time.

## Evolution of API keys

The history of API keys parallels the development of web services and distributed computing. As software systems became more interconnected, the need for secure access to remote services emerged.

The late 1990s and early 2000s saw the rise of web APIs, and API keys emerged as an elegant solution for managing and securing access to web services. Companies like Salesforce, eBay, and Amazon pioneered the use of API keys to manage access to their services, establishing them as a standard security mechanism.

Modern API keys support sophisticated features like rate limiting, access restrictions, and usage tracking. While they remain widely used, the evolution of security requirements has led to complementary authentication methods like [JSON Web Tokens (JWT)](/docs/backend-requests/making/jwt-templates) and OAuth 2.0, offering enhanced security features for more complex scenarios.

## How do API keys work

API keys operate through a straightforward process of generation, distribution, and validation. The workflow follows these steps:

1. Generation: API providers create unique keys using secure random number generators.
2. Distribution: Keys are securely shared with authorized developers or applications.
3. Implementation: Developers include keys in API requests through headers or parameters.
4. Validation: API servers verify keys and process requests based on associated permissions.

## Security best practices

To maximize API key security:

- Store keys securely using environment variables or secret management tools.
- Implement HTTPS to prevent key interception.
- Use rate limiting to prevent abuse.
- Rotate keys frequently.
- Monitor key usage for suspicious activity.
- Implement additional security layers for sensitive operations.
- Keep keys out of version control and public repositories.

## Secret API keys vs publishable API keys

Some services offer both secret and publishable API keys. In these cases, secret keys are for backend environments and must be kept confidential; they enable direct access to sensitive operations. Publishable keys, on the other hand, are used in public contexts such as browser or mobile code, for operations that an untrusted party is allowed to perform, like collecting user input.

Typically, an action performed with a publishable key is paired with one performed with the secret key. For example, when collecting a payment, an API request that requires the secret key sets the purchase amount, while an API request that requires the publishable key collects the user's credit card details. This split ensures that the client, which is not trusted, cannot set the payment amount.

## API keys in Clerk

Clerk's authentication service implements a dual-key system using publishable and secret keys.

Publishable keys (prefixed with `pk_test_` or `pk_live_`) handle client-side operations and are expected to be exposed in frontend environments. Secret keys (prefixed with `sk_test_` or `sk_live_`) manage sensitive server-side operations and must remain confidential.

Developers typically store API keys as environment variables, which are supported across most development and production environments.

In the [Next.js](/docs/quickstarts/nextjs) development environment, applications use the pair of API keys labeled with `test`, and store them in the .env.local file. In the [Vercel](/docs/deployments/deploy-to-vercel) production environment, applications use the API keys labeled with `live` and store them as Vercel Environment Variables.

The API keys can be retrieved from Clerk's dashboard on the API keys page.

---

## API Rate Limits

- URL: https://clerk.com/glossary.md#api-rate-limits
- Date: 2025-10-01
- Category: Security & Privacy
- Description: API rate limits are policies that cap the volume of requests a client (application, user, IP, etc.) can send to specific API endpoints over a defined time interval. Limits may be per token / API key, IP address, user account, or tenant (or a combination).

**Related terms:**

- Rate Limiting
- API Gateway
- Bot Detection
- Brute Force Detection
- API Security

---

## API Security

- URL: https://clerk.com/glossary.md#api-security
- Date: 2026-03-19
- Category: Security
- Description: API security encompasses the practices and tools used to protect application programming interfaces from unauthorized access, data breaches, and abuse, including authentication, rate limiting, and encryption.

**Related terms:**

- API Authentication
- [API Key](https://clerk.com/glossary/api-key.md)
- API Rate Limits
- API Gateway
- Bearer Token
- Access Token
- TLS

---

## API Testing

- URL: https://clerk.com/glossary.md#api-testing
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: API testing is the process of verifying that application programming interfaces function correctly, securely, and performantly, often using specialized tokens and tools to simulate authenticated requests.

**Related terms:**

- Testing Tokens
- API Authentication
- [API Key](https://clerk.com/glossary/api-key.md)

---

## App Router

- URL: https://clerk.com/glossary/app-router.md
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: An App Router is a routing system in a web application framework that manages the navigation and rendering of different views or pages based on URL paths.

**Related terms:**

- Route-Specific Authentication
- [Frontend API](https://clerk.com/glossary/frontend-api.md)
- Middleware
- URL Routing
- Application Architecture

The [App Router](https://nextjs.org/docs/app) is a filesystem-based router in Next.js, a framework for building performant applications. It organizes routes with directories and files in the `app` directory. Each directory represents a URL segment, while the files define how requests to that route are handled. The App Router supports React Server Components, nested routes, and reusable layouts, among many other features.

## App router reserved filenames

Most files in the App Router are not automatically exposed to the internet by Next.js, and instead need to be imported by other files.

The filenames that are reserved for special behavior include:

1. `page.tsx` - Renders the default exported React component when a GET request is received at the URL segment defined by the directory.
2. `layout.tsx` - Used as the layout for the directory and all of its child directories. `page.tsx` is nested as the deepest child within all parent layouts. A `layout.tsx` is optional everywhere except in the `app` directory itself, which requires a "root layout".
3. `route.tsx` - Implements custom request handlers that skip the default layout and page handling. It is normally used for non-GET requests, although GET requests are supported if desired.
4. `loading.tsx` - The sibling or nearest parent `loading.tsx` renders within its sibling and parent layouts while awaiting any children to complete asynchronous operations.
5. `error.tsx` - The sibling or nearest parent `error.tsx` renders within its sibling and parent layouts when a JavaScript error is thrown.

These files establish a clear and organized routing structure.

## Differences between app router and pages router

The App Router was introduced in Next.js version 13 in 2022, and is considered the successor to the Pages Router. The App Router offers more advanced capabilities and flexibility than the Pages Router.

### File structure and convention

Both the Pages Router and App Router use a filesystem-driven router. However, the Pages Router uses a `pages` directory with a different file- and directory- naming convention for routing.

### Routing flexibility

The App Router supports advanced routing capabilities like route groups, parallel routes, and intercepting routes, which do not have native support in the Pages Router.

### Simplified data loading

The App Router supports React Server Components, where data can be loaded simply by calling `fetch()` within a component. The Pages Router requires the use of `getServerSideProps` and a serialization layer, which adds significant complexity to data loading.

### Performance optimization

The directory structure and server-driven nature of the App Router enables Next.js to reduce waterfalls during page loading, and cache individual route segments, which leads to higher performance applications. The App Router also supports streaming for faster loading speeds.

### Migration considerations

A single application can use the App Router and Pages Router at the same time, which enables developers to migrate page-by-page more easily.

For more in-depth understanding, visit the [Next.js documentation](https://nextjs.org/docs).

## Implementation and usage

Create routes in the App Router by adding directories and files in the `app` folder. The hierarchy corresponds directly to address paths.

### Basic route creation

```tsx
// app/blog/page.tsx

export default function BlogPage() {
  return (
    <div>
      <h1>Blog Posts</h1>
      <p>Welcome to our blog section</p>
    </div>
  )
}
```

This file creates a route at `/blog` with a welcome page.

### Dynamic routes

Dynamic routes accept parameters by using brackets in the directory name:

```tsx
// app/posts/[id]/page.tsx

// `params.id` is the value captured by the `[id]` directory segment.
export default function Post({ params }: { params: { id: string } }) {
  return <h1>Post: {params.id}</h1>
}
```

This design handles routes like `/posts/1`.

### Layouts and nesting

The App Router provides shared layouts with a `layout.tsx` file. The "root layout" is the top-most layout and must contain the `<html>` tag:

```tsx
// app/layout.tsx
import type { ReactNode } from 'react'

// The root layout wraps every page in the app and must render <html> and <body>.
export default function RootLayout({ children }: { children: ReactNode }) {
  return (
    <html>
      <body>
        <nav>{/* Navigation components */}</nav>
        {children}
        <footer>{/* Footer content */}</footer>
      </body>
    </html>
  )
}
```

## Integration with Clerk

The App Router works with [Clerk's authentication system](/docs/references/nextjs/overview) for user management. Clerk's middleware and helpers were all designed to integrate well with the App Router.

### Authentication implementation

```ts
// middleware.ts
import { clerkMiddleware } from '@clerk/nextjs/server'

// clerkMiddleware() resolves the session for every matched request and makes it
// available to auth() in Server Components and route handlers. On its own it does
// not block unauthenticated requests; route protection is applied separately.
export default clerkMiddleware()

export const config = {
  matcher: [
    // Skip Next.js internals and all static files, unless found in search params
    '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
    // Always run for API routes
    '/(api|trpc)(.*)',
  ],
}
```

### Protected routes

```tsx
// app/dashboard/page.tsx
import { auth } from '@clerk/nextjs/server'

export default async function DashboardPage() {
  const { userId } = await auth()
  if (!userId) {
    return <div>Not signed in</div>
  }

  return <div>Protected Dashboard Content</div>
}
```

## Performance and optimization

The App Router enhances application performance through:

1. Automatic code splitting based on routes.
2. Built-in data caching and revalidation.
3. Parallel route rendering.
4. Streaming Server-Side Rendering (SSR).

These features create faster, more responsive applications while reducing server load.

## Building for the future

The App Router is a solid base for modern web apps. Learn its concepts for maintaining and optimizing apps. For more detailed documentation, visit the [Next.js documentation](https://nextjs.org/docs) and [our Next.js Overview](/docs/references/nextjs/overview).

---

## Application Architecture

- URL: https://clerk.com/glossary.md#application-architecture
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Application architecture defines the structural design of a software application, including how components are organized, how data flows between layers, and how concerns like authentication, routing, and data access are separated.

**Related terms:**

- Framework
- Middleware
- [App Router](https://clerk.com/glossary/app-router.md)
- React Server Components
- Action Function
- Loader Function
- Route-Specific Authentication

---

## Application Programming Interface

- URL: https://clerk.com/glossary.md#application-programming-interface
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: An Application Programming Interface (API) is a set of rules and protocols that allows different software applications to communicate with each other, enabling integration and data exchange.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- Endpoint
- Integration
- Documentation
- API Integration

---

## Artificial Intelligence (AI)

- URL: https://clerk.com/glossary.md#artificial-intelligence-ai
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Artificial Intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think, learn, and perform tasks typically requiring human intelligence. AI encompasses a variety of technologies, including machine learning, natural language processing, and robotics. In web development and security, AI is used to enhance user experiences, automate processes, and improve threat detection.

**Related terms:**

- AI Authentication
- Machine Learning
- Automation
- Data Analysis

---

## Assertion Consumer Service (ACS)

- URL: https://clerk.com/glossary.md#assertion-consumer-service-acs
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Assertion Consumer Service (ACS) is a service-provider endpoint that receives SAML assertions from the identity provider. It validates signature, audience, issuer, and time bounds before a session is established.

**Related terms:**

- Security Assertion Markup Language (SAML)
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- Identity Provider SSO (IdP SSO)
- Session

---

## Attribute Mapping

- URL: https://clerk.com/glossary.md#attribute-mapping
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Attribute mapping translates identity data from an external IdP into Clerk's user schema. During SAML/OIDC sign-in or JIT provisioning, incoming attributes (e.g., `email`, `given_name`, `family_name`) are mapped to Clerk User properties. Additional claims can be mapped to `publicMetadata` by prepending `public_metadata_`. Clerk also allows setting default values for missing claims when IdPs return non-standard formats.

**Related terms:**

- Claim
- Identity Provider SSO (IdP SSO)
- Custom Roles
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)

---

## Audit Logs

- URL: https://clerk.com/glossary.md#audit-logs
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Audit Logs are records of security-relevant events (sign-ins, factor changes, role edits, administrative actions) that are timestamped, immutable, and can be queried for investigation and compliance purposes. In Clerk, making [authenticated requests](/docs/references/backend/overview) to the backend enables you to keep an audit log of which device the user is performing actions from.

**Related terms:**

- Session Management
- User Management
- Custom Roles
- Organizations
- Analytics
- Compliance
- Security Monitoring

---

## Authentication

- URL: https://clerk.com/glossary.md#authentication
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Authentication is the process of verifying the identity of a user, device, or application before granting access to a system or resource. This critical security measure ensures that only authorized individuals can access sensitive information. Authentication methods can include passwords, biometrics, tokens, and multi-factor authentication (MFA) to enhance security and user trust.

**Related terms:**

- Multi-factor Authentication (MFA)
- Security Questions
- Session Management
- User Verification

---

## Authentication Challenge

- URL: https://clerk.com/glossary.md#authentication-challenge
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: An Authentication Challenge is a request for additional verification during the authentication process, often used in multi-factor authentication to ensure the user’s identity.

**Related terms:**

- Authorization
- Multi-factor Authentication (MFA)
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- User Verification

---

## Authentication Context

- URL: https://clerk.com/glossary.md#authentication-context
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: In Clerk, authentication context includes session information like user ID, organization, and factor verification freshness. The `fva` (factor verification age) array tracks how long since each factor was verified. Clerk supports reverification policies (`strict`, `moderate`, `lax`) to require re-authentication before sensitive actions based on time since last verification. Note: Clerk uses proprietary claims instead of standard OIDC `amr`/`acr`/`auth_time` or SAML `AuthnContextClassRef`.

**Related terms:**

- Authentication
- Multi-factor Authentication (MFA)
- Session
- Authorization Code Flow

---

## Authenticator Apps (TOTP)

- URL: https://clerk.com/glossary.md#authenticator-apps-totp
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Authenticator Apps using TOTP (Time-Based One-Time Password) generate temporary, time-sensitive passcodes used for two-factor authentication (2FA). These apps, such as Google Authenticator or Authy, provide an additional layer of security by requiring users to enter a code from the app in addition to their password. This method significantly reduces the risk of unauthorized access, because a stolen or guessed password alone is not enough to sign in; the attacker would also need the device (or the shared secret) that generates the codes.

**Related terms:**

- One-Time Passcodes (Email / SMS)
- Multi-factor Authentication (MFA)
- Email Links
- Recovery Codes

---

## Authorization

- URL: https://clerk.com/glossary.md#authorization
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Authorization — sometimes abbreviated as authz — is the process of determining what an authenticated user, device, or application is allowed to access or do within a system. While authentication verifies who you are, authorization determines what you're permitted to do. Authentication always happens first; authorization follows. In practice, authorization is enforced through models like Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Access Control Lists (ACLs), or via OAuth scopes and claims embedded in access tokens. These policies are evaluated at request time — in middleware, API gateways, or application logic — to grant or deny access to specific resources or actions.

**Related terms:**

- Authentication
- Admin Dashboard
- Roles
- Access Control List (ACL)

---

## Authorization Code Flow

- URL: https://clerk.com/glossary.md#authorization-code-flow
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Authorization Code Flow is Clerk's recommended OAuth 2.0 flow for web and mobile applications. Users authenticate through Clerk's hosted UI, which then redirects them back to your application's registered callback URL with a short-lived, single-use authorization code appended as a query parameter (together with the `state` value your app sent, which it must verify on return to prevent login CSRF). Your backend extracts this code from the redirect and exchanges it server-side at the token endpoint for access and ID tokens, so tokens never appear in the browser's address bar or history. PKCE is required for client-side apps (SPAs, native and mobile apps), which cannot hold a client secret, to prevent authorization code interception.

**Related terms:**

- OAuth
- Access Token
- JSON Web Token
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)

---

## Authorization Server

- URL: https://clerk.com/glossary.md#authorization-server
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: An Authorization Server is the OAuth 2.0/OpenID Connect component responsible for authenticating users (or delegating authentication), obtaining authorization consent, and issuing security tokens. It exposes standardized endpoints (`/authorize`, `/token`, `/userinfo`, `/revoke`, `/introspect`) that clients use to initiate authorization flows, exchange authorization codes for tokens, and manage token lifecycles. The authorization server determines token claims and permissions via scopes, enforces security policies, and issues access tokens, ID tokens, and refresh tokens with configurable expiration times. When you use Clerk, Clerk acts as your authorization server.

**Related terms:**

- OAuth
- Access Token
- OAuth Scopes
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)

---

## Automation

- URL: https://clerk.com/glossary.md#automation
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Automation in software systems refers to the use of programmatic triggers, webhooks, and scheduled processes to perform tasks without manual intervention, such as syncing user directories or processing authentication events.

**Related terms:**

- Webhook
- Directory Sync

---

## B2B SSO

- URL: https://clerk.com/glossary.md#b2b-sso
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: B2B single sign-on (SSO) enables multi-tenant applications where each customer organization connects its own identity provider (IdP) to your app via SAML or OpenID Connect (OIDC). Users are redirected to their organization's IdP for authentication, which returns a signed assertion or token containing user attributes and group memberships. Your app validates the signature, issuer, audience and expiry, maps groups to roles using an allowlist you control (never by trusting IdP group names as role names directly), and provisions accounts automatically via just-in-time (JIT) provisioning, with SCIM available for full lifecycle management including deprovisioning. This gives enterprise customers centralized access control while providing a seamless login experience.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- Identity Provider SSO (IdP SSO)
- Organizations
- Security Assertion Markup Language (SAML)

---

## Back-Channel Logout

- URL: https://clerk.com/glossary.md#back-channel-logout
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Back-Channel Logout is an OpenID Connect server-to-server logout method in which the Identity Provider (OP) directly notifies each Relying Party's registered logout endpoint when a user signs out, by POSTing a signed JWT logout token. The Relying Party verifies the signature against the OP's published keys, checks the issuer, audience and `iat`, checks that the `events` claim names the back-channel logout event, that `sub` and/or `sid` is present, that `nonce` is absent, and that the `jti` has not been seen before, then terminates the matching sessions without browser involvement. It is more reliable than front-channel logout because it works even if the user's browser is already closed, JavaScript is blocked, or the user's device is offline; it does, however, require the OP to reach the RP's endpoint over the network.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- Session Management
- JSON Web Token

---

## Backend as a Service (BaaS)

- URL: https://clerk.com/glossary.md#backend-as-a-service-baas
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Backend as a Service (BaaS) is a cloud computing model that provides developers with pre-built backend infrastructure including databases, authentication, and APIs, reducing the need to manage server-side code and infrastructure.

**Related terms:**

- Firebase
- Supabase
- Convex

---

## Backend Development

- URL: https://clerk.com/glossary.md#backend-development
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Backend development involves building and maintaining the server-side logic, databases, and APIs that power web and mobile applications, handling tasks like authentication, data processing, and business logic.

**Related terms:**

- Framework
- Rails
- React Router (Framework)
- Redwood
- Next.js

---

## Backoff/Retry Policy

- URL: https://clerk.com/glossary.md#backoff-retry-policy
- Date: 2025-10-01
- Category: Development Tools & Concepts
- Description: A Backoff/Retry Policy defines rules for automatically retrying failed API requests to authentication services. When requests fail due to transient issues (network timeouts, server overload, rate limits), the policy determines whether to retry, how long to wait, and how many attempts to make. Standard implementations use exponential backoff with jitter: the wait ceiling doubles between attempts (1s, 2s, 4s, 8s) and the actual delay is randomized below that ceiling so that many clients do not retry in lockstep and cause a retry storm, with a total of 3-5 attempts. Policies only retry transient errors (5xx server errors, 429 rate limits, timeouts), honor a `Retry-After` header when the server sends one, and fail immediately on permanent errors (401 unauthorized, 400 bad request). Retries are only safe for idempotent requests, or requests carrying an idempotency key, because a request that timed out may already have been processed. Done this way, transient failures get time to clear without the retries themselves overloading the service.

**Related terms:**

- Rate Limiting
- API Gateway
- Endpoint
- Application Programming Interface
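The policy described above in working form, as an added example that is not Clerk SDK code: exponential backoff with full jitter, `Retry-After` honored on 429, only transient outcomes retried, and a fixed attempt budget. The `request`, `sleep` and `random` functions are injected so the behaviour can be exercised offline; the status sets, limits and the scripted responses are this demo's assumptions.

```javascript
// Added example, not Clerk's code. `request(attempt)` resolves to { status, headers?, body? }
// or rejects with an error carrying a `code`. Status sets and limits are illustrative.
const TRANSIENT_STATUSES = new Set([429, 500, 502, 503, 504]);
const TRANSIENT_ERROR_CODES = new Set(['ETIMEDOUT', 'ECONNRESET', 'ECONNREFUSED', 'EAI_AGAIN']);

// Retry only what is likely to clear on its own. 401/400/404 are returned as-is.
function isTransient(result) {
  if (result.error) return TRANSIENT_ERROR_CODES.has(result.error.code);
  return TRANSIENT_STATUSES.has(result.status);
}

// Full jitter: uniform in [0, min(cap, base * 2^attempt)), so clients that failed
// together do not retry in lockstep.
function backoffDelayMs(attempt, { baseMs = 1000, capMs = 8000, random = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt); // 1s, 2s, 4s, 8s, 8s ...
  return Math.floor(random() * ceiling);
}

async function requestWithRetry(request, { maxAttempts = 4, sleep, random } = {}) {
  const schedule = []; // what was waited and why, for logging/metrics
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    let result;
    try {
      result = await request(attempt);
    } catch (error) {
      result = { error };
    }
    const failed = Boolean(result.error) || result.status >= 400;
    const lastTry = attempt === maxAttempts - 1;
    if (!failed || !isTransient(result) || lastTry) {
      return { ...result, attempts: attempt + 1, schedule };
    }
    let delayMs = backoffDelayMs(attempt, { random });
    // A 429 (or 503) may say how long to wait; never retry sooner than that.
    const retryAfter = Number(result.headers?.['retry-after']);
    if (Number.isFinite(retryAfter) && retryAfter > 0) delayMs = Math.max(delayMs, retryAfter * 1000);
    schedule.push({ attempt, cause: result.status ?? result.error.code, delayMs });
    await sleep(delayMs);
  }
}

// Constructed server behaviour for the demo: each call returns the next scripted
// outcome; an item with `error` simulates a thrown network error.
function scriptedRequest(script) {
  let i = 0;
  return async () => {
    const next = script[Math.min(i++, script.length - 1)];
    if (next.error) throw Object.assign(new Error(next.error), { code: next.error });
    return next;
  };
}

// Stand-alone demo with a recording sleep so it finishes instantly.
requestWithRetry(scriptedRequest([{ status: 503 }, { status: 200, body: 'ok' }]), { sleep: async () => {} })
  .then((r) => console.log(r.status, r.attempts, r.schedule));
```

For production use, pass a real `sleep` (`(ms) => new Promise((resolve) => setTimeout(resolve, ms))`) and wrap only idempotent calls, or attach an idempotency key to the request before handing it to `requestWithRetry`.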

---

## Backup Codes

- URL: https://clerk.com/glossary.md#backup-codes
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Backup Codes are single-use recovery codes generated during MFA enrollment that allow account access when primary factors (authenticator app, SMS) are unavailable. Users receive a small set of codes (typically 8-10) to store securely, because each code stands in for the second factor; the server should store only hashes of them and invalidate a code as soon as it is redeemed. The set can be regenerated at any time, which invalidates all previous codes.

**Related terms:**

- Recovery Codes
- Multi-factor Authentication (MFA)
- Account Recovery
- One-Time Passcodes (Email / SMS)

---

## Bearer Token

- URL: https://clerk.com/glossary.md#bearer-token
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: A bearer token — also called token authentication — is an access credential where possession alone grants authorization: any party that presents the token can use it to access protected resources, without proving ownership of a cryptographic key. Bearer tokens are the predominant access token type in OAuth 2.0, defined in RFC 6750, and are sent in the HTTP Authorization header as `Authorization: Bearer <token>`. The token itself may be an opaque string or a structured JSON Web Token (JWT). Because anyone with the token can use it, bearer tokens require HTTPS transport, short expiration times, and narrow scopes to limit exposure risk. This distinguishes them from proof-of-possession tokens (such as DPoP), which cryptographically bind the token to a specific client.

**Related terms:**

- Access Token
- JSON Web Token
- OAuth
- [API Key](https://clerk.com/glossary/api-key.md)
- API Security

---

## Biometric Authentication

- URL: https://clerk.com/glossary.md#biometric-authentication
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Biometric authentication verifies users by measuring unique physical or behavioral traits (fingerprint, face, voice) and comparing them to stored templates. Modern implementations process biometrics locally in secure hardware with liveness detection to prevent spoofing. Best used to unlock cryptographic keys—such as passkeys via WebAuthn—rather than transmitting to servers. Unlike passwords, biometrics cannot be changed if compromised, making secure local storage and fallback authentication methods essential.

**Related terms:**

- Passkeys
- Hardware Keys
- Multi-factor Authentication (MFA)
- Authentication
- Passwordless Login
- WebAuthn

---

## Bot Detection

- URL: https://clerk.com/glossary.md#bot-detection
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Bot Detection identifies and blocks automated attacks on authentication systems—such as credential stuffing, brute force login attempts, and fake account creation—while allowing legitimate automated traffic like search crawlers. Techniques include IP reputation analysis, behavioral patterns (mouse movement, typing cadence), rate limiting, device fingerprinting, and challenge mechanisms like CAPTCHAs. Critical for protecting login endpoints and preventing account takeover attacks.

**Related terms:**

- [CAPTCHA](https://clerk.com/glossary/captcha.md)
- Rate Limiting
- Credential Stuffing Attacks
- Brute Force Detection
- Account Protection

---

## Browser Fingerprinting

- URL: https://clerk.com/glossary.md#browser-fingerprinting-advanced
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Browser Fingerprinting is a technique that derives a likely-unique identifier from a device's and browser's characteristics (e.g., user agent, screen size, fonts, canvas/WebGL output, plugins, GPU) to recognize repeat visitors. It can persist across cookie clears and is used for fraud prevention and tracking, but accuracy varies and it is constrained by privacy controls and changing client signals.

**Related terms:**

- Fingerprinting
- Bot Detection
- Active Device Monitoring
- Session Management

---

## Browser Sessions

- URL: https://clerk.com/glossary.md#browser-sessions
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Browser sessions and application sessions are distinct concepts often confused in authentication. A browser session is the browser's native lifetime for a tab/window—storing session cookies (no expiration set), `sessionStorage`, and in-memory data that typically clear when all windows close. An application session is your app's authenticated state, tracked independently via session cookies or tokens with explicit security policies: idle timeouts, absolute expiration, rotation, and per-device isolation. Understanding this distinction is critical—application sessions must be managed by your authentication logic, not reliant on browser session behavior.

**Related terms:**

- Session
- Session Management
- Session Lifecycle
- HttpOnly cookies

---

## Browser Storage

- URL: https://clerk.com/glossary.md#browser-storage-local-session
- Date: 2025-10-01
- Category: Development Tools & Concepts
- Description: Browser storage is the set of ways a website can store data on the user's device for a specific origin. It includes cookies (sent with requests; configurable via `Secure`, `HttpOnly`, `SameSite`), Web Storage (`localStorage` and `sessionStorage` for synchronous key-value data not sent with HTTP), `IndexedDB` (asynchronous, large structured data), and Cache Storage (request/response pairs via service workers). Choose storage based on payload size, access pattern (sync vs async), and data retention. Do not store long-lived secrets in JavaScript-accessible storage; put session tokens in `Secure`, `HttpOnly` cookies.

**Related terms:**

- HttpOnly cookies
- Session
- [Frontend API](https://clerk.com/glossary/frontend-api.md)
- Cross-Site Scripting (XSS)

---

## Brute Force Detection

- URL: https://clerk.com/glossary.md#brute-force-detection
- Date: 2024-07-24
- Category: Security
- Description: Brute Force Detection is the practice of identifying and stopping repeated attempts to guess user credentials by counting failed login attempts per account, per IP address and per device over a time window, and responding with throttling, a CAPTCHA challenge, or a temporary lockout. Responses should be graduated so that an attacker cannot lock legitimate users out of their own accounts simply by generating failures against them.

**Related terms:**

- Rate Limiting
- Multi-factor Authentication (MFA)
- [CAPTCHA](https://clerk.com/glossary/captcha.md)
- Security Monitoring
- Account Protection

---

## BYOK (Bring Your Own Key)

- URL: https://clerk.com/glossary.md#byok-bring-your-own-key
- Date: 2025-10-01
- Category: Security & Privacy
- Description: BYOK (Bring Your Own Key) is a key management model where the customer generates and controls the encryption key used to protect their data, rather than the service provider. The organization is responsible for key creation, rotation, revocation, and deletion, providing stronger assurance that only they can decrypt their data.

**Related terms:**

- Hash
- Environment Keys
- Secret Key
- Publishable Key

---

## California Consumer Privacy Act (CCPA)

- URL: https://clerk.com/glossary.md#california-consumer-privacy-act-ccpa
- Date: 2024-07-24
- Category: Compliance & Privacy
- Description: The California Consumer Privacy Act (CCPA) is a state law that grants California residents new rights regarding their personal information, including the right to know, delete, and opt-out of the sale of their data.

**Related terms:**

- Data Protection
- Privacy Policy
- GDPR
- User Consent
- Data Privacy
- Compliance

---

## CAPTCHA

- URL: https://clerk.com/glossary/captcha.md
- Date: 2024-07-24
- Category: Security
- Description: CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure used to differentiate between human users and automated bots, often by presenting challenges that are easy for humans but difficult for bots.

**Related terms:**

- Bot Detection
- Brute Force Detection
- Security Questions
- User Verification

In the battle against automated threats, CAPTCHAs stand as the digital gatekeepers of the internet. These automated tests protect websites from bots that attempt to create fake accounts, spread spam, or launch automated attacks. While you might find them annoying when trying to log into your favorite website, CAPTCHAs serve as a critical first line of defense in web security. They work by presenting problems that are easy for humans to solve but difficult for computers.

CAPTCHAs originated in the late 1990s at Carnegie Mellon University and became important for protecting websites from automated abuse. The technology has evolved significantly since then, moving from simple text-based puzzles to sophisticated systems that can analyze user behavior. Today, CAPTCHAs help secure everything from social media platforms to e-commerce sites, blocking millions of automated attacks daily.

## What is CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It functions as a reverse Turing test, where a computer system verifies whether a user is human. CAPTCHAs utilize human cognitive abilities like pattern recognition and interpretation - tasks that computers struggle to replicate accurately.

The system works by presenting tasks that exploit the gap between human and machine capabilities. For example, text-based CAPTCHAs show distorted characters that confound Optical Character Recognition (OCR) technology, while image-based versions ask users to identify specific objects that automated solvers have historically found difficult to recognize consistently.

## How CAPTCHAs protect websites

CAPTCHAs defend websites against several common security threats:

1. Automated account creation
2. Spam comments and form submissions
3. Brute force login attempts
4. Ticket scalping bots
5. Web scraping

By requiring human verification, CAPTCHAs prevent bots from performing these automated tasks at scale. This protection is particularly important for user authentication systems, where preventing automated attacks helps maintain platform integrity and user trust.

## Types of CAPTCHAs

### Text-based CAPTCHAs

The original CAPTCHA type presents distorted text that users must accurately type. While these were initially effective, advances in OCR technology have made them more vulnerable to automated solving. Modern text-based CAPTCHAs use additional complexity like overlapping characters and background noise to maintain security, though this can affect user experience.

### Image-based CAPTCHAs

Image recognition CAPTCHAs ask users to identify specific objects within photos or select images matching a given category. These tests are more engaging than text-based versions but face growing pressure from improving AI image recognition capabilities. Some systems now use advanced techniques like image distortion and semantic relationships to stay ahead of automated solvers.

### Modern CAPTCHA solutions

Contemporary CAPTCHA systems like Google's reCAPTCHA, Cloudflare's Turnstile, and hCaptcha use sophisticated approaches that combine multiple verification methods. These systems analyze user behavior patterns, device information, and interaction data to assess whether a visitor is human. Many can operate invisibly in the background, only showing tasks to suspicious traffic.

## Accessibility and user experience

Historically, CAPTCHAs presented major accessibility challenges, particularly for users with disabilities. Text- and image-based CAPTCHAs can be difficult for visually impaired users, while audio alternatives may not work well for those with hearing impairments. Modern CAPTCHA systems address these issues by:

- Working in the background for the majority of users, and only presenting a challenge in cases of suspicious traffic
- Multiple CAPTCHA options for different abilities
- Improved audio quality in sound-based tests
- Keyboard navigation support
- Compliance with [Web Content Accessibility Guidelines (WCAG)](https://www.w3.org/TR/WCAG21/)

The key is finding the right balance between security and accessibility, ensuring that security measures don't create barriers for legitimate users.

## CAPTCHAs and Clerk

Clerk integrates [CAPTCHA protection](/docs/customization/elements/reference/sign-up#captcha) into its user management platform to prevent automated attacks while maintaining a smooth user experience. Clerk offers both visible and invisible [CAPTCHA options](/docs/security/bot-protection) that developers can enable through the Clerk Dashboard.

The system uses smart CAPTCHA detection that only shows verification tasks to suspicious traffic. This approach helps maintain security without creating unnecessary friction for legitimate users. Developers can choose between different CAPTCHA types based on their security requirements and user experience preferences.

## The future of human verification

As AI technology advances, traditional CAPTCHA methods face increasing pressure from sophisticated bots. The future of human verification probably lies in more nuanced approaches that combine multiple signals:

- Behavioral analysis
- Device fingerprinting
- Biometric data
- Context-aware challenges

These methods need to balance strong security with user privacy and accessibility. While CAPTCHAs may evolve significantly, the core goal remains the same: protecting online platforms from automated abuse while providing a smooth experience for real users.

---

## Certificate Pinning

- URL: https://clerk.com/glossary.md#certificate-pinning
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Certificate Pinning is a security technique in which a client (e.g. a mobile app or service) associates a known certificate or, more commonly, a known public key (an SPKI hash) with a host and rejects TLS connections that present anything else, even if the chain is otherwise valid. It helps prevent man-in-the-middle attacks using fraudulent or misissued certificates, though it can break connectivity if the server's certificate or key changes without updating the pin; pinning the public key rather than the leaf certificate, shipping a backup pin, and planning rotation reduce that risk.

**Related terms:**

- Hash
- Hardware Keys
- Cross Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)

---

## Challenge–Response

- URL: https://clerk.com/glossary.md#challenge-response
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Challenge–response is an authentication pattern where the server sends a fresh, unpredictable challenge (nonce) and the client returns a response computed with a secret or private key (for example, an HMAC or a digital signature). The server verifies the response to confirm possession of the credential without ever transmitting the secret. This resists replay and eavesdropping; examples include WebAuthn/passkeys (the authenticator signs the server challenge with origin binding) and SCRAM/HTTP Digest. To stay secure, challenges must be unique, time-bound, and tied to the session or origin to prevent reuse or relay.

**Related terms:**

- Authentication Challenge
- Passkeys
- Authenticator Apps (TOTP)
- Multi-factor Authentication (MFA)
- WebAuthn

---

## Claim

- URL: https://clerk.com/glossary.md#claim
- Date: 2024-12-12
- Category: Security
- Description: A claim is a piece of information about a user or entity encoded in a JSON Web Token (JWT). When a token is created, claims are added to describe the token's subject, such as the user ID, permissions, issuer, audience, or expiration time. Claims are key-value pairs in the token's payload, which is base64url-encoded but not encrypted, so secrets do not belong in claims. The payload is covered by the token's signature, so a claim cannot be altered without invalidating that signature; a recipient must therefore verify the signature (and the `iss`, `aud` and `exp` claims) before trusting any claim. One JWT can, and typically does, contain multiple claims that provide different types of information about the user or session.

**Related terms:**

- JSON Web Token
- Access Token

---

## Claims Transformation

- URL: https://clerk.com/glossary.md#claims-transformation
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Claims Transformation is the process of mapping attributes or claims issued by an identity provider (IdP) or external system into the schema or fields your application consumes (for example, translating `groups` into `departments`). Transformation rules are deterministic and maintain the provenance of each mapped attribute, so you can trace where each output came from.

**Related terms:**

- Claim
- Attribute Mapping
- Custom Roles
- Identity Provider SSO (IdP SSO)
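A deterministic transformer with provenance, as an added example that is not Clerk's attribute mapping and that also covers the group-to-role mapping and JIT provisioning from the B2B SSO entry above: the rule set, the group-to-role allowlist, the `provisionUser` store and the sample IdP attributes are all constructed for this demo.

```javascript
// Added example, not Clerk's code: IdP claims -> app schema, with provenance and
// an allowlisted group-to-role mapping. Sample data is constructed.

// Only groups named here become roles; anything else from the IdP is ignored, so a
// tenant cannot grant itself `admin` by inventing a group name.
const GROUP_TO_ROLE = { 'app-admins': 'admin', 'app-billing': 'billing' };

const RULES = [
  { target: 'email', from: ['email'], transform: (email) => email.trim().toLowerCase() },
  { target: 'displayName', from: ['givenName', 'familyName'], transform: (g, f) => `${g} ${f}`.trim() },
  {
    target: 'departments', from: ['groups'],
    transform: (groups) => groups.filter((g) => g.startsWith('dept:')).map((g) => g.slice('dept:'.length)).sort(),
  },
  {
    target: 'roles', from: ['groups'],
    transform: (groups) => {
      const roles = [...new Set(groups.map((g) => GROUP_TO_ROLE[g]).filter(Boolean))].sort();
      return roles.length ? roles : ['member'];
    },
    default: ['member'], // used when the IdP sends no groups claim at all
  },
];

function transformClaims(idpClaims, rules = RULES) {
  const output = {};
  const provenance = {}; // target -> which input claims (or default) produced it
  for (const rule of rules) {
    const inputs = rule.from.map((key) => idpClaims[key]);
    if (inputs.every((v) => v !== undefined && v !== null)) {
      output[rule.target] = rule.transform(...inputs);
      provenance[rule.target] = { from: rule.from, inputs };
    } else if ('default' in rule) {
      output[rule.target] = rule.default;
      provenance[rule.target] = { from: [], inputs: [], note: 'default: source claim absent' };
    }
    // Otherwise the field is simply absent: never guess a value the IdP did not send.
  }
  return { output, provenance };
}

// JIT provisioning: create or update the org member from the mapped output.
// `store` is an in-memory Map keyed by orgId + email standing in for a database.
function provisionUser(store, orgId, { output, provenance }) {
  const key = `${orgId}:${output.email}`;
  const existing = store.get(key);
  const record = { ...(existing ?? {}), orgId, ...output, provenance, syncedAt: (existing?.syncedAt ?? 0) + 1 };
  store.set(key, record);
  return { created: !existing, record };
}

// Constructed assertion attributes as an IdP might send them.
const sampleIdpClaims = {
  email: 'Alice.Smith@Example.COM',
  givenName: 'Alice',
  familyName: 'Smith',
  groups: ['app-admins', 'dept:finance', 'everyone', 'dept:ops'],
};

console.log(JSON.stringify(transformClaims(sampleIdpClaims), null, 2));
```

Because every rule is a pure function of named input claims, two syncs of the same assertion produce byte-identical output, and the `provenance` map answers "why does this user have `admin`?" with the exact IdP claim that caused it.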

---

## ClerkProvider

- URL: https://clerk.com/glossary.md#clerkprovider
- Date: 2024-07-24
- Category: User & Session Management
- Description: ClerkProvider is a component in Clerk’s authentication library that wraps the application, providing context and configuration for authentication and user management.

**Related terms:**

- Authentication
- User Management
- Session Management
- Identity Provider SSO (IdP SSO)

---

## Client Credentials Flow

- URL: https://clerk.com/glossary.md#client-credentials-flow
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: The Client Credentials Flow is an OAuth 2.0 grant for machine-to-machine (M2M) authentication, where a client (e.g. backend service or daemon) authenticates on its own behalf rather than on behalf of a user. The client sends credentials (such as `client_id` and `client_secret`) to the token endpoint and receives an access token, which it then uses to call APIs or services under its own identity.

**Related terms:**

- OAuth
- Access Token
- [API Key](https://clerk.com/glossary/api-key.md)
- Authorization Server

---

## Client Secret

- URL: https://clerk.com/glossary.md#client-secret
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: A `client_secret` is a confidential credential issued to an OAuth confidential client and known only to that client and the authorization server. The client presents it when authenticating at the token endpoint (and sometimes at introspection or revocation endpoints) using methods like `client_secret_basic` or `client_secret_post`. It's best practice to store secrets server-side (for example, in a secret manager) and rotate them regularly, especially since SPAs and native mobile apps expose their code and storage and thus can't truly keep secrets. For such public clients, you should not issue a `client_secret`; instead register them as public clients and use the Authorization Code flow with PKCE. In Clerk, setting up OAuth/Social Connections is straightforward: you enter your external `client_id` and `client_secret` in the Clerk dashboard, and Clerk handles the token exchange for you (so you don't have to write and manage boilerplate code).

**Related terms:**

- Secret Key
- OAuth
- Authorization Server
- [API Key](https://clerk.com/glossary/api-key.md)

---

## Client-Side Routing

- URL: https://clerk.com/glossary.md#client-side-routing
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Client-side routing is a technique where navigation between pages or views is handled entirely in the browser using JavaScript, without requiring full page reloads from the server.

**Related terms:**

- Hash Routing
- Path Routing
- Virtual Routing
- [App Router](https://clerk.com/glossary/app-router.md)
- Data Router
- Pages Router

---

## Cloud Services

- URL: https://clerk.com/glossary.md#cloud-services
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Cloud services are computing resources and platforms delivered over the internet, providing scalable infrastructure, databases, authentication, and other backend capabilities without requiring on-premise hardware management.

**Related terms:**

- [Multi-Tenancy](https://clerk.com/glossary/multi-tenancy.md)
- Data Residency
- Firebase
- Supabase
- Convex

---

## CNAME / Custom Domains

- URL: https://clerk.com/glossary.md#cname-custom-domains-auth
- Date: 2025-10-01
- Category: Development Tools & Concepts
- Description: CNAME / Custom Domains let an organization map a subdomain they control (e.g. `auth.example.com`) to a vendor-hosted service so authentication pages and API endpoints appear under the organization's domain. To do this, you create a DNS `CNAME` record pointing that subdomain to the vendor's domain. Adding a custom domain (e.g. `auth.myapp.com`) to Clerk is straightforward: you just need to create a `CNAME` record pointing that subdomain to Clerk's provided domain, then Clerk handles verification, TLS certificate provisioning, and routes the traffic so authentication flows use your custom domain seamlessly. However, `CNAME` records can't be placed on a root (apex) domain, so many DNS providers support `ALIAS` or `ANAME` records (or use `A`/`AAAA` records) to achieve the same aliasing behavior at the apex.

**Related terms:**

- Custom Onboarding
- HttpOnly cookies
- Endpoint
- [Frontend API](https://clerk.com/glossary/frontend-api.md)

---

## Code Exchange (PKCE)

- URL: https://clerk.com/glossary.md#code-exchange-pkce
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension that binds an authorization code to the client instance that requested it. The client generates a one-time random `code_verifier` (43 to 128 URL-safe characters), sends its hashed form `code_challenge = base64url(SHA-256(code_verifier))` with `code_challenge_method=S256` in the authorization request, and later presents the plain verifier at the token endpoint; the server recomputes the hash and compares it to the challenge stored with the code before issuing tokens. An attacker who intercepts the code cannot redeem it without the verifier, which blocks code interception and replay. PKCE is required for public clients like SPAs and mobile apps, and recommended for all clients using the Authorization Code flow.

**Related terms:**

- OAuth
- Authorization Code Flow
- Cross Site Request Forgery (CSRF)
- Access Token

---

## Component Library

- URL: https://clerk.com/glossary.md#component-library
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: A Component Library is a collection of reusable UI components that developers can use to build applications, ensuring consistency, efficiency, and ease of maintenance in the development process.

**Related terms:**

- User Interface Components
- Design System
- Frontend Development
- React Components
- Libraries

---

## Conditional Access

- URL: https://clerk.com/glossary.md#conditional-access
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Conditional Access is a policy-based access control pattern that evaluates runtime context to decide whether to allow access, deny, or require additional verification from the user. Policies ingest signals such as user or group membership, role, device compliance, location or network, application sensitivity, and risk scores. Based on these signals, the system can require MFA, block noncompliant devices, limit session scopes or lifetimes, force reauthentication for sensitive operations, or deny access outright. Policies are typically expressed as simple "if–then" rules and can trigger both at initial sign-in and at step-up moments within the application.

**Related terms:**

- Multi-factor Authentication (MFA)
- Active Device Monitoring
- Authorization
- Custom Permissions
- Zero Trust Architecture

---

## Consent Screen

- URL: https://clerk.com/glossary.md#consent-screen
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: A Consent Screen (also called a permissions prompt or authorization interface) is the UI presented during an OAuth/OIDC flow that asks a user to approve the scopes or permissions an application is requesting. It shows what data or actions will be accessed (like profile, email, read/write), who is requesting access, and gives a clear option to accept or deny. The purpose is to ensure transparency and let users make informed decisions. Consent screens can appear at first sign-in or whenever app requests change (new scopes), and for trusted or first-party apps it may sometimes be possible to skip.

**Related terms:**

- OAuth
- OAuth Scopes
- Custom Permissions
- User Management

---

## Content Security Policy (CSP)

- URL: https://clerk.com/glossary.md#content-security-policy-csp
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Content Security Policy is a browser-security standard (via HTTP headers or meta tags) that tells the browser which sources of content are allowed on a page or app. It defines directives such as `script-src`, `img-src`, `style-src`, etc., which specify trusted origins or allowlists for different content types. CSP helps prevent attacks like Cross-Site Scripting (XSS), data injection, or clickjacking by rejecting or blocking content from untrusted sources. A policy can run in enforcement mode (blocking violations) or report-only mode (just logging them) to help test without breaking functionality.

**Related terms:**

- Cross-Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- HttpOnly cookies
- Hash
- Security Best Practices

---

## Control Components

- URL: https://clerk.com/glossary.md#control-components
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Control Components are components in a user interface that manage user input and interactions, such as buttons, forms, and sliders.

**Related terms:**

- User Interface Components
- Component Library
- Design System
- React Components

---

## Convex

- URL: https://clerk.com/glossary.md#convex
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Convex is a backend platform that provides real-time data synchronization and serverless functions, enabling developers to build dynamic and responsive web applications.

**Related terms:**

- Framework
- Backend Development
- API Integration
- Serverless Architecture
- Database
- Backend as a Service (BaaS)

---

## Credential Management API

- URL: https://clerk.com/glossary.md#credential-management-api
- Date: 2025-10-01
- Category: Development Tools & Concepts
- Description: The Credential Management API is a browser standard (accessible via `navigator.credentials`) that lets websites programmatically create, store, retrieve, and use credentials, such as username/password, federated login, OTPs, or public-key credentials. It helps lower friction in cross-platform sign-in flows (e.g. enabling auto sign-in, remembering federated accounts, or restoring sessions after expiry) while ensuring these operations happen in secure contexts (HTTPS).

**Related terms:**

- Passkeys
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- [Frontend API](https://clerk.com/glossary/frontend-api.md)
- Authentication

---

## Credential Stuffing

- URL: https://clerk.com/glossary/credential-stuffing.md
- Date: 2025-01-27
- Category: Security
- Description: Credential stuffing is a cyberattack where attackers use stolen username-password pairs from data breaches to gain unauthorized access to user accounts by automating login attempts across multiple websites and services.

**Related terms:**

- Account Takeover
- Bot Detection
- Brute Force Detection
- Rate Limiting
- Multi-factor Authentication (MFA)
- Account Protection
- Security Best Practices

Credential stuffing attacks exploit the common practice of password reuse. When users reuse the same passwords across different platforms, a single data breach can compromise accounts on multiple services.

## What is credential stuffing

Credential stuffing is a type of cyberattack where attackers use automated tools to test large volumes of stolen username-password pairs across multiple websites and applications. Unlike [brute force attacks](/glossary/brute-force-detection), which attempt to guess passwords, credential stuffing relies on passwords that have already been compromised in previous data breaches.

The attack works because many users reuse the same passwords across multiple services. When a data breach occurs at one service, attackers obtain username-password pairs that may work on other platforms where users have created accounts with the same credentials.

Attackers typically obtain these credential lists from data breaches, dark web marketplaces, or credential dumps. They then use specialized tools and bots to automate login attempts, making thousands of requests per minute across multiple targets. To avoid detection, attackers distribute requests across multiple IP addresses, use proxy networks, and rotate user agents to mimic legitimate traffic patterns.

## How credential stuffing differs from brute force attacks

While both attack methods target authentication systems, they differ in important ways. Credential stuffing uses stolen, real credentials from data breaches, while brute force attacks attempt to guess passwords through trial and error. Credential stuffing is typically faster and more successful because it uses real credentials, whereas brute force attacks rely on probability and can take much longer. Credential stuffing attacks can also be more difficult to detect because they use legitimate-looking credentials, while brute force attacks often show clear patterns of failed attempts.

## Preventing credential stuffing

Organizations can implement multiple layers of defense to protect against credential stuffing. [Rate limiting](/glossary/rate-limiting) restricts the number of login attempts from a single IP address or user account within a specific time period, making automated attacks more difficult and slower to execute.

[Bot detection](/glossary/bot-detection) systems identify automated login attempts by analyzing behavioral patterns, such as mouse movements, typing cadence, and request timing. Advanced bot detection can distinguish between legitimate users and automated scripts.

[Multi-factor authentication (MFA)](/glossary/multi-factor-authentication-mfa) adds an additional layer of security beyond passwords. Even if attackers obtain valid credentials, they cannot access accounts without the second authentication factor.

Other prevention strategies include implementing [CAPTCHA](/glossary/captcha) challenges, encouraging users to create unique passwords for each service, monitoring login attempts for suspicious patterns, and checking user passwords against known breach databases during registration or password changes.

## Credential stuffing protection in Clerk

Clerk provides multiple security features to help protect applications against credential stuffing attacks. Clerk's authentication system includes advanced [bot detection](/glossary/bot-detection) capabilities that identify and block automated login attempts. Clerk also implements rate limiting on authentication endpoints to prevent rapid-fire credential testing, and it supports multiple MFA methods, including TOTP, SMS, and email-based authentication, adding layers of protection beyond passwords.

Most importantly, Clerk includes [Client Trust](/changelog/2025-11-14-client-trust-credential-stuffing-killer), which automatically requires a second factor for new devices, even if the password is valid.

Developers can also implement additional security measures, such as IP allowlisting, device fingerprinting, and custom rate limiting rules, to further protect against credential stuffing attacks.
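The rate-limiting layer described above, as an added example that is not Clerk's implementation: sliding-window limits on login attempts keyed by source IP and by target account, plus a count of how many distinct accounts one IP has tried, which is the shape credential stuffing takes when each stolen pair is tried only once. All records, thresholds and addresses are constructed.

```javascript
// Added example (not Clerk's implementation): sliding-window limits on login
// attempts keyed by source IP and by target account, plus a "how many distinct
// accounts has this IP tried" counter. All records and thresholds are constructed.

const WINDOW_MS = 60_000;          // one-minute sliding window
const MAX_PER_IP = 10;             // attempts one IP may make per window
const MAX_PER_ACCOUNT = 5;         // attempts against one account per window
const MAX_ACCOUNTS_PER_IP = 4;     // distinct accounts one IP may probe per window

class LoginAttemptLimiter {
  constructor(opts = {}) {
    this.windowMs = opts.windowMs ?? WINDOW_MS;
    this.maxPerIp = opts.maxPerIp ?? MAX_PER_IP;
    this.maxPerAccount = opts.maxPerAccount ?? MAX_PER_ACCOUNT;
    this.maxAccountsPerIp = opts.maxAccountsPerIp ?? MAX_ACCOUNTS_PER_IP;
    this.ipHits = new Map();       // ip -> timestamps of attempts inside the window
    this.accountHits = new Map();  // account -> timestamps of attempts inside the window
    this.ipAccounts = new Map();   // ip -> Map(account -> last attempt time)
  }

  // Drop timestamps that fell out of the window, add the new one, return the count.
  _record(map, key, ts) {
    const recent = (map.get(key) ?? []).filter((t) => ts - t < this.windowMs);
    recent.push(ts);
    map.set(key, recent);
    return recent.length;
  }

  // Count the distinct accounts this IP has touched inside the window.
  _recordSpread(ip, account, ts) {
    const seen = this.ipAccounts.get(ip) ?? new Map();
    for (const [acct, last] of seen) if (ts - last >= this.windowMs) seen.delete(acct);
    seen.set(account, ts);
    this.ipAccounts.set(ip, seen);
    return seen.size;
  }

  // Evaluate one attempt {ip, account, ts}; returns the limits it tripped
  // (an empty array means the attempt may proceed to password verification).
  check({ ip, account, ts }) {
    const tripped = [];
    if (this._record(this.ipHits, ip, ts) > this.maxPerIp) tripped.push('ip_rate');
    if (this._record(this.accountHits, account, ts) > this.maxPerAccount) tripped.push('account_rate');
    if (this._recordSpread(ip, account, ts) > this.maxAccountsPerIp) tripped.push('account_spread');
    return tripped;
  }
}

// Feed a batch of attempts through a limiter; returns blocked counts per IP and per reason.
function evaluate(attempts, limiter = new LoginAttemptLimiter()) {
  const summary = { blockedByIp: {}, reasons: {} };
  for (const attempt of attempts) {
    const tripped = limiter.check(attempt);
    if (tripped.length === 0) continue;
    summary.blockedByIp[attempt.ip] = (summary.blockedByIp[attempt.ip] ?? 0) + 1;
    for (const r of tripped) summary.reasons[r] = (summary.reasons[r] ?? 0) + 1;
  }
  return summary;
}

// Constructed sample: one user mistypes a password twice, while one source
// tries a different account every second, the low-per-account shape of stuffing.
const T0 = Date.parse('2025-01-27T10:00:00Z');
const sampleAttempts = [
  { ip: '198.51.100.7', account: 'alice@example.com', ts: T0 },
  { ip: '198.51.100.7', account: 'alice@example.com', ts: T0 + 15_000 },
  ...Array.from({ length: 8 }, (_, i) => ({
    ip: '203.0.113.9', account: `user${i}@example.com`, ts: T0 + i * 1_000,
  })),
];

console.log(JSON.stringify(evaluate(sampleAttempts)));
```

Note that the per-IP limit alone never fires in the sample: the probing source stays under ten attempts per minute, and only the distinct-account counter catches it.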

---

## Credential Stuffing Attacks

- URL: https://clerk.com/glossary.md#credential-stuffing-attacks
- Date: 2024-07-24
- Category: Security
- Description: Credential Stuffing Attacks involve using stolen username-password pairs to gain unauthorized access to user accounts by automating login attempts across multiple websites and services.

**Related terms:**

- Account Takeover
- Bot Detection
- Security Monitoring
- Authentication

---

## Cross Site Request Forgery (CSRF)

- URL: https://clerk.com/glossary.md#cross-site-request-forgery-csrf
- Date: 2024-07-24
- Category: Security
- Description: Cross Site Request Forgery (CSRF) is an attack that tricks a user into performing actions on a web application without their consent, often by exploiting the user’s authenticated session.

**Related terms:**

- Cross-Site Scripting (XSS)
- OWASP Testing Guide/Security Verification
- Session Management
- Security Best Practices

---

## Cross-Platform Development

- URL: https://clerk.com/glossary.md#cross-platform-development
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Cross-platform development is the practice of building applications that run on multiple operating systems or platforms from a single codebase, using frameworks and tools that abstract platform-specific differences.

**Related terms:**

- Expo
- React
- Software Development Kit (SDK)

---

## Cross-Site Scripting (XSS)

- URL: https://clerk.com/glossary.md#cross-site-scripting-xss
- Date: 2024-07-24
- Category: Security
- Description: Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, and other exploits.

**Related terms:**

- Cross Site Request Forgery (CSRF)
- OWASP Testing Guide/Security Verification
- Input Validation
- Security Best Practices

---

## Cryptographic Nonce

- URL: https://clerk.com/glossary.md#cryptographic-nonce
- Date: 2025-10-01
- Category: Security & Privacy
- Description: A cryptographic nonce is a unique, unpredictable value generated for one-time use in a cryptographic operation or protocol to bind a request and its response. In OpenID Connect, a nonce is sent in the authentication request and echoed in the ID Token to prevent replay attacks. In OAuth flows, the `state` parameter plays a related role by binding the redirect request to its response (protecting against CSRF). A nonce must never be reused and is typically random, time-variant, or both, so that stale or duplicated values are detected and rejected.

**Related terms:**

- Cross Site Request Forgery (CSRF)
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- OAuth
- Hash

---

## CSS Framework

- URL: https://clerk.com/glossary.md#css-framework
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: A CSS framework is a pre-built collection of CSS styles, utilities, and components that provides a consistent design system for building user interfaces, reducing the need to write custom styling from scratch.

**Related terms:**

- [Tailwind CSS](https://clerk.com/glossary/tailwind-css.md)
- Framework

---

## Custom Onboarding

- URL: https://clerk.com/glossary.md#custom-onboarding
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Custom Onboarding refers to the process of creating a tailored user onboarding experience, guiding new users through initial setup and familiarization with an application.

**Related terms:**

- User Onboarding
- User Experience
- Authentication
- User Management

---

## Custom Permissions

- URL: https://clerk.com/glossary.md#custom-permissions
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Custom Permissions allow developers to define specific access rights for different users within an application, providing fine-grained control over what each user can do based on their role.

**Related terms:**

- Role Based Access Control (RBAC)
- Roles
- Authorization
- Access Control List (ACL)

---

## Custom Roles

- URL: https://clerk.com/glossary.md#custom-roles
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Custom Roles enable developers to create specific roles with tailored permissions for different user types, ensuring that users have appropriate access levels within an application.

**Related terms:**

- Role Based Access Control (RBAC)
- User Management
- Authorization
- Access Control List (ACL)

---

## Customizable Session Tokens

- URL: https://clerk.com/glossary.md#customizable-session-tokens
- Date: 2024-07-24
- Category: Security
- Description: Customizable Session Tokens are session tokens that can be configured to include specific data or metadata, enhancing the flexibility and security of session management.

**Related terms:**

- Session Management
- JSON Web Token
- Authentication
- Security Best Practices

---

## Data Fetching

- URL: https://clerk.com/glossary.md#data-fetching
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Data fetching is the process of retrieving data from servers, databases, or APIs for use in application rendering, often handled through dedicated loader functions or server components in modern web frameworks.

**Related terms:**

- Loader Function
- Action Function
- Root Loader
- Data Router

---

## Data Privacy

- URL: https://clerk.com/glossary.md#data-privacy
- Date: 2026-03-19
- Category: Security
- Description: Data privacy is the practice of protecting personal information from unauthorized access and ensuring that data collection, storage, and processing comply with applicable regulations and user expectations.

**Related terms:**

- California Consumer Privacy Act (CCPA)
- Health Insurance Portability & Accountability Act (HIPAA)
- Data Residency
- Data Retention
- Evidence of Consent
- Encryption at Rest / In Transit

---

## Data Protection

- URL: https://clerk.com/glossary.md#data-protection
- Date: 2026-03-19
- Category: Security
- Description: Data protection refers to the technical and organizational measures used to safeguard data from unauthorized access, corruption, or loss, including encryption, access controls, and secure storage practices.

**Related terms:**

- Encryption at Rest / In Transit
- E2E Encryption
- TLS
- Data Residency
- Data Retention
- California Consumer Privacy Act (CCPA)

---

## Data Residency

- URL: https://clerk.com/glossary.md#data-residency
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Data Residency refers to the geographical or physical location where an organization's data is stored, processed, or maintained (for example, in which country, region, or data center). When cloud or hosted services are used, it determines which jurisdiction(s) control or regulate that data. This matters for legal, regulatory, and contractual compliance because different regions have laws about how data may be handled, transferred, or accessed.

**Related terms:**

- [Multi-Tenancy](https://clerk.com/glossary/multi-tenancy.md)
- SOC 2
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability & Accountability Act (HIPAA)
- Data Management
- Cloud Services

---

## Data Retention

- URL: https://clerk.com/glossary.md#data-retention
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Data retention defines how long an organization can store customer or user data, including authentication records such as logs, sessions, tokens, and audit trails. Retention periods are determined by legal, regulatory, and operational requirements, and are essential for supporting investigations, ensuring compliance, and maintaining privacy standards. For instance, HIPAA mandates a six-year minimum retention for audit logs related to protected health information, while PCI DSS requires audit trail logs to be retained for at least one year.

**Related terms:**

- Audit Logs
- Session Management
- Health Insurance Portability & Accountability Act (HIPAA)
- Data Management
- Data Privacy
- Database

---

## Data Retention

- URL: https://clerk.com/glossary.md#data-retention-auth-data
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Data Retention defines how long authentication records such as logs, sessions, tokens, and audit trails are kept before deletion or archival. Retention periods support investigations, meet legal and compliance requirements, and respect privacy constraints.

**Related terms:**

- Audit Logs
- Session Management
- SOC 2
- California Consumer Privacy Act (CCPA)

---

## Data Router

- URL: https://clerk.com/glossary.md#data-router
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Data Router is a routing system that manages data fetching and rendering based on URL paths, ensuring that the necessary data is available for each route.

**Related terms:**

- Data Management
- API Integration
- [Frontend API](https://clerk.com/glossary/frontend-api.md)
- State Management
- React Router (Library)
- Client-Side Routing

---

## Database

- URL: https://clerk.com/glossary.md#database
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: A database is a structured system for storing, organizing, and retrieving data, serving as the foundation for application state, user records, and authentication data in web and mobile applications.

**Related terms:**

- Supabase
- Convex
- Data Retention

---

## DDoS Mitigation

- URL: https://clerk.com/glossary.md#ddos-mitigation-auth-endpoints
- Date: 2025-10-01
- Category: Security & Privacy
- Description: DDoS (Distributed Denial-of-Service) mitigation consists of strategies and defenses designed to protect services against distributed denial-of-service attacks, where many compromised systems send massive amounts of traffic to overwhelm a target. For authentication systems, these attacks can overwhelm login, signup, and token services, preventing legitimate users from signing in or creating accounts. Effective mitigation relies on detecting unusual traffic, filtering out malicious requests, applying rate limits, challenging suspicious activity (e.g., CAPTCHAs or bot checks), and routing traffic through specialized filtering services to distinguish between real users and malicious requests.

**Related terms:**

- Rate Limiting
- Bot Detection
- Brute Force Detection
- [CAPTCHA](https://clerk.com/glossary/captcha.md)

---

## Delegated Admin

- URL: https://clerk.com/glossary.md#delegated-admin
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Delegated Admin refers to a role-based (RBAC) administrative model where certain management privileges are granted to users or groups without giving them full organizational or system-wide administrative access. This allows tasks such as managing users, groups, or resources within specific scopes like a department, team, or application, while maintaining overall security and limiting exposure. Delegated administration helps organizations enforce separation of duties by empowering trusted individuals to perform targeted administrative tasks without granting complete control.

**Related terms:**

- Admin Dashboard
- Custom Roles
- Organizations
- User Management

---

## Design System

- URL: https://clerk.com/glossary.md#design-system
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: A design system is a collection of reusable components, patterns, and guidelines that ensure visual and functional consistency across an application or suite of products.

**Related terms:**

- Component Library
- Elements
- Primitives
- Control Components
- User Interface Components
- [Tailwind CSS](https://clerk.com/glossary/tailwind-css.md)

---

## Deterministic Encryption

- URL: https://clerk.com/glossary.md#deterministic-encryption
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Deterministic encryption is a cryptographic method where the same plaintext input always produces the same ciphertext output when encrypted with a given key. This allows for operations such as equality checks, deduplication, or indexing on encrypted data without decryption. While convenient for search and comparison, deterministic encryption can leak patterns, such as repeated values, making it less secure than probabilistic encryption for sensitive data. It's often used when structured queries on encrypted fields are required while still providing a level of confidentiality.

**Related terms:**

- Hash
- HttpOnly cookies
- Secret Key
- Environment Keys

---

## Developer Velocity

- URL: https://clerk.com/glossary.md#developer-velocity
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Developer Velocity refers to the speed and efficiency with which developers can deliver software, often enhanced by tools, processes, and practices that streamline development workflows.

**Related terms:**

- Agile Development
- Continuous Integration
- DevOps
- Software Development Lifecycle

---

## Device Binding

- URL: https://clerk.com/glossary.md#device-binding
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Device Binding is a security technique that associates a user's authentication credentials or cryptographic keys with a specific device. By linking access tokens, certificates, or cryptographic secrets to a device, systems can ensure that only requests originating from the trusted device are accepted. This reduces the risk of credential theft or replay attacks, as stolen credentials alone are insufficient to gain access without the bound device. Device binding is commonly used in multi-factor authentication, mobile banking, and enterprise security to strengthen trust in user-device relationships.

**Related terms:**

- Active Device Monitoring
- Session Management
- Hardware Keys
- Passkeys

---

## Device Fingerprint

- URL: https://clerk.com/glossary.md#device-fingerprint
- Date: 2025-10-01
- Category: Security & Privacy
- Description: A device fingerprint is a unique identifier created from a combination of a device's attributes, such as browser type, operating system, screen resolution, installed fonts, and hardware characteristics, that can be used to recognize or track a device across sessions. Unlike traditional identifiers like cookies, device fingerprints don't rely on client-side storage and are harder to tamper with. They're commonly used for fraud detection, risk-based authentication, and security monitoring, helping systems detect unusual login attempts or account takeover attempts by identifying unfamiliar or suspicious devices.

**Related terms:**

- Fingerprinting
- Browser Fingerprinting
- Bot Detection
- Active Device Monitoring

---

## Directory Sync

- URL: https://clerk.com/glossary.md#directory-sync
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Directory Sync is the process of synchronizing user identities, groups, and related attributes between an organization's identity provider (such as Active Directory, OneLogin, or LDAP) and another system or application. This ensures that user accounts, roles, and permissions remain consistent across platforms, reducing administrative overhead and minimizing the risk of stale or incorrect identity or permission data. Directory synchronization can be one-way or bidirectional and is commonly used to automate onboarding, offboarding, and access updates in enterprise environments.

**Related terms:**

- Identity Provider SSO (IdP SSO)
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- User Management
- Organizations
- Automation
- Identity Management

---

## Discovery Document (OIDC)

- URL: https://clerk.com/glossary.md#discovery-document-oidc
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: In OpenID Connect (OIDC), the Discovery Document is a JSON file published by the identity provider that describes its configuration, endpoints, and capabilities. It typically includes URLs for authorization, token, userinfo, and JSON Web Key Sets (JWKS), supported scopes, response types, grant types, and signing algorithms. Clients use this document to automatically configure themselves, ensuring they know where and how to make requests without requiring manual setup or hardcoding of endpoints.

**Related terms:**

- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- OAuth
- JSON Web Token
- Authorization Server

---

## Disposable Email Detection

- URL: https://clerk.com/glossary.md#disposable-email-detection
- Date: 2024-07-24
- Category: Security
- Description: Disposable Email Detection identifies and blocks the use of temporary email addresses, which are often used for fraudulent activities, ensuring that only legitimate users can sign up and interact with an application.

**Related terms:**

- User Verification
- Account Security
- Spam Prevention
- Data Protection

---

## DKIM

- URL: https://clerk.com/glossary/dkim.md
- Date: 2026-02-25
- Category: Security & Privacy
- Description: DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing messages, allowing receiving servers to verify that the email was sent by an authorized server and has not been altered in transit.

**Related terms:**

- [SPF](https://clerk.com/glossary/spf.md)
- [DMARC](https://clerk.com/glossary/dmarc.md)
- Email Spoofing
- Public-Key Cryptography

[SPF](./spf) verifies that a message came from an authorized server, but it says nothing about whether the message itself was tampered with after it left that server. DKIM fills this gap by attaching a cryptographic signature to every outgoing email that receivers can independently verify.

## What is DKIM

DKIM uses [public-key cryptography](/glossary#public-key-cryptography). The sending mail server signs each outgoing message using a private key, and the corresponding public key is published as a DNS TXT record. When the message arrives, the receiving server looks up the public key and uses it to verify the signature.

The signature covers specific headers and the message body, so any modification in transit — even a single changed character — causes verification to fail.

A DKIM DNS record is published at a selector-specific subdomain:

```
selector._domainkey.yourdomain.com
```

The selector is an arbitrary label (like `s1` or `clerk`) that lets a domain use multiple DKIM keys simultaneously, which is useful when sending through multiple services.

## How DKIM works

When a mail server sends an email, it:

1. Selects the headers to sign, along with the body content.
2. Generates a hash of that content.
3. Encrypts the hash with its private key.
4. Attaches the result as a `DKIM-Signature` header on the message.

The receiving server:

1. Reads the `DKIM-Signature` header to find the signing domain and selector.
2. Looks up the public key via DNS at `selector._domainkey.yourdomain.com`.
3. Decrypts the signature using the public key.
4. Hashes the same headers and body content independently.
5. Compares its hash to the decrypted signature. If they match, the email passes DKIM.

The DKIM result is then factored into DMARC evaluation if a DMARC record exists for the domain.

## DKIM and Clerk

Clerk configures DKIM records automatically as part of production instance setup. This ensures that every verification email sent from your domain carries a valid cryptographic signature.

For more details on email authentication setup, see [Email deliverability](/docs/guides/development/troubleshooting/email-deliverability#spf-and-dkim-email-authentication).

---

## DMARC

- URL: https://clerk.com/glossary/dmarc.md
- Date: 2026-02-25
- Category: Security & Privacy
- Description: DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that ties SPF and DKIM together and tells receiving mail servers what to do when a message fails authentication — nothing, quarantine it, or reject it outright.

**Related terms:**

- [SPF](https://clerk.com/glossary/spf.md)
- [DKIM](https://clerk.com/glossary/dkim.md)
- Email Spoofing
- Encryption at Rest / In Transit

[SPF](./spf) and [DKIM](./dkim) each verify a different aspect of an email's origin, but neither tells the receiving server what to do when a check fails. DMARC fills that gap. It lets domain owners publish a policy that instructs receivers to monitor, quarantine, or reject unauthenticated messages — and it requires that the domain in the visible `From:` header aligns with the domain that passed those checks.

## What is DMARC

DMARC is a DNS TXT record published at `_dmarc.yourdomain.com`. It contains a policy (`p=`) that tells receiving servers how to handle emails that fail SPF and DKIM alignment:

- **`p=none`** — Take no action. Used during initial rollout to collect data without affecting delivery.
- **`p=quarantine`** — Route failing messages to the recipient's spam or junk folder.
- **`p=reject`** — Drop failing messages entirely. The strongest policy, and the end goal for most domains.

DMARC also introduces the concept of alignment. The domain in the `From:` header must match the domain that passed SPF or DKIM. Without alignment, an attacker could pass SPF using their own domain while spoofing yours in the `From:` field.

## How DMARC works

When a mail server receives a message, it checks whether the sending domain has a DMARC record. If one exists, the server evaluates whether the message passed SPF or DKIM with proper alignment. If both checks fail alignment, the server applies the published policy.

DMARC records can also include reporting addresses:

- **`rua`** — Receives aggregate reports summarizing authentication results across all messages from your domain. These reports are XML files sent daily by receiving providers.
- **`ruf`** — Receives forensic (failure) reports for individual messages that failed authentication. Not all providers send these.

A typical DMARC record looks like this:

```
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com
```

The `pct` field controls what percentage of failing messages the policy applies to, which is useful for gradual rollouts.
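As an added example that is not Clerk's code, the following parses a DMARC record like the one above and applies its policy to one message's SPF and DKIM results using the alignment rule described earlier. Relaxed alignment is approximated as "same domain or a subdomain of it" (a real receiver compares organizational domains via the public suffix list), the `pct` sampling draw is passed in so results are repeatable, and the scenarios and domains are constructed.

```javascript
// Added example (not Clerk's code): parse a DMARC TXT record and evaluate one
// message against it. Alignment is simplified; scenarios are constructed.

const POLICIES = ['none', 'quarantine', 'reject'];

// Parse "v=DMARC1; p=...; pct=...; rua=...; ruf=..." into a structured policy.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const t = part.trim();
    if (!t) continue;
    const i = t.indexOf('=');
    tags[t.slice(0, i).trim()] = t.slice(i + 1).trim();
  }
  if (tags.v !== 'DMARC1') throw new Error('not a DMARC record');
  if (!POLICIES.includes(tags.p)) throw new Error('missing or invalid p= tag');
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (!(pct >= 0 && pct <= 100)) throw new Error('pct= must be 0-100');
  const list = (v) => (v ?? '').split(',').map((s) => s.trim()).filter(Boolean);
  return { policy: tags.p, pct, aggregateReports: list(tags.rua), forensicReports: list(tags.ruf),
           spfAlignment: tags.aspf ?? 'r', dkimAlignment: tags.adkim ?? 'r' };
}

// Does the domain that passed SPF or DKIM align with the visible From: domain?
function aligned(fromDomain, authDomain, mode) {
  if (!authDomain) return false;
  const from = fromDomain.toLowerCase(), auth = authDomain.toLowerCase();
  if (from === auth) return true;
  if (mode === 's') return false;                                  // strict: exact match only
  return from.endsWith('.' + auth) || auth.endsWith('.' + from);  // simplified relaxed mode
}

// Apply the record to one message. `auth` carries the SPF and DKIM outcomes and the domains
// they authenticated; `draw` (1-100) decides whether pct= sampling applies the full policy.
function evaluateDmarc(record, fromDomain, auth, draw = 100) {
  const spfAligned = auth.spf.pass && aligned(fromDomain, auth.spf.domain, record.spfAlignment);
  const dkimAligned = auth.dkim.pass && aligned(fromDomain, auth.dkim.domain, record.dkimAlignment);
  if (spfAligned || dkimAligned) return { result: 'pass', action: 'none', spfAligned, dkimAligned };
  // Failing message: inside the pct= share it gets the published policy, outside it
  // the next weaker one (reject -> quarantine, quarantine -> none).
  let action = record.policy;
  if (draw > record.pct) action = action === 'reject' ? 'quarantine' : 'none';
  return { result: 'fail', action, spfAligned, dkimAligned };
}

// Constructed scenarios against the record shown above.
function scenarios() {
  const record = parseDmarc('v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com');
  const half = parseDmarc('v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@yourdomain.com');
  return {
    // Legitimate mail: SPF passed for a subdomain's bounce address, DKIM broke in transit.
    legit: evaluateDmarc(record, 'yourdomain.com',
      { spf: { pass: true, domain: 'mail.yourdomain.com' }, dkim: { pass: false, domain: 'yourdomain.com' } }),
    // Spoof: SPF passes for the sender's own domain, but From: claims yourdomain.com, so nothing aligns.
    spoofed: evaluateDmarc(record, 'yourdomain.com',
      { spf: { pass: true, domain: 'bulk-sender.example' }, dkim: { pass: false, domain: null } }),
    // Same spoof under pct=50 with a draw outside the sampled share: downgraded to quarantine.
    sampledOut: evaluateDmarc(half, 'yourdomain.com',
      { spf: { pass: true, domain: 'bulk-sender.example' }, dkim: { pass: false, domain: null } }, 80),
  };
}

console.log(scenarios());
```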

## DMARC and Clerk

Clerk configures SPF and DKIM automatically during production instance setup, but DMARC is the domain owner's responsibility. At minimum, you need a `p=none` record to satisfy Gmail and Yahoo's bulk sender requirements. For actual protection against spoofing, work toward `p=reject`.

For setup instructions, see [Setup DMARC email authentication](/docs/guides/development/troubleshooting/email-deliverability#setup-dmarc-email-authentication). For guidance on DMARC during domain warm-up, see [New domain reputation and email warm-up](/docs/guides/development/troubleshooting/email-domain-name-warmup).

---

## Dynamic Client Registration

- URL: https://clerk.com/glossary.md#dynamic-client-registration
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Dynamic Client Registration is an OAuth 2.0 and OpenID Connect feature that allows clients (applications) to register with an authorization server automatically at runtime, rather than requiring manual registration by an administrator. During this process, the client receives credentials such as a `client_id` and, if applicable, a `client_secret`. This enables scalable onboarding of new applications and automated workflows in environments where many clients need to connect to an identity provider without manual intervention.

**Related terms:**

- OAuth
- Authorization Server
- Client Secret
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)

---

## E2E Encryption

- URL: https://clerk.com/glossary.md#e2e-encryption-application-auth
- Date: 2025-10-01
- Category: Security & Privacy
- Description: End-to-End Encryption is a security approach where data is encrypted on the sender's device and only decrypted on the recipient's device, ensuring that no intermediate systems (including servers, service providers, or network nodes) can read the data in transit. This protects sensitive information from eavesdropping, interception, or unauthorized access. E2E encryption is commonly used in messaging apps, file storage, and authentication flows to ensure that only intended parties can access the plaintext data, even if the communication channel or server is compromised.

**Related terms:**

- Hash
- Deterministic Encryption
- HttpOnly cookies
- Secret Key

---

## Elements

- URL: https://clerk.com/glossary.md#elements
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Elements refer to the library of unstyled, composable components for building custom UIs, allowing developers to create tailored authentication experiences that fit their application’s design.

**Related terms:**

- User Interface Components
- Design System
- Component Library
- React Components
- Frontend Development

---

## Email Links

- URL: https://clerk.com/glossary.md#email-links
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Email Links are a passwordless authentication method where users receive a link via email that, when clicked, automatically logs them into the application.

**Related terms:**

- One-Time Passcodes (Email / SMS)
- Multi-factor Authentication (MFA)
- Authentication
- Passwordless Login

---

## Email OTP

- URL: https://clerk.com/glossary.md#email-otp
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: An Email OTP (One-Time Password) is a single-use, time-limited code sent to a user's email address as part of an authentication or verification process. Users enter the OTP to prove ownership of the email account and complete actions such as sign-in, account recovery, or sensitive transactions. Email OTPs provide a simple, passwordless or multi-factor authentication method, but their security depends on the email account being secure, as interception or compromise of the inbox could allow unauthorized access.

**Related terms:**

- One-Time Passcodes (Email / SMS)
- Email Links
- Multi-factor Authentication (MFA)
- Account Recovery
- Passwordless Login
- User Verification

---

## Email Spoofing

- URL: https://clerk.com/glossary.md#email-spoofing
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Email spoofing is a technique where attackers forge the sender address of an email to make it appear as if it comes from a trusted source, often to carry out phishing or fraud. To combat this, organizations use authentication protocols like SPF, DKIM, and DMARC. SPF (Sender Policy Framework) specifies which mail servers are allowed to send emails on behalf of a domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing recipients to verify the message hasn't been altered and is from the claimed sender. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to provide domain owners with policies for handling unauthenticated emails and reporting on suspicious activity. Together, these mechanisms reduce the risk of spoofed emails reaching users and help protect brand reputation and security.

**Related terms:**

- Email Links
- Email OTP
- Disposable Email Detection
- Account Recovery
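
How a receiving mail server combines the SPF and DKIM results described above into a DMARC verdict, as an added example that is not Clerk's code. The DMARC record, domains and check results are constructed; the organizational-domain lookup is simplified to the last two labels, whereas real receivers use the Public Suffix List.

```javascript
// Added example (not Clerk's code): turning SPF and DKIM results into a DMARC
// disposition. All records, domains and results are constructed. Simplification:
// the organizational domain is the last two labels (real receivers use the PSL).

// Parse a "tag=value; tag=value" DNS TXT record into an object.
function parseTagValue(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const [key, ...rest] = part.split('=');
    if (key && rest.length) tags[key.trim()] = rest.join('=').trim();
  }
  return tags;
}

// Extract the policy bits DMARC evaluation needs; null if the record is unusable.
function parseDmarc(record) {
  const t = parseTagValue(record);
  if (t.v !== 'DMARC1' || !['none', 'quarantine', 'reject'].includes(t.p)) return null;
  return {
    policy: t.p,
    adkim: t.adkim === 's' ? 'strict' : 'relaxed', // alignment modes default to relaxed
    aspf: t.aspf === 's' ? 'strict' : 'relaxed',
    rua: t.rua || null,                              // where aggregate reports go
  };
}

function organizationalDomain(domain) {
  return domain.toLowerCase().split('.').slice(-2).join('.');
}

// Alignment: the domain an SPF or DKIM check authenticated must match the visible
// From: domain, exactly (strict) or by organizational domain (relaxed).
function isAligned(authDomain, fromDomain, mode) {
  if (!authDomain) return false;
  const a = authDomain.toLowerCase();
  const f = fromDomain.toLowerCase();
  return mode === 'strict' ? a === f : organizationalDomain(a) === organizationalDomain(f);
}

// message = { fromDomain, spf: { result, domain }, dkim: [{ result, domain }] }
// spf.domain is the envelope sender (MAIL FROM) domain; dkim[].domain is the d= tag.
function evaluateDmarc(message, dmarcRecord) {
  const policy = dmarcRecord ? parseDmarc(dmarcRecord) : null;
  if (!policy) return { result: 'none', disposition: 'deliver', reason: 'no usable DMARC record' };
  const spfAligned =
    message.spf.result === 'pass' && isAligned(message.spf.domain, message.fromDomain, policy.aspf);
  const dkimAligned = (message.dkim || []).some(
    (sig) => sig.result === 'pass' && isAligned(sig.domain, message.fromDomain, policy.adkim),
  );
  if (spfAligned || dkimAligned) {
    return { result: 'pass', disposition: 'deliver', spfAligned, dkimAligned };
  }
  // No aligned pass from either mechanism: apply the domain owner's policy.
  const disposition = policy.policy === 'none' ? 'deliver' : policy.policy;
  return { result: 'fail', disposition, spfAligned, dkimAligned };
}

// Constructed DMARC record for example.com: reject failures, strict DKIM, relaxed SPF.
const EXAMPLE_DMARC = 'v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com';
```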

---

## Embedded Login vs Hosted

- URL: https://clerk.com/glossary.md#embedded-login-vs-hosted
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Embedded login refers to authentication flows that appear directly within your application's UI, for example `app.company.com/login`, allowing users to authenticate without leaving the app. This provides full control over the UI and UX but requires careful handling of credentials and other security tradeoffs. Hosted login, in contrast, redirects users to a provider-managed page, such as `auth.provider.com`, to handle sign-in, registration, or password recovery. The provider manages credentials and token issuance, reducing your app's exposure to sensitive data, though with less control over the user experience.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- Custom Onboarding
- User Interface Components
- [Frontend API](https://clerk.com/glossary/frontend-api.md)
- User Experience

---

## Encrypted Cookies

- URL: https://clerk.com/glossary.md#encrypted-cookies
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Encrypted cookies are HTTP cookies whose contents are encrypted before being sent to the client, ensuring that sensitive data such as session identifiers, authentication tokens, or user preferences cannot be read or tampered with by unauthorized parties. By encrypting the cookie payload, the server protects against data leakage and manipulation while still allowing the client to store and return the cookie on subsequent requests. Secure management of encryption keys and proper use of cookie attributes like `Secure` and `HttpOnly` are essential to maintain confidentiality and integrity.

**Related terms:**

- HttpOnly cookies
- Session
- Hash
- Secret Key

---

## Encryption at Rest / In Transit

- URL: https://clerk.com/glossary.md#encryption-at-rest-in-transit
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Encryption at rest refers to the practice of encrypting data while it's stored on disk or in persistent storage, protecting it from unauthorized access if the storage medium is compromised. Encryption in transit secures data as it moves across networks, such as between clients, servers, and APIs, preventing eavesdropping or tampering. Together, these encryption strategies ensure that sensitive information like authentication tokens, personal data, or application secrets remains confidential and intact, both when stored and while being transmitted.

**Related terms:**

- Hash
- Deterministic Encryption
- E2E Encryption
- Secret Key
- Data Protection

---

## Endpoint

- URL: https://clerk.com/glossary.md#endpoint
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: An Endpoint is a specific URL where an API can be accessed by a client application, serving as a communication point between different systems or components.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- Application Programming Interface
- Access Token
- Integration
- API Integration

---

## Entitlements

- URL: https://clerk.com/glossary.md#entitlements
- Date: 2025-10-01
- Category: Authentication & Authorization
- Description: Entitlements are fine-grained rights assigned to a subject or resource, for example `"invoice.read"` on tenant X, used by authorization engines to determine access. They are often modeled as attributes separate from broader roles, enabling precise control over what actions a user or system can perform.

**Related terms:**

- Custom Permissions
- Role Based Access Control (RBAC)
- Custom Roles
- Authorization

---

## Environment Keys

- URL: https://clerk.com/glossary.md#environment-keys
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Environment Keys are configuration settings stored in environment variables, used to manage different environments (development, testing, production) in software applications.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- Configuration Management
- Security Best Practices
- Environment Variables

---

## Environment Variables

- URL: https://clerk.com/glossary.md#environment-variables
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Environment Variables are dynamic values that can affect the behavior of running processes, commonly used to configure applications without hardcoding sensitive information.

**Related terms:**

- Configuration Management
- Security Best Practices
- Deployment
- Application Settings

---

## Ephemeral Keys

- URL: https://clerk.com/glossary.md#ephemeral-keys
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Ephemeral Keys are short-lived cryptographic keys created for temporary use in a specific session, handshake, or transaction and then destroyed. They limit blast radius if compromised and enable forward secrecy by ensuring that past encrypted data remains secure even if long-term keys are later compromised. Common use cases include TLS session keys, one-time API tokens, and temporary encryption keys for secure data exchange between clients and servers.

**Related terms:**

- Hardware Keys
- Session Management
- Hash
- Secret Key

---

## Event Audit Trail

- URL: https://clerk.com/glossary.md#event-audit-trail
- Date: 2025-10-01
- Category: Security & Privacy
- Description: An event audit trail is a chronological record of actions and events within a system, capturing details such as who performed an action, what was done, when it occurred, and from where. In authentication and authorization contexts, audit trails often include logins, logouts, token usage, permission changes, and administrative actions. Maintaining detailed audit trails enables security teams to investigate incidents, verify compliance with regulations, and hold users or systems accountable for their actions.

**Related terms:**

- Audit Logs
- Session Lifecycle
- User Management
- Session Management
- Security Monitoring

---

## Event Webhooks

- URL: https://clerk.com/glossary.md#event-webhooks-security
- Date: 2025-10-01
- Category: Development Tools & Concepts
- Description: Event webhooks are signed HTTP callbacks that notify external systems when specific events occur within an application or service. Instead of polling for updates, a system can subscribe to events and receive real-time notifications via HTTP requests to a configured endpoint. Payloads are authenticated with a shared secret or key pair and include timestamps/ids to detect replay.

**Related terms:**

- Webhook
- Hash
- Secret Key
- Audit Logs
- Automation

---

## Evidence of Consent

- URL: https://clerk.com/glossary.md#evidence-of-consent
- Date: 2025-10-01
- Category: Security & Privacy
- Description: Evidence of consent is a record that demonstrates a user has knowingly and voluntarily granted permission for an application or service to access their data or perform specific actions on their behalf. This may include timestamps, the scopes or permissions granted, the interface where consent was given, and the user or device identity. This creates an auditable trail that organizations can reference during privacy reviews, compliance audits, or if users later dispute their consent decisions.

**Related terms:**

- Consent Screen
- Audit Logs
- California Consumer Privacy Act (CCPA)
- User Management
- Data Privacy

---

## Expo

- URL: https://clerk.com/glossary.md#expo
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Expo is a framework and platform for universal React applications, providing tools and services to build, deploy, and manage native apps for iOS and Android.

**Related terms:**

- React Native
- Mobile Development
- Framework
- Cross-Platform Development
- JavaScript

---

## Fingerprinting

- URL: https://clerk.com/glossary.md#fingerprinting
- Date: 2024-07-24
- Category: Security
- Description: Fingerprinting is a technique used to uniquely identify devices and users based on their browser and device characteristics, enhancing security measures and preventing unauthorized access.

**Related terms:**

- User Tracking
- Security Monitoring
- Privacy Concerns
- Data Protection

---

## Firebase

- URL: https://clerk.com/glossary.md#firebase
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Firebase is a platform developed by Google for creating mobile and web applications, offering services like real-time databases, authentication, and cloud storage.

**Related terms:**

- Backend as a Service (BaaS)
- Cloud Services
- Real-Time Database
- Authentication

---

## First Day Free

- URL: https://clerk.com/glossary.md#first-day-free
- Date: 2024-07-24
- Category: User & Session Management
- Description: First Day Free means no charges for users who sign up but never return. Users are only counted as active when they come back after 24 hours, ensuring fair and user-friendly billing practices.

**Related terms:**

- Free Trial
- Subscription Model
- Pricing Strategy
- User Acquisition
- Monthly Active Users (MAUs)
- Monthly Retained Users (MRUs)
- Monthly Retained Organizations (MROs)

---

## Framework

- URL: https://clerk.com/glossary.md#framework
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: A Framework is a platform for developing software applications that provides foundational structures and tools, such as React, Next.js, React Router (Framework), and Expo to streamline the development process.

**Related terms:**

- Web Development
- Software Development
- Application Architecture
- Libraries
- Vue.js

---

## Frontend API

- URL: https://clerk.com/glossary/frontend-api.md
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Frontend API is an interface that allows client-side applications to interact with backend services, providing secure and straightforward methods for implementing features directly within the application’s frontend.

**Related terms:**

- API Integration
- Client-Side Development
- React
- Vue.js
- Frontend Development

Frontend APIs enable web applications to communicate with server-side services, making web applications interactive and dynamic. They serve as the bridge between user interfaces and server-side resources, allowing applications to fetch, send, and manipulate data without page refreshes. This capability has transformed web development, enabling the creation of responsive, data-centric applications that meet user expectations for immediate feedback and real-time updates.

The evolution of Frontend APIs reflects broader changes in web development. From early XML-based protocols to modern REST and GraphQL implementations, these APIs have become more efficient and developer-friendly. Understanding Frontend APIs is important for building web applications that deliver smooth user experiences while maintaining reliable architectures.

## What's a Frontend API?

A Frontend API is an interface that enables client-side applications to communicate with server-side services, facilitating the exchange of data and functionality between the user interface and server-side components. It provides a structured way for web applications to interact with external services and internal server-side systems, enabling developers to create dynamic, interactive user experiences. Technologies like AJAX are often used with Frontend APIs to fetch data asynchronously without refreshing the page, improving the user experience significantly ([source](/blog/how-httponly-cookies-help-mitigate-xss-attacks)).

### Core components

Frontend APIs consist of several key components that work together to enable client-server communication:

1. **API Interface** - Defines the protocol, endpoints, and methods for interacting with the API.
2. **API Controller** - Manages request flow, authentication, and error handling.
3. **API Runtime** - Executes business logic and processes requests.
4. **Data Bridge** - Facilitates communication between the API and data storage systems.
5. **API Gateway** - Routes requests and manages load balancing in complex architectures.

These components create a strong framework for handling client-server interactions, ensuring applications remain responsive and efficient while maintaining security and data integrity.

## Differences between Frontend and Back-end APIs

Frontend and server-side APIs serve different purposes, and their differences are rooted in their roles within the application architecture.

### Frontend APIs

- **Purpose**: Facilitate communication between the client-side (user interface) and the server-side (server). They enable the frontend to send and receive data from the server, allowing dynamic interactions and updates on the user interface ([source](/blog/webhooks-v-bapi)).
- **Usage**: Frontend developers use APIs to retrieve data from the server, such as user information, shopping cart contents, or other dynamic elements displayed on the client-side. This interaction is done using HTTP requests (GET, POST, PUT, DELETE) to fetch or update data.
- **Technologies**: JavaScript frameworks like React, Angular, or Vue.js provide tools for making API calls and handling responses. Libraries like Axios or Fetch API are frequently used for making HTTP requests.
- **Examples**:
  - A user logs in and the frontend sends a request to the server API to authenticate the user.
  - A shopping cart application sends requests to the server API to update the cart contents or process payments.

### Server-side APIs

- **Purpose**: Responsible for managing server-side logic, database interactions, and other server-side functionalities. They handle complex operations like data storage, retrieval, and processing.
- **Usage**: Server-side developers create APIs to expose functionalities to the frontend, like user authentication, data storage, or business logic operations. These APIs handle server-side tasks efficiently and securely ([source](/blog/webhooks-v-bapi)).
- **Technologies**: Programming languages like Java, Python, Ruby, and PHP create server-side logic and APIs. Frameworks like Django (Python), Ruby on Rails (Ruby), and Express (Node.js) build reliable server-side APIs.
- **Examples**:
  - A user registration process involves the server-side API handling user data validation, storing data in a database, and returning a response to the frontend.
  - A social media platform's server-side API manages posting, commenting, and liking operations by interacting with the database and returning updated data to the frontend.

### Key differences

- **Visibility**: Frontend APIs are directly accessible through the client-side interface, whereas server-side APIs are reached only through those frontend calls and are not exposed directly to users.
- **Functionality**: Frontend APIs focus on retrieving and updating data for display, while server-side APIs handle complex operations like data storage and business logic.
- **Security**: Server-side APIs involve comprehensive security measures like encryption and authentication systems to protect sensitive data and services.

## Implementation strategies

Implementing Frontend APIs requires careful consideration of security, performance, and maintainability. Developers must also handle [CORS](/blog/skip-cors-options-preflight) to ensure secure and efficient cross-origin requests. Here is an example of a Next.js API route that uses Clerk to resolve the authenticated caller before responding to the frontend:

```tsx
import { clerkClient, getAuth } from '@clerk/nextjs/server'
import type { NextApiRequest, NextApiResponse } from 'next'

export default async function handler(req: NextApiRequest, res: NextApiResponse) {
  const { userId } = getAuth(req)
  const user = userId ? await clerkClient.users.getUser(userId) : null

  return res.status(200).json({ user })
}
```

For more information, see [Clerk's documentation](/docs/references/nextjs/get-auth).

Security considerations are paramount when implementing Frontend APIs. Developers should:

- Use HTTPS for all API communications.
- Implement proper authentication and authorization.
- Validate and sanitize all user inputs.
- Apply rate limiting to prevent abuse.
- Use security headers to protect against common vulnerabilities.

## Benefits and difficulties

Frontend APIs offer major advantages for web development:

- **Enhanced User Experience**: APIs enable real-time updates and dynamic content loading, creating applications that engage users.
- **Development Productivity**: Standardized interfaces for common functionalities reduce development time, enabling developers to focus on features.
- **Scalability**: Frontend APIs support modular architectures, easing application scaling and feature addition.

However, developers must address several obstacles:

- **Security Concerns**: APIs increase security risks. Proper authentication, authorization, and data validation are important.
- **Performance Optimization**: Efficient API request management requires caching and network optimization.
- **Error Handling**: Effective error handling and recovery mechanisms maintain application stability.

## Frontend APIs in Practice

Popular services demonstrate the practical application of Frontend APIs. [Clerk](/docs/references/nextjs/get-auth) is a prime example. It offers comprehensive authentication and user management APIs. These APIs allow developers to integrate secure user authentication flows without extensive server-side expertise. Clerk's API provides:

- Secure authentication flows
- Session management
- User profile handling
- Social login integration
- Multi-factor authentication

Clerk supports a variety of [SDKs](/docs/references/sdk/overview) designed for different frameworks and programming environments, improving developer experience by providing pre-built components for handling authentication workflows directly in client-side applications.

## Looking forward

Frontend APIs continue to evolve with web development trends. GraphQL adoption is growing, offering more flexible data querying. WebSocket APIs enable real-time communication, and edge computing is changing how APIs are deployed.

Security is a primary focus, with zero-trust architectures and enhanced authentication methods becoming standard. As applications become more complex, Frontend APIs are set to play a significant role in managing this complexity while maintaining performance and user experience.

To stay current with Frontend API development:

- Study modern API design patterns.
- Learn about new security standards.
- Discover new protocols and specifications.
- Practice building secure, efficient implementations.

Frontend APIs form the foundation of modern web applications. Understanding their implementation, security requirements, and best practices helps developers create reliable applications that deliver excellent user experiences.

---

## Frontend Development

- URL: https://clerk.com/glossary.md#frontend-development
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Frontend development is the practice of building the user-facing portion of web and mobile applications, including UI components, routing, state management, and client-server interaction.

**Related terms:**

- React
- React Server Components
- Component Library
- Elements
- [Frontend API](https://clerk.com/glossary/frontend-api.md)
- [Tailwind CSS](https://clerk.com/glossary/tailwind-css.md)
- User Interface Components

---

## Full Stack Development

- URL: https://clerk.com/glossary.md#full-stack-development
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Full stack development encompasses both frontend and backend engineering, involving the design and implementation of complete applications from user interface to server logic and data storage.

**Related terms:**

- Framework
- Next.js
- Redwood
- React Router (Framework)

---

## Gatsby

- URL: https://clerk.com/glossary.md#gatsby
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Gatsby is a React-based open-source framework for building fast, scalable, and secure static websites and applications with a focus on performance and developer experience.

**Related terms:**

- Static Site Generator
- React
- Web Development
- Framework
- JavaScript
- Static Site Generation (SSG)

---

## GitHub Repository

- URL: https://clerk.com/glossary.md#github-repository
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A GitHub Repository is a storage space on GitHub where code, documentation, and other project files are managed and shared, facilitating collaboration and version control among developers.

**Related terms:**

- Version Control
- Source Code Management
- Collaboration
- Software Development

---

## Hardware Keys

- URL: https://clerk.com/glossary.md#hardware-keys
- Date: 2024-07-24
- Category: Security
- Description: Hardware Keys are physical devices used for authentication that generate and store cryptographic keys, providing an additional layer of security. Examples include USB security keys like YubiKey, which are used in two-factor authentication (2FA) and multi-factor authentication (MFA) processes to ensure secure access to systems and data.

**Related terms:**

- Multi-factor Authentication (MFA)
- Security Tokens
- Authentication
- Access Control List (ACL)
- WebAuthn

---

## Hash

- URL: https://clerk.com/glossary.md#hash
- Date: 2024-12-12
- Category: Security
- Description: Hashing is a way of converting data into a unique, fixed-length code that acts like a digital fingerprint. When a piece of information is run through a hashing process, it creates a specific string of characters that uniquely represents the original data. The hash can verify that the original data hasn't been changed, and cannot be 'decoded' to recreate the original information. The same input will always produce the same hash, and different inputs will typically produce different hashes. One piece of data can have multiple types of hashes generated from it depending on the specific purpose, such as checking if a password is correct or ensuring a file hasn't been tampered with.

**Related terms:**

- Security Best Practices
- Authentication
- Fingerprinting

---

## Hash Routing

- URL: https://clerk.com/glossary.md#hash-routing
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Hash Routing is a routing method that uses the URL hash (fragment identifier) to manage navigation and rendering of components in a single-page application.

**Related terms:**

- Client-Side Routing
- URL Management
- Frontend Development
- React Router (Library)

---

## Health Insurance Portability & Accountability Act (HIPAA)

- URL: https://clerk.com/glossary.md#health-insurance-portability-accountability-act-hipaa
- Date: 2024-07-24
- Category: Compliance & Privacy
- Description: The Health Insurance Portability & Accountability Act (HIPAA) is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers.

**Related terms:**

- Data Privacy
- Compliance
- Patient Rights
- Security Standards

---

## HttpOnly cookies

- URL: https://clerk.com/glossary.md#httponly-cookies
- Date: 2024-07-24
- Category: Security
- Description: HttpOnly cookies are a type of browser cookie that is inaccessible to JavaScript, providing an additional layer of security by mitigating the risk of client-side script attacks like Cross-Site Scripting (XSS).

**Related terms:**

- Security Best Practices
- Session Management
- Web Security
- Cookie Attributes

---

## Identity Management

- URL: https://clerk.com/glossary.md#identity-management
- Date: 2026-03-19
- Category: Authentication & Authorization
- Description: Identity management is the framework of policies, processes, and technologies used to manage digital identities and control access to resources, encompassing user provisioning, authentication, and directory services.

**Related terms:**

- Identity Provider SSO (IdP SSO)
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- User Management
- Directory Sync
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- Authorization Server

---

## Identity Provider SSO (IdP SSO)

- URL: https://clerk.com/glossary.md#identity-provider-sso-idp-sso
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Identity Provider Single Sign-On (IdP SSO) is a service that allows users to authenticate once and gain access to multiple applications and services without needing to log in separately to each one.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- OAuth
- Security Assertion Markup Language (SAML)
- Authentication
- Authorization Server
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- Identity Management

---

## Integration

- URL: https://clerk.com/glossary.md#integration
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Integration refers to the process of connecting different systems, applications, or services to work together seamlessly, enabling data exchange and functional cooperation.

**Related terms:**

- API Integration
- Application Programming Interface
- Software Development
- System Integration

---

## IP Warming

- URL: https://clerk.com/glossary.md#ip-warming
- Date: 2026-02-25
- Category: Security & Privacy
- Description: IP warming (also called IP address warming) is the practice of gradually increasing the volume of email sent from a new or dormant IP address to build a positive sending reputation with email providers. Sending too much email too quickly from an unfamiliar IP address can trigger spam filters and delivery throttling. A controlled ramp-up allows providers to observe consistent, legitimate sending patterns and establish trust over time.

**Related terms:**

- [SPF](https://clerk.com/glossary/spf.md)
- [DKIM](https://clerk.com/glossary/dkim.md)
- [DMARC](https://clerk.com/glossary/dmarc.md)
- Email Spoofing

---

## Isolated user-pool

- URL: https://clerk.com/glossary.md#isolated-user-pool
- Date: 2024-07-24
- Category: User & Session Management
- Description: An Isolated user-pool is a user management system where each application has its own separate pool of user accounts, ensuring isolation and independence between applications.

**Related terms:**

- User Management
- Security Best Practices
- [Multi-Tenancy](https://clerk.com/glossary/multi-tenancy.md)
- Authentication

---

## JSON Web Token

- URL: https://clerk.com/glossary.md#json-web-token
- Date: 2024-07-24
- Category: Security
- Description: A JSON Web Token (JWT) is a compact, URL-safe token used for securely transmitting information between parties as a JSON object, commonly used in authentication and authorization.

**Related terms:**

- Access Token
- Authentication
- API Security
- Session Management
- Token Expiration

---

## LDAP

- URL: https://clerk.com/glossary.md#ldap
- Date: 2025-02-13
- Category: Authentication & Authorization
- Description: LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral application protocol for accessing and maintaining directory services over a TCP/IP network. A directory service stores identity data — such as usernames, passwords, email addresses, group memberships, and access privileges — in a hierarchical tree structure, where each entry is identified by a Distinguished Name (DN). LDAP provides the standard language that applications use to query and update this data. For authentication, a client sends a bind request containing user credentials to the LDAP server, which validates them against the directory and grants or denies access. LDAP is not a directory service itself — it is the protocol used to communicate with one. Microsoft Active Directory, for example, is a directory service that uses LDAP as one of its primary access protocols. In enterprise environments, LDAP remains foundational for centralized authentication, directory sync, and integrating on-premises identity infrastructure with modern applications via SSO and SAML.

**Related terms:**

- Directory Sync
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- Security Assertion Markup Language (SAML)
- Identity Provider SSO (IdP SSO)
- Identity Management

---

## Least Privilege Access

- URL: https://clerk.com/glossary.md#least-priveledge-access
- Date: 2024-12-11
- Category: Security
- Description: Least Privilege Access is a security principle where users, applications, and systems are granted the minimum access necessary to perform their tasks, reducing risk.

**Related terms:**

- Role Based Access Control (RBAC)
- Zero Trust Architecture
- Access Control List (ACL)
- Identity and Access Management (IAM)

---

## Libraries

- URL: https://clerk.com/glossary.md#libraries
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Libraries are reusable collections of pre-written code that provide specific functionality, allowing developers to build applications more efficiently without implementing common features from scratch.

**Related terms:**

- Software Development Kit (SDK)
- Component Library
- Framework

---

## Loader Function

- URL: https://clerk.com/glossary.md#loader-function
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Loader Function is a function that fetches or prepares data needed for rendering a component or page in a web application.

**Related terms:**

- Action Function
- Middleware
- Data Fetching
- Server-Side Rendering (SSR)

---

## Middleware

- URL: https://clerk.com/glossary.md#middleware
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Middleware is software that acts as a bridge between an operating system or database and applications, especially on a network, enabling communication and data management.

**Related terms:**

- API Integration
- Server-Side Logic
- Web Development
- Application Architecture

---

## Monthly Active Users (MAUs)

- URL: https://clerk.com/glossary.md#monthly-active-users-maus
- Date: 2024-07-24
- Category: User & Session Management
- Description: Monthly Active Users (MAUs) is a metric that counts the number of unique users who interact with an application or service within a given month, indicating user engagement and growth.

**Related terms:**

- User Engagement
- Analytics
- Key Performance Indicators (KPIs)
- User Retention
- Monthly Retained Users (MRUs)

---

## Monthly Retained Organizations (MROs)

- URL: https://clerk.com/glossary.md#monthly-retained-organizations-mros
- Date: 2026-03-19
- Category: User & Session Management
- Description: Monthly Retained Organizations (MROs) is a usage metric that counts organizations with at least one active user session during a given month. This metric is used alongside Monthly Retained Users (MRUs) to measure usage for applications that leverage multi-tenant or B2B SaaS organization structures.

**Related terms:**

- Organizations
- Monthly Active Users (MAUs)
- Monthly Retained Users (MRUs)
- [Multi-Tenancy](https://clerk.com/glossary/multi-tenancy.md)
- B2B SSO
- First Day Free

---

## Monthly Retained Users (MRUs)

- URL: https://clerk.com/glossary.md#monthly-retained-users-mrus
- Date: 2026-03-19
- Category: User & Session Management
- Description: Monthly Retained Users (MRUs) is a usage metric that counts users who have at least one active session during a given month. Unlike Monthly Active Users (MAUs), which can count any user interaction, MRUs specifically track users who maintain authenticated sessions, providing a more accurate reflection of meaningful application usage.

**Related terms:**

- Monthly Active Users (MAUs)
- Monthly Retained Organizations (MROs)
- Session
- Session Management
- First Day Free

---

## Multi-factor Authentication (MFA)

- URL: https://clerk.com/glossary.md#multi-factor-authentication-mfa
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Multi-factor Authentication (MFA) is a security process that requires users to provide two or more verification factors to gain access to a resource, enhancing security beyond just a username and password.

**Related terms:**

- Authenticator Apps (TOTP)
- Security Best Practices
- User Verification
- Account Protection
- Zero Trust Architecture

---

## Multi-Tenancy

- URL: https://clerk.com/glossary/multi-tenancy.md
- Date: 2024-07-24
- Category: User & Session Management
- Description: Multi-Tenancy is an architecture in which a single instance of software serves multiple customers (tenants), with each tenant’s data isolated and invisible to others.

**Related terms:**

- User Management
- Software as a Service (SaaS)
- Cloud Services
- Application Architecture
- Monthly Retained Organizations (MROs)

Multi-tenancy enables one application instance to serve multiple customers efficiently.

Each customer remains isolated, using shared computing resources securely. Understanding this approach is important for developers building applications focused on resource optimization and cost-effectiveness.

## What is Multi-Tenancy

Multi-tenancy is a software architecture where a single instance of an application serves multiple customers, known as tenants. This model allows organizations to share resources while maintaining the privacy and security of each tenant's data. In a multi-tenant system, tenants use the same application infrastructure, yet their data and user experiences remain isolated.

Multi-tenancy lets multiple customers utilize the same software or infrastructure, reducing operational costs and increasing scalability. By sharing resources like servers, databases, and application instances, companies maximize hardware utilization and improve maintenance processes. This shared environment is prevalent in many SaaS applications, where each organization operates as a tenant within a larger environment.

## Multi-Tenant vs Single-Tenant Architecture

### Multi-tenant architecture

In multi-tenant architecture, a single instance of the software and its supporting infrastructure serves multiple customers. Each customer's data is isolated, but the underlying resources are shared among tenants.

**Benefits**:

- Resource Sharing: Resources shared among customers reduce overall costs.
- Scalability: Supports scaling efficiently.
- Simplified Maintenance: Centralized updates and maintenance reduce burdens on individual tenants.

**Drawbacks**:

- Security Risks: Shared resources can lead to data breaches if isolation between tenants is not enforced.
- Limited Customization: Customizations are often more generic as they affect all tenants.

### Single-tenant architecture

In contrast, single-tenant architecture dedicates resources of an application instance to one customer. Each client has their own database and codebase, offering more security and customization options.

**Benefits**:

- Enhanced Security: Isolated instances keep data separate.
- Customization: Allows greater adaptability.
- Reliability: Dedicated resources result in consistent performance.

**Drawbacks**:

- Higher Costs: More resources are required, increasing expenses.
- Maintenance Management: Individual maintenance needs increase operational tasks.

## Technical Implementation

Multi-tenancy implementation involves technologies and approaches that enable resource sharing while maintaining security between tenants.

### Virtualization and containerization

Virtualization creates multiple virtual machines (VMs) on a single physical server, providing strong isolation between tenants through hypervisor technology. Containerization offers a lighter-weight alternative by isolating applications at the process level while sharing the host operating system kernel. Tools like Kubernetes manage container orchestration, simplifying deployment and scaling in cloud environments.

### Database Architecture

Multi-tenant databases can be structured in several ways:

1. Separate Databases: Each tenant gets a dedicated database for maximum isolation but requires more resources.
2. Shared Database, Separate Schemas: Tenants share a database but maintain separate schemas, balancing isolation and resource optimization.
3. Shared Database, Shared Schema: All tenants share the same database and schema, using tenant identifiers to separate data. This offers high resource optimization but requires careful security implementation.
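As an added example that is not Clerk's code, here is a tenant-scoped data access layer for the third model (shared database, shared schema). It uses a constructed in-memory table with an assumed `org_id` column and a session object that carries the caller's resolved `orgId`; the point is that the tenant predicate is applied by the repository, not by each call site.

```javascript
// Constructed in-memory stand-in for a shared `documents` table (assumed schema).
const documents = [
  { id: 'doc_1', org_id: 'org_acme', title: 'Acme roadmap' },
  { id: 'doc_2', org_id: 'org_acme', title: 'Acme budget' },
  { id: 'doc_3', org_id: 'org_globex', title: 'Globex pricing' },
];

// Weak pattern: a lookup by primary key alone ignores the tenant boundary, so
// any caller who knows (or guesses) a record id can read another tenant's row.
function findDocumentUnscoped(id) {
  return documents.find((d) => d.id === id) || null;
}

// Hardened pattern: the repository is bound to the tenant resolved during
// authentication (e.g. the active organization in the session). Every read and
// write carries the org_id predicate automatically.
function tenantRepository(orgId) {
  if (typeof orgId !== 'string' || orgId.length === 0) {
    throw new Error('tenant id is required to access tenant data');
  }
  return {
    findById(id) {
      // Both predicates are mandatory: id match AND tenant match.
      return documents.find((d) => d.id === id && d.org_id === orgId) || null;
    },
    list() {
      return documents.filter((d) => d.org_id === orgId);
    },
    insert(doc) {
      // The tenant id is stamped server-side; a caller-supplied org_id is overwritten.
      const row = { ...doc, org_id: orgId };
      documents.push(row);
      return row;
    },
  };
}

// Simulated request handler: the tenant comes from the verified session,
// never from a query parameter or the request body.
function handleGetDocument(session, id) {
  const repo = tenantRepository(session.orgId);
  const doc = repo.findById(id);
  // Answer 404 rather than 403 so the existence of another tenant's row is not leaked.
  return doc ? { status: 200, body: doc } : { status: 404, body: null };
}
```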

## Security and Data Isolation

Security in multi-tenant environments requires careful data isolation, access controls, and encryption. Each tenant's data must remain private and protected from unauthorized access.

### Access control and authentication

Role-based access control (RBAC) systems ensure users only access resources within their tenant boundary. [Clerk](/) provides reliable authentication and authorization solutions for multi-tenant applications, including features like:

- Organization switching for users belonging to multiple tenants
- Fine-grained permission controls
- Secure session management
- CSRF protection

[Clerk's Organizations](/b2b-saas) feature enhances multi-tenancy by allowing users to create and manage teams within applications. This capability includes inviting other users, managing roles, and switching between organizations, which simplifies user permission controls and improves collaboration.

### Data privacy and compliance

Multi-tenant applications must comply with various data protection regulations while serving customers from different regions or industries. This includes implementing:

- Data encryption at rest and in transit
- Regular security audits
- Compliance monitoring
- Geographic data residency requirements

## Benefits and Obstacles

Multi-tenancy offers several advantages for both service providers and customers:

- Reduced costs through shared infrastructure
- Improved resource utilization and scalability
- Simplified updates and maintenance

Organizations must also address certain obstacles:

- Ensuring proper data isolation and security
- Managing resource contention between tenants
- Maintaining performance consistency
- Implementing tenant-specific customizations

## Clerk's contributions to multi-tenancy

[Clerk Organizations](/docs/organizations/overview) exemplifies a modern multi-tenancy solution, providing tools that simplify organization management for SaaS applications. Clerk's organization components offer:

- Pre-built components for organization profiles and security management
- Features like `<OrganizationProfile />`, `<CreateOrganization />`, and `<OrganizationSwitcher />` to manage and create organizations
- Customizable roles and permissions for specific needs

## The Future of Multi-Tenancy

Multi-tenancy continues to evolve with cloud computing advances. Edge computing brings processing closer to users, while AI optimizes resource allocation. These developments enable more efficient and secure multi-tenant architectures.

Successful multi-tenant applications depend on selecting the right architecture, implementing security measures, and using tools that simplify tenant management. Understanding these principles and leveraging technologies like Clerk helps developers build reliable multi-tenant applications for modern businesses.

---

## Next.js

- URL: https://clerk.com/glossary.md#next-js
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Next.js is a React-based framework that enables server-side rendering and static site generation for building fast, scalable web applications.

**Related terms:**

- React
- Server-Side Rendering (SSR)
- Static Site Generation (SSG)
- Web Development
- Framework
- Full Stack Development
- JavaScript

---

## Node Package Manager

- URL: https://clerk.com/glossary.md#node-package-manager
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Node Package Manager (NPM) is a package manager for JavaScript that allows developers to install, share, and manage dependencies for their projects.

**Related terms:**

- JavaScript
- Package Management
- Dependency Management

---

## OAuth

- URL: https://clerk.com/glossary.md#oauth
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: OAuth is an open standard for access delegation commonly used as a way to grant websites or applications limited access to user information without exposing passwords.

**Related terms:**

- Authorization
- Authentication
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- API Security

---

## OAuth Scopes

- URL: https://clerk.com/glossary.md#oauth-scopes
- Date: 2024-12-11
- Category: Authentication & Authorization
- Description: OAuth Scopes define the specific permissions granted to a client application, determining the actions or resources it can access when interacting with a protected API.

**Related terms:**

- Authorization
- Access Token
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)

---

## One-Time Passcodes (Email / SMS)

- URL: https://clerk.com/glossary.md#one-time-passcodes-email-sms
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: One-Time Passcodes (OTP) are temporary codes sent via email or SMS that users enter to verify their identity, commonly used in two-factor authentication processes.

**Related terms:**

- Multi-factor Authentication (MFA)
- Authenticator Apps (TOTP)
- User Verification
- Security Best Practices
- Email OTP
- [SMS passcodes](https://clerk.com/glossary/sms-passcodes.md)

---

## Opaque Token

- URL: https://clerk.com/glossary.md#opaque-token
- Date: 2025-08-20
- Category: Authentication & Authorization
- Description: An opaque token is a type of access token that is not human-readable and cannot be easily inspected or decoded. It is used to authenticate requests to a protected resource. Opaque tokens are normally verified with a network call to the issuer rather than a digital signature verification, and can be revoked immediately -- both properties that are different from JWTs.

**Related terms:**

- Access Token
- JSON Web Token
- OAuth
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)

---

## OpenID Connect (OIDC)

- URL: https://clerk.com/glossary/openid-connect.md
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on authentication performed by an authorization server.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- OAuth
- Authentication
- Identity Management

OpenID Connect (OIDC) provides a simple, reliable user authentication process, built on top of OAuth 2.0, to verify identities and retrieve user details. The most well-known example of an OpenID Connect flow is the “Sign in with Google” button that is nearly ubiquitous across the internet today.

OIDC serves web applications by enabling a secure and user-friendly [single sign-on (SSO)](/docs/authentication/social-connections/oauth) method, used in both enterprise and consumer contexts. It's trusted by major tech companies and leverages [JSON Web Tokens (JWT)](/docs/backend-requests/making/jwt-templates) for integration into user management systems.

## What is OIDC

OIDC is an identity layer built on OAuth 2.0. It provides secure user authentication and delivers identity information in a standardized format. OIDC enables clients to verify end-user identities through authentication performed by an authorization server, obtaining profile details in an interoperable manner.

OIDC uses OAuth 2.0 but adds authentication with ID tokens. These tokens, structured as JWTs, contain claims about the authenticated user, like their email and name. OIDC supports various flows, making it suitable for different application types, from web applications to mobile apps.

## Comparison of OIDC and SAML

OIDC and [Security Assertion Markup Language (SAML)](/docs/authentication/enterprise-connections/overview) are key protocols for identity management and SSO. Here's how they compare:

### Origin and purpose

- **SAML**: Developed in the early 2000s for enterprise SSO, SAML is widely used in enterprises and government applications for secure identity assertions.
- **OIDC**: Built on OAuth 2.0 for modern web and mobile applications, OIDC integrates identity assertions into diverse tech environments.

### Data format and complexity

- **SAML**: Uses XML for data formatting and transport.
- **OIDC**: Utilizes RESTful HTTP and lightweight JWTs, making it easier to implement in modern applications.

### Security

- **Both Protocols**: Provide strong security mechanisms. SAML uses XML encryption and digital signatures, while OIDC uses encrypted JWTs.

### Use cases

- **SAML**: Suitable for enterprise SSO.
- **OIDC**: Suitable for enterprise SSO and social sign-in such as Google.

### Implementation and integration

- **SAML**: Requires more effort to support a wide variety of configurations.
- **OIDC**: Simpler because it's more standardized.

## Comparison of OIDC and OAuth 2.0

Although OIDC is technically built on top of OAuth 2.0, the extension only focuses on a small subset of OAuth 2.0 functionality. As a result, OIDC and OAuth 2.0 tend to serve different purposes:

### Purpose

- **OAuth 2.0**: Focuses on authorization, allowing access to resources without the resource owner's credentials.
- **OIDC**: Focuses on authentication to confirm user identity.

### Tokens

- **OAuth 2.0**: Issues access tokens and refresh tokens.
- **OIDC**: Issues ID tokens, in addition to access and refresh tokens.

### Security

- **Both Protocols**: Rely on the OAuth 2.0 security model.

### Implementation

- **OAuth 2.0**: Different providers offer different scopes, and research is required to understand how to work with scopes.
- **OIDC**: Simpler because the scopes are standardized across providers.

## Technical foundation and core components

OIDC extends OAuth 2.0, adding standardized elements for authentication and profile information.

### Key components

The OIDC framework includes:

1. **OpenID Provider (OP)**: The server that verifies user identity and issues ID tokens.
2. **Relying Party (RP)**: The application requesting authentication.
3. **ID Token**: A JWT containing user claims.
4. **UserInfo Endpoint**: A REST endpoint for additional user profile information.

### Authentication flows

OIDC supports these flows:

**[Authorization code flow](/blog/oauth2-react-user-authorization)**: Optimal for server-side applications. The process involves redirecting the user to the authorization endpoint and receiving a code to exchange for tokens.

**Implicit flow**: Designed for client-side applications; less secure and not recommended for new apps.

**Hybrid flow**: Combines the Authorization Code and Implicit flows for immediate token access.

## Implementation and security considerations

Implementing OIDC involves security best practices and proper configuration.

### Security best practices

- Validate all tokens and verify signatures.
- Use HTTPS for endpoints.
- Protect against code interception, such as with PKCE for mobile and native apps.
- Verify token expiration and audience claims.
- Store tokens securely.
- Implement proper session management.

### Common implementation issues

Common issues include token validation, refresh token management, handling token expiration, secure session management, and [error handling](/docs/custom-flows/error-handling).

## Important factors to consider when choosing an OIDC provider

Choosing an OIDC provider requires careful evaluation of various factors.

### Reputation and security measures

Assess the provider's reputation and security measures. Choose providers with strong security records and standards compliance.

### Support for multiple platforms

Ensure the provider supports all of your platforms, including web, mobile, and desktop environments, so users get a consistent experience.

### Documentation and community support

Good documentation and community support can simplify the integration process.

### Scopes and permissions

Ensure that the provider allows you to specify the scopes your application needs, so that you request only the data you require and avoid privacy concerns.

### User consent and data sharing

OIDC includes built-in consent mechanisms. Ensure that the provider facilitates user consent.

### Authentication methods

The provider should offer various authentication methods to accommodate diverse user preferences.

### Integration with existing systems

Check if the provider can integrate with your existing identity systems, supporting hybrid approaches.

### Multi-factor authentication (MFA)

The ability to request MFA from the provider enhances security.

### Identity provider support

Ensure that the chosen IdP supports OIDC and aligns with your application needs.

By considering these factors, you can select an OIDC provider that supports your application’s authentication needs.

## Integration with Clerk

Clerk supports OIDC, simplifying secure authentication. Clerk manages [token and session](/docs/backend-requests/resources/session-tokens) handling while ensuring security and smooth integration through OIDC endpoints.

Clerk offers:

- Support for common OIDC providers like Google, Microsoft, GitHub, and many more for SSO in a consumer context.
- Support for Google and Microsoft OIDC for EASIE SSO in an enterprise context.
- Support for custom OIDC providers, for both enterprise and consumer contexts.
- Built-in token validation and management.
- Secure session handling.
- User profile synchronization.
- Automated access token refresh.

Access guides in [Clerk Docs](/docs/authentication/social-connections/custom-provider).

---

## Organizations

- URL: https://clerk.com/glossary.md#organizations
- Date: 2024-07-24
- Category: User & Session Management
- Description: Organizations in user management refer to groups or entities that manage multiple users, roles, and permissions within a larger structure, often used in enterprise applications.

**Related terms:**

- Roles
- Custom Roles
- Role Based Access Control (RBAC)
- [Multi-Tenancy](https://clerk.com/glossary/multi-tenancy.md)
- Delegated Admin
- Monthly Retained Organizations (MROs)

---

## OWASP Application Security Verification Standard (ASVS)

- URL: https://clerk.com/glossary.md#owasp-application-security-verification-standard
- Date: 2024-07-24
- Category: Security
- Description: The OWASP Application Security Verification Standard (ASVS) is a framework for testing the security of web applications and ensuring they meet specific security requirements. It provides a basis for designing, building, and testing secure applications by defining levels of security controls. ASVS is widely used by developers and security professionals to standardize security requirements and assessments.

**Related terms:**

- Pen Test
- Source Code

---

## OWASP Testing Guide / Security Verification

- URL: https://clerk.com/glossary.md#owasp-testing-guide-security-verification
- Date: 2024-07-24
- Category: Security
- Description: The OWASP Testing Guide and Application Security Verification Standard (ASVS) provide comprehensive frameworks for testing and verifying the security of web applications, covering authentication, session management, access control, and input validation.

**Related terms:**

- OWASP Application Security Verification Standard (ASVS)
- Security Best Practices
- Pen Test
- Source Code

---

## Pages Router

- URL: https://clerk.com/glossary.md#pages-router
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Pages Router is a routing mechanism that maps URLs to specific pages or components in a web application, often used in frameworks like Next.js.

**Related terms:**

- [App Router](https://clerk.com/glossary/app-router.md)
- Next.js
- Middleware
- Server-Side Rendering (SSR)

---

## Passkeys

- URL: https://clerk.com/glossary.md#passkeys
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Passkeys are cryptographic keys used for secure authentication, replacing traditional passwords with more secure alternatives like biometrics or hardware tokens.

**Related terms:**

- OWASP Testing Guide / Security Verification
- Security Best Practices
- Pen Test
- Testing Tokens
- WebAuthn
- Biometric Authentication
- Hardware Keys
- Multi-factor Authentication (MFA)
- Challenge–Response
- Passwordless Login

---

## Passwordless Login

- URL: https://clerk.com/glossary.md#passwordless-login
- Date: 2026-03-19
- Category: Authentication & Authorization
- Description: Passwordless login is an authentication approach that eliminates traditional passwords in favor of more secure and user-friendly methods such as passkeys, email links, biometric verification, or one-time passcodes.

**Related terms:**

- Passkeys
- Email Links
- WebAuthn
- Email OTP
- One-Time Passcodes (Email / SMS)
- Biometric Authentication

---

## Path Routing

- URL: https://clerk.com/glossary.md#path-routing
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Path Routing is a routing method that uses the URL path to determine which component or page to render in a web application.

**Related terms:**

- User Interface Components
- Design System
- Component Library
- React Components
- React Router (Library)
- Client-Side Routing

---

## Pen Test

- URL: https://clerk.com/glossary.md#pen-test
- Date: 2024-07-24
- Category: Security
- Description: A Pen Test (Penetration Test) is a simulated cyber attack against a system to check for exploitable vulnerabilities, helping to identify and fix security weaknesses.

**Related terms:**

- OWASP Testing Guide / Security Verification
- OWASP Application Security Verification Standard (ASVS)
- Brute Force Detection
- Security Best Practices
- Cross-Site Scripting (XSS)
- API Testing

---

## Personal Account

- URL: https://clerk.com/glossary.md#personal-account
- Date: 2024-08-26
- Category: Authentication & Authorization
- Description: A personal account is a user’s unique, individual space within the application, independent of any organization.

**Related terms:**

- Organizations

---

## Primitives

- URL: https://clerk.com/glossary.md#primitives
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Primitives are the basic building blocks or fundamental elements used in programming and design, such as data types in a programming language or basic UI components in a design system.

**Related terms:**

- [API Key](https://clerk.com/glossary/api-key.md)
- Payment Processing
- Security Best Practices
- Authorization

---

## PTR Record

- URL: https://clerk.com/glossary.md#ptr-record
- Date: 2026-02-25
- Category: Security & Privacy
- Description: A PTR (pointer) record is a DNS record that maps an IP address to a hostname, enabling reverse DNS lookups. Email providers use PTR records to verify that a sending server's IP address resolves to a legitimate hostname. When the hostname also resolves forward to the same IP — a check called forward-confirmed reverse DNS (FCrDNS) — it proves that the IP owner and hostname owner are the same entity. Gmail requires valid FCrDNS for all email senders, and other major providers use it as a trust signal.
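An added example, not Clerk's code, of the forward-confirmed reverse DNS check described above. The PTR and A data are constructed and the resolvers are injected so it runs offline; against real DNS you would pass `dns.promises.reverse` and `dns.promises.resolve4` (this version assumes IPv4 only).

```javascript
// Constructed zone data: PTR answers keyed by IP, A answers keyed by hostname.
const PTR = {
  '203.0.113.10': ['mail.example.com'],
  '203.0.113.20': ['mail.example.com'],  // PTR claims a hostname whose A record points elsewhere
  '203.0.113.30': ['ghost.example.net'], // PTR hostname has no forward record at all
};
const A = {
  'mail.example.com': ['203.0.113.10'],
};

// Offline stand-ins for dns.promises.reverse / dns.promises.resolve4.
const reverseLookup = async (ip) => {
  if (!PTR[ip]) throw new Error('ENOTFOUND');
  return PTR[ip];
};
const forwardLookup = async (host) => {
  if (!A[host]) throw new Error('ENOTFOUND');
  return A[host];
};

// FCrDNS: ok is true only when at least one PTR hostname resolves forward to
// the original IP, which is what shows that the same party controls both.
async function fcrdns(ip, { reverse = reverseLookup, forward = forwardLookup } = {}) {
  let hostnames;
  try {
    hostnames = await reverse(ip);
  } catch {
    return { ok: false, hostname: null, reason: 'no PTR record' };
  }
  for (const host of hostnames) {
    let addrs;
    try {
      addrs = await forward(host);
    } catch {
      continue; // hostname does not resolve; try the next PTR answer
    }
    if (addrs.includes(ip)) {
      return { ok: true, hostname: host, reason: 'forward-confirmed' };
    }
  }
  return { ok: false, hostname: hostnames[0], reason: 'PTR hostname does not resolve back to IP' };
}
```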

**Related terms:**

- [SPF](https://clerk.com/glossary/spf.md)
- [DKIM](https://clerk.com/glossary/dkim.md)
- [DMARC](https://clerk.com/glossary/dmarc.md)
- Email Spoofing

---

## Public Metadata

- URL: https://clerk.com/glossary.md#public-metadata
- Date: 2024-07-24
- Category: User & Session Management
- Description: Public Metadata refers to metadata that is publicly accessible and can be used to store additional information about users or resources in a transparent manner.

**Related terms:**

- User Profile
- Data Privacy
- Application Programming Interface
- Data Management

---

## Public-Key Cryptography

- URL: https://clerk.com/glossary.md#public-key-cryptography
- Date: 2026-02-25
- Category: Security & Privacy
- Description: Public-key cryptography (also called asymmetric cryptography) is an encryption system that uses a pair of mathematically related keys — a public key that can be shared openly and a private key that must be kept secret. Data encrypted with one key can only be decrypted with the other. This property enables secure communication, digital signatures, and identity verification without requiring both parties to share a secret in advance. Public-key cryptography underpins TLS, DKIM, SSH, and most modern authentication protocols.

**Related terms:**

- [DKIM](https://clerk.com/glossary/dkim.md)
- Hash
- Encryption at Rest / In Transit
- Certificate Pinning

---

## Publishable Key

- URL: https://clerk.com/glossary.md#publishable-key
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Publishable Key is a public API key used to identify a client application in API requests, typically safe to expose in client-side code.

**Related terms:**

- URL Management
- Frontend Development
- Client-Side Routing
- React Router (Library)

---

## Rails

- URL: https://clerk.com/glossary.md#rails
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Rails (Ruby on Rails) is a server-side web application framework written in Ruby, designed to make web development faster and easier by providing default structures for databases, web services, and pages.

**Related terms:**

- Application Programming Interface
- Server-Side Rendering (SSR)
- Backend Development

---

## Rate Limiting

- URL: https://clerk.com/glossary.md#rate-limiting
- Date: 2024-07-24
- Category: Security
- Description: Rate Limiting is a technique used to control the amount of incoming or outgoing traffic to or from a network, API, or web service, preventing abuse and ensuring fair usage.

**Related terms:**

- API Rate Limits
- DDoS Mitigation
- Brute Force Detection
- Bot Detection
- Backoff/Retry Policy

---

## React

- URL: https://clerk.com/glossary.md#react
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: React is a popular JavaScript library for building user interfaces, particularly single-page applications, using a component-based architecture.

**Related terms:**

- React Server Components
- Next.js
- Component Library
- Framework
- Expo
- Frontend Development
- JavaScript
- React Components
- Web Development

---

## React Components

- URL: https://clerk.com/glossary.md#react-components
- Date: 2026-03-19
- Category: Development Frameworks & Libraries
- Description: React components are reusable, self-contained building blocks for user interfaces in React applications, encapsulating markup, styling, and behavior into composable units that can be rendered on the client or server.

**Related terms:**

- React
- React Server Components
- Component Library
- Elements
- Control Components
- User Interface Components
- Primitives

---

## React Router (Framework)

- URL: https://clerk.com/glossary.md#react-router-framework
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: React Router (formerly Remix) is a full-stack web framework that enables developers to build fast, scalable, and dynamic web applications with a focus on user experience and performance.

**Related terms:**

- Framework
- React
- Loader Function
- Full Stack Development
- JavaScript
- Server-Side Rendering (SSR)
- Backend Development

---

## React Router (Library)

- URL: https://clerk.com/glossary.md#react-router-library
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: React Router is a client-side routing library for React applications that enables navigation between views, URL management, and data loading patterns without full page reloads.

**Related terms:**

- [App Router](https://clerk.com/glossary/app-router.md)
- Data Router
- Hash Routing
- Path Routing
- Virtual Routing

---

## React Server Components

- URL: https://clerk.com/glossary.md#react-server-components
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: React Server Components are a feature in React that allows developers to build components that run on the server, providing better performance and improved user experience.

**Related terms:**

- Frontend Development
- JavaScript Library
- User Interface Components
- Web Development
- React Components
- Server-Side Rendering (SSR)

---

## Recovery Codes

- URL: https://clerk.com/glossary.md#recovery-codes
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Recovery Codes are backup codes provided during the setup of two-factor authentication, allowing users to regain access to their accounts if they lose their primary authentication method.

**Related terms:**

- Backup Codes
- Account Recovery
- Multi-factor Authentication (MFA)
- Authenticator Apps (TOTP)

---

## Refresh Token

- URL: https://clerk.com/glossary.md#refresh-token
- Date: 2025-02-13
- Category: Authentication & Authorization
- Description: A refresh token is a long-lived credential issued alongside an access token during an OAuth 2.0 or OpenID Connect flow that allows a client to obtain a new access token without requiring the user to re-authenticate. Access tokens are intentionally short-lived (minutes to hours) to limit exposure if compromised; when one expires, the client sends the refresh token to the authorization server's token endpoint to receive a fresh access token. Refresh tokens are typically requested by including the offline_access scope in the initial authorization request. Because a refresh token effectively grants persistent access, it must be stored securely — in server-side storage or secure device storage, never in browser localStorage. To reduce the risk of token theft, many implementations use refresh token rotation, which issues a new refresh token with each exchange and invalidates the previous one. If a previously used refresh token is presented again, the authorization server can detect the reuse and revoke the entire token family.

**Related terms:**

- Access Token
- Bearer Token
- JSON Web Token
- OAuth
- Token Expiration

---

## Role Based Access Control (RBAC)

- URL: https://clerk.com/glossary.md#role-based-access-control-rbac
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Role Based Access Control (RBAC) is a security model that restricts system access based on roles assigned to users, ensuring that users have appropriate permissions for their roles.

**Related terms:**

- Authentication
- Middleware
- Roles
- Access Control List (ACL)

---

## Roles

- URL: https://clerk.com/glossary.md#roles
- Date: 2024-07-24
- Category: User & Session Management
- Description: Roles define a set of permissions and access levels assigned to users within an application, determining what actions they can perform and what resources they can access.

**Related terms:**

- Role Based Access Control (RBAC)
- Custom Roles
- Custom Permissions
- Authorization
- Entitlements

---

## Root Loader

- URL: https://clerk.com/glossary.md#root-loader
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Root Loader is a function or component that loads initial data or performs setup tasks when the root of an application or route is accessed.

**Related terms:**

- Authentication
- Middleware
- User Management
- Session Management
- Data Fetching

---

## rootAuthLoader

- URL: https://clerk.com/glossary.md#rootauthloader
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: rootAuthLoader is a specific loader function responsible for handling authentication logic at the root level of an application, ensuring that user authentication state is properly managed.

**Related terms:**

- User Management
- Role Based Access Control (RBAC)
- Authorization
- Access Control List (ACL)

---

## Route-Specific Authentication

- URL: https://clerk.com/glossary.md#route-specific-authentication
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Route-Specific Authentication is the practice of applying authentication requirements to specific routes or endpoints within an application, ensuring secure access to sensitive resources.

**Related terms:**

- Roles
- Authorization
- Security Best Practices
- Access Control List (ACL)
- Zero Trust Architecture

---

## Secret Key

- URL: https://clerk.com/glossary.md#secret-key
- Date: 2024-07-24
- Category: Security
- Description: A Secret Key is a cryptographic key used to secure data, often involved in encryption, decryption, and authentication processes, and should be kept confidential.

**Related terms:**

- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)
- Identity Management
- OAuth
- Authentication

---

## Security Assertion Markup Language (SAML)

- URL: https://clerk.com/glossary.md#security-assertion-markup-language-saml
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

**Related terms:**

- Session Management
- Security Best Practices
- Authentication
- Web Security

---

## Security Best Practices

- URL: https://clerk.com/glossary.md#security-best-practices
- Date: 2026-03-19
- Category: Security
- Description: Security Best Practices are the established guidelines, patterns, and strategies that organizations follow to protect their applications, data, and users from threats and vulnerabilities. In authentication systems, this includes implementing defense-in-depth with multiple verification layers, validating inputs at every data access point, enforcing rate limiting on sensitive endpoints, and keeping dependencies patched against known vulnerabilities. Following security best practices reduces the risk of common attacks like credential stuffing, cross-site request forgery, and session hijacking while ensuring compliance with industry standards.

**Related terms:**

- WebAuthn
- Multi-factor Authentication (MFA)
- Rate Limiting
- Brute Force Detection
- Cross Site Request Forgery (CSRF)
- Content Security Policy (CSP)
- [Credential Stuffing](https://clerk.com/glossary/credential-stuffing.md)
- Session Management
- OWASP Application Security Verification Standard (ASVS)

---

## Security Monitoring

- URL: https://clerk.com/glossary.md#security-monitoring
- Date: 2026-03-19
- Category: Security
- Description: Security monitoring is the continuous observation and analysis of system activity to detect, investigate, and respond to security threats, unauthorized access attempts, and suspicious behavior in real time.

**Related terms:**

- Audit Logs
- Event Audit Trail
- Active Device Monitoring
- Bot Detection
- Brute Force Detection

---

## Server-Side Rendering (SSR)

- URL: https://clerk.com/glossary.md#server-side-rendering-ssr
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Server-side rendering (SSR) is a technique where web pages are generated on the server for each request, delivering fully rendered HTML to the browser for improved performance, SEO, and initial load times.

**Related terms:**

- React Server Components
- Next.js
- [App Router](https://clerk.com/glossary/app-router.md)
- Pages Router
- React Router (Framework)

---

## Session

- URL: https://clerk.com/glossary.md#session
- Date: 2024-12-12
- Category: Security
- Description: A session represents an instance in which a user has signed in and is authenticated. Normally, when a user signs in successfully, a session is created and typically stored in a database, along with the user's ID, a status (active, revoked, expired, etc.) and an expiration time, at minimum. The session must be active and not expired in order for the user to be seen as authenticated. One user can, and typically does, have multiple sessions. Each sign-in, whether on the same or a different device, creates a new session.

**Related terms:**

- Session Management
- Session Leak Protection
- Session Revocation
- Authentication

---

## Session Fixation

- URL: https://clerk.com/glossary.md#session-fixation
- Date: 2024-07-24
- Category: Security
- Description: Session Fixation is a security vulnerability where an attacker tricks a user into using a known session ID, allowing the attacker to hijack the session once the user logs in.

**Related terms:**

- Session Management
- Security Best Practices
- Authentication
- Data Protection

---

## Session Leak Protection

- URL: https://clerk.com/glossary.md#session-leak-protection
- Date: 2024-07-24
- Category: Security
- Description: Session Leak Protection involves measures to prevent the unintended exposure of session identifiers, which could be exploited by attackers to hijack user sessions.

**Related terms:**

- Session Management
- Authentication
- Security Best Practices
- Token Expiration

---

## Session Lifecycle

- URL: https://clerk.com/glossary.md#session-lifecycle
- Date: 2024-07-24
- Category: Security
- Description: Session Lifecycle refers to the stages a user session goes through from creation, maintenance, and termination, including management of session state and expiration.

**Related terms:**

- Session Revocation
- Session Fixation
- Security Best Practices
- Authentication
- Token Expiration

---

## Session Management

- URL: https://clerk.com/glossary.md#session-management
- Date: 2024-07-24
- Category: Security
- Description: Session Management is the process of handling user sessions in a web application, ensuring secure creation, maintenance, and termination of sessions to prevent unauthorized access.

**Related terms:**

- Session Management
- Security Best Practices
- Authentication
- Token Expiration

---

## Session Revocation

- URL: https://clerk.com/glossary.md#session-revocation
- Date: 2024-07-24
- Category: Security
- Description: Session Revocation is the process of invalidating a user session, typically used to force logout a user or end a session due to security concerns.

**Related terms:**

- Identity Provider SSO (IdP SSO)
- OAuth
- Authentication
- Access Control List (ACL)
- Token Expiration

---

## Shared user-pool

- URL: https://clerk.com/glossary.md#shared-user-pool
- Date: 2024-07-24
- Category: User & Session Management
- Description: A Shared user-pool is a user management system where multiple applications share the same pool of user accounts, allowing for centralized authentication and user management.

**Related terms:**

- Compliance
- Security Standards
- Data Protection
- Risk Management

---

## Single Sign-On (SSO)

- URL: https://clerk.com/glossary/single-sign-on-sso.md
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials, simplifying user management and enhancing security.

**Related terms:**

- B2B SSO
- Security Assertion Markup Language (SAML)
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- Identity Provider SSO (IdP SSO)
- OAuth
- Identity Management

Managing many sign-in credentials is tedious and carries increased security risks. Single Sign-On (SSO) allows users to access multiple applications through one set of credentials to improve both user experience and security.

There are two common forms of SSO: enterprise and social. With enterprise SSO, employees are required to access applications by signing in through their employee directory, usually Microsoft Active Directory, Google Workspace, or Okta. With social SSO, users are given the option to sign in through an account they already have with a different service, like the “Sign in with Google” button.

## What is single sign-on

At the highest level, SSO is the process of signing into one application using the details of an account with another application. The same foundational technology is used in two distinct contexts: enterprise SSO and social SSO.

With enterprise SSO, employees are forced to sign into tools and services using their employee directory account. This is mandated by IT teams, since it makes it easier to provision and pay for those tools, as well as ensure that employees only have access to the tools they absolutely need.

With social SSO, any application can give users the option to sign into the application using an account that they already have, normally with a popular provider like Google. This takes the form of a “Sign in with Google” button on a sign-in screen, and is usually offered because it reduces friction during sign-up and sign-in.

## How SSO works

There are three main protocols used to facilitate SSO: SAML, OAuth 2.0, and OpenID Connect. SAML is only used in enterprise SSO contexts, while OAuth 2.0 and OpenID Connect are used in both enterprise SSO and social SSO contexts.

Each protocol relies on similar concepts. The application being signed into is considered the Service Provider (SP), while the application being relied on for account details is considered the Identity Provider (IdP).

When a user accesses an SP, they're redirected to the IdP for authentication. After success, the IdP communicates the user's profile data back to the SP according to the selected protocol.

The primary difference between the protocols is their rigidity. SAML can be configured in many ways, while OAuth 2.0 can be configured in fewer, and OIDC is rigid. In fact, OIDC is an extension of OAuth 2.0 that standardizes specifically how it should be used for authentication, since the broader OAuth 2.0 protocol is flexible enough to also be used for authorization.

For developers, the rigidity translates into simplicity, and OIDC has been growing in popularity as a result. OIDC uses JSON Web Tokens (JWTs) as a streamlined, secure, and standardized mechanism for transmitting user details.

Security measures protect the SSO process through token encryption, expiration policies, and multi-factor authentication. These measures prevent unauthorized access and maintain smooth authentication across applications. The combination of security features and simplified access makes SSO effective for modern application architectures.

## Comparison with other authentication strategies

Single Sign-On (SSO) is one of several approaches to authentication, each offering different benefits and drawbacks. Here’s a look at how SSO compares to other strategies like Password Authentication and Email One-Time Passcode Authentication:

### Password authentication

Password authentication remains the most prevalent method of authenticating users. Users create a password that is used to gain access to an application, and sign in with it alongside an identifier, like a username or email address.

Despite its widespread use, password authentication carries notable drawbacks. Passwords can be weak, reused, or even compromised in data breaches, leading to a security risk. Implementing strong password policies and hashing techniques can mitigate some risks, but the convenience factor often falls short for users.

Password authentication also requires ongoing management, such as password leak detection and password recovery mechanisms. Despite its drawbacks, many applications still rely on password-based methods due to their simplicity and familiarity to users.

### Email one-time passcode authentication

Email one-time passcode (OTP) authentication offers a more secure alternative to passwords by issuing temporary codes to users. By sending a single-use code to the user’s registered email address, OTP enhances security compared to static passwords, reducing risks like replay attacks. The dynamic nature of OTPs means they have a limited lifespan, minimizing the potential for abuse.

However, email OTPs require an email to be delivered, and the user to open their email to retrieve the code. This process adds a significant delay to the authentication process that SSO and passwords do not have.

### Choosing the right strategy

SSO excels at providing a simplified user experience by reducing the need for multiple credentials. In contrast, password authentication is common but less secure, while OTP-based solutions offer security improvements but are often too slow. Applications should weigh their specific requirements to choose the most suitable authentication strategy.

## Enterprise SSO

Enterprise SSO is a specialized implementation of single sign-on focusing on large organizations with complex authentication needs. Enterprises often need strong identity management systems that integrate with existing infrastructure and adhere to strict security and compliance standards.

Enterprise environments often use protocols like SAML, which support centralized authentication across diverse applications and systems. Enterprise SSO solutions must accommodate multiple user accounts, roles, and permissions to fit within organizational structures. They address requirements such as scaling, integration with on-premise systems, and providing access to cloud services.

### Clerk and enterprise SSO

Clerk offers enterprise-ready SSO solutions for businesses requiring advanced security and compliance. Clerk supports [enterprise connections](/docs/authentication/enterprise-connections/saml/custom-provider) using SAML, allowing organizations to integrate with identity management systems like Microsoft Azure Entra ID.

To create a SAML connection in Clerk, developers configure their identity provider and service provider settings within the [Clerk Dashboard](https://dashboard.clerk.com). Clerk supports both service provider-initiated and identity provider-initiated flows, which offer flexibility in deployment scenarios.

Clerk ensures enterprise-grade security protections such as CSRF and XSS protection, session fixation protection, and password safety through industry-standard practices. Enterprises can utilize Clerk's session architecture and support for multiple accounts and devices to fit into complex environments without sacrificing performance or security.

Clerk's [EASIE SSO](/changelog/2024-11-20-easie) solution further elevates enterprise SSO by offering a multi-tenant OpenID provider, blending simplicity and strong security features. EASIE allows for effortless setup with email domain-based enrollment and mandatory sign-ins through designated OIDC providers. This streamlined setup eliminates SSO fees, making enterprise SSO more accessible and efficient. With plans to expand its adoption across various industries, [EASIE SSO](https://easie.dev/) enables organizations to manage user authentication, providing a smooth experience with heightened security.

## Social SSO

Social SSO simplifies the sign-in process by allowing users to sign in to applications using their existing accounts from popular platforms like Google, Facebook, or GitHub. This approach is particularly useful for consumer-facing applications where reducing friction during user sign-up and sign-in is important.

Integrating Social SSO can improve user experience and reduce drop-off rates during sign-up, and provides a smooth transition for users already signed into their social accounts. Clerk supports a wide range of Social SSO providers, enabling developers to [integrate with a single click](/user-authentication) and configure high-conversion authentication options that are ready out of the box.

As users demand more convenient access methods, integrating Social SSO represents a strategic choice for applications aiming to broaden their user base while maintaining strong security measures.

## Moving Forward with SSO

SSO is a standard for modern applications prioritizing security and user experience. Its ability to centralize authentication, reduce password management, and strengthen security is valuable. The scalability of SSO, supported by protocols like SAML and OpenID Connect, provides a foundation for growing ecosystems.

For teams ready to implement SSO, Clerk offers a reliable starting point. Clerk's [documentation](/docs/authentication/social-connections/overview) and [Discord community](https://clerk.com/discord) resources help developers understand implementation difficulties and create secure authentication flows. By leveraging Clerk's SSO features, teams can focus on building applications while providing users with a smooth authentication experience.

---

## SMS passcodes

- URL: https://clerk.com/glossary/sms-passcodes.md
- Date: 2024-07-24
- Category: Authentication & Authorization
- Description: SMS Passcodes are one-time codes sent via SMS to a user’s mobile phone, used for verifying identity and enhancing security in two-factor authentication processes.

**Related terms:**

- Multi-factor Authentication (MFA)
- User Verification
- Security Best Practices
- One-Time Passcodes (Email / SMS)

SMS passcodes, also known as SMS OTPs (one-time passcodes), are verification codes delivered through text messages to authenticate users during sign-in or before sensitive actions.

These codes form a vital component of many authentication systems, particularly in two-factor authentication (2FA) implementations where additional security beyond passwords or email verification is required.

## How SMS passcodes work

When a user attempts to sign in or perform a sensitive action, the authentication system generates a unique, time-limited code and sends it via SMS to their registered phone number. This process creates a verification layer, as users must demonstrate possession of their mobile device to receive the code.

As per [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html), the guidelines for digital identity management produced by the United States government, the passcode shall remain valid for 10 minutes, and contain at least 6 decimal digits (approximately 20 bits of entropy).

Once received, users input this code into the authentication system interface. The system then validates the entered code against the generated one, considering factors like expiration time and previous usage. Only after successful validation does the system grant access or authorize the requested action.

## Security implications

SMS codes present distinct advantages for authentication security. Their temporary nature means that an intercepted code is useless once it has expired or been used. The requirement for physical device possession also creates a barrier for remote attackers who might have obtained password credentials through data breaches or phishing attempts.

However, SMS-based authentication faces several security obstacles. The SMS protocol lacks end-to-end encryption, making messages vulnerable to interception. [SIM swapping](https://en.wikipedia.org/wiki/SIM_swap_scam) attacks, where criminals convince mobile carriers to transfer a victim's phone number to a new SIM card, also pose a significant threat. These attacks can bypass SMS-based security entirely by redirecting verification messages to attacker-controlled devices.

Network reliability issues can also affect SMS authentication effectiveness. Users in areas with poor cellular coverage or those traveling internationally may experience delays or failures in receiving verification codes. This dependency on cellular infrastructure can create accessibility problems and user frustration.

## Implementation best practices

Effective SMS passcode implementation requires careful attention to several key aspects. First, verifying the user's phone number during registration prevents delivery failures in the future. Clear, concise verification messages improve user understanding and reduce confusion. Implementing rate limiting and exponential backoff for code requests prevents abuse while managing costs.

Security-conscious implementations should incorporate additional protective measures. Device fingerprinting can help identify suspicious login attempts, while IP-based restrictions and geolocation checks add extra security layers. Supporting alternative verification methods, such as authenticator apps or backup codes, ensures users maintain account access even when SMS delivery fails.

Cost management becomes particularly important at scale. Keeping messages concise reduces expenses, while implementing intelligent retry logic prevents unnecessary message sends. International implementations should consider varying SMS costs and regulations across different regions.

## SMS toll-fraud attacks

SMS toll-fraud attacks, also called SMS pumping, occur when bad actors generate unauthorized charges by requesting that passcodes be sent to premium-rate phone numbers.

These attacks typically involve a malicious application or script that requests a high volume of SMS passcodes, often without the application's knowledge, to a premium service number, resulting in substantial charges on the application's SMS bill. The attacker then receives a commission (or “kickbacks”) for generating the premium-rate SMS messages.

To block these attacks, it is important to implement rate limiting and bot detection, or otherwise leverage a service like Twilio Verify or Prelude with built-in protection.

## SMS passcodes and Clerk

Clerk provides strong support for SMS codes as part of its comprehensive authentication solutions. By leveraging Clerk, developers can integrate SMS-based verification into their applications without the hassle of building these systems from scratch. Clerk handles the intricacies of generating, sending, and validating codes, enabling developers to focus on core features.

Clerk’s implementation includes advanced features such as rate limiting and retries to guard against abuse. Developers also benefit from easy integration with other Clerk services like [social sign-ons](/docs/authentication/configuration/sign-up-sign-in-options#social-connections-o-auth) and other multi-factor authentication options, creating a flexible and secure user authentication experience.

Clerk also prioritizes user experience by ensuring verification messages are straightforward and comprehensible. By providing fallback options, including backup codes, passkeys, or time-based one-time passcodes (TOTPs), Clerk ensures users always have a way to access their accounts even when SMS delivery issues arise.

## Future-proofing authentication systems

While SMS passcodes remain widely used, authentication technology continues to evolve. Modern systems often combine SMS verification with other security measures like biometrics, push notifications, or hardware security keys. Simplifying authentication and user management for developers requires staying current with security best practices while maintaining compatibility with existing systems.

Applications implementing SMS Passcodes should plan for future authentication needs. This includes designing systems that can incorporate new verification methods and phase out older ones as security requirements change. Regular security audits and updates ensure authentication systems remain effective against new threats while continuing to serve user needs.

---

## SOC 2

- URL: https://clerk.com/glossary.md#soc-2
- Date: 2024-07-24
- Category: Security
- Description: SOC 2 (Service Organization Control 2) is a set of standards for managing customer data based on five "trust service principles"—security, availability, processing integrity, confidentiality, and privacy.

**Related terms:**

- Health Insurance Portability & Accountability Act (HIPAA)
- California Consumer Privacy Act (CCPA)
- Audit Logs
- Data Residency
- Security Best Practices
- Compliance

---

## Social Login

- URL: https://clerk.com/glossary.md#social-login
- Date: 2025-02-13
- Category: Authentication & Authorization
- Description: Social login — also called social sign-in, social sign-on, or social authentication — is a form of passwordless authentication that lets users sign in to an application using an existing account from a provider like Google, Apple, Facebook, GitHub, or LinkedIn. Rather than creating a new username and password, the user clicks a "Sign in with…" button, authorizes a permissions request, and is authenticated via OAuth or OpenID Connect (OIDC). This reduces sign-up friction, lowers password fatigue, and can improve conversion rates, while the provider handles credential storage and verification. Social login is often combined with account linking to let users connect multiple social identities to a single application account.

**Related terms:**

- OAuth
- [OpenID Connect (OIDC)](https://clerk.com/glossary/openid-connect.md)
- Account Linking
- [Single Sign-On (SSO)](https://clerk.com/glossary/single-sign-on-sso.md)

---

## Software Development Kit (SDK)

- URL: https://clerk.com/glossary.md#software-development-kit-sdk
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Software Development Kit (SDK) is a collection of tools, libraries, and documentation that developers use to create applications for specific platforms or frameworks.

**Related terms:**

- Application Programming Interface
- Integration
- Node Package Manager
- Framework
- Libraries
- Cross-Platform Development

---

## Source Code

- URL: https://clerk.com/glossary.md#source-code
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Source Code is the human-readable set of instructions that define what a software program does, written in a programming language and maintained in a version control system.

**Related terms:**

- API Security
- Authentication
- Encryption
- Access Control List (ACL)
- Source Code Management

---

## Source Code Management

- URL: https://clerk.com/glossary.md#source-code-management
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Source code management (SCM) encompasses the tools and practices used to track, version, and collaborate on code changes across development teams, enabling parallel development and change history.

**Related terms:**

- Source Code
- GitHub Repository

---

## SPF

- URL: https://clerk.com/glossary/spf.md
- Date: 2026-02-25
- Category: Security & Privacy
- Description: SPF (Sender Policy Framework) is a DNS-based email authentication protocol that specifies which mail servers are authorized to send email on behalf of a domain, helping receivers detect forged sender addresses.

**Related terms:**

- [DKIM](https://clerk.com/glossary/dkim.md)
- [DMARC](https://clerk.com/glossary/dmarc.md)
- Email Spoofing
- Encryption at Rest / In Transit

When an email arrives claiming to be from your domain, the receiving server has no built-in way to know whether the sending server was actually authorized to send it. SPF provides that authorization by listing approved senders in a DNS record that anyone can look up.

## What is SPF

SPF is a TXT record published in your domain's DNS. It declares which IP addresses and mail servers are permitted to send email on behalf of your domain. Any server not listed is considered unauthorized.

A typical SPF record looks like this:

```
v=spf1 include:_spf.google.com include:sendgrid.net ~all
```

- **`v=spf1`** — Identifies this as an SPF record.
- **`include:`** — Delegates authorization to another domain's SPF record. This is how third-party senders like SendGrid or Google Workspace are authorized.
- **`~all`** — A soft fail for any server not explicitly listed. The stricter `-all` (hard fail) tells receivers to reject unauthorized senders outright.

## How SPF works

When a mail server receives a message, it extracts the domain from the envelope sender (the `MAIL FROM` address used during the SMTP transaction, which may differ from the visible `From:` header). It then performs a DNS lookup for that domain's SPF record and checks whether the sending server's IP address is listed.

The result is one of several statuses: pass, fail, soft fail, or neutral. This result feeds into [DMARC](./dmarc) evaluation if a DMARC record exists.

SPF has a 10-lookup limit — if your record requires more than 10 DNS queries to fully resolve (counting nested `include:` directives), the check automatically fails. This limit exists to prevent SPF from being used as a denial-of-service vector.
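
The receiver-side evaluation described above, as an added example that is not Clerk's code: a minimal SPF evaluator that parses a record's `ip4`, `include` and `all` terms with their qualifiers, follows includes against a constructed in-memory DNS table instead of real lookups, and enforces the 10-lookup limit. The domains and addresses in the table are assumptions for the demonstration (documentation ranges), and the `a`, `mx`, `ptr`, `exists` mechanisms and `redirect=` modifier are deliberately left out. Note that RFC 7208 names the over-limit result "permerror", which is the "automatic fail" the text refers to.

```javascript
// Added example: minimal SPF evaluator (ip4 / include / all, 10-lookup limit). Not Clerk's code.
// Constructed stand-in for DNS TXT lookups; every domain and address here is an assumption.
const DNS_TXT = {
  "example.com":         "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
  "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
  "strict.example":      "v=spf1 ip4:203.0.113.0/26 -all",
  "loop.example":        "v=spf1 include:loop.example -all", // pathological: includes itself forever
};
const MAX_LOOKUPS = 10;
const RESULT_FOR_QUALIFIER = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };

// Dotted-quad IPv4 -> unsigned 32-bit integer.
const ipToInt = (ip) => ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);

// Does `ip` fall inside `cidr` ("198.51.100.10" or "192.0.2.0/24")?
function ip4Match(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Evaluates the envelope sender's domain for a connecting IP.
// Returns one of: pass, fail, softfail, neutral, none, permerror.
function checkSpf(ip, domain, lookups = { count: 0 }) {
  const record = DNS_TXT[domain];
  if (!record || !record.startsWith("v=spf1")) return "none";

  for (const term of record.split(/\s+/).slice(1).filter(Boolean)) {
    let qualifier = "+";
    let mech = term;
    if ("+-~?".includes(term[0])) { qualifier = term[0]; mech = term.slice(1); }
    const [name, ...rest] = mech.split(":");
    const arg = rest.join(":");

    if (name === "all") return RESULT_FOR_QUALIFIER[qualifier]; // "all" always matches

    if (name === "ip4") {
      if (ip4Match(ip, arg)) return RESULT_FOR_QUALIFIER[qualifier];
      continue;
    }

    if (name === "include") {
      // Every include costs a DNS lookup; more than MAX_LOOKUPS in total is a permerror (RFC 7208).
      lookups.count += 1;
      if (lookups.count > MAX_LOOKUPS) return "permerror";
      const sub = checkSpf(ip, arg, lookups);
      if (sub === "pass") return RESULT_FOR_QUALIFIER[qualifier];
      if (sub === "none" || sub === "permerror") return "permerror"; // broken or missing included record
      continue; // fail/softfail/neutral inside an include only means "no match here"
    }

    // a, mx, ptr, exists and modifiers such as redirect= are not modelled in this example.
    return "permerror";
  }
  return "neutral"; // no mechanism matched and the record had no "all" term
}
```

Usage: `checkSpf("198.51.100.99", "example.com")` returns `softfail`, not `fail`, because an included record's `-all` never propagates upward; only a `pass` inside an include counts, after which the outer record's own `~all` decides. That is the single most common misreading of SPF records in practice, and it is why the text points to DMARC for the policy decision.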

## SPF and Clerk

Clerk configures SPF records automatically as part of production instance setup. The records authorize Clerk's email sending infrastructure to send email on behalf of your domain.

For more details on email authentication setup, see [Email deliverability](/docs/guides/development/troubleshooting/email-deliverability#spf-and-dkim-email-authentication).

---

## Static Site Generation (SSG)

- URL: https://clerk.com/glossary.md#static-site-generation-ssg
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Static site generation (SSG) is a build-time rendering strategy where HTML pages are pre-generated and served as static files, offering fast load times, improved security, and simplified hosting.

**Related terms:**

- Next.js
- Gatsby
- Framework

---

## Supabase

- URL: https://clerk.com/glossary.md#supabase
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Supabase is an open-source backend-as-a-service that provides developers with a real-time database, authentication, and storage solutions, simplifying the creation of modern web applications.

**Related terms:**

- User Management
- [Multi-Tenancy](https://clerk.com/glossary/multi-tenancy.md)
- Authentication
- Security Best Practices
- Database
- Backend as a Service (BaaS)

---

## Tailwind CSS

- URL: https://clerk.com/glossary/tailwind-css.md
- Date: 2024-07-24
- Category: Development Frameworks & Libraries
- Description: Tailwind CSS is a utility-first CSS framework that provides low-level utility classes to build custom designs directly in the markup, offering flexibility and efficiency in styling web applications.

**Related terms:**

- UI Framework
- Design System
- Frontend Development
- CSS Framework

Styling web applications requires balancing flexibility with maintainability. Traditional CSS frameworks often involve overriding existing styles or adding custom CSS, complicating the design process. Tailwind CSS offers a different solution by providing low-level utility classes that can be combined directly in your HTML. Many developers have found this approach quicker to build and easier to maintain.

The utility-first approach of Tailwind CSS allows developers to apply specific styles, like margins and colors, directly in HTML using class names. Since its release in 2017, Tailwind has been widely adopted due to its ability to address common CSS issues, providing precise design control without unnecessary overhead.

## What is Tailwind CSS?

[Tailwind CSS](https://tailwindcss.com/) is a CSS framework offering utility classes for building unique designs. Unlike component-based frameworks, it enables developers to apply specific styles like margins, padding, and colors directly in HTML using short class names. This approach negates the need for custom CSS while reducing context switching between HTML and stylesheets.

It uses a configuration file to dictate all aspects of generated styles. This method helps teams maintain design consistency while building unique interfaces. Tailwind's extensive utility classes offer a styling system for both basic layouts and advanced responsive features.

## How Tailwind CSS works

Tailwind CSS scans your HTML, JavaScript, and template files for utility class names and generates the required CSS. It ensures only the styles in use are part of the final build. The configuration file specifies which files Tailwind should scan, offering precision in the CSS generation process.

By default, the generated CSS relies on well-documented, sensible defaults for sizing and colors. Those defaults can be customized in a configuration file called `tailwind.config.js` to better match your project's color palette, spacing, and other visual properties. Running `npx tailwindcss init` creates the file, which you then customize as required.
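An added example of the configuration file described above (written for this entry, not taken from Tailwind's documentation or Clerk's code): the `content` globs decide which files are scanned for class names, and `theme.extend` adds project tokens on top of the built-in defaults. The paths and the `@acme/ui` package are hypothetical.

```javascript
// tailwind.config.js: added example, not from the page or Tailwind's docs.
// Globs under `content` tell Tailwind which files to scan for class names;
// a class that only appears in a file outside these globs is never generated.
/** @type {import('tailwindcss').Config} */
module.exports = {
  content: [
    './src/**/*.{html,js,jsx,ts,tsx}',   // application markup and components
    './node_modules/@acme/ui/**/*.js',   // hypothetical shared component package
  ],
  theme: {
    extend: {
      // Design tokens: extending (rather than replacing) the defaults keeps the
      // documented palette and spacing scale available alongside your own.
      colors: {
        brand: { 500: '#1d4ed8', 700: '#1e3a8a' },
      },
      spacing: { 18: '4.5rem' },
    },
  },
  plugins: [],
};
```

Class names assembled at runtime (for example `` `bg-${color}-500` ``) never appear as complete strings in the scanned files, so Tailwind does not generate them; write the full class name in the source instead.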

Tailwind CSS improves performance with just-in-time CSS generation, which it calls “JIT mode.” JIT mode generates CSS only as needed, which reduces the final build size. This differs from other styling frameworks, which often ship a foundational set of utility classes that is always included in the final build, even when unused.

JIT mode has been standard in Tailwind since version 2.1. Prior to that, it used PurgeCSS, which also minimized the bundle size, but was slower to generate CSS during development.

## Benefits of Tailwind CSS

Tailwind CSS's utility-first method offers advantages over traditional frameworks. Because styles are applied in the HTML, developers build interfaces without switching files or writing custom CSS. This promotes design consistency through predefined utility classes instead of divergent custom styles.

The configuration system allows extensive customization while keeping styling organized. Teams define design tokens such as colors and spacing once, ensuring consistency across projects. These advantages, along with the build optimization features, make Tailwind CSS effective for large applications.

Tailwind's active community has created many plugins, tools, and resources. Companies such as [Shopify](https://www.shopify.com/) and [Meetup](https://www.meetup.com/) use Tailwind CSS in production, proving its value in real-world applications. The framework's documentation and community support help teams address styling issues and share solutions.

## Integrating Tailwind CSS with Clerk

Tailwind CSS integrates seamlessly with Clerk's authentication components, letting developers create cohesive user interfaces. Apply utility classes directly to Clerk Elements via the `className` prop to maintain consistent styling across authentication flows.

For more on styling options, refer to [Clerk's styling documentation](/docs/customization/elements/guides/styling).

## The influence of Tailwind CSS on modern web development

Tailwind CSS has proven that utility-first styling can be practical and maintainable. Its optimized stylesheet generation and excellent developer experience have made it a standard tool in modern web development. The framework's success shows that developers value tools offering both flexibility and performance.

To get started, review the [official Tailwind CSS documentation](https://tailwindcss.com/docs) for guides and examples. Resources like [Flowbite](https://flowbite.com/) and [Daisy UI](https://daisyui.com/) provide pre-built components to accelerate development while retaining utility-first benefits. These tools and core features enable developers to build efficient, adaptable, and consistent web applications.

---

## Testing Tokens

- URL: https://clerk.com/glossary.md#testing-tokens
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Testing Tokens are tokens used in the development and testing phases to simulate authentication and authorization processes without using real user credentials.

**Related terms:**

- Authentication
- Security Testing
- API Testing
- Session Management
- Pen Test
- OWASP Testing Guide / Security Verification

---

## TLS

- URL: https://clerk.com/glossary.md#tls
- Date: 2026-02-25
- Category: Security & Privacy
- Description: TLS (Transport Layer Security) is a cryptographic protocol that encrypts data transmitted between two systems over a network, ensuring privacy and data integrity. It is the standard mechanism for securing web traffic (HTTPS) and email delivery, preventing eavesdropping, tampering, and message forgery during transit. TLS replaced the older SSL (Secure Sockets Layer) protocol and is now required by major email providers like Gmail for all inbound email connections.

**Related terms:**

- Encryption at Rest / In Transit
- Certificate Pinning
- [DKIM](https://clerk.com/glossary/dkim.md)
- [SPF](https://clerk.com/glossary/spf.md)
- Data Protection

---

## Token Expiration

- URL: https://clerk.com/glossary.md#token-expiration
- Date: 2026-03-19
- Category: Authentication & Authorization
- Description: Token expiration is the mechanism by which authentication and session tokens become invalid after a defined time period, balancing security against user convenience by requiring periodic re-authentication or token refresh.

**Related terms:**

- Session Lifecycle
- Session Revocation
- Refresh Token
- Customizable Session Tokens
- JSON Web Token

---

## User Enumeration

- URL: https://clerk.com/glossary.md#user-enumeration
- Date: 2025-08-06
- Category: Security
- Description: User enumeration is a technique for determining whether a user account exists on an application, by observing that failed authentication attempts still reveal information about the existence or non-existence of user accounts.

**Related terms:**

- Authentication
- Brute Force Detection
- Rate Limiting

---

## User Interface Components

- URL: https://clerk.com/glossary.md#user-interface-components
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: User Interface Components are reusable building blocks used to create the visual elements of a web application, such as buttons, forms, and navigation bars.

**Related terms:**

- Component Library
- Elements
- Primitives
- Control Components
- ClerkProvider
- Design System
- Frontend Development

---

## User Management

- URL: https://clerk.com/glossary.md#user-management
- Date: 2024-07-24
- Category: User & Session Management
- Description: User Management involves the processes and tools for managing user accounts, roles, permissions, and authentication within an application, ensuring secure and efficient access control.

**Related terms:**

- User Profile
- Roles
- Admin Dashboard
- Organizations

---

## User Profile

- URL: https://clerk.com/glossary.md#user-profile
- Date: 2024-07-24
- Category: User & Session Management
- Description: A User Profile is a collection of personal data and preferences associated with a user account, providing a personalized experience within an application.

**Related terms:**

- User Management
- Roles
- Data Privacy
- User Experience

---

## User Verification

- URL: https://clerk.com/glossary.md#user-verification
- Date: 2026-03-19
- Category: Authentication & Authorization
- Description: User verification is the process of confirming a user identity through one or more authentication factors, such as passwords, one-time passcodes, biometrics, or challenge-response mechanisms.

**Related terms:**

- Authentication
- Authentication Challenge
- Multi-factor Authentication (MFA)
- [CAPTCHA](https://clerk.com/glossary/captcha.md)
- Email OTP
- One-Time Passcodes (Email / SMS)

---

## useSession

- URL: https://clerk.com/glossary.md#usesession
- Date: 2024-12-19
- Category: User & Session Management
- Description: useSession is a React hook used in web development to manage user session state, providing authentication status and session details, and enabling sign-in and sign-out actions. It helps conditionally render content based on user login status.

**Related terms:**

- Customizable Session Tokens
- JSON Web Token
- Session
- Session Management

---

## Virtual Routing

- URL: https://clerk.com/glossary.md#virtual-routing
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: Virtual Routing is a routing technique that manages navigation and rendering of views in a web application without changing the URL, often used in client-side routing libraries.

**Related terms:**

- Client-Side Routing
- Frontend Development
- URL Management
- React Router (Library)

---

## Vue.js

- URL: https://clerk.com/glossary.md#vue-js
- Date: 2026-03-19
- Category: Development Frameworks & Libraries
- Description: Vue.js is a progressive JavaScript framework for building user interfaces, offering a flexible and approachable architecture for creating single-page applications and interactive web experiences.

**Related terms:**

- React
- Framework

---

## Web Development

- URL: https://clerk.com/glossary.md#web-development
- Date: 2026-03-19
- Category: Development Tools & Concepts
- Description: Web development encompasses the design, building, and maintenance of websites and web applications, spanning frontend interfaces, backend services, databases, and the infrastructure that connects them.

**Related terms:**

- Framework
- Next.js
- React
- Software Development Kit (SDK)
- Developer Velocity

---

## WebAuthn

- URL: https://clerk.com/glossary.md#webauthn
- Date: 2026-03-19
- Category: Security
- Description: WebAuthn (Web Authentication) is a W3C browser standard that enables passwordless, phishing-resistant authentication using public-key cryptography. Instead of transmitting a shared secret like a password, a user's device generates a unique key pair: the private key stays on the device (often protected by biometric authentication or a hardware key), while the public key is registered with the server. During sign-in, the server issues a challenge, a fresh, unpredictable nonce, and the authenticator signs it with the private key; the signature is also bound to the origin, which prevents replay and phishing attacks. This is the protocol that powers passkeys, letting users authenticate with a fingerprint, face scan, or USB security key instead of remembering a password. WebAuthn credentials can be managed programmatically through the browser's Credential Management API and are commonly used as a factor in multi-factor authentication flows.

**Related terms:**

- Authentication
- Passkeys
- Multi-factor Authentication (MFA)
- Authenticator Apps (TOTP)
- Hardware Keys
- Security Best Practices
- Biometric Authentication
- Public-Key Cryptography
- Challenge–Response
- Authentication Challenge
- Credential Management API
- Cryptographic Nonce

---

## Webhook

- URL: https://clerk.com/glossary.md#webhook
- Date: 2024-07-24
- Category: Development Tools & Concepts
- Description: A Webhook is an HTTP callback that allows one system to send real-time data to another system as soon as an event occurs, commonly used for integrating different services.

**Related terms:**

- API Integration
- Real-Time Updates
- Event-Driven Architecture
- Automation

---

## Zero Trust Architecture

- URL: https://clerk.com/glossary.md#zero-trust-architecture
- Date: 2026-03-19
- Category: Security
- Description: Zero Trust Architecture is a security model that requires strict identity verification for every person and device attempting to access resources, regardless of their location relative to the network perimeter, operating on the principle of never trust, always verify.

**Related terms:**

- Least Privilege Access
- Conditional Access
- Route-Specific Authentication
- Security Best Practices
- Multi-factor Authentication (MFA)