Everything you need. Secure by default.
Simple and secure user authentication, complete with everything you need out-of-the-box to provide a secure experience for your users.
Clerk follows the highest standards in security compliance to ensure your customer data stays safe.
HIPAA
Clerk complies with the Health Insurance Portability and Accountability Act (HIPAA). This means it's safe to store even the most sensitive user data.
Bot & Brute force detection
Let Clerk worry about every emergent security attack vector, while you focus on building your business.
Password leak protection
Enforce best practices by configuring custom password policies, and leveraging automatic HaveIBeenPwned leak detection.
Add high-conversion Social SSO to your application in seconds
When available, 53% of users choose to sign in with SSO instead of the alternatives. With Social SSO, Clerk makes it extremely simple to offer authentication the way your users want.
SSO averages 1.3 times faster than passwords, and 5.2 times faster than other passwordless authentication solutions like magic links.
Don't spoil SSO's impressive performance with common mistakes. Clerk handles edge cases gracefully, so you don't have to.
Clerk supports a wide range of SSO providers and is always adding more. If you need a provider that isn't listed, please submit a request here.
If a user signs in with SSO after creating their account a different way, they are automatically linked to the original.
Pre-built components, ready for everything
Simply add <SignIn />, <SignUp />, <UserButton />, <UserProfile /> anywhere in your React codebase. Keep users on your own domain, and bring your own CSS to align to your brand.
MFA is the best way to prevent account takeovers.
Stop 99.9% of account takeovers in their tracks and provide the level of security your users have come to expect.
A text-based digital handshake, securely verifying identity with a unique, randomly generated code delivered straight to your mobile phone.
Personal digital locksmiths, creating dynamic, time-based one-time passwords (TOTPs) to secure your online access points.
Hardware keys are your personal digital padlocks, physically securing your data by requiring a unique key from a physical device to unlock your accounts.
Your digital lifeline, granting you access to your account when other forms of authentication are unavailable.
Convert your users to your product in seconds.
Eliminate forgotten passwords and credential stuffing attacks by going passwordless.
Virtual passports, allowing you to swiftly navigate through various platforms using a single trusted account.
One-click gateways, offering a seamless and password-free method to authenticate and access your digital domains securely.
Exclusive digital stamps, presenting a one-time-use password for secure access, delivered directly to your inbox.
Your personalized digital keys, sent directly to your mobile device for secure one-time access.
Easily implement Enterprise-grade tools like SAML and OpenID Connect
Forget the pain of having to manually implement SAML auth flows into your app. Now implementing a compliant SAML flow is as simple as filling out a form in Clerk's Dashboard.
Take the security burden off your shoulders
Working with Clerk means integrating an enterprise-ready solution that considers security, privacy, and compliance our crucial responsibility and a top priority in everything we build.
Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.
Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize attack surface area by using HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks.
Most Cross-Site Request Forgery (CSRF) attacks can be prevented by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by setting the SameSite flag on its cookies.
Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.
Clerk uses NIST guidelines to determine the character rules for passwords and contracts with HaveIBeenPwned to review prospective passwords. Additionally, Clerk leverages bcrypt, an industry standard hashing algorithm for storage.
Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.
SOC2 Type II
HIPAA
CCPA
Speed up your application with sub-millisecond authentication
Clerk manages the full session lifecycle, including critical security features like active device monitoring and session revocation.
Clerk’s session architecture is purpose-built to be extremely performant and low-latency across the globe. Avoid the effort and complexity it takes to build session management infrastructure and let us obsess about it instead.
Our team is constantly assessing and protecting against the latest threats so you don’t have to. Never again compromise on critical features like session revocation because they take too long to build – Clerk provides them out of the box.
Most modern applications expect users to have separate accounts for business and personal contexts. Clerk’s session management enables users to sign into many accounts at once, and switch as needed.