From knowledge-patch
Covers migration to Clerk Core 3, authentication flows, Organizations, Billing, and SDK references for JavaScript, Python, Go, Next.js, and Astro.
How this skill is triggered — by the user, by Claude, or both
Slash command
/knowledge-patch:clerk-knowledge-patchThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this guide when implementing, upgrading, or debugging Clerk authentication, authorization, Organizations, Billing, SDKs, components, or deployment architecture. Start with the migration notes below, then open the topic reference that matches the work.
agents/openai.yamlcoverage.jsonreferences/architecture-and-deployment.mdreferences/authentication-and-sessions.mdreferences/billing.mdreferences/components.mdreferences/core-3-migration.mdreferences/customization.mdreferences/frontend-resources.mdreferences/go-backend-sdk.mdreferences/integrations-and-webhooks.mdreferences/javascript-backend-sdk.mdreferences/organizations-and-enterprise.mdreferences/python-backend-sdk.mdUse this guide when implementing, upgrading, or debugging Clerk authentication, authorization, Organizations, Billing, SDKs, components, or deployment architecture. Start with the migration notes below, then open the topic reference that matches the work.
| Reference | Topics |
|---|---|
| Architecture and deployment | Account Portal, FAPI, cookies, handshake, environments, routing, Astro, Next.js, Dashboard roles, Platform API |
| Authentication and sessions | Factors, SSO, OAuth/OIDC, passkeys, pending sessions, reverification, JWT claims, restrictions |
| Billing | Plans, Features, Subscriptions, trials, checkout, hooks, administration |
| Components | Sign-in-or-up, Waitlist, Google One Tap, Show, loading controls, redirects, Billing drawers |
| Core 3 migration | Signal API, Expo native UI and hooks, attempt errors, MFA, transfer handling |
| Customization | Appearance, themes, Tailwind, iOS theming, localization, templates, Elements, profile extensions |
| Frontend resources | Browser API keys, Web3, email links, token cache, user refresh, listeners, multi-session behavior |
| Go Backend SDK | v2 setup, clients, middleware, resources, JWTs, roles, machines, settings |
| Integrations and webhooks | Svix webhooks, Inngest, framework middleware, MCP, FAPI proxies, satellites, Chrome extensions |
| JavaScript Backend SDK | Request authentication, Next.js token types, user migration, metadata, JWT templates, API keys |
| Organizations and enterprise | Tenant scoping, roles, permissions, role sets, invitations, Verified Domains, enterprise connections |
| Python Backend SDK | Authentication, retries, API keys, agent tasks, Billing, machines, releases and breaking schemas |
Core 3 uses named factor methods and explicit finalization. Do not port old attemptFirstFactor() or createdSessionId activation literally.
const { signIn } = useSignIn()
await signIn.create({ identifier: email })
await signIn.password({ password })
if (signIn.status === 'complete') {
await signIn.finalize({ navigate: () => router.push('/') })
}
signIn.emailCode.sendCode() and verifyCode().signUp.verifications.signIn.mfa namespace.errors.fields, other handled failures from errors.global, and unparsed failures from errors.raw.clerk.setActive() for an existingSession; use an attempt's finalize() for a newly completed attempt.Organization selection, forced-password reset, or required-MFA setup can leave a session pending. IDs are normally null and protected routes reject it. After finalization, inspect session.currentTask and route to the task UI. Use treatPendingAsSignedOut: false only on code that intentionally handles pending identity.
JavaScript authenticateRequest() reports isAuthenticated; isSignedIn is deprecated. The result can be signed-in, signed-out, or handshake, exposes tokenType, and converts through toAuth().
const state = await client.authenticateRequest(request, {
authorizedParties: ['https://app.example.com'],
})
if (!state.isAuthenticated) return new Response('Unauthorized', { status: 401 })
Next.js auth() accepts session tokens by default. Explicitly set acceptsToken for API keys, OAuth tokens, or mixed machine routes, and branch on tokenType and scopes.
users.update() and organizations.update() inputs.github.com/clerk/clerk-sdk-go/v2.<SignOutButton> takes redirectUrl and sessionId directly; signOutOptions is deprecated.<UserButton> sign-out destinations to <ClerkProvider>; only afterSwitchSessionUrl remains local to the button.satelliteAutoSync defaults to false. Set it explicitly when automatic synchronization is required.CLERK_JS_URL, not deprecated CLERK_JS; replace old after-sign-in/up environment variables with fallback or force redirect settings.sessions.verifySession() with full-request authentication or direct JWT validation.@clerk/chrome-extension/client with background: true./saml_connections to /v1/enterprise_connections.Prepare for removal of these deprecated names:
| Old | Current |
|---|---|
colorText | colorForeground |
colorTextOnPrimaryBackground | colorPrimaryForeground |
colorTextSecondary | colorMutedForeground |
spacingUnit | spacing |
colorInputText | colorInputForeground |
colorInputBackground | colorInput |
Use signIn.create({ identifier, signUpIfMissing: true }). Verification returns sign_up_if_missing_transfer for a new account, after which signUp.create({ transfer: true }) preserves the verified identifier. This excludes password, username, restricted, and waitlist flows.
Server code checks auth.has({ reverification: preset }) and returns reverificationError(preset); client code wraps the operation with useReverification(). If the user lacks a second factor, a requested second- or multi-factor level downgrades to first-factor verification. Native Expo must provide onNeedsReverification; the prebuilt modal is web-only.
Current session tokens include v, pla, fea, sts, and an o object only when an Organization is active. Keep custom claims below 1.2 KB so the complete cookie stays below browser limits. Use CLERK_JWT_KEY or a supplied jwtKey for networkless verification.
oauth_token; API-key routes must opt into api_key.sid, v, pla, or fea.Calling server-side auth() makes the route dynamic. Client useAuth() remains static by default; scope <ClerkProvider dynamic> narrowly, optionally under <Suspense>. Built-in FAPI proxying is available through clerkMiddleware() or App Router proxy handlers.
Endpoints use synchronous locals.auth(), await locals.currentUser(), and clerkClient(context). Never serialize the complete Backend User because it contains privateMetadata. Match isStatic on Clerk controls to whether the page is prerendered.
The long-lived __client JWT on the FAPI domain is distinct from the one-minute __session JWT on the exact application domain. Cross-subdomain APIs should receive the session token in Authorization. An expired server-rendered token can trigger a 307 FAPI handshake; preserve Clerk's context headers through adapters and proxies.
Development instances have a 100-user cap and cannot transfer users to production. Staging normally needs a separate application and domain. A preview sharing production identity must use production keys on a subdomain of the same root domain; provider-owned preview domains use development keys.
slug with authenticated orgSlug before reading tenant data.has() checks.Clerk Billing objects are separate from Stripe Billing objects. The service is USD-only and has no native refunds, tax/VAT calculation, 3D Secure confirmation, or merchant-of-record service. Authorize entitlements with has() or <Show>, not display hooks.
For custom checkout, call start(), confirm(), then finalize() to synchronize identity state. New cards require <PaymentElementProvider> and <PaymentElement />; existing cards pass paymentMethodId. Billing buttons must be inside <Show when="signed-in">, and Organization checkout also requires an Active Organization.
<Show> accepts roles, permissions, features, plans, or a callback, but it only hides client content; repeat sensitive checks on the server.<GoogleOneTap> needs custom Google credentials and does not return provider access tokens.<Waitlist /> needs Waitlist mode plus waitlistUrl.theme, options, variables, elements, captcha, and cssLayerName; direct component appearance wins for one instance.utilities.cl-* classes before the lock marker; remove cl- when using an appearance.elements key.@clerk/expo 3.1 requires Expo SDK 53+. Its config plugin installs native iOS and Android dependencies. AuthView, UserButton, and UserProfileView come from @clerk/expo/native; native Google sign-in uses platform-native APIs. Set the plugin's appleSignIn option to false when the entitlement is not needed.
Use useUserProfileModal(), useNativeSession(), and useNativeAuthEvents() for native state. Cloudflare bot protection is unsupported in Expo and must be disabled there.
npx claudepluginhub nevaberry/nevaberry-plugins --plugin knowledge-patchRoutes Clerk authentication tasks to specialized skills for setup, CLI operations, custom UI, and framework-specific patterns (Next.js, React, Vue, Nuxt, Astro, Expo, etc.).
Provides Clerk auth patterns for Next.js App Router including setup, middleware, route protection, and common anti-patterns.
Implements Clerk authentication patterns for Next.js App Router, including middleware, organizations, webhooks, and user sync. Useful when adding sign-in/sign-up flows.