Loop

Concept	Description
JWT (JSON Web Token)	Signed token containing user claims, verified server-side without a session store
Session	Server-managed auth state, typically stored in HTTP-only cookies
RBAC	Role-Based Access Control — permissions derived from assigned roles

Concept	Description
JWT (JSON Web Token)	Signed token containing user claims, verified server-side without a session store
Session	Server-managed auth state, typically stored in HTTP-only cookies
RBAC	Role-Based Access Control — permissions derived from assigned roles

Clerk Auth Patterns · Loop · Loop

Pattern	Best for	Session store	Token type
Clerk (managed)	Next.js apps, rapid setup	Clerk-managed	Clerk session / JWT
Auth0	Enterprise SSO, custom flows	Auth0-managed	Auth0 JWT
Custom OAuth 2.0	Full control, multi-provider	Self-managed	Standard JWT
Supabase Auth	Supabase-native apps	Supabase-managed	Supabase JWT

import { clerkMiddleware } from '@clerk/nextjs/server'

// Default usage attaches Clerk to requests but does not implicitly block routes
export default clerkMiddleware()

export const config = {
  matcher: [
    '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
    '/(api|trpc)(.*)',
  ],
}

import { auth } from '@clerk/nextjs/server';
import { NextResponse } from 'next/server';

export async function GET() {
  const { userId, orgId, orgRole } = await auth();

  if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  if (orgRole !== 'org:admin') return NextResponse.json({ error: 'Forbidden' }, { status: 403 });

  return NextResponse.json({ userId, orgId });
}

import { auth } from '@clerk/nextjs/server';
import { createClient } from '@supabase/supabase-js';

export async function getAuthenticatedSupabase() {
  const { getToken } = await auth();
  // request a standard session/JWT token; don't rely on deprecated preconfigured templates
  const userToken = await getToken();
  if (!userToken) throw new Error('Failed to obtain Clerk token');

  return createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    { global: { headers: { Authorization: `Bearer ${userToken}` } } }
  );
}

CREATE OR REPLACE FUNCTION auth.clerk_user_id()
RETURNS TEXT AS $$
  SELECT coalesce(
    current_setting('request.jwt.claims', true)::json->>'sub',
    (current_setting('request.jwt.claims', true)::json->>'userId')::text
  );
$$ LANGUAGE sql STABLE;

CREATE POLICY "users_own_data" ON public.user_profiles
  FOR ALL USING (clerk_user_id = auth.clerk_user_id());

import { auth } from '@clerk/nextjs/server';
import { NextResponse } from 'next/server';

type OrgRole = 'org:admin' | 'org:member' | 'org:viewer';
const ROLE_HIERARCHY: Record<OrgRole, number> = { 'org:admin': 3, 'org:member': 2, 'org:viewer': 1 };

export function requireRole(minimumRole: OrgRole) {
  return async function checkRole() {
    const { userId, orgRole } = await auth();
    if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
    const userLevel = ROLE_HIERARCHY[orgRole as OrgRole] ?? 0;
    if (userLevel < ROLE_HIERARCHY[minimumRole]) return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
    return null;
  };
}

import { Webhook } from 'svix';

const WEBHOOK_SECRET = process.env.CLERK_WEBHOOK_SECRET!;

// inside your POST handler
const payload = await request.text();
const wh = new Webhook(WEBHOOK_SECRET);
let event;
try { event = wh.verify(payload, request.headers as any); }
catch { return NextResponse.json({ error: 'Invalid signature' }, { status: 401 }); }
// handle event types idempotently

Activity

ActiveDaily · 9:00 AM6 sources

Automation & run history

Automation status and run history. Only the owner can trigger runs or edit the schedule.

View automation desk

Next runin 1h

ScheduleDaily · 9:00 AM

Runs this month30

Latest outcomev7

April 2026

Clerk Auth Patterns refresh

Daily · 9:00 AM30 runsin 1h

Automation brief

Check Clerk changelog for SDK changes, middleware patterns, and organization-feature updates. Scan OWASP for session-management and JWT security advisories. Monitor Supabase for RLS and auth-hook changes. Update auth-flow diagrams and token-handling patterns.

Latest refresh trace

Reasoning steps, source results, and the diff that landed.

Apr 11, 2026 · 9:29 AM

triggerAutomation

editoropenai/gpt-5-mini

duration165.9s

statussuccess

web searches4

Revision: v7

This update clarifies Clerk session customization (preview feature and cookie size limits), removes reliance on deprecated supabase-js client patterns (setAuth), and replaces the Supabase-token-template guidance with a server-forwarding Authorization header pattern. It also tightens middleware and RLS guidance and cites Clerk changelog/docs and the supabase-js issue for verifiability.

Added Clerk Preview Custom Session Claims guidance; documented cookie-size constraint for custom claims; replaced Supabase token-template/code with Authorization header pattern; added citation to supabase-js v2 setAuth removal; clarified middleware filename note and opt-in protection behavior; preserved OWASP and supply-chain notes.

Agent steps

Step 1Started scanning 7 sources.

Step 2Clerk Changelog: 12 fresh signals captured.

Step 3OWASP: No fresh signals found.

Step 4Supabase Blog: No fresh signals found.

Step 5PortSwigger Research: 12 fresh signals captured.

Step 6Snyk Blog: 5 fresh signals captured.

Step 7Clerk Docs: 12 fresh signals captured.

Step 8Supabase Docs: 12 fresh signals captured.

Step 9Agent is rewriting the skill body from the fetched source deltas.

Step 10Agent used 4 web search(es).

Step 11v7 is live with body edits.

Sources

Clerk Changelogdone

12 fresh signals captured.

Preview Custom Session Claims Restrict end users from changing their identifiers Clerk Billing now supports plans with seat limits

OWASPdone

No fresh signals found.

Supabase Blogdone

No fresh signals found.

PortSwigger Researchdone

12 fresh signals captured.

Top 10 web hacking techniques of 2025 Top 10 web hacking techniques of 2025: call for nominations Document My Pentest: you hack, the AI writes it up!

Snyk Blogdone

5 fresh signals captured.

Governing Security in the Age of Infinite Signal – From Discovery to Control Secure What Matters: Scaling Effortless Container Security for the AI Era Building AI Security with Our Customers: 5 Lessons from Evo’s Design Partner Program

Clerk Docsdone

12 fresh signals captured.

Authentication B2B Authentication React

Supabase Docsdone

12 fresh signals captured.

anonymous user Multi-Factor Authentication Supabase Auth

Diff preview

### Step 1: Set up Clerk Middleware (recommended current pattern)

−

- Clerk's middleware integrates with Next.js via a proxy file. For Next.js ≤15 name it `middleware.ts`; otherwise `proxy.ts` (Clerk docs).

- Clerk's middleware integrates with Next.js via a proxy file. Name the file proxy.ts at the project root (or src/) as shown in Clerk docs. Note: when using older Next.js releases (<=15), Next.js expects the filename middleware.ts — the code is identical; only the filename differs (Clerk docs).

−

- The minimal recommended middleware attaches Clerk token parsing to requests but does not implicitly protect all routes; protection is opt-in (clerkMiddleware default behavior).

Example (proxy.ts):

@@ −62 +61 @@

}

```

- Use `createRouteMatcher()` when you need to protect multiple route groups or build complex matchers. The middleware supports both App and Pages routers (Clerk docs).

−

- Use `createRouteMatcher()` when you need to protect multiple route groups or build complex matchers. The middleware supports App and Pages routers (Clerk docs).

- By default, `clerkMiddleware()` does not protect routes — protection is opt-in. Prefer calling `auth()` inside App Router route handlers or server components for authoritative user context unless you need middleware redirects or proxying.

−

- Prefer calling `auth()` inside App Router route handlers or server components for authoritative user context rather than making complex auth decisions fully in middleware, unless you need in-middleware redirects or proxying.

Reference: Clerk middleware docs (clerk.com/docs/reference/nextjs/clerk-middleware).

@@ −88 +87 @@

}

```

−### Step 3: Integrate Clerk tokens with Supabase RLS (required migration)

+### Step 3: Integrate Clerk tokens with Supabase RLS (migration and current recommended pattern)

- Background: older public examples and community guides showed using `supabase.auth.setAuth` or Clerk-provided Supabase JWT templates to inject a Supabase-compatible token into the client. These approaches are no longer dependable: the supabase-js v2 client no longer exposes setAuth, and Clerk has shifted guidance toward server-side token provisioning and customized session claims (see sources below).

−

- Clerk previously documented a "Supabase JWT template" approach. That template-based flow was deprecated by Clerk (deprecation noted in Clerk's Supabase integration guide). Migrate away from relying on pre-configured token templates.

  - Evidence: supabase-js v2 issue reporting setAuth() missing (supabase/supabase#8490) and Clerk's session token customization docs.

+- Recommended pattern (server-mediated Authorization header):

  - Ensure the client sends the user's Clerk session token in the Authorization: Bearer <token> header when making requests that need database access.

  - On the server, create a Supabase client that forwards that Authorization header to Supabase so RLS policies can evaluate the token claims.

−

- Recommended pattern: obtain a valid Clerk session token for the current user on the server and pass it as an Authorization: Bearer <token> header when creating the Supabase client. Do NOT expose a Supabase service_role key to the client (Clerk docs + Supabase docs).

+ - Do NOT expose a Supabase service_role key to any client — service_role bypasses RLS.

−Example (server-side):

+Example (server-side request handler that forwards client's bearer token to Supabase client):

```typescript

−import { auth } from '@clerk/nextjs/server';

import { createClient } from '@supabase/supabase-js';

+export async function handler(req) {

+ const authHeader = req.headers.get('authorization') || '';

+ if (!authHeader.startsWith('Bearer ')) {

+ return new Response(JSON.stringify({ error: 'Missing token' }), { status: 401 });

−export async function getAuthenticatedSupabase() {

+ }

− const { getToken } = await auth();

Diff▶

+Generated: 2026-04-07T09:26:34.808Z

Summary: Update to align with Clerk docs: deprecate use of Supabase JWT templates and client-side setAuth flows, recommend sending Clerk user tokens in the Authorization header for Supabase; clarify newest Clerk middleware usage and add OWASP session-management guidance.

What changed: - Rewrote Supabase integration section to remove deprecated token-template usage and show Authorization-header pattern.

+- Clarified middleware setup to match Clerk docs and recommended file naming for Next.js versions.

+- Added OWASP session-management guidance and expanded edge cases.

+- Added references to Clerk docs and Supabase migration notes.

−Generated: 2026-04-05T09:54:36.163Z

+Body changed: yes

−

Summary: Clerk Auth Patterns agent run was interrupted: Free credits temporarily have rate limits in place due to abuse. We are working on a resolution. Try again later, or pay for credits which continue to have unrestricted access. Pur

−

What changed: Agent crashed mid-run after 0 search(es). (agent error: Free credits temporarily have rate limits in place due to abuse. We are working on a resolution. Try again later, or pay for credits which continue to have unrestricted access. Purchase credits at htt)

−Body changed: no

Editor: openai/gpt-5-mini

Changed sections: Workflow, Step 3: Integrate Clerk tokens with Supabase RLS (important update), Edge cases and gotchas, Research-backed changes

Experiments:

+- Measure impact of replacing getToken(template) with getToken() + Authorization header on RLS error rates and latency.

−- Re-run after the issue is resolved.

+- Track role-change propagation time after token refresh to determine if proactive session refresh is needed in-app.

−- Add a higher-signal source.

−- Check gateway credits or rate limits.

Signals:

+- Restrict end users from changing their identifiers (Clerk Changelog)

+- Clerk Billing now supports plans with seat limits (Clerk Changelog)

+- Overview for waitlist mode (Clerk Changelog)

−- Authentication (Clerk Changelog)

+- Clerk is now available in Stripe Projects (Clerk Changelog)

−- B2B Authentication (Clerk Changelog)

−- React (Clerk Changelog)

−- Next.js (Clerk Changelog)

Clerk Auth Patterns

Content

Clerk Auth Patterns

When to use

When NOT to use

Core concepts

Clerk Auth Patterns

Content

Clerk Auth Patterns

When to use

When NOT to use

Core concepts

Authentication flow comparison

Workflow (updated)

Step 1: Set up Clerk Middleware (recommended current pattern)

Step 2: Protect API routes with server-side auth checks

Step 3: Integrate Clerk tokens with Supabase RLS (important update)

Step 4: Implement RBAC with organization roles

Step 5: Handle Clerk webhooks securely

Examples

Decision tree (unchanged)

Edge cases and gotchas (updated)

Evaluation criteria (unchanged)

Research-backed changes

Activity

Automation & run history

Latest refresh trace

Research engine

Sources