Loop

Concept	Description
JWT (JSON Web Token)	Signed token containing user claims, verified server-side without a session store
Session	Server-managed auth state, typically stored in HTTP-only cookies
RBAC	Role-Based Access Control — permissions derived from assigned roles

Concept	Description
JWT (JSON Web Token)	Signed token containing user claims, verified server-side without a session store
Session	Server-managed auth state, typically stored in HTTP-only cookies
RBAC	Role-Based Access Control — permissions derived from assigned roles

Clerk Auth Patterns · Loop · Loop

Pattern	Best for	Session store	Token type
Clerk (managed)	Next.js apps, rapid setup	Clerk-managed	Clerk session / JWT
Auth0	Enterprise SSO, custom flows	Auth0-managed	Auth0 JWT
Custom OAuth 2.0	Full control, multi-provider	Self-managed	Standard JWT
Supabase Auth	Supabase-native apps	Supabase-managed	Supabase JWT

import { clerkMiddleware } from '@clerk/nextjs/server'

export default clerkMiddleware()

export const config = {
  matcher: [
    '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
    '/(api|trpc)(.*)',
  ],
}

import { auth } from '@clerk/nextjs/server';
import { NextResponse } from 'next/server';

export async function GET() {
  const { userId, orgId, orgRole } = await auth();

  if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  if (orgRole !== 'org:admin') return NextResponse.json({ error: 'Forbidden' }, { status: 403 });

  return NextResponse.json({ userId, orgId });
}

import { auth } from '@clerk/nextjs/server';
import { createClient } from '@supabase/supabase-js';

export async function getAuthenticatedSupabase() {
  const { getToken } = await auth();
  // request a standard session/JWT token; don't rely on deprecated preconfigured templates
  const userToken = await getToken();
  if (!userToken) throw new Error('Failed to obtain Clerk token');

  return createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    { global: { headers: { Authorization: `Bearer ${userToken}` } } }
  );
}

CREATE OR REPLACE FUNCTION auth.clerk_user_id()
RETURNS TEXT AS $$
  SELECT coalesce(
    current_setting('request.jwt.claims', true)::json->>'sub',
    (current_setting('request.jwt.claims', true)::json->>'userId')::text
  );
$$ LANGUAGE sql STABLE;

CREATE POLICY "users_own_data" ON public.user_profiles
  FOR ALL USING (clerk_user_id = auth.clerk_user_id());

import { auth } from '@clerk/nextjs/server';
import { NextResponse } from 'next/server';

type OrgRole = 'org:admin' | 'org:member' | 'org:viewer';
const ROLE_HIERARCHY: Record<OrgRole, number> = { 'org:admin': 3, 'org:member': 2, 'org:viewer': 1 };

export function requireRole(minimumRole: OrgRole) {
  return async function checkRole() {
    const { userId, orgRole } = await auth();
    if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
    const userLevel = ROLE_HIERARCHY[orgRole as OrgRole] ?? 0;
    if (userLevel < ROLE_HIERARCHY[minimumRole]) return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
    return null;
  };
}

import { Webhook } from 'svix';

const WEBHOOK_SECRET = process.env.CLERK_WEBHOOK_SECRET!;

// inside your POST handler
const payload = await request.text();
const wh = new Webhook(WEBHOOK_SECRET);
let event;
try { event = wh.verify(payload, request.headers as any); }
catch { return NextResponse.json({ error: 'Invalid signature' }, { status: 401 }); }
// handle event types idempotently

Clerk token templates & Supabase: the older "Supabase JWT template" flow and client-side supabase.auth.setAuth usage are deprecated. Use a server-side token and send it in the Authorization header when creating the Supabase client. Verify the token includes a sub claim used by your RLS functions (Clerk docs, Supabase docs). Deprecation was announced in Clerk's Supabase integration guide.
Middleware matcher too broad — matching /(.*) intercepts static assets and causes performance issues. Use the recommended matcher pattern from Clerk's middleware docs.
Organization role caching — Clerk caches org roles in the session token. Role changes may not reflect immediately until token refresh (short cache windows are common — check your session TTL).
Webhook replay — svix handles deduplication via svix-id, but your handler must be idempotent for retries.
RLS with service role key — the Supabase service role key bypasses RLS entirely. Never expose it to the client; use the anon key with user JWTs.
Auth in server actions — auth() works in server components and route handlers but must be awaited in Next.js App Router handlers.
Cross-domain / multi-domain setups — Clerk sessions are domain-scoped. For multi-domain apps, use Clerk's multi-domain guidance or a backend auth proxy.
Session security (OWASP guidance):
- Set cookies with HttpOnly and Secure flags; use SameSite="Lax" or stricter where appropriate.
- Rotate session identifiers on privilege elevation and on login (prevent session fixation).
- Keep short-lived access tokens and refresh securely on the server.
- Do not store long-lived auth tokens in localStorage.
Dependency supply-chain risk: monitor dependency health and pin/scan critical packages — Snyk's recent Axios compromise writeup illustrates active supply-chain threats (snyk.io blog).
URL validation & input handling: recent PortSwigger research shows novel URL-validation bypass payloads — ensure strict validation and normalization on auth-related endpoints (portswigger.net research).

Activity

ActiveDaily · 9:00 AM7 sources

Automation & run history

Automation status and run history. Only the owner can trigger runs or edit the schedule.

View automation desk

Next runin 1h

ScheduleDaily · 9:00 AM

Runs this month30

Latest outcomev7

April 2026

Clerk Auth Patterns refresh

Daily · 9:00 AM30 runsin 1h

Automation brief

Check Clerk changelog for SDK changes, middleware patterns, and organization-feature updates. Scan OWASP for session-management and JWT security advisories. Monitor Supabase for RLS and auth-hook changes. Update auth-flow diagrams and token-handling patterns.

Latest refresh trace

Reasoning steps, source results, and the diff that landed.

Apr 11, 2026 · 9:29 AM

triggerAutomation

editoropenai/gpt-5-mini

duration165.9s

statussuccess

web searches4

Revision: v7

This update clarifies Clerk session customization (preview feature and cookie size limits), removes reliance on deprecated supabase-js client patterns (setAuth), and replaces the Supabase-token-template guidance with a server-forwarding Authorization header pattern. It also tightens middleware and RLS guidance and cites Clerk changelog/docs and the supabase-js issue for verifiability.

Added Clerk Preview Custom Session Claims guidance; documented cookie-size constraint for custom claims; replaced Supabase token-template/code with Authorization header pattern; added citation to supabase-js v2 setAuth removal; clarified middleware filename note and opt-in protection behavior; preserved OWASP and supply-chain notes.

Agent steps

Step 1Started scanning 7 sources.

Step 2Clerk Changelog: 12 fresh signals captured.

Step 3OWASP: No fresh signals found.

Step 4Supabase Blog: No fresh signals found.

Step 5PortSwigger Research: 12 fresh signals captured.

Step 6Snyk Blog: 5 fresh signals captured.

Step 7Clerk Docs: 12 fresh signals captured.

Step 8Supabase Docs: 12 fresh signals captured.

Step 9Agent is rewriting the skill body from the fetched source deltas.

Step 10Agent used 4 web search(es).

Step 11v7 is live with body edits.

Sources

Clerk Changelogdone

12 fresh signals captured.

Preview Custom Session Claims Restrict end users from changing their identifiers Clerk Billing now supports plans with seat limits

OWASPdone

No fresh signals found.

Supabase Blogdone

No fresh signals found.

PortSwigger Researchdone

12 fresh signals captured.

Top 10 web hacking techniques of 2025 Top 10 web hacking techniques of 2025: call for nominations Document My Pentest: you hack, the AI writes it up!

Snyk Blogdone

5 fresh signals captured.

Governing Security in the Age of Infinite Signal – From Discovery to Control Secure What Matters: Scaling Effortless Container Security for the AI Era Building AI Security with Our Customers: 5 Lessons from Evo’s Design Partner Program

Clerk Docsdone

12 fresh signals captured.

Authentication B2B Authentication React

Supabase Docsdone

12 fresh signals captured.

anonymous user Multi-Factor Authentication Supabase Auth

Diff preview

### Step 1: Set up Clerk Middleware (recommended current pattern)

−

- Clerk's middleware integrates with Next.js via a proxy file. For Next.js ≤15 name it `middleware.ts`; otherwise `proxy.ts` (Clerk docs).

- Clerk's middleware integrates with Next.js via a proxy file. Name the file proxy.ts at the project root (or src/) as shown in Clerk docs. Note: when using older Next.js releases (<=15), Next.js expects the filename middleware.ts — the code is identical; only the filename differs (Clerk docs).

−

- The minimal recommended middleware attaches Clerk token parsing to requests but does not implicitly protect all routes; protection is opt-in (clerkMiddleware default behavior).

Example (proxy.ts):

@@ −62 +61 @@

}

```

- Use `createRouteMatcher()` when you need to protect multiple route groups or build complex matchers. The middleware supports both App and Pages routers (Clerk docs).

−

- Use `createRouteMatcher()` when you need to protect multiple route groups or build complex matchers. The middleware supports App and Pages routers (Clerk docs).

- By default, `clerkMiddleware()` does not protect routes — protection is opt-in. Prefer calling `auth()` inside App Router route handlers or server components for authoritative user context unless you need middleware redirects or proxying.

−

- Prefer calling `auth()` inside App Router route handlers or server components for authoritative user context rather than making complex auth decisions fully in middleware, unless you need in-middleware redirects or proxying.

Reference: Clerk middleware docs (clerk.com/docs/reference/nextjs/clerk-middleware).

@@ −88 +87 @@

}

```

−### Step 3: Integrate Clerk tokens with Supabase RLS (required migration)

+### Step 3: Integrate Clerk tokens with Supabase RLS (migration and current recommended pattern)

- Background: older public examples and community guides showed using `supabase.auth.setAuth` or Clerk-provided Supabase JWT templates to inject a Supabase-compatible token into the client. These approaches are no longer dependable: the supabase-js v2 client no longer exposes setAuth, and Clerk has shifted guidance toward server-side token provisioning and customized session claims (see sources below).

−

- Clerk previously documented a "Supabase JWT template" approach. That template-based flow was deprecated by Clerk (deprecation noted in Clerk's Supabase integration guide). Migrate away from relying on pre-configured token templates.

  - Evidence: supabase-js v2 issue reporting setAuth() missing (supabase/supabase#8490) and Clerk's session token customization docs.

+- Recommended pattern (server-mediated Authorization header):

  - Ensure the client sends the user's Clerk session token in the Authorization: Bearer <token> header when making requests that need database access.

  - On the server, create a Supabase client that forwards that Authorization header to Supabase so RLS policies can evaluate the token claims.

−

- Recommended pattern: obtain a valid Clerk session token for the current user on the server and pass it as an Authorization: Bearer <token> header when creating the Supabase client. Do NOT expose a Supabase service_role key to the client (Clerk docs + Supabase docs).

+ - Do NOT expose a Supabase service_role key to any client — service_role bypasses RLS.

−Example (server-side):

+Example (server-side request handler that forwards client's bearer token to Supabase client):

```typescript

−import { auth } from '@clerk/nextjs/server';

import { createClient } from '@supabase/supabase-js';

+export async function handler(req) {

+ const authHeader = req.headers.get('authorization') || '';

+ if (!authHeader.startsWith('Bearer ')) {

+ return new Response(JSON.stringify({ error: 'Missing token' }), { status: 401 });

−export async function getAuthenticatedSupabase() {

+ }

− const { getToken } = await auth();

Diff▶

+Generated: 2026-04-09T09:26:34.913Z

Summary: This update: 1) replaces deprecated Supabase JWT template guidance with the Authorization header pattern (Clerk docs); 2) clarifies clerkMiddleware defaults and routing matcher guidance (Clerk docs); and 3) adds OWASP session-management and supply-chain/URL-validation reminders (OWASP, Snyk, PortSwigger).

−Generated: 2026-04-07T09:26:34.808Z

What changed: - Rewrote the Supabase integration section to remove the template-based flow and show Authorization header usage; - Clarified clerkMiddleware defaults and file naming; - Added OWASP cookie/session guidance; - Added supply-chain and URL-validation reminders referencing Snyk and PortSwigger.

−

Summary: Update to align with Clerk docs: deprecate use of Supabase JWT templates and client-side setAuth flows, recommend sending Clerk user tokens in the Authorization header for Supabase; clarify newest Clerk middleware usage and add OWASP session-management guidance.

−

What changed: - Rewrote Supabase integration section to remove deprecated token-template usage and show Authorization-header pattern.

−- Clarified middleware setup to match Clerk docs and recommended file naming for Next.js versions.

−- Added OWASP session-management guidance and expanded edge cases.

−- Added references to Clerk docs and Supabase migration notes.

Body changed: yes

Editor: openai/gpt-5-mini

−

Changed sections: Workflow, Step 3: Integrate Clerk tokens with Supabase RLS (important update), Edge cases and gotchas, Research-backed changes

Changed sections: Workflow (updated), Step 3: Integrate Clerk tokens with Supabase RLS (required migration), Step 1: Set up Clerk Middleware (recommended current pattern), Edge cases and gotchas (updated)

Experiments:

- Measure latency impact of narrower middleware matcher vs protecting in-handler auth (benchmark middleware matcher patterns).

−- Measure impact of replacing getToken(template) with getToken() + Authorization header on RLS error rates and latency.

- Test role-change propagation strategies: short TTL sessions vs explicit token refresh endpoints and measure UX/consistency tradeoffs.

−- Track role-change propagation time after token refresh to determine if proactive session refresh is needed in-app.

Signals:

+- Authentication (Clerk Docs)

+- B2B Authentication (Clerk Docs)

+- React (Clerk Docs)

−- Restrict end users from changing their identifiers (Clerk Changelog)

+- Next.js (Clerk Docs)

−- Clerk Billing now supports plans with seat limits (Clerk Changelog)

−- Overview for waitlist mode (Clerk Changelog)

−- Clerk is now available in Stripe Projects (Clerk Changelog)

Clerk Auth Patterns

Content

Clerk Auth Patterns

When to use

When NOT to use

Core concepts

Clerk Auth Patterns

Content

Clerk Auth Patterns

When to use

When NOT to use

Core concepts

Authentication flow comparison

Workflow (updated)

Step 1: Set up Clerk Middleware (recommended current pattern)

Step 2: Protect API routes with server-side auth checks

Step 3: Integrate Clerk tokens with Supabase RLS (required migration)

Step 4: Implement RBAC with organization roles

Step 5: Handle Clerk webhooks securely

Examples

Decision tree

Edge cases and gotchas (updated)

Evaluation criteria

Research-backed changes

Notes

Activity

Automation & run history

Latest refresh trace

Research engine

Sources