Skip to content

nathanjohnson320/clerk_elixir

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
lib
lib
 
 
test
test
 
 
.formatter.exs
.formatter.exs
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mix.exs
mix.exs
 
 
mix.lock
mix.lock
 
 

Repository files navigation

Clerk

HTTP client for the ClerkJS sdk. https://clerk.com/docs/reference/backend-api

Installation

If available in Hex, the package can be installed by adding clerk to your list of dependencies in mix.exs:

def deps do
  [
    {:clerk, "~> 2.0"}
  ]
end

Once the dependency is installed you can add your clerk domain and secret key to the config, the clerk module to the application tree, and then you can make API calls.

In the config

config :clerk,
  domain: "example.clerk.accounts.dev",
  secret_key: System.get_env("CLERK_API_KEY") || raise("CLERK_API_KEY environment variable is missing.")

Optional keys:

config :clerk,
  authorized_parties: ["https://app.example.com"]

When set, session JWT verification validates the token's azp (authorized party) claim against the list.

Exporting the secret key via bash

You can also export the secret key via bash. This is useful for local development.

export CLERK_API_KEY=sk_test_your-secret-key

Using dotenv in development to serve the clerk test api key

If you want to use a .env file, can use dotenv to load the config from a .env file. This is useful for local development. In production, you should set the environment variables directly into the server.

# .env
CLERK_API_KEY=sk_somekeyabc123

In your application's supervisor

children = [
  ...
  {Clerk, Clerk.config()},
  ...
]

{Clerk, Application.get_all_env(:clerk)} also works — Clerk.config/0 is the equivalent %Clerk.Config{} struct.

Then:

iex> Clerk.User.list()
{:ok,
  [
    %{
      "id" => "user_abcd12345",
      "locked" => false,
      "has_image" => true,
      "banned" => false,
      ...
    }
  ]
}

API calls and plugs default to Clerk.config/0 when config: is omitted. Pass it explicitly when you want to be clear about which tenant is in use:

Clerk.User.list(%{}, config: Clerk.config())
plug Clerk.AuthenticationPlug, config: Clerk.config()

You can also use the Clerk.AuthenticationPlug to automatically load the clerk session and user in plug based elixir applications. i.e. (in phoenix):

pipeline :api do
  plug :accepts, ["json"]
  plug :fetch_cookies
  plug Clerk.AuthenticationPlug
end

On success, the plug assigns :current_user and :clerk_session (the decoded JWT claims) to conn.assigns. It reads the token from the Authorization: Bearer header or the __session cookie (configurable via :session_key). Failed verification returns 401 Unauthorized.

Plug options:

plug Clerk.AuthenticationPlug, fetch_user: false  # use JWT claims only, skip API call
plug Clerk.AuthenticationPlug, session_key: "custom_session"

Multiple instances (umbrella apps)

In an umbrella application, all child apps run on the same BEAM node. The default Clerk supervisor registers under the fixed name Clerk, and its Finch pool uses ClerkHTTP. Starting a second {Clerk, Clerk.config()} child will crash with an already started error.

If each umbrella child app connects to a different Clerk tenant, give each supervisor a unique :name and a dedicated JWKS fetching strategy module (required when :name is not Clerk; see JokenJwks).

Do not rely on shared config :clerk for domain or secret key in multi-tenant setups — umbrella apps share one config namespace.

1. Define a fetching strategy per Clerk tenant

defmodule AppA.Clerk.FetchingStrategy do
  use JokenJwks.DefaultStrategyTemplate
end

2. Build a config and start the supervisor

Build a %Clerk.Config{}, keep a reference to it, and pass the same struct to the supervisor and all API calls.

# apps/app_a/lib/app_a/clerk_config.ex
defmodule AppA.ClerkConfig do
  def config do
    Clerk.Config.new(
      name: AppA.Clerk,
      domain: "app-a.clerk.accounts.dev",
      secret_key: System.fetch_env!("APP_A_CLERK_SECRET_KEY"),
      fetching_strategy: AppA.Clerk.FetchingStrategy,
      authorized_parties: ["https://app-a.example.com"]
    )
  end
end

# apps/app_a/lib/app_a/application.ex
config = AppA.ClerkConfig.config()

children = [
  {Clerk, config}
]

This starts a supervisor named AppA.Clerk, a Finch pool at AppA.Clerk.HTTP, and the JWKS fetching strategy for that tenant.

3. Pass config: on API calls and authentication

Unlike single-app usage, multi-tenant setups must pass config: on every call. Omitting it falls back to Clerk.config/0, which reads the shared config :clerk namespace and will target the wrong tenant.

config = AppA.ClerkConfig.config()

Clerk.User.list(%{}, config: config)
Clerk.Session.verify_and_validate(token, config: config)
plug Clerk.AuthenticationPlug, config: config

Documentation can be generated with ExDoc and published on HexDocs. Once published, the docs can be found at https://hexdocs.pm/clerk.

About

Elixir SDK for Clerk

Resources

Readme

License

MIT license
Activity

Stars

16 stars

Watchers

0 watching

Forks

8 forks
Report repository

Releases 7

v2.0.0 Latest
Jun 3, 2026
+ 6 releases

Packages

 
 
 

Contributors

Languages