# Clerk — LLM Context for Agentic Provisioning

Clerk is a drop-in authentication and user management platform. After provisioning a Clerk application, you'll have API keys to add sign-up, sign-in, and user management to any web or mobile app.

## Credentials you received

After provisioning, your credentials are in the `CLERK_AUTH_ENVIRONMENTS` environment variable as a JSON string:

```json
{
  "development": {
    "publishable_key": "pk_test_...",
    "secret_key": "sk_test_..."
  },
  "production": {
    "publishable_key": "pk_live_...",
    "secret_key": "sk_live_...",
    "domain": "yourapp.com",
    "dns_setup_required": true,
    "dns_setup_url": "https://dashboard.clerk.com/..."
  }
}
```

- **publishable_key** (starts with `pk_test_` or `pk_live_`) — Used client-side. Safe to expose in frontend code.
- **secret_key** (starts with `sk_test_` or `sk_live_`) — Used server-side. Keep secret — never expose in client code, git repos, or logs.
- **development** credentials are always present. Use these for local development.
- **production** credentials are present only if a `production_domain` was provided during provisioning. If `dns_setup_required` is true, visit the `dns_setup_url` to configure DNS before going live.

## Environment setup by framework

Extract the keys from `CLERK_AUTH_ENVIRONMENTS` and set them as your framework expects. Use the `development` keys for local development.

### Next.js

Add to `.env.local`:
```bash
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_...  # from development.publishable_key
CLERK_SECRET_KEY=sk_test_...                    # from development.secret_key
```

### React (Vite)

Add to `.env`:
```bash
VITE_CLERK_PUBLISHABLE_KEY=pk_test_...  # from development.publishable_key
```

### Express / Node.js

Add to `.env`:
```bash
CLERK_PUBLISHABLE_KEY=pk_test_...  # from development.publishable_key
CLERK_SECRET_KEY=sk_test_...       # from development.secret_key
```

### For production deployment

When deploying, use the `production` keys instead:
```bash
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_live_...  # from production.publishable_key
CLERK_SECRET_KEY=sk_live_...                    # from production.secret_key
```

## Quick start by framework

### Next.js (recommended)

```bash
npm install @clerk/nextjs
```

**middleware.ts** (project root):
```typescript
import { clerkMiddleware } from '@clerk/nextjs/server'

export default clerkMiddleware()

export const config = {
  matcher: [
    '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
    '/(api|trpc)(.*)',
  ],
}
```

**app/layout.tsx**:
```tsx
import { ClerkProvider } from '@clerk/nextjs'

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return (
    <ClerkProvider>
      <html lang="en">
        <body>{children}</body>
      </html>
    </ClerkProvider>
  )
}
```

**Protect a page**:
```tsx
import { auth } from '@clerk/nextjs/server'

export default async function ProtectedPage() {
  const { userId } = await auth()
  if (!userId) return <div>Not signed in</div>
  return <div>Hello, {userId}</div>
}
```

### React (Vite, CRA, etc.)

```bash
npm install @clerk/clerk-react
```

```tsx
import { ClerkProvider, SignedIn, SignedOut, SignInButton, UserButton } from '@clerk/clerk-react'

function App() {
  return (
    <ClerkProvider publishableKey={import.meta.env.VITE_CLERK_PUBLISHABLE_KEY}>
      <SignedOut>
        <SignInButton />
      </SignedOut>
      <SignedIn>
        <UserButton />
      </SignedIn>
    </ClerkProvider>
  )
}
```

### Express

```bash
npm install @clerk/express
```

```typescript
import { clerkMiddleware, requireAuth } from '@clerk/express'
import express from 'express'

const app = express()
app.use(clerkMiddleware())

// Public route
app.get('/', (req, res) => res.send('Hello'))

// Protected route
app.get('/protected', requireAuth(), (req, res) => {
  res.json({ userId: req.auth.userId })
})

app.listen(3000)
```

### Other frameworks

Clerk supports Remix, Vue, Nuxt, Fastify, Astro, and more. See https://clerk.com/docs/quickstarts for framework-specific guides.

## Configuration options

When provisioning, you can pass:

- **app_name** (required) — Name of the Clerk application.
- **production_domain** (optional) — Your production domain (e.g. myapp.com). If provided, both development and production instances are created. DNS setup is required after provisioning — a link to the DNS configuration page is included in the response.

## What you can do with Clerk

- **Authentication**: Email/password, social OAuth (Google, GitHub, etc.), magic links, passkeys, multi-factor auth
- **User management**: User profiles, metadata, avatar uploads
- **Organizations**: Multi-tenant workspaces with roles and permissions
- **Session management**: JWTs, session tokens, multi-session support
- **Webhooks**: Real-time events for user/org lifecycle changes

## Environment types

- **Development** (pk_test_*, sk_test_*) — For local development. Test users, no email delivery, relaxed security.
- **Production** (pk_live_*, sk_live_*) — For live apps. Real email delivery, HTTPS required, production security. Requires domain configuration.

Development credentials are returned by default. To get production credentials, pass production_domain during provisioning.

## Useful links

- Documentation: https://clerk.com/docs
- Quickstarts: https://clerk.com/docs/quickstarts
- API reference: https://clerk.com/docs/reference/backend-api
- Dashboard: https://dashboard.clerk.com
- Support: https://clerk.com/contact/support