In my-app://renderer/sign-in, my-app is the scheme, renderer is the host, my-app://renderer is the origin, and /sign-in is the path. If your renderer uses path-based routing, serve every route from the same origin and fall back to your renderer entrypoint as needed.
Pass userAgent to createClerkBridge before creating renderer windows to set an app-specific product token, such as Acme Co/1.0.0. Clerk preserves Electron's platform details, such as Macintosh or Windows, while using the product token for UserProfile session activity attribution:
@clerk/electron loads Clerk's prebuilt UI from Clerk's CDN at runtime rather than bundling it, so your renderer's Content Security Policy must allow Clerk's Frontend API host. If it doesn't, the UI script fails to load and Clerk components never render.
Replace {fapi_host} below with your instance's Frontend API host, found in the Clerk Dashboard under API keys. It includes a clerk. segment (for example, clerk.your-app.com in production or your-slug.clerk.accounts.dev in development). This is not the Account Portal URL (your-slug.accounts.dev) — using that host blocks the UI script from loading.
[!NOTE]
This covers sign-in/up and the hotloaded UI. If you use Clerk Billing (Stripe) or other features, you'll need to allow additional origins; see Clerk's CSP guide for the full list.
Apply it either with a <meta> tag in your renderer HTML:
[!NOTE]
Loading the renderer from a dev server (such as Vite) requires looser rules for HMR: add 'unsafe-eval' to script-src and your dev server's origin to connect-src (for example, ws://localhost:<port> http://localhost:<port>). Many apps skip CSP during development and apply it only to packaged builds.
Passkeys
Passkey support works in two modes, selected automatically per request:
Renderer mode: when your window loads content over https:// from an origin that matches your passkey RP (Relying Party) ID, the renderer's built-in Chromium WebAuthn is used. Credentials are synced by the OS/browser ecosystem (Windows Hello works out of the box; Touch ID on macOS requires Electron ≥ 42 and app.configureWebAuthn).
Native mode: when your window loads a local bundle (e.g. scheme://host), WebAuthn's origin checks reject the request, so the ceremony is routed over IPC to the main process and serviced by the OS WebAuthn APIs (AuthenticationServices on macOS, webauthn.dll on Windows) via the optional @clerk/electron-passkeys native module.
Passkey code is only bundled and initialized when you pass the passkeys prop. If you manage the Clerk instance yourself instead of using ClerkProvider, wire it up before clerk.load():
Like passkeys on iOS, the macOS platform APIs require a verified association between your app and your domain:
In the Clerk Dashboard, navigate to the Native applications page and ensure that the Native API is enabled. This is required to integrate Clerk in your Electron application.
Add an iOS application to the Native applications page in the Clerk Dashboard. You will need your app's App ID Prefix and Bundle ID. An Electron macOS app uses the same configuration as iOS applications.
Sign your app with com.apple.developer.associated-domains containing webcredentials:<rp-domain>. This is a restricted entitlement: the build must embed a provisioning profile with the Associated Domains capability for the bundle ID, and the entitlements must also include com.apple.application-identifier and com.apple.developer.team-identifier matching the profile.
Quick Tips (each of these failure modes produces the same opaque "not associated with domain" error):
Sign with an Apple Development identity (mac.type: development in electron-builder) and a macOS App Development profile that includes your Mac; also install the profile on the machine (~/Library/Developer/Xcode/UserData/Provisioning Profiles/<UUID>.provisionprofile).
Copy .app bundles with ditto. Other copy methods may break the app seal and macOS silently ignores the entitlements of an app whose signature fails codesign --verify --deep --strict.
The system registers the domain association via swcd when the app launches; verify with sudo swcutil show. If state gets stuck, sudo swcutil reset and relaunch.
Prefer the default (production/CDN) association route. ?mode=developer + sudo swcutil developer-mode -e true exists but is often flaky.
Windows has no equivalent requirement. On Linux there is no native path; passkeys work in renderer mode only (including external security keys).
The npm package @clerk/electron receives a total of 7,021 weekly downloads. As such, @clerk/electron popularity was classified as popular.
We found that @clerk/electron demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.It has 6 open source maintainers collaborating on the project.
Package last updated on 17 Jul 2026
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
The White House’s Gold Eagle Initiative aims to coordinate AI-discovered vulnerabilities, validate findings, and accelerate patching across critical software.