@clerk/express
Advanced tools
Clerk is the easiest way to add authentication and user management to your Express application. Add sign up, sign in, and profile management to your application in minutes.
>=18.17.0 or laternpm install @clerk/express
Navigate to the Clerk Dashboard and inside the API Keys section copy the publishable key and secret key.
Paste your keys into an .env file:
CLERK_PUBLISHABLE_KEY=pk_*******
CLERK_SECRET_KEY=sk_******
Ensure that the environment variables are loaded, for example by using dotenv at the top of your Express application:
import 'dotenv/config';
// Rest of application
clerkMiddleware()The clerkMiddleware() function checks the request's cookies and headers for a session JWT and, if found, attaches the Auth object to the request object under the auth key.
import { clerkMiddleware } from '@clerk/express';
import express from 'express';
const app = express();
// Pass no parameters
app.use(clerkMiddleware());
// Pass options
app.use(clerkMiddleware(options));
requireAuthThe requireAuth() middleware functions similarly to clerkMiddleware(), but also protects your routes by redirecting unauthenticated users to the sign-in page.
The sign-in path will be read from the signInUrl option or the CLERK_SIGN_IN_URL environment variable if available.
import { requireAuth } from '@clerk/express';
import express from 'express';
const app = express();
// Apply centralized middleware
app.use(requireAuth());
// Apply middleware to a specific route
app.get('/protected', requireAuth(), (req, res) => {
res.send('This is a protected route');
});
// Custom sign-in URL
app.get('/protected', requireAuth({ signInUrl: '/sign-in' }), (req, res) => {
res.send('This is a protected route');
});
getAuth()The getAuth() helper retrieves authentication state from the request object. See the Next.js reference documentation for more information on how to use it.
import { clerkMiddleware, getAuth } from '@clerk/express';
import express from 'express';
const app = express();
// Apply centralized middleware
app.use(clerkMiddleware());
// Protect a route based on authorization status
hasPermission = (request, response, next) => {
const auth = getAuth(request);
// Handle if the user is not authorized
if (!auth.has({ permission: 'org:admin:testpermission' })) {
return response.status(403).send('Unauthorized');
}
return next();
};
app.get('/path', requireAuth, hasPermission, (req, res) => res.json(req.auth));
clerkClientClerk's JavaScript Backend SDK exposes Clerk's Backend API resources and low-level authentication utilities for JavaScript environments. For example, if you wanted to get a list of all users in your application, instead of creating a fetch to Clerk's https://api.clerk.com/v1/users endpoint, you can use the users.getUserList() method provided by the JavaScript Backend SDK.
All resource operations are mounted as sub-APIs on the clerkClient object. See the reference documentation for more information.
import { clerkClient } from '@clerk/express';
import express from 'express';
const app = express();
app.get('/users', requireAuth, async (req, res) => {
const users = await clerkClient.users.getUserList();
return res.json({ users });
});
You can get in touch with us in any of the following ways:
We're open to all community contributions! If you'd like to contribute in any way, please read our contribution guidelines and code of conduct.
@clerk/express follows good practices of security, but 100% security cannot be assured.
@clerk/express is provided "as is" without any warranty. Use at your own risk.
For more information and to report security issues, please refer to our security documentation.
This project is licensed under the MIT license.
See LICENSE for more information.
FAQs
Clerk server SDK for usage with Express
The npm package @clerk/express receives a total of 43,540 weekly downloads. As such, @clerk/express popularity was classified as popular.
We found that @clerk/express demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious PyPI checkers validate stolen emails against TikTok and Instagram APIs, enabling targeted account attacks and dark web credential sales.
Security News
The Node.js TSC opted not to endorse a feature bounty program, citing concerns about incentives, governance, and project neutrality.
Research
Security News
A look at the top trends in how threat actors are weaponizing open source packages to deliver malware and persist across the software supply chain.