clerk-sessions-webhooks-security
Installation
SKILL.md
Clerk Sessions, Webhooks, and Security
Overview
Use this skill for Clerk's security-sensitive surfaces: sessions, JWTs, token retrieval, organizations and authorization, webhook synchronization, environment separation, and production hardening. Prioritize trust boundaries and replay-safe design.
Sessions and Tokens
Distinguish the token or session type before writing code:
| Surface | Use |
|---|---|
| Session token | Authenticates a signed-in user session |
| Custom JWT template | Supplies custom claims for an external service integration |
| API key | Authenticates an application/user-created key where Clerk supports API keys |
| OAuth token | Authenticates OAuth access flows where enabled |
| Machine-to-machine token | Authenticates service-to-service requests |
Use getToken() from the relevant Clerk auth object or hook to retrieve a session token or custom JWT template where supported. Always await it. Do not store tokens in localStorage, log them, embed them in URLs, or send them to origins that do not need them.