Documentation
Overview
Package clerk provides Clerk JWT middleware.
When enabled, JWKS refresh runs in the background. Call Middleware.Close() or cancel the context passed to NewMiddleware to stop the refresh goroutine.
Constants
This section is empty.
Variables
This section is empty.
Functions
func HealthChecker
func HealthChecker(cfg Config, client *http.Client) ports.HealthChecker
HealthChecker returns a Clerk JWKS health checker or nil when disabled.
Types
type ClaimRequirements
type ClaimRequirements struct {
	RequireSubject    *bool
	RequireExpiration *bool
	RequireIssuedAt   *bool
	RequireNotBefore  *bool
}
ClaimRequirements configures required JWT claims (nil preserves defaults).
type Config
type Config struct {
	Enabled  bool
	JWKSURL  string
	Issuer   string
	Audience string
	// AllowedAlgorithms constrains JWT signing methods (defaults to RS256).
	AllowedAlgorithms   []string
	AllowedClockSkew    time.Duration
	JWKSRefreshTimeout  time.Duration
	JWKSRefreshInterval time.Duration
	// RequiredClaims enforces presence of specific JWT claims (defaults to sub + exp).
	RequiredClaims ClaimRequirements
	// AllowDangerousDevBypasses enables skip headers only from trusted proxies.
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipHeaderName            string
	// SkipTrustedProxies configures trusted CIDRs for skip header usage.
	SkipTrustedProxies []string
}
Config controls Clerk JWT validation.
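The skip-header fields open a path around JWT validation, so the check on the caller's address matters. The following is an added sketch, not this package's code: `skipPolicy`, `mayBypass`, `sampleRequest` and the `X-Skip-Auth` header name are hypothetical, and it assumes a bypass needs both flags, the header, and a direct peer address inside `SkipTrustedProxies`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
)

// skipPolicy copies the skip-related Config fields listed on this page.
type skipPolicy struct {
	AllowDangerousDevBypasses, SkipHeaderEnabled bool
	SkipHeaderName                               string
	SkipTrustedProxies                           []string
}

// mayBypass is a hypothetical helper. Assumed semantics: both flags on, the
// header present, and the direct TCP peer inside a trusted CIDR. Forwarding
// headers such as X-Forwarded-For are ignored because the client sets them.
func mayBypass(p skipPolicy, r *http.Request) bool {
	if !p.AllowDangerousDevBypasses || !p.SkipHeaderEnabled || p.SkipHeaderName == "" {
		return false
	}
	if r.Header.Get(p.SkipHeaderName) == "" {
		return false
	}
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return false // unparseable peer address: fail closed
	}
	for _, cidr := range p.SkipTrustedProxies {
		// A malformed entry is skipped, so a typo never widens trust.
		if pfx, err := netip.ParsePrefix(cidr); err == nil && pfx.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

// sampleRequest builds a constructed request; it is not captured traffic.
func sampleRequest(remoteAddr, header, value string) *http.Request {
	r := &http.Request{Header: http.Header{}, RemoteAddr: remoteAddr}
	r.Header.Set(header, value)
	return r
}

func main() {
	p := skipPolicy{true, true, "X-Skip-Auth", []string{"10.0.0.0/8"}}
	fmt.Println(mayBypass(p, sampleRequest("10.1.2.3:4000", "X-Skip-Auth", "1")))    // trusted peer
	fmt.Println(mayBypass(p, sampleRequest("203.0.113.9:4000", "X-Skip-Auth", "1"))) // untrusted peer
}
```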
func LoadConfig
LoadConfig reads Clerk config from environment.
type Middleware
type Middleware struct {
	// contains filtered or unexported fields
}
Middleware validates Clerk-issued JWTs and stores the subject.
func NewMiddleware
NewMiddleware creates a middleware instance. If JWKS refresh is enabled, Close() must be called or the passed context canceled on shutdown.
func (*Middleware) Close
func (m *Middleware) Close()
Close stops background JWKS refresh work, if enabled.
func (*Middleware) Handler
func (m *Middleware) Handler(next http.Handler) http.Handler
Handler returns the http middleware.
func (*Middleware) OptionalHandler
func (m *Middleware) OptionalHandler(next http.Handler) http.Handler
OptionalHandler attaches a subject when a valid token is present, but allows requests without authentication to continue.