Documentation
Overview
Package clerk provides Clerk JWT middleware.
The authenticated Subject includes tenant and scope values derived from validated token claims so applications can enforce policy after Clerk JWT validation. When enabled, JWKS refresh runs in the background. Call Middleware.Close() or cancel the context passed to NewMiddleware to stop the refresh goroutine.
Functions
func HealthChecker
func HealthChecker(cfg Config, client *http.Client) ports.HealthChecker
HealthChecker returns a Clerk JWKS health checker or nil when disabled.
Types
type ClaimRequirements
type ClaimRequirements struct {
	RequireSubject    *bool
	RequireExpiration *bool
	RequireIssuedAt   *bool
	RequireNotBefore  *bool
}
ClaimRequirements configures required JWT claims (nil preserves defaults).
type Config
type Config struct {
	Enabled  bool
	JWKSURL  string
	Issuer   string
	Audience string
	// AllowedAlgorithms constrains JWT signing methods (defaults to RS256).
	AllowedAlgorithms   []string
	AllowedClockSkew    time.Duration
	JWKSRefreshTimeout  time.Duration
	JWKSRefreshInterval time.Duration
	// RequiredClaims enforces presence of specific JWT claims (defaults to sub + exp).
	RequiredClaims ClaimRequirements
	// AllowDangerousDevBypasses enables skip headers only from trusted proxies.
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipHeaderName            string
	// SkipTrustedProxies configures trusted CIDRs for skip header usage.
	SkipTrustedProxies []string
}
Config controls Clerk JWT validation.
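One way to audit a Config before deployment, as an added example that is not part of the package or its documentation: AuditInput and AuditConfig are hypothetical names, the struct copies only the fields the check reads, and the sample values are constructed. It flags unsigned or HMAC algorithms in AllowedAlgorithms, an enabled skip-header bypass, and SkipTrustedProxies entries that are malformed or match every address.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// AuditInput is a local stand-in for the Config fields read here, not the package's type.
type AuditInput struct {
	AllowedAlgorithms         []string
	AllowDangerousDevBypasses bool
	SkipHeaderEnabled         bool
	SkipTrustedProxies        []string
}

// AuditConfig (hypothetical helper) returns one finding per risky setting.
func AuditConfig(c AuditInput) []string {
	var out []string
	for _, alg := range c.AllowedAlgorithms {
		a := strings.ToUpper(alg)
		if a == "NONE" {
			out = append(out, "AllowedAlgorithms: none accepts unsigned tokens")
		} else if strings.HasPrefix(a, "HS") {
			out = append(out, "AllowedAlgorithms: "+alg+" is HMAC, but JWKS verification keys are asymmetric")
		}
	}
	if c.AllowDangerousDevBypasses || c.SkipHeaderEnabled {
		out = append(out, "skip header bypass is switched on; keep it out of production")
	}
	for _, cidr := range c.SkipTrustedProxies {
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			out = append(out, "SkipTrustedProxies: "+cidr+" is not a valid CIDR")
		} else if p.Bits() == 0 {
			out = append(out, "SkipTrustedProxies: "+cidr+" trusts every address")
		}
	}
	return out
}

func main() {
	// Constructed sample: a development config that leaked toward production.
	cfg := AuditInput{AllowedAlgorithms: []string{"RS256", "none"}, AllowDangerousDevBypasses: true,
		SkipHeaderEnabled: true, SkipTrustedProxies: []string{"0.0.0.0/0", "10.0.0.5"}}
	for _, f := range AuditConfig(cfg) {
		fmt.Println("FINDING:", f)
	}
}
```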
func LoadConfig
LoadConfig reads Clerk config from the environment.
type Middleware
type Middleware struct {
	// contains filtered or unexported fields
}
Middleware validates Clerk-issued JWTs and stores the subject.
func NewMiddleware
NewMiddleware creates a middleware instance. If JWKS refresh is enabled, Close() must be called or the passed context canceled on shutdown.
func (*Middleware) Close
func (m *Middleware) Close()
Close stops background JWKS refresh work, if enabled.
func (*Middleware) Handler
func (m *Middleware) Handler(next http.Handler) http.Handler
Handler returns the http middleware.
func (*Middleware) OptionalHandler
func (m *Middleware) OptionalHandler(next http.Handler) http.Handler
OptionalHandler attaches a subject when a valid token is present, but allows requests without authentication to continue.