|
| 1 | +--- |
| 2 | +title: "Clerk" |
| 3 | +description: "Use Clerk as a User Source so people who already sign in through your Clerk instance can sign in to your MCP Gateways" |
| 4 | +--- |
| 5 | + |
| 6 | +import Image from "next/image"; |
| 7 | +import { Steps } from "nextra/components"; |
| 8 | + |
| 9 | +export const IMAGE_SCALE_FACTOR = 1.5; |
| 10 | +export const CLERK_SCREENSHOT_WIDTH = 1312 / IMAGE_SCALE_FACTOR; |
| 11 | +export const CLERK_SCREENSHOT_HEIGHT = 949 / IMAGE_SCALE_FACTOR; |
| 12 | + |
| 13 | +# Clerk |
| 14 | + |
| 15 | +Use Clerk as a User Source so the people who already sign in through your Clerk instance can sign in to your MCP Gateways. Clerk's [OAuth applications](https://clerk.com/docs/advanced-usage/clerk-idp) feature turns your Clerk instance into an OIDC identity provider that Arcade can connect to. Once you have the values it tells you to copy, [create the User Source in Arcade](/guides/user-sources#create-a-user-source). |
| 16 | + |
| 17 | +## Before you start |
| 18 | + |
| 19 | +- A Clerk account with admin access to the instance you want to use. |
| 20 | +- A Clerk instance. Clerk maintains separate development and production instances per app, each with its own Frontend API URL. You can develop against the development instance first and switch the User Source to the production instance when you're ready. |
| 21 | +- An Arcade project where you'll create the User Source. |
| 22 | + |
| 23 | +## Register an OAuth application in Clerk |
| 24 | + |
| 25 | +<Steps> |
| 26 | + |
| 27 | +### Open the Clerk Dashboard |
| 28 | + |
| 29 | +Sign in to the [Clerk Dashboard](https://dashboard.clerk.com/sign-in). Pick the workspace that owns your Clerk application, open the application you want to configure, then in the application's top tabs select **Configure**. In the left navigation under **Developers**, click **OAuth Applications**, then **Add OAuth application**. |
| 30 | + |
| 31 | +### Fill in the application details |
| 32 | + |
| 33 | +In the **Create application** dialog: |
| 34 | + |
| 35 | +- **Name**: a label your team will recognize, for example `Arcade User Source`. |
| 36 | +- **Scopes**: open the Scopes dropdown and make sure `openid` is selected. Arcade also requests `profile` and `email` by default, so add those if they aren't selected already. |
| 37 | +- **Public**: leave this toggle **off**. Arcade authenticates with Clerk using a Client Secret, which the confidential flow supports. Arcade still uses PKCE on every sign-in regardless of this setting; the toggle only controls whether Clerk requires a Client Secret on token exchange. |
| 38 | +- **Consent screen**: leave this toggle **off**. Clerk recommends enabling consent for third-party applications, but a User Source-backed gateway is part of your own identity infrastructure, so end users shouldn't see an extra consent prompt at sign-in. |
| 39 | + |
| 40 | +Click **Add**. |
| 41 | + |
| 42 | +<Image |
| 43 | + alt="Create application dialog in Clerk with Name and Scopes filled in and the Public and Consent screen toggles off" |
| 44 | + className="max-w-full mt-4" |
| 45 | + src="/images/user-sources/clerk/clerk-create-app-light.png" |
| 46 | + width={CLERK_SCREENSHOT_WIDTH} |
| 47 | + height={CLERK_SCREENSHOT_HEIGHT} |
| 48 | +/> |
| 49 | + |
| 50 | +### Save the Client Secret |
| 51 | + |
| 52 | +Clerk shows the **Client Secret** in a one-time dialog after the application is created. Copy the value and store it somewhere secure. The full secret is not retrievable from the Dashboard afterward; if you lose it, regenerate a new one from the application's settings. |
| 53 | + |
| 54 | +### Add the Arcade redirect URL |
| 55 | + |
| 56 | +After closing the secret dialog, Clerk takes you to the application's settings page. In the **Redirect URIs** section, click **Add URI** and enter: |
| 57 | + |
| 58 | +`https://cloud.arcade.dev/oauth2/intermediate_callback` |
| 59 | + |
| 60 | +The same page also surfaces your **Client ID** under **Application credentials** and your **Discovery URL** under **Application configuration URLs** — you'll use both in the next section. |
| 61 | + |
| 62 | +<Image |
| 63 | + alt="Clerk OAuth application Configure page with the Arcade redirect URI added and the Client ID and Discovery URL visible" |
| 64 | + className="max-w-full mt-4" |
| 65 | + src="/images/user-sources/clerk/clerk-redirect-uri-client-id-issuer-light.png" |
| 66 | + width={CLERK_SCREENSHOT_WIDTH} |
| 67 | + height={CLERK_SCREENSHOT_HEIGHT} |
| 68 | +/> |
| 69 | + |
| 70 | +</Steps> |
| 71 | + |
| 72 | +## Copy these values to Arcade |
| 73 | + |
| 74 | +Copy these values into Arcade's User Source form: |
| 75 | + |
| 76 | +| Arcade field | Where to find it in Clerk | |
| 77 | +|---|---| |
| 78 | +| **Issuer URL** | The OAuth application's **Discovery URL** under **Application configuration URLs**, with the `/.well-known/openid-configuration` suffix removed. For example, `https://<verb-noun-NN>.clerk.accounts.dev/.well-known/openid-configuration` becomes `https://<verb-noun-NN>.clerk.accounts.dev`. **Do not add a trailing slash.** Clerk emits the issuer without one and Arcade matches the value exactly. | |
| 79 | +| **Client ID** | The **Client ID** field under **Application credentials**. | |
| 80 | +| **Client Secret** | The Client Secret you saved when you created the application. | |
| 81 | + |
| 82 | +## Create the User Source in Arcade |
| 83 | + |
| 84 | +Open the Arcade Dashboard, select your project, navigate to **User Sources**, and click **Create User Source**. Paste the values from the table above. For a walkthrough of the form, see [Create a User Source](/guides/user-sources#create-a-user-source) in the User Sources overview. |
| 85 | + |
| 86 | +Once the User Source is active, attach it to an MCP Gateway by following [Create via Dashboard](/guides/mcp-gateways/create-via-dashboard) and picking **User Source** under "Non-Arcade Users" in the gateway form. |
| 87 | + |
| 88 | +## Notes |
| 89 | + |
| 90 | +- **Development vs production instances**: Clerk's development and production instances have different Frontend API URLs and different OAuth applications. When you're ready to move from a development setup to production, register a new OAuth application in the production instance and create a separate Arcade User Source for it. |
| 91 | +- **Client secret rotation**: Clerk supports regenerating the Client Secret from the OAuth application's **Application credentials** section. See [Rotate the client secret](/guides/user-sources#rotate-the-client-secret) in the User Sources guide for the Arcade-side procedure. |
| 92 | +- **Subject Claim**: Arcade's default Subject Claim, `sub`, is the Clerk user ID and is the recommended value. Clerk's OAuth applications also expose `public_metadata` and `private_metadata` scopes that surface the corresponding [user metadata](https://clerk.com/docs/users/metadata) on the ID token, which lets you add organization, role, or other custom data to claims. See [Advanced: scopes and subject claim](/guides/user-sources#advanced-scopes-and-subject-claim) in the overview for what makes a good claim. |
0 commit comments