Hey, the idea of delegating this to the front end is very interesting! I've integrated Auth0 before and felt that it was clunky for designing more customized flows from the UX/UI POV.

1. With the new server components paradigm, React and Next have gone through a lot of changes around how SSR is done. Are your helper functions (currentUser(), currentOrg(), etc.) compatible with both the old and new approaches? Or is adapting to both one of your current technical challenges?

2. Are you open to candidates in the Americas time zones (LatAm)?

Answering 2 first because it's easier: Yes.

1. It's a great question and we're still learning the answer. But, I believe the approach is ~95% compatible, and the last 5% just needs tweaking on the margins vs a major overhaul. Let me try to explain...

First: SSR definitely makes the framing of "frontend api" vs "backend api" very confusing. So ignore that, and think of it purely as "api authenticated with a session token" vs "api authenticated with a secret key."

I think authenticating via session token is the key to enabling faster development with Clerk than tools like Auth0 (or even Stripe/Twilio/etc). The reason why is that it shifts the problem of _authorization_ from our customer's backend to Clerk's backend.

As an example, consider a user updating their email...

In the past, you would build a frontend for collecting their new email, send it to your backend, ensure that the user is updating their own name (the authorization step), then forward the update along to your account system (Auth0, your own database, whatever).

With Clerk, you build a frontend for collecting their new email, then send it straight to Clerk to handle the update with the user's session token. We are responsible for ensuring the update is to the users own account, and there's no requirement to hop to your backend to relay the secret key.

In the end, that hop to the backend and authorization check is responsible for a lot of the "clunk" that Clerk eliminates. And ultimately, SSR doesn't change our ability to make things easier – we can authenticate our API with a session token just-as-well during SSR as we can from the frontend.

This feels like a paradox, right? A session token has such limited power compared to secret key, so surely it can't be used to build an easier API. But in practice, confidently knowing which user is making the request is necessary for shifting the authorization step to our service.

I'd add that this idea isn't particularly novel. Stripe Checkout depends on a CheckoutSession object, which you initialize by passing in the active user's ID. So there, you see that Stripe having the active user's ID enables them remove a ton of steps for building a checkout. Implicitly, under-the-hood Checkout relies on an API that uses a session token for authentication.

We just took the idea one step further and are exposing the API, instead of only using it to power a single, fairly rigid UI. With Clerk, developers can use React Hooks to build their own UI.

---

Now, regarding the 5% that we still need to figure out. It pertains exactly to the currentUser() and currentOrg() functions you're calling out. Those are compatible, but they require some extra thoughtfulness.

As an example, Clerk's User object has a field called "privateMetadata". From the backend, it's completely okay for currentUser() to return this private data, but Clerk needs to make sure it doesn't leak to the frontend. That creates some oddities - the User object on frontend is different than on backend, and I don't think we've really nailed the ergonomics / education on this part yet. But it generally feels like a solvable problem.

> A session token has such limited power compared to secret key

Does it though? Sure, it has different threat models, and you may choose to assign it different trust levels, but fundamentally (as I understand it) every session token _is_ a secret key, with added benefits.

Awesome! I applied. Just letting you know in case the system flags because I clicked "no" when asked if I'm in the US or the EU.

I agree that SSR makes the "frontend VS backend API" separation very confusing. Session token VS secret key is a better framing for this, and there's a very interesting insight into the paradox that you described! The ergonomics you mention for ensuring consistency sounds like a very interesting technical challenge.

Hey! Interested by the opportunity but does Clerk looking to hire new grad? Thanks!