After migrating three projects off Auth0, spending 47 hours debugging NextAuth session issues, and implementing Clerk across 14 tenant applications, I can say this: Clerk is the first auth provider that made me forget I was doing authentication.
I've been implementing authentication professionally for 12 years — from hand-rolled bcrypt + JWT to Firebase Auth, Auth0, NextAuth, and Supabase Auth. Every one of them made me miserable in different ways. Auth0's dashboard was Byzantine. NextAuth's session management felt like a Rube Goldberg machine. Supabase Auth worked until you needed custom claims, at which point it became a database migration project.
I migrated my first project to Clerk in August 2025 — a Next.js SaaS application with 4,200 users, social login (Google/GitHub), and organization-based multi-tenancy. The migration took 11 hours including testing. I've since migrated two more projects and built three greenfield applications on Clerk. Here's what I've learned from roughly 8 months of daily use across production workloads.
The Architecture: Sessions as a First-Class Concept
Clerk's architecture is built around sessions, not tokens. When a user authenticates, Clerk issues a session that's managed server-side, not in a JWT you pass around. This changes everything about how you think about auth.
In a JWT-based system (Auth0, Supabase), you issue a token with an expiry, decode it on every request, and pray nobody's token was stolen between the time you issued it and the expiry window. Revoking a JWT requires maintaining a token blacklist or waiting for it to expire. Clerk inverts this: the session lives on Clerk's servers, and your application gets a short-lived session token that Clerk validates on every request. Revoke a session from the dashboard, and it's dead instantly — no waiting for JWT expiry.
The React SDK is what sold me. Here's what protecting a route looks like with Clerk's Next.js integration:
// middleware.ts — protects routes with zero component-level changes
const isProtectedRoute = createRouteMatcher([
'/dashboard(.*)',
'/settings(.*)',
'/api/(.*)',
]);
const isAdminRoute = createRouteMatcher(['/admin(.*)']);
export default clerkMiddleware(async (auth, req) => {
// Protect general authenticated routes
if (isProtectedRoute(req)) {
await auth.protect();
}
// Role-based access for admin routes
if (isAdminRoute(req)) {
const { sessionClaims } = await auth();
if (sessionClaims?.metadata?.role !== 'admin') {
return new Response('Forbidden', { status: 403 });
}
}
});
export const config = {
matcher: ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc)(.*)'],
};
Compare this to NextAuth, where middleware protection requires manual token parsing, custom callbacks, and a session provider wrapped around your entire component tree. With Clerk, protecting routes is 6 lines of configuration. Protecting API routes is even simpler — every request automatically includes the authenticated user's session claims.
The organization (multi-tenancy) support is where Clerk pulls ahead of every competitor. Organizations are a native concept in Clerk, not a hack on top of user metadata. You can create organizations, invite members with roles (admin, member, guest), and scope sessions to specific organizations. Here's the pattern I use for multi-tenant API routes:
export async function GET() {
const { userId, orgId, orgRole } = await auth();
if (!userId || !orgId) {
return Response.json({ error: 'Unauthorized' }, { status: 401 });
}
if (orgRole !== 'org:admin') {
return Response.json({ error: 'Forbidden' }, { status: 403 });
}
// orgId scopes all queries to the current tenant
const projects = await db.query.projects.findMany({
where: { organizationId: orgId },
});
return Response.json(projects);
}
The orgId is automatically derived from the active session — no manual organization-scoping middleware, no accidental cross-tenant data leaks.
Developer Experience: The Pre-Built UI Is Actually Good
Every auth provider has pre-built UI components. Most are ugly, inflexible, and get ripped out the moment you need custom branding. Clerk's components are different. The ,, and `` components are production-quality — responsive, accessible, and themable via a simple configuration object:
`typescript
export default function RootLayout({ children }) {
return (
{children}
);
}
`
I built a complete auth flow — sign in, sign up, email verification, password reset, social login, organization switching — in roughly 90 minutes using Clerk's pre-built components. The same flow took me 3 days with NextAuth and 2 days with Auth0 (both including custom UI work). For the social login integration, connecting Google and GitHub OAuth took 4 minutes each — enter client ID and secret in the Clerk dashboard, and the buttons appear in your sign-in component.
The webhook system is comprehensive and well-documented. My application listens for user.created, user.updated, session.created, organizationMembership.created, and organizationMembership.deleted events. Each webhook payload includes the full user/org object, not just an ID that requires a follow-up API call. The webhook signature verification (Svix under the hood) works out of the box:
`typescript
export async function POST(req: Request) {
const WEBHOOK_SECRET = process.env.CLERK_WEBHOOK_SECRET!;
const payload = await req.text();
const headers = {
'svix-id': req.headers.get('svix-id')!,
'svix-timestamp': req.headers.get('svix-timestamp')!,
'svix-signature': req.headers.get('svix-signature')!,
};
const wh = new Webhook(WEBHOOK_SECRET);
const evt = wh.verify(payload, headers) as {
type: string;
data: Record;
};
switch (evt.type) {
case 'user.created':
await syncUserToDatabase(evt.data);
break;
case 'organizationMembership.created':
await provisionTenantResources(evt.data);
break;
}
return Response.json({ received: true });
}
`
Where It Falls Short
The pricing model has a cliff at 10,000 MAU. Clerk's free tier covers 10,000 monthly active users — generous for early-stage projects. The Pro plan at $25/month + $0.02 per additional MAU is reasonable. But at 50,000 MAU, you're paying roughly $825/month. At 100,000 MAU, it's $1,825/month. This is cheaper than Auth0 (which would be roughly $2,400/month at the same scale) but significantly more expensive than self-hosting NextAuth with a database, which costs $0 in auth-specific fees (you pay for your database and your engineering time).
The vendor lock-in is deeper than it appears. Clerk manages your users, sessions, organizations, and permissions. If you migrate away, you need to export users (including password hashes, which use Clerk's hashing algorithm), rebuild session management, recreate organization hierarchies, and replace the pre-built UI components. Clerk provides an export API, but migrating 50,000 users off Clerk would be a multi-week engineering project. Compare this to NextAuth, where you own your user table and sessions — migrating away means swapping a library.
The SDK surface area is massive for what it does. Clerk's JavaScript SDK is roughly 2.4MB minified (including React bindings). For comparison, NextAuth's core is about 180KB. If bundle size matters for your application — and it should if you're building for mobile web or slow connections — Clerk's SDK adds measurable weight to your initial JavaScript payload.
Custom claims are limited on lower tiers. Clerk's public metadata (for roles, permissions, etc.) is limited to 8KB on the free tier and 32KB on Pro. If you need complex permission structures with hundreds of granular permissions per user, you'll need to store them in your own database and sync via webhooks. This works, but it defeats the purpose of having auth metadata managed by your auth provider.
Who Should Use It
Use Clerk if you're building a Next.js (or React-based) application and authentication is a solved problem you want to stop thinking about. The developer experience is genuinely best-in-class — I've shipped auth flows in hours that took days with other providers. If you need multi-tenancy with organization-scoped sessions, Clerk is the only auth provider where this is a first-class feature, not a workaround. If you're a solo developer or small team building a SaaS product and you want to focus on your product instead of auth infrastructure, the monthly cost is worth the engineering time it saves.
Skip Clerk if you're building an application that might outgrow third-party auth (100K+ MAU), and you want to own your user data from day one. Clerk's vendor lock-in is real, and migrating at scale is painful. If you need deep customization of the auth UI and Clerk's theming variables don't cut it, you'll need to build custom components using Clerk's lower-level APIs, which eliminates much of the DX advantage. If bundle size is a hard constraint, Clerk's 2.4MB SDK is a non-trivial cost. And if you're building a B2C application with 500K+ users, the per-MAU pricing will eventually push you toward self-hosted solutions — plan your migration before you hit that scale, not after.
The Bottom Line
Clerk solves the problem it sets out to solve: making authentication not miserable. The pre-built UI is the first I've used that I didn't immediately want to replace. The organization model makes multi-tenancy feel native instead of bolted on. The middleware approach keeps auth logic out of your components, which keeps your application code clean.
The tradeoffs are the usual ones for managed auth: you're paying for convenience and accepting lock-in in exchange. For early-stage SaaS products and teams that want to focus on their product instead of auth infrastructure, Clerk is the best option available in 2026. For high-scale applications where per-user costs dominate, or for teams that need full control over their auth stack, the self-hosted path (NextAuth, Lucia, or a custom implementation) still makes sense — you'll just spend more time on authentication than you'd like.
Originally published at pickuma.com. Subscribe to the RSS or follow @pickuma.bsky.social for new reviews.
Top comments (0)