Every app needs login. Almost nobody enjoys building it. You start with "just email and password," then a customer asks for Google sign-in, then a bigger customer asks for "log in with our company account," and suddenly you are reading SAML specifications at midnight and wondering where your weekend went. Authentication is the classic undifferentiated heavy lifting: mandatory, security-critical, and worth zero dollars of product differentiation if you build it yourself.
Clerk is the tool I reach for to make that whole problem go away, and the part it does best is the part most people dread: single sign-on. Here is the honest walkthrough, including what it costs and where it bites.
What Clerk actually is
Clerk is a drop-in authentication and user-management platform. Instead of writing sign-up forms, session handling, password resets, and MFA from scratch, you embed a few prebuilt components and let Clerk run identity for you. The headline components are exactly what you'd expect: <SignIn />, <SignUp />, <UserButton />, and for B2B apps, <OrganizationSwitcher />. Drop them in, point your app at Clerk, and you have a working auth system in an afternoon instead of a sprint.
The deeper value is that it keeps users inside your app rather than bouncing them to a generic hosted login page, and it covers the long tail of auth most teams underestimate: email verification, magic links, passkeys, account management, and session security.
SSO is where it earns its keep
There are two very different things people mean by "SSO," and Clerk handles both.
Social sign-on is the easy one: "continue with Google / GitHub / Microsoft." Clerk supports more than 20 OAuth providers, and in development you can flip them on with Clerk's preconfigured credentials before you ever register your own app with Google. That alone removes a fiddly afternoon.
Enterprise SSO is the one that usually turns into a project. When a business customer says "our employees log in through Okta," you are signing up for SAML, and SAML is a protocol that punishes improvisation. Clerk gives you three routes here, and picking the right one is most of the battle:
- SAML connections with Microsoft Entra (Azure AD), Google Workspace, and Okta as first-class identity providers, plus any other SAML-compliant IdP. It supports both service-provider-initiated and IdP-initiated flows.
- OIDC connections for any OpenID-Connect provider.
- EASIE, Clerk's lower-friction path that delivers enterprise-grade SSO through a multi-tenant OpenID provider (Google Workspace and Microsoft Entra). The distinction that matters: SAML leans on a single-tenant IdP and a full per-customer setup, while EASIE rides a multi-tenant provider, so you can stand up enterprise login with far less per-connection ceremony. If your enterprise customers live on Google or Microsoft, EASIE is the "easier SSO" in the title.
The genuinely useful part for B2B apps is that enterprise connections attach to a specific organization. In the Clerk dashboard you configure a connection and pick which org (which customer) it belongs to, enforce it per email domain, and let just-in-time provisioning auto-add employees with a default role when they first log in through their company IdP. That is real multi-tenant SSO, the thing that normally takes a dedicated engineer weeks, reduced to a config screen plus a callback.
The B2B layer: organizations
If you are building anything multi-tenant, Clerk's organizations are the other reason to look. Users can belong to multiple orgs, each session exposes the active org and the user's role in it, and you get default roles (org:admin, org:member) plus custom roles and fine-grained permissions, invitations, and the per-org SSO above. This is the Slack-workspace / Linear-team model handed to you instead of hand-rolled.
MFA, passkeys, and a correction worth making
Clerk covers multi-factor auth with authenticator-app TOTP, SMS codes, and backup codes, and supports passwordless flows including email codes, magic links, and passkeys (WebAuthn).
One precise point, because a lot of write-ups get it wrong: passkeys are a primary login factor in Clerk, not an MFA second factor. Clerk's own docs state passkeys are not currently available as an MFA option. If you are planning a "passkey as your second factor" flow, that is not how it works today. Use TOTP or SMS for the second factor and passkeys for primary, passwordless login.
A second freshness note for anyone who started a Clerk project a while ago: Clerk Elements, the headless component library, was deprecated with Clerk Core 3 in March 2026, in favor of redesigned hooks that handle custom UIs with less complexity and work with any component library. If you are reading an older tutorial that tells you to build custom flows on Elements, that path is on the way out. For most teams the prebuilt components plus the appearance prop for theming is all you need; reach for the hooks only when you want a fully custom UI.
What it costs (as of mid-2026)
Pricing is the part people get wrong most often, so here are the current numbers from clerk.com/pricing, dated June 2026 because Clerk has changed them before:
- Hobby (free): $0, up to 50,000 monthly retained users.
- Pro: $25/mo ($20/mo billed annually), 50,000 retained users included.
- Business: $300/mo, and Enterprise is custom.
Two details that matter more than the headline price:
First, the free metric is MRU, monthly retained users, not MAU. Clerk only counts a user as "retained" if they come back at least 24 hours after signing up, so all your day-one signups and bounced traffic are free. Most third-party articles say "MAU" here and it is simply wrong.
Second, and this is the big one for SSO: MFA and your first enterprise SSO connection are included in Pro at $25/mo. The old "Enhanced Authentication" add-on that used to gate MFA and SAML is gone. Additional enterprise connections are metered at about $75/mo each beyond the first, with volume discounts at scale. So the math is: $25/mo gets you the whole social + MFA + one-enterprise-connection stack, and you only pay more when you are signing multiple enterprise customers, which is exactly when you can afford to.
That per-connection model is also the honest caveat. If your business is selling to dozens of enterprises that each demand their own SAML connection, $75/mo per connection adds up, and you should price that into your deal economics. Clerk itself has written about per-connection versus per-user SSO pricing, so go in with eyes open.
The other honest tradeoffs
- Dev-to-production has real steps. Going live means swapping
pk_test_/sk_test_keys forpk_live_/sk_live_, replacing Clerk's shared development OAuth credentials with your own per-provider client IDs and secrets (the shared dev credentials are explicitly not secure for production), owning a domain and configuring DNS (which can take up to 48 hours), and updating webhook URLs. Forgetting to swap keys is the single most common launch mistake. Budget an afternoon for the cutover. - Vendor lock-in is real. Your auth, sessions, and user records live in Clerk's system. Migrating off later means re-implementing components and session handling and exporting users. That is the trade you make for not building it yourself, and for most teams it is the right trade, but it is a trade.
- Session token size. Custom claims in the session JWT are limited by the browser cookie cap (~4KB), leaving roughly 1.2KB for your own claims after Clerk's defaults. If you were planning to stuff a lot into the token, fetch it from your backend instead.
So when do I actually reach for it?
If you are shipping a product and auth is not your product, Clerk is the fastest credible path I have used to get from "no login" to "Google sign-in, MFA, and enterprise SAML for that one big customer," without turning identity into a subsystem you maintain forever. Pair it with a cheap, fast host (the Cloudflare developer platform is my default) and you can stand up a real, secure, multi-tenant app in days. If you are also building the AI side of that app, the platform-engineering capability roadmap covers the auth-adjacent infrastructure decisions worth getting right early.
The whole point of shipping lean is spending your limited hours on the thing customers pay for, not on the thing every app needs and nobody rewards you for. That mindset, build the smallest defensible thing and let proven tools carry the undifferentiated weight, is the entire argument of The $97 Launch.
Related reading
- The Cloudflare developer platform — where I host the apps Clerk authenticates
- Becoming an AI/ML platform engineer — the infrastructure skills behind production apps
- AI terminal kickstart — get a working AI dev environment in one script
Fact-check notes and sources
- Clerk overview, components, and Account Portal: Clerk docs — components overview and clerk.com (accessed 2026-06-24).
- Social connections (20+ OAuth providers): Clerk docs — social connections. Enterprise SSO (SAML, OIDC, EASIE; SP- and IdP-initiated): Clerk docs — enterprise connections. Per-organization SSO + JIT provisioning: Clerk docs — organization SSO.
- Organizations, roles, and permissions: Clerk docs — organizations.
- MFA options and passkeys-not-an-MFA-factor: Clerk docs — sign-up/sign-in options.
- Clerk Elements deprecated at Core 3 (March 3, 2026): Clerk changelog — Core 3.
- Sessions/JWT and custom-claim size limit: Clerk docs — session tokens and customize session tokens.
- Dev-to-production checklist (key swap, own OAuth credentials, DNS, webhooks): Clerk docs — deploy to production.
- Pricing (Hobby free / Pro $25/mo / Business $300/mo; MRU metric; MFA + first enterprise connection included in Pro; ~$75/mo per additional connection), as of 2026-06-24: clerk.com/pricing. Per-connection vs per-user SSO economics (vendor perspective): Clerk article.
This post is informational, not security or legal advice, and I have no affiliation with Clerk. Pricing and product details are as of mid-2026 and change; verify current figures at clerk.com before you build on them.
