Clerk Backend API: The Clerk REST Backend API, meant to be accessed by backend servers.
When the API changes in a way that isn't compatible with older versions, a new version is released.
Each version is identified by its release date, e.g. 2021-02-05
. For more information, please see Clerk API Versions.
Please see https://clerk.com/docs for more information.
More information about the API can be found at https://clerk.com/docs
- SDK Installation
- IDE Support
- SDK Example Usage
- Authentication
- Request Authentication
- Available Resources and Operations
- File uploads
- Retries
- Error Handling
- Server Selection
- Custom HTTP Client
- Debugging
- Development
The SDK can be installed with either pip or poetry package managers.
PIP is the default package installer for Python, enabling easy installation and management of packages from PyPI via the command line.
pip install clerk-backend-api
Poetry is a modern tool that simplifies dependency management and package publishing by using a single pyproject.toml
file to handle project metadata and dependencies.
poetry add clerk-backend-api
Generally, the SDK will work well with most IDEs out of the box. However, when using PyCharm, you can enjoy much better integration with Pydantic by installing an additional plugin.
# Synchronous Example
from clerk_backend_api import Clerk
with Clerk(
bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:
res = clerk.email_addresses.get(email_address_id="email_address_id_example")
assert res is not None
# Handle response
print(res)
The same SDK client can also be used to make asychronous requests by importing asyncio.
# Asynchronous Example
import asyncio
from clerk_backend_api import Clerk
async def main():
async with Clerk(
bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:
res = await clerk.email_addresses.get_async(email_address_id="email_address_id_example")
assert res is not None
# Handle response
print(res)
asyncio.run(main())
This SDK supports the following security scheme globally:
Name | Type | Scheme |
---|---|---|
bearer_auth |
http | HTTP Bearer |
To authenticate with the API the bearer_auth
parameter must be set when initializing the SDK client instance. For example:
from clerk_backend_api import Clerk
with Clerk(
bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:
clerk.miscellaneous.get_interstitial(frontend_api="frontend-api_1a2b3c4d", publishable_key="pub_1a2b3c4d")
# Use the SDK ...
Use the authenticate_request method to authenticate a request from your app's frontend (when using a Clerk frontend SDK) to a Python backend (Django, Flask, and other Python web frameworks). For example the following utility function checks if the user is effectively signed in:
import os
import httpx
from clerk_backend_api import Clerk
from clerk_backend_api.jwks_helpers import AuthenticateRequestOptions
def is_signed_in(request: httpx.Request):
sdk = Clerk(bearer_auth=os.getenv('CLERK_SECRET_KEY'))
request_state = sdk.authenticate_request(
request,
AuthenticateRequestOptions(
authorized_parties=['https://example.com']
)
)
return request_state.is_signed_in
If the request is correctly authenticated, the token's payload is made available in request_state.payload
. Otherwise the reason for the token verification failure is given by request_state.reason
.
Available methods
- list_allowlist_identifiers - List all identifiers on the allow-list
- create_allowlist_identifier - Add identifier to the allow-list
- create_blocklist_identifier - Add identifier to the block-list
- delete_blocklist_identifier - Delete identifier from block-list
- delete - Delete identifier from allow-list
- update_instance_settings - Update instance settings
update_domain- Update production instance domain⚠️ Deprecated- change_production_instance_domain - Update production instance domain
- list - List all identifiers on the block-list
- list - List all instance domains
- add - Add a domain
- delete - Delete a satellite domain
- update - Update a domain
- create - Create an email address
- get - Retrieve an email address
- delete - Delete an email address
- update - Update an email address
upsert- Update a template for a given type and slug⚠️ Deprecated
list- List all templates⚠️ Deprecatedrevert- Revert a template⚠️ Deprecatedget- Retrieve a template⚠️ Deprecatedtoggle_template_delivery- Toggle the delivery by Clerk for a template of a given type and slug⚠️ Deprecated
- update - Update instance settings
- update_restrictions - Update instance restrictions
- update_organization_settings - Update instance organization settings
- get - Retrieve the JSON Web Key Set of the instance
- list - List all templates
- create - Create a JWT template
- get - Retrieve a template
- update - Update a JWT template
- delete - Delete a Template
- get_interstitial - Returns the markup for the interstitial page
- list - Get a list of OAuth applications for an instance
- create - Create an OAuth application
- get - Retrieve an OAuth application by ID
- update - Update an OAuth application
- delete - Delete an OAuth application
- rotate_secret - Rotate the client secret of the given OAuth application
- update - Update an organization domain.
- create - Create a new organization domain.
- list - Get a list of all domains of an organization.
- delete - Remove a domain from an organization.
- get_all - Get a list of organization invitations for the current instance
- create - Create and send an organization invitation
- list - Get a list of organization invitations
- bulk_create - Bulk create and send organization invitations
list_pending- Get a list of pending organization invitations⚠️ Deprecated- get - Retrieve an organization invitation by ID
- revoke - Revoke a pending organization invitation
- create - Create a new organization membership
- list - Get a list of all members of an organization
- update - Update an organization membership
- delete - Remove a member from an organization
- update_metadata - Merge and update organization membership metadata
- get_all - Get a list of all organization memberships within an instance.
- list - Get a list of organizations for an instance
- create - Create an organization
- get - Retrieve an organization by ID or slug
- update - Update an organization
- delete - Delete an organization
- merge_metadata - Merge and update metadata for an organization
- upload_logo - Upload a logo for the organization
- delete_logo - Delete the organization's logo.
- create - Create a phone number
- get - Retrieve a phone number
- delete - Delete a phone number
- update - Update a phone number
- verify - Verify the proxy configuration for your domain
- list - List all redirect URLs
- list - Get a list of SAML Connections for an instance
- create - Create a SAML Connection
- get - Retrieve a SAML Connection by ID
- update - Update a SAML Connection
- delete - Delete a SAML Connection
- list - List all sessions
- get - Retrieve a session
- revoke - Revoke a session
verify- Verify a session⚠️ Deprecated- create_token_from_template - Create a session token from a jwt template
- update - Update a sign-up
preview- Preview changes to a template⚠️ Deprecated
- create - Retrieve a new testing token
- list - List all users
- create - Create a new user
- count - Count users
- get - Retrieve a user
- update - Update a user
- delete - Delete a user
- ban - Ban a user
- unban - Unban a user
- lock - Lock a user
- unlock - Unlock a user
- set_profile_image - Set user profile image
- delete_profile_image - Delete user profile image
- update_metadata - Merge and update a user's metadata
- get_o_auth_access_token - Retrieve the OAuth access token of a user
- get_organization_memberships - Retrieve all memberships for a user
- get_organization_invitations - Retrieve all invitations for a user
- verify_password - Verify the password of a user
- verify_totp - Verify a TOTP or backup code for a user
- disable_mfa - Disable a user's MFA methods
- delete_backup_codes - Disable all user's Backup codes
- delete_passkey - Delete a user passkey
- delete_web3_wallet - Delete a user web3 wallet
- create_totp - Create a TOTP for a user
- delete_totp - Delete all the user's TOTPs
- delete_external_account - Delete External Account
- create_svix_app - Create a Svix app
- delete_svix_app - Delete a Svix app
- generate_svix_auth_url - Create a Svix Dashboard URL
Certain SDK methods accept file objects as part of a request body or multi-part request. It is possible and typically recommended to upload files as a stream rather than reading the entire contents into memory. This avoids excessive memory consumption and potentially crashing with out-of-memory errors when working with very large files. The following example demonstrates how to attach a file stream to a request.
Tip
For endpoints that handle file uploads bytes arrays can also be used. However, using streams is recommended for large files.
from clerk_backend_api import Clerk
with Clerk(
bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:
res = clerk.users.set_profile_image(user_id="usr_test123", file={
"file_name": "example.file",
"content": open("example.file", "rb"),
"content_type": "<value>",
})
assert res is not None
# Handle response
print(res)
Some of the endpoints in this SDK support retries. If you use the SDK without any configuration, it will fall back to the default retry strategy provided by the API. However, the default retry strategy can be overridden on a per-operation basis, or across the entire SDK.
To change the default retry strategy for a single API call, simply provide a RetryConfig
object to the call:
from clerk_backend_api import Clerk
from clerk_backend_api.utils import BackoffStrategy, RetryConfig
with Clerk() as clerk:
clerk.miscellaneous.get_interstitial(frontend_api="frontend-api_1a2b3c4d", publishable_key="pub_1a2b3c4d",
RetryConfig("backoff", BackoffStrategy(1, 50, 1.1, 100), False))
# Use the SDK ...
If you'd like to override the default retry strategy for all operations that support retries, you can use the retry_config
optional parameter when initializing the SDK:
from clerk_backend_api import Clerk
from clerk_backend_api.utils import BackoffStrategy, RetryConfig
with Clerk(
retry_config=RetryConfig("backoff", BackoffStrategy(1, 50, 1.1, 100), False),
) as clerk:
clerk.miscellaneous.get_interstitial(frontend_api="frontend-api_1a2b3c4d", publishable_key="pub_1a2b3c4d")
# Use the SDK ...
Handling errors in this SDK should largely match your expectations. All operations return a response object or raise an exception.
By default, an API error will raise a models.SDKError exception, which has the following properties:
Property | Type | Description |
---|---|---|
.status_code |
int | The HTTP status code |
.message |
str | The error message |
.raw_response |
httpx.Response | The raw HTTP response |
.body |
str | The response content |
When custom error responses are specified for an operation, the SDK may also raise their associated exceptions. You can refer to respective Errors tables in SDK docs for more details on possible exception types for each operation. For example, the verify_async
method may raise the following exceptions:
Error Type | Status Code | Content Type |
---|---|---|
models.ClerkErrors | 400, 401, 404 | application/json |
models.SDKError | 4XX, 5XX | */* |
from clerk_backend_api import Clerk, models
with Clerk(
bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:
res = None
try:
res = clerk.clients.verify(request={
"token": "jwt_token_example",
})
assert res is not None
# Handle response
print(res)
except models.ClerkErrors as e:
# handle e.data: models.ClerkErrorsData
raise(e)
except models.SDKError as e:
# handle exception
raise(e)
The default server can also be overridden globally by passing a URL to the server_url: str
optional parameter when initializing the SDK client instance. For example:
from clerk_backend_api import Clerk
with Clerk(
server_url="https://api.clerk.com/v1",
) as clerk:
clerk.miscellaneous.get_interstitial(frontend_api="frontend-api_1a2b3c4d", publishable_key="pub_1a2b3c4d")
# Use the SDK ...
The Python SDK makes API calls using the httpx HTTP library. In order to provide a convenient way to configure timeouts, cookies, proxies, custom headers, and other low-level configuration, you can initialize the SDK client with your own HTTP client instance.
Depending on whether you are using the sync or async version of the SDK, you can pass an instance of HttpClient
or AsyncHttpClient
respectively, which are Protocol's ensuring that the client has the necessary methods to make API calls.
This allows you to wrap the client with your own custom logic, such as adding custom headers, logging, or error handling, or you can just pass an instance of httpx.Client
or httpx.AsyncClient
directly.
For example, you could specify a header for every request that this sdk makes as follows:
from clerk_backend_api import Clerk
import httpx
http_client = httpx.Client(headers={"x-custom-header": "someValue"})
s = Clerk(client=http_client)
or you could wrap the client with your own custom logic:
from clerk_backend_api import Clerk
from clerk_backend_api.httpclient import AsyncHttpClient
import httpx
class CustomClient(AsyncHttpClient):
client: AsyncHttpClient
def __init__(self, client: AsyncHttpClient):
self.client = client
async def send(
self,
request: httpx.Request,
*,
stream: bool = False,
auth: Union[
httpx._types.AuthTypes, httpx._client.UseClientDefault, None
] = httpx.USE_CLIENT_DEFAULT,
follow_redirects: Union[
bool, httpx._client.UseClientDefault
] = httpx.USE_CLIENT_DEFAULT,
) -> httpx.Response:
request.headers["Client-Level-Header"] = "added by client"
return await self.client.send(
request, stream=stream, auth=auth, follow_redirects=follow_redirects
)
def build_request(
self,
method: str,
url: httpx._types.URLTypes,
*,
content: Optional[httpx._types.RequestContent] = None,
data: Optional[httpx._types.RequestData] = None,
files: Optional[httpx._types.RequestFiles] = None,
json: Optional[Any] = None,
params: Optional[httpx._types.QueryParamTypes] = None,
headers: Optional[httpx._types.HeaderTypes] = None,
cookies: Optional[httpx._types.CookieTypes] = None,
timeout: Union[
httpx._types.TimeoutTypes, httpx._client.UseClientDefault
] = httpx.USE_CLIENT_DEFAULT,
extensions: Optional[httpx._types.RequestExtensions] = None,
) -> httpx.Request:
return self.client.build_request(
method,
url,
content=content,
data=data,
files=files,
json=json,
params=params,
headers=headers,
cookies=cookies,
timeout=timeout,
extensions=extensions,
)
s = Clerk(async_client=CustomClient(httpx.AsyncClient()))
You can setup your SDK to emit debug logs for SDK requests and responses.
You can pass your own logger class directly into your SDK.
from clerk_backend_api import Clerk
import logging
logging.basicConfig(level=logging.DEBUG)
s = Clerk(debug_logger=logging.getLogger("clerk_backend_api"))
This SDK is in GA. We recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes between major versions unless you are intentionally looking for the latest version.
While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.