Starting January 18, 2027, Clerk will remove support for CBC-mode SSL/TLS cipher suites on Clerk-managed subdomains as certificates rotate. Clients that can only negotiate a CBC cipher will fail the TLS handshake; modern clients already using AEAD ciphers are unaffected.
Clerk Changelog
Each SAML connection can now be configured to send an email address, a custom attribute, or no login hint to the identity provider. Custom SAML connections are opt-in, while named providers default to email.
CLI 2.0 introduces a local webhooks command group (listen, verify, token) for testing deliveries without a linked project, and clerk impersonate (alias clerk imp) for creating short-lived sign-in URLs to debug as a specific user. The interactive experience is refreshed with clearer success/failure output, and all commands respect the agent contract with stable error codes and non-TTY safety.
A new clerk webhooks command group provides relay tunnels, signature verification, and relay-token management for local webhook testing. The clerk impersonate command creates a short-lived sign-in URL to debug as any user, with audit stamps and interactive user selection.
SAML connections can now reject sign-ins from users without an existing account instead of auto-provisioning them, controlled via a self-serve Dashboard toggle or the disable_jit field on the Backend API. When disabled, sign-in attempts by non-existent users fail with a saml_jit_provisioning_disabled error; existing users are unaffected.
Clerk Billing now supports adding or removing account credits from Users and Organizations directly from the Clerk Dashboard and Backend API. Credits are automatically applied toward future charges, with remaining balances carrying forward and all adjustments recorded in an audit ledger.
Enterprise SSO connections can now be configured directly by customers' IT admins through a Security tab in OrganizationProfile, instead of requiring Dashboard access on your side. Supports domains, identity providers (Okta, Google Workspace, Microsoft Entra ID, custom SAML), testing, and activation per Organization.
Clerk's new component lets you host the OAuth consent screen on your own application domain and style it to match your product, available across Next.js, React, React Router, TanStack React Start, Astro, Vue, and Nuxt. Also includes dashboard path configuration and organization selection when the user:org:read scope is requested.
SAML custom attributes can now map every value an identity provider sends into an array on publicMetadata, instead of keeping only the first. This feature is off by default, and existing custom attributes remain unchanged.
The Clerk CLI now includes a clerk deploy command which automates the process of moving an application from development to production by creating a production instance, guiding through DNS and OAuth setup, and verifying DNS, SSL, and email configuration. In agent mode, it emits a JSON handoff describing the deploy state.
Clerk Billing now supports creating plans with per-seat pricing, allowing organizations to charge based on the number of members using their product. Clerk automatically handles seat provisioning, prorates additional seats, and adjusts seat quantity at the beginning of each billing period.
Clerk's native mobile SDKs now include prebuilt Organization management components: OrganizationSwitcher for account switching and settings access, OrganizationListView for standalone account selection, and OrganizationProfileView for permission-gated organization management covering members, domains, and org lifecycle actions.
Email Logs are now available in public beta for production instances, providing a reverse-chronological view of transactional email delivery events in the Clerk Dashboard. Filter logs by recipient email, IP address, message ID, time range, and event type to debug delivery issues, and view delivery status, bounce reasons, and provider payloads for individual entries.
New report shows your largest organizations by member count, helping you understand usage distribution, spot outliers, and track account growth.
A new elevation appearance option allows rendering Clerk components without a card wrapper.
Groups and custom attributes mapping for Directory Sync are now generally available, completing the SCIM general availability rollout.
OAuth Applications can now request organization context, allowing users to select an organization during the OAuth flow and giving clients an org_id claim in the token.
A new Logs page in the Clerk Dashboard provides a reverse-chronological feed of auth, billing, and organization events across applications, with filtering by event type, actor, subject, trace ID, device, and date range. Application Logs are available for all plans with varying retention levels.
Clerk CLI is now available as an open-source command-line tool for setting up and managing Clerk from the terminal. Key commands include clerk init for framework detection and scaffolding, clerk config for managing application settings, and clerk api for interacting with the Clerk API directly.
API keys are now generally available as part of the machine authentication suite, allowing users to create credentials that delegate API access on their behalf. Billing is active with a free monthly allocation of 1,000 key creations and 100,000 key verifications, then usage-based pricing.


