Clerk

Clerk is an authentication and user management platform for web applications. Scripts handle sign-in and sign-up flows, manage active session tokens in browser storage, and verify user identity. Sets secure authentication cookies and local storage entries required for access-controlled features.

Overview

Clerk is an authentication-as-a-service platform used by Next.js, React, and other JavaScript framework developers who want to delegate identity management. It handles the full authentication lifecycle: sign-up, sign-in, multi-factor authentication, session management, and user profile storage. Because Clerk manages active user sessions, its scripts and cookies are present on every authenticated page of any application built with it, which makes it an essential service on the sites that use it.

What This Script Does

Clerk loads its frontend SDK from clerk.browser.js or via the @clerk/nextjs / @clerk/clerk-react packages compiled into the host application. The script communicates with the Clerk Frontend API at clerk.[yourdomain].com (custom domain) or [app-slug].clerk.accounts.dev (shared infrastructure).

Session cookies: Clerk sets __session (a JWT containing the active session) and __client (a persistent client identifier) cookies on the host domain. The __session cookie is short-lived (typically 1 minute); the __client cookie persists for the browser session or longer depending on "remember me" configuration. Clerk also uses __client_uat (a Unix timestamp for session freshness detection) as a non-HttpOnly cookie readable by client-side code.

Local storage: Clerk stores additional session metadata in localStorage under clerk-[publishable-key] prefixed keys for active token caching and client state.

Network requests: On every page load, Clerk's script calls the Frontend API to validate and refresh the active session token. These requests transmit the session JWT and return updated tokens. No third-party advertising or analytics data is collected.

Authentication flows: Sign-in and sign-up use Clerk-hosted or embedded UI components that communicate exclusively with Clerk's authentication infrastructure.
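
An added example (not from the original page or from Clerk) for auditing the cookies described above, given a Cookie request header captured from your own test session: it decodes the __session JWT to check its lifetime and reads __client_uat as a Unix timestamp. The `iat`/`exp` claim names and every sample value are assumptions constructed for illustration.

```javascript
// Added example; all sample values below are constructed, not real Clerk tokens.
const CLERK_COOKIES = ['__session', '__client', '__client_uat'];

// Decode one base64url JWT segment. No signature check: this is inventory, not auth.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Report each Clerk cookie present, with the lifetime facts the page describes.
function inventoryClerkCookies(header) {
  const jar = parseCookieHeader(header);
  const report = [];
  for (const name of CLERK_COOKIES) {
    if (!jar.has(name)) continue;
    const entry = { name };
    const value = jar.get(name);
    if (name === '__session') {
      try {
        // Assumption: the JWT carries the standard iat/exp claims (RFC 7519).
        const claims = decodeSegment(value.split('.')[1]);
        entry.lifetimeSeconds = claims.exp - claims.iat;
      } catch {
        entry.malformed = true; // not a three-part JWT or not valid JSON
      }
    } else if (name === '__client_uat') {
      const ts = Number(value);
      entry.updatedAt = Number.isInteger(ts) ? new Date(ts * 1000).toISOString() : null;
    }
    report.push(entry);
  }
  return report;
}

// Constructed sample: a one-minute session token and matching cookies.
const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_JWT = [seg({ alg: 'RS256', typ: 'JWT' }),
  seg({ iat: 1700000000, exp: 1700000060 }), 'constructed-signature'].join('.');
const SAMPLE_HEADER =
  `__session=${SAMPLE_JWT}; __client=constructed-client; __client_uat=1700000000; theme=dark`;
console.log(inventoryClerkCookies(SAMPLE_HEADER));
```

A `lifetimeSeconds` far above the one-minute figure, or a `malformed` flag, is the signal to check the deployment's session settings before documenting them in a privacy policy.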

Consent & Compliance

GDPR and ePrivacy Directive: Clerk's session cookies are strictly necessary for the authenticated application to function. A user cannot access a protected resource without a valid session token. Under the ePrivacy Directive, strictly necessary cookies are exempt from the consent requirement. No consent is required to set Clerk's authentication cookies for logged-in users. The __client persistent identifier cookie may warrant disclosure in the privacy policy as it persists beyond individual sessions.

CCPA/CPRA: Authentication session data constitutes personal information under CCPA. Clerk acts as a service provider processing identity data on behalf of the application operator. Clerk does not sell user identity data to third parties. The application operator remains the data controller for user account information stored in Clerk.

The consent category is essential. Authentication is a functional necessity with no marketing or analytics purpose.

Should You Block This Without Consent?

No.

Clerk scripts are strictly necessary for authenticated application functionality. Blocking them would prevent users from signing in or accessing any protected features. No consent is required before loading Clerk in applications that require authentication. Disclose Clerk's session cookie use in your privacy policy, but do not gate it behind a consent prompt.

Consent Categories

Essential

Also Known As

clerk, clerk auth, clerk.com, authentication platform, clerk session cookies, user management auth, clerk dev

Industries

Computers Electronics and Technology

Tracked Domains (2)

clerk.com: Essential
clerk.dev: Essential

Frequently Asked Questions

Does Clerk require cookie consent on my website?

No. Clerk's session cookies are strictly necessary for authenticated application access. A user cannot reach protected resources without a valid session token. Under the ePrivacy Directive, strictly necessary cookies are exempt from consent requirements — no opt-in is needed.

What cookies does Clerk set?

Clerk sets secure HttpOnly session cookies and may store session tokens in localStorage for access-controlled features. These include a session identifier cookie and client-side state tokens. All storage is scoped to authentication state and is cleared on sign-out.

How does ConsentStack categorize Clerk?

ConsentStack classifies Clerk as an essential vendor. Because Clerk handles authentication, its cookies are treated as strictly necessary and are never blocked regardless of consent status. ConsentStack does not require user consent to load Clerk authentication scripts.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.

Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.

Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own; it acts as a loader for other scripts.

Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.

reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.

Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
