惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
Y
Y Combinator Blog
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
S
SegmentFault 最新的问题
IT之家
IT之家
Recent Announcements
Recent Announcements
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
Martin Fowler
Martin Fowler
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
U
Unit 42
WordPress大学
WordPress大学
博客园 - Franky
L
LangChain Blog
人人都是产品经理
人人都是产品经理
小众软件
小众软件
博客园 - 叶小钗
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
雷峰网
雷峰网
腾讯CDC
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Help Net Security
Help Net Security
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Schneier on Security
Schneier on Security
博客园 - 聂微东
A
Arctic Wolf
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
C
Cyber Attacks, Cyber Crime and Cyber Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google DeepMind News
Google DeepMind News

Clerk Blog

Going to production with Clerk Deploy Clerk Init: The fastest way to start a new project Introducing Clerk CLI Middleware-based route protection bypass Postmortem: Clerk System Outage (March 10, 2026) Clerk for the AI era Postmortem: Clerk System Outage (February 19, 2026) Using Clerk in a React Native app Postmortem: DNS Provider Outage (February 10, 2026) How do I implement passkeys in Next.js? Clerk ranked #4 fastest-growing software vendor on Ramp’s December 2025 list How do I handle JWT verification in Next.js? Committing to Agent Identity: Clerk raises $50m Series C from Menlo and Anthropic’s Anthology Fund What is the best way to handle authentication in Next.js App Router? Postmortem: Database Incident (September 14–18, 2025) How do I add authentication to a Next.js app? Introducing Free Trials in Clerk Billing Postmortem: August 28, 2025 - elevated API latency and errors Introducing Mosaic: Bring Your Brand to Every Authentication Flow Multi-tenant authentication: What you need to know (and how Clerk helps) What are the risks and challenges of multi-tenancy? Resilience in Practice: Regional Failover at Clerk Build a Cross-Platform B2B App with Clerk, Expo, and Supabase Highlights from the MiduDev/Clerk Hackathon Add multi-tenancy to an app built with Clerk, Lovable, and Supabase How to build an AI coding rules app with Clerk, Lovable, and Supabase How to Build Multi-Tenant Authentication with Clerk Choosing the right SaaS architecture: Multi-Tenant vs. Single-Tenant Postmortem: June 26, 2025 service outage How to Design a Multi-Tenant SaaS Architecture What is multi-tenancy and why it matters for B2B SaaS How OAuth Works Synchronize user data from Clerk to Supabase Add subscriptions to your SaaS with Clerk Billing Getting started with Clerk Billing Multi-tenant analytics with Tinybird and Clerk How Huntr Migrated 250K Users to Clerk: A Scalable Auth Solution for Startups How to take Clerk to Production How to take your Clerk application to production A practical guide to testing Clerk Next.js applications Implementing multi-tenancy into a Supabase app with Clerk How Clerk integrates with a Next.js application using Supabase How Clerk integrates with Supabase Build a blog with tRPC, Prisma, Next.js and Clerk How to enrich PostHog events with Clerk user data How to build a secure project management platform with Next.js, Clerk, and Neon Validate your SaaS idea while building an audience Postmortem: February 6, 2025 service outage Implement Role-Based Access Control in Next.js 15 Build a Next.js sign-up form with React Hook Form Build a Next.js login page template How to implement Google authentication in Next.js 15 What is middleware in Next.js? How to customize Next.js metadata How to set environment variables in Node.js Building a React Login Page Template How to implement per-user OAuth scopes with Clerk Using Clerk SSO to access Google Calendar and other service data Streamline enterprise customer onboarding with SAML and Clerk Clerk launches EASIE SSO and eliminates SSO fees How to secure Liveblocks Rooms with Clerk in Next.js Securing Node.js Express APIs with Clerk and React Combining the benefits of session tokens and JWTs Build a task manager with Next.js, Supabase, and Clerk Comparing Clerk Webhooks vs Backend API Automate Neon schema changes with Drizzle and GitHub Actions A guide to reading authenticated user data from Clerk Role based access control with Clerk Organizations Mitigating OAuth’s recently discovered Open Response Type vulnerability Per-user B2B monetization with Stripe and Clerk Organizations Build a team-based task manager with Next.js, Neon, and Clerk Building a Hybrid Sign-Up/Subscribe Form with Stripe Elements Welcoming Colin from Zod as our inaugural Open Source Fellow Build a modern authenticated chat application with Next.js, Ably, and Clerk Build a waitlist with Clerk user metadata How to use Clerk with PostHog Identify in Next.js How to secure API Gateway using JWT and Lambda Authorizers with Clerk What are passkeys and how do they work? Comparing Authentication in React.js vs. Next.js How to Add an Onboarding Flow for your Application with Clerk Create Your Own Custom User Menu with Radix - Part 2 Introducing Webhook Workflows with Inngest & Svix Clerk raises $30M Series B from CRV and Stripe Clerk in 2023: A Year in Review Build a Movie Emoji Quiz App with Remix, Fauna, and Clerk Ultimate Guide to Magic Link Authentication Create Your Own Custom User Menu with Radix Introducing has(), protect(), and <Protect> Updated Pricing: 10,000 MAUs Free, and a new “Pro Plan” Next.js Authentication with Clerk: Streamlined SSR Handling Clerk Webhooks: Data Sync with Convex Exploring Clerk Metadata with Stripe Webhooks The Ultimate Guide to Next.js Authentication Empower Your Support Team With User Impersonation Clerk Webhooks: Getting Started A Complete Guide to Session Management in Next.js The Advanced Guide to Passwordless Authentication in Next.js How We Roll – Chapter 10: Roundup How We Roll – Chapter 9: Infrastructure Password-Based Authentication in Next.js
Add API Key support to your SaaS in minutes
Nicolas Angelo · 2026-02-27 · via Clerk Blog

As your SaaS grows, your customers may want to connect your product with the rest of their tools, whether that's running scheduled jobs, syncing data, triggering workflows, or building private internal tools. These integrations all require the same foundational capability: A secure, reliable way to programmatically access your API.

API keys remain the simplest and most familiar way for customers to integrate with SaaS products. From a customer's perspective, API Keys should be easy to manage and use. But implementing API Keys correctly in a multi-tenant application takes real work:

  • Where do you store keys? How do you rotate or revoke them?
  • How do you ensure keys are scoped to the correct user or organization?
  • How do you build a secure UI for users or organization members to manage their keys?

Most teams eventually take on the work of building and maintaining their own approach to key management, which often turns into a complex, error-prone, and time-consuming effort.

Clerk removes that entire burden.

With Clerk API Keys, you can securely expose your application's functionality through an API for individual users or entire organizations, without having to build the underlying infrastructure yourself. In this guide, we'll introduce you to Clerk's new API Keys feature and show you how to integrate it into your SaaS product.

Follow along

To make this tutorial practical and easy to apply, we'll be working with the AgentOps demo app — an open-source, multi-tenant Next.js application that showcases how to integrate Clerk's new API Keys system into a real SaaS product.

This demo includes a simple "Agents" concept (AI assistants) and uses organization-scoped API Keys to ensure that only authorized members of organizations can access resources.

The app features:

  • Minimalistic dashboard UI using shadcn
  • Combined "Sign-In" and "Sign-Up" flow page powered by Clerk
  • An "Organization Settings" page that exposes Clerk's managed <APIKeys/> component
  • Protected Next.js API CRUD routes to demonstrate organization-scoped token verification

You'll need the following before you get started:

  • A Clerk account
  • Node and any package manager installed locally (e.g. npm, pnpm, yarn, bun)
  • Familiarity with Next.js

If you want to follow along, clone the API Keys Demo repository on GitHub and navigate to the directory:

terminal

Then, run the following commands to install the dependencies and start the development server:

Enabling API Keys in Clerk

To follow along with the demo project, you'll need to enable a few features in your app instance. But before turning on API Key support, you'll need to decide how keys should be scoped.

Clerk supports two types of keys:

  • User API Keys - Keys tied to an individual user. Ideal for personal scripts, CLI tools, or user-initiated automations.
  • Organization API Keys - Keys tied to an organization. Better suited for multi-tenant SaaS apps where members of organizations (or workspaces) need keys to access shared data.

This tutorial will focus on Organization API Keys. Before you can use API Keys, you'll need to enable Organizations first.

Enable Organizations and Roles

To get started, open your app instance in the Clerk dashboard and navigate to Organizations > Settings from the sidebar on the left. Toggle Enable organizations on if the feature is not already enabled. From here, make sure personal accounts are disabled.

Next, switch to the Roles & Permissions tab and grant the following system permissions to your test user:

  • org:sys_api_keys:read
  • org:sys_api_keys:manage

These permissions determine who can view, generate, and revoke API Keys within your organization. In the following sections, you'll integrate API Keys into your application and start protecting your backend routes using Clerk's token verification layer.

Finally, navigate to Configure > Developer > API Keys. Toggle the Organization API keys option to enable it and click Save. Make sure to leave the User API keys option disabled.

Adding API Key management to your SaaS dashboard

Once API Keys are enabled in your Clerk instance, the next step is to expose a place in your product where your users can view, create, and manage their own API Keys. In our AgentOps example, this component is integrated directly into the existing shadcn dashboard layout.

Using <OrganizationProfile/> component

If your application already includes an <OrganizationProfile/> or <OrganizationSwitcher/> component, Clerk automatically adds an API Keys tab when the minimum permissions (org:sys_api_keys:read) are present. These permissions are not set by default, so you'll need to apply them to both admin and member roles in the Clerk dashboard.

In the demo app, you can try this by:

  1. Switching to an organization using the <OrganizationSwitcher/> in the dashboard header
  2. Clicking Manage Organization
  3. Opening the API Keys tab

From here, organization members with org:sys_api_keys:read can view all active Organization API Keys, and members with org:sys_api_keys:manage can create new keys with one click, revoke any key immediately, and copy keys securely for external usage.

Here's the header layout used in the demo:

app/dashboard/layout.tsx

When you click Manage Organization in the <OrganizationSwitcher/> component, you'll see the API Keys tab appear automatically if permissions are configured correctly.

Using the <APIKeys/> component

If you'd prefer to have more control over where API Keys appear in your application, Clerk also provides a dedicated <APIKeys/> component that you can use.

Our demo app shows how to embed API Key management directly inside your own dashboard pages, which is useful if you want a dedicated “Developer Settings” or “Integrations” section.

Here's the example from the demo:

app/dashboard/settings/api-keys/page.tsx

This version gives you full control over where API Keys appear in your dashboard while Clerk handles security and key management.

Creating protected backend routes

With key generation enabled, the next step is to allow your API to accept API Keys alongside normal user session tokens. Clerk makes this extremely simple with a single configuration change.

Using multi-token verification

In server-side functions and API routes, Clerk's auth() helper can accept more than one token type. In our demo app, we've configured our /api/agents/route.ts file to accept both session tokens and API Keys. Below is a simplified example:

app/api/agents/route.ts

This line tells Clerk to accept:

  • Browser-based user sessions (from logged-in users)
  • API Keys (passed as a Bearer token in request headers)

Clerk automatically extracts and verifies the token, determines the organization, and ensures the key has not been revoked.

Rejecting unauthenticated or cross-org access

Because Clerk includes orgId directly in the token, your backend logic becomes extremely straightforward:

  • If no orgId → reject
  • If orgId does not match the requested resource → reject
  • Otherwise → process the request

This ensures strong multi-tenant isolation and prevents customers from ever accessing resources outside their organization.

Testing your API Keys

Now that API Keys are enabled and visible in your application’s dashboard, it’s time to test them against real API endpoints in the demo app. You can use cURL or tools like Insomnia or Postman to test your API Keys.

Go ahead and create an API Key on the /dashboard/settings/api-keys page using the <APIKeys/> component from the previous section.

With your key in hand, you can start making real requests.

Creating an agent

Let's start by creating a new agent using the POST /api/agents endpoint. This endpoint requires a valid Organization API Key.

terminal

If successful, you'll see the newly created agent returned in the response.

Since every request is tied to your Organization ID, the new agent is automatically scoped to your organization.

Now, try to create an agent with an invalid API Key. If the key is invalid (or revoked / expired), the request will be rejected with a 401 Unauthorized response.

You can test the same functionality from a logged-in user context by creating an agent on the /dashboard page.

Listing agents

Next, fetch all agents that belong to your organization.

terminal

You should get a response with an array containing the recently created agent:

Deleting an agent

Finally, delete an existing agent by using the DELETE /api/agents endpoint and sending its agentId in the request body:

terminal

Clerk validates the API Key, resolves the organization it belongs to, and ensures the deletion request only affects resources owned by that org.

You can test the same functionality from a logged-in user context by deleting an agent on the /dashboard page.

What you've verified

By this point, you've tested that:

  • Organization API Keys work alongside user session tokens for backend access
  • All requests are scoped to the correct organization
  • Requests are rejected if the API Key is invalid

Your platform can support external integrations and every API request passes through Clerk's verification. This mirrors how your real users will interact with your API.

Conclusion

Adding API Key support to a SaaS product is often a significant engineering effort, especially in a multi-tenant environment where every request must be scoped to the correct organization. Clerk removes that complexity by managing key creation, access controls, token validation, and providing ready-made UI components for your customers.

In just a few steps, you've put all the essential pieces in place:

  • Enabling API Keys in your Clerk app instance
  • Adding managed UI to your application
  • Protecting backend routes with multi-token verification
  • Enforcing organization-level data isolation
  • Testing endpoints with organization-scoped keys

Taken together, these steps give you a fast, secure foundation for customer-facing integrations—one that you can adapt to your product's needs. With this setup in place, your customers can connect your SaaS to the rest of their workflow with ease.

To explore the complete setup for this guide, check out the AgentOps API Keys Demo. For more advanced use cases, check out the examples in this repository.

Other resources: