ADR-004: Auth Provider — Clerk
Status
Accepted (2026-04-02)
Context
The platform needs authentication (login), authorization (RBAC), and API key management. This is a build-vs-buy decision.
Options Considered
Option A: Build custom auth
- JWT issuance, session management, password hashing, OIDC integration
- Rejected: High effort, security risk, not our core competency
Option B: Auth0
- Mature, feature-rich, good GitHub SSO support
- Free tier: 7,500 MAU
- Considered: Strong option, but more enterprise-oriented pricing and complexity
Option C: Clerk (selected)
- Modern auth-as-a-service, excellent DX
- Free tier: 10,000 MAU
- Native GitHub SSO, org/team management, API key support
- React components for login/signup
- Cloudflare Workers compatible (JWT verification)
Option D: Supabase Auth
- Open source, PostgreSQL-based
- Rejected: Ties auth to Supabase hosting; we’re on Cloudflare
Decision
Option C — Clerk. Best DX, Cloudflare-compatible, built-in org management, free tier sufficient for MVP.
Consequences
- Positive: GitHub SSO out of the box — key for our developer audience
- Positive: Org management and RBAC without custom code
- Positive: React components accelerate dashboard development
- Positive: API key management built-in
- Negative: Vendor dependency for a critical path (auth)
- Negative: Pricing scales with MAU — monitor as we grow
- Migration path: JWT-based; could switch to any OIDC provider without API changes