The most comprehensive User Management Platform

Summary

Clerk Backend API: The Clerk REST Backend API, meant to be accessed by backend servers.

Versions

When the API changes in a way that isn't compatible with older versions, a new version is released. Each version is identified by its release date, e.g. 2025-04-10. For more information, please see Clerk API Versions.

Please see https://clerk.com/docs for more information.

More information about the API can be found at https://clerk.com/docs

Table of Contents

• SDK Installation
• IDE Support
• SDK Example Usage
• Authentication
• Request Authentication
• Available Resources and Operations
• File uploads
• Retries
• Error Handling
• Server Selection
• Custom HTTP Client
• Resource Management
• Debugging
• Development
  • Maturity
  • Contributions

SDK Installation

Note

Python version upgrade policy

Once a Python version reaches its official end of life date, a 3-month grace period is provided for users to upgrade. Following this grace period, the minimum python version supported in the SDK will be updated.

The SDK can be installed with uv, pip, or poetry package managers.

uv

uv is a fast Python package installer and resolver, designed as a drop-in replacement for pip and pip-tools. It's recommended for its speed and modern Python tooling capabilities.

uv add clerk-backend-api

PIP

PIP is the default package installer for Python, enabling easy installation and management of packages from PyPI via the command line.

pip install clerk-backend-api

Poetry

Poetry is a modern tool that simplifies dependency management and package publishing by using a single pyproject.toml file to handle project metadata and dependencies.

poetry add clerk-backend-api

Shell and script usage with uv

You can use this SDK in a Python shell with uv and the uvx command that comes with it like so:

uvx --from clerk-backend-api python

It's also possible to write a standalone Python script without needing to set up a whole project like so:

#!/usr/bin/env -S uv run --script
# /// script
# requires-python = ">=3.9"
# dependencies = [
#     "clerk-backend-api",
# ]
# ///

from clerk_backend_api import Clerk

sdk = Clerk(
  # SDK arguments
)

# Rest of script here...

Once that is saved to a file, you can run it with uv run script.py where script.py can be replaced with the actual file name.

IDE Support

PyCharm

Generally, the SDK will work well with most IDEs out of the box. However, when using PyCharm, you can enjoy much better integration with Pydantic by installing an additional plugin.

• PyCharm Pydantic Plugin

SDK Example Usage

Example

# Synchronous Example
from clerk_backend_api import Clerk


with Clerk(
    bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:

    res = clerk.email_addresses.get(email_address_id="email_address_id_example")

    assert res is not None

    # Handle response
    print(res)

The same SDK client can also be used to make asynchronous requests by importing asyncio.

# Asynchronous Example
import asyncio
from clerk_backend_api import Clerk

async def main():

    async with Clerk(
        bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
    ) as clerk:

        res = await clerk.email_addresses.get_async(email_address_id="email_address_id_example")

        assert res is not None

        # Handle response
        print(res)

asyncio.run(main())

Authentication

Per-Client Security Schemes

This SDK supports the following security scheme globally:

Name	Type	Scheme
bearer_auth	http	HTTP Bearer

To authenticate with the API the bearer_auth parameter must be set when initializing the SDK client instance. For example:

from clerk_backend_api import Clerk


with Clerk(
    bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:

    clerk.miscellaneous.get_public_interstitial(frontend_api_query_parameter1="pub_1a2b3c4d", publishable_key="<value>", proxy_url="https://fine-tarragon.info", domain="great-director.net", sign_in_url="https://likable-freckle.net/", use_domain_for_script=False)

    # Use the SDK ...

Request Authentication

Use the client's authenticate_request method to authenticate a request from your app's frontend (when using a Clerk frontend SDK) to a Python backend (Django, Flask, and other Python web frameworks). For example the following utility function checks if the user is effectively signed in:

import os
import httpx
from clerk_backend_api import Clerk
from clerk_backend_api.security import authenticate_request
from clerk_backend_api.security.types import AuthenticateRequestOptions

def is_signed_in(request: httpx.Request):
    sdk = Clerk(bearer_auth=os.getenv('CLERK_SECRET_KEY'))
    request_state = sdk.authenticate_request(
        request,
        AuthenticateRequestOptions(
            authorized_parties=['https://example.com']
        )
    )
    return request_state.is_signed_in

If the request is correctly authenticated, the token's payload is made available in request_state.payload. Otherwise the reason for the token verification failure is given by request_state.reason.

Authenticating Machine Tokens

If you need to authenticate a machine token rather than a session token, this can be done using the accepts_token param as such:

import os
import httpx
from clerk_backend_api import Clerk
from clerk_backend_api.security import authenticate_request
from clerk_backend_api.security.types import AuthenticateRequestOptions

def verify_machine_token(request: httpx.Request):
    sdk = Clerk(bearer_auth=os.getenv('CLERK_SECRET_KEY'))
    request_state = sdk.authenticate_request(
        request,
        AuthenticateRequestOptions(
            accepts_token=['oauth_token']  # Only accepts oauth access tokens
        )
    )
    return request_state.is_signed_in

Available Resources and Operations

Available methods

actor_tokens

• create - Create actor token
• revoke - Revoke actor token

allowlist_identifiers

• list - List all identifiers on the allow-list
• create - Add identifier to the allow-list
• delete - Delete identifier from allow-list

aws_credentials

• delete - Delete an AWS Credential
• update - Update an AWS Credential

beta_features

• update_instance_settings - Update instance settings
• update_production_instance_domain - Update production instance domain ⚠️ Deprecated

blocklist_identifiers

• list - List all identifiers on the block-list
• create - Add identifier to the block-list
• delete - Delete identifier from block-list

clients

• list - List all clients ⚠️ Deprecated
• verify - Verify a client
• get - Get a client

commerce

• list_plans - List all commerce plans
• list_subscription_items - List all subscription items

domains

• list - List all instance domains
• add - Add a domain
• delete - Delete a satellite domain
• update - Update a domain

email_addresses

• create - Create an email address
• get - Retrieve an email address
• delete - Delete an email address
• update - Update an email address

email_and_sms_templates

• upsert - Update a template for a given type and slug ⚠️ Deprecated

email_sms_templates

• list - List all templates ⚠️ Deprecated
• get - Retrieve a template ⚠️ Deprecated
• revert - Revert a template ⚠️ Deprecated
• toggle_template_delivery - Toggle the delivery by Clerk for a template of a given type and slug ⚠️ Deprecated

experimental_accountless_applications

• create - Create an accountless application [EXPERIMENTAL]
• complete - Complete an accountless application [EXPERIMENTAL]

instance_settings

• get - Fetch the current instance
• update - Update instance settings
• update_restrictions - Update instance restrictions
• change_domain - Update production instance domain
• update_organization_settings - Update instance organization settings

invitations

• create - Create an invitation
• list - List all invitations
• bulk_create - Create multiple invitations
• revoke - Revokes an invitation

jwks

• get_jwks - Retrieve the JSON Web Key Set of the instance

jwt_templates

• list - List all templates
• create - Create a JWT template
• get - Retrieve a template
• update - Update a JWT template
• delete - Delete a Template

m2m

• create_token - Create a M2M Token
• list_tokens - Get M2M Tokens
• revoke_token - Revoke a M2M Token
• verify_token - Verify a M2M Token

machines

• list - Get a list of machines for an instance
• create - Create a machine
• get - Retrieve a machine
• update - Update a machine
• delete - Delete a machine
• get_secret_key - Retrieve a machine secret key
• create_scope - Create a machine scope
• delete_scope - Delete a machine scope

miscellaneous

• get_public_interstitial - Returns the markup for the interstitial page

oauth_access_tokens

• verify - Verify an OAuth Access Token

oauth_applications

• list - Get a list of OAuth applications for an instance
• create - Create an OAuth application
• get - Retrieve an OAuth application by ID
• update - Update an OAuth application
• delete - Delete an OAuth application
• rotate_secret - Rotate the client secret of the given OAuth application

organization_domains

• create - Create a new organization domain.
• list - Get a list of all domains of an organization.
• update - Update an organization domain.
• delete - Remove a domain from an organization.
• list_all - List all organization domains

organization_invitations

• get_all - Get a list of organization invitations for the current instance
• create - Create and send an organization invitation
• list - Get a list of organization invitations
• bulk_create - Bulk create and send organization invitations
• list_pending - Get a list of pending organization invitations ⚠️ Deprecated
• get - Retrieve an organization invitation by ID
• revoke - Revoke a pending organization invitation

organization_memberships

• create - Create a new organization membership
• list - Get a list of all members of an organization
• update - Update an organization membership
• delete - Remove a member from an organization
• update_metadata - Merge and update organization membership metadata

organizations

• list - Get a list of organizations for an instance
• create - Create an organization
• get - Retrieve an organization by ID or slug
• update - Update an organization
• delete - Delete an organization
• merge_metadata - Merge and update metadata for an organization
• upload_logo - Upload a logo for the organization
• delete_logo - Delete the organization's logo.

phone_numbers

• create - Create a phone number
• get - Retrieve a phone number
• delete - Delete a phone number
• update - Update a phone number

proxy_checks

• verify - Verify the proxy configuration for your domain

redirect_urls

• list - List all redirect URLs
• create - Create a redirect URL
• get - Retrieve a redirect URL
• delete - Delete a redirect URL

saml_connections

• list - Get a list of SAML Connections for an instance
• create - Create a SAML Connection
• get - Retrieve a SAML Connection by ID
• update - Update a SAML Connection
• delete - Delete a SAML Connection

sessions

• list - List all sessions
• create - Create a new active session
• get - Retrieve a session
• refresh - Refresh a session
• revoke - Revoke a session
• create_token - Create a session token
• create_token_from_template - Create a session token from a jwt template

sign_in_tokens

• create - Create sign-in token
• revoke - Revoke the given sign-in token

sign_ups

• get - Retrieve a sign-up by ID
• update - Update a sign-up

templates

• preview - Preview changes to a template ⚠️ Deprecated

testing_tokens

• create - Retrieve a new testing token

users

• list - List all users
• create - Create a new user
• count - Count users
• get - Retrieve a user
• update - Update a user
• delete - Delete a user
• ban - Ban a user
• unban - Unban a user
• bulk_ban - Ban multiple users
• bulk_unban - Unban multiple users
• lock - Lock a user
• unlock - Unlock a user
• set_profile_image - Set user profile image
• delete_profile_image - Delete user profile image
• update_metadata - Merge and update a user's metadata
• get_o_auth_access_token - Retrieve the OAuth access token of a user
• get_organization_memberships - Retrieve all memberships for a user
• get_organization_invitations - Retrieve all invitations for a user
• verify_password - Verify the password of a user
• verify_totp - Verify a TOTP or backup code for a user
• disable_mfa - Disable a user's MFA methods
• delete_backup_codes - Disable all user's Backup codes
• delete_passkey - Delete a user passkey
• delete_web3_wallet - Delete a user web3 wallet
• delete_totp - Delete all the user's TOTPs
• delete_external_account - Delete External Account
• get_instance_organization_memberships - Get a list of all organization memberships within an instance.

waitlist_entries

• list - List all waitlist entries
• create - Create a waitlist entry

webhooks

• create_svix_app - Create a Svix app
• delete_svix_app - Delete a Svix app
• generate_svix_auth_url - Create a Svix Dashboard URL

File uploads

Certain SDK methods accept file objects as part of a request body or multi-part request. It is possible and typically recommended to upload files as a stream rather than reading the entire contents into memory. This avoids excessive memory consumption and potentially crashing with out-of-memory errors when working with very large files. The following example demonstrates how to attach a file stream to a request.

Tip

For endpoints that handle file uploads bytes arrays can also be used. However, using streams is recommended for large files.

from clerk_backend_api import Clerk


with Clerk(
    bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:

    res = clerk.users.set_profile_image(user_id="usr_test123", file={
        "file_name": "example.file",
        "content": open("example.file", "rb"),
    })

    assert res is not None

    # Handle response
    print(res)

Retries

Some of the endpoints in this SDK support retries. If you use the SDK without any configuration, it will fall back to the default retry strategy provided by the API. However, the default retry strategy can be overridden on a per-operation basis, or across the entire SDK.

To change the default retry strategy for a single API call, simply provide a RetryConfig object to the call:

from clerk_backend_api import Clerk
from clerk_backend_api.utils import BackoffStrategy, RetryConfig


with Clerk() as clerk:

    clerk.miscellaneous.get_public_interstitial(frontend_api_query_parameter1="pub_1a2b3c4d", publishable_key="<value>", proxy_url="https://fine-tarragon.info", domain="great-director.net", sign_in_url="https://likable-freckle.net/", use_domain_for_script=False,
        RetryConfig("backoff", BackoffStrategy(1, 50, 1.1, 100), False))

    # Use the SDK ...

If you'd like to override the default retry strategy for all operations that support retries, you can use the retry_config optional parameter when initializing the SDK:

from clerk_backend_api import Clerk
from clerk_backend_api.utils import BackoffStrategy, RetryConfig


with Clerk(
    retry_config=RetryConfig("backoff", BackoffStrategy(1, 50, 1.1, 100), False),
) as clerk:

    clerk.miscellaneous.get_public_interstitial(frontend_api_query_parameter1="pub_1a2b3c4d", publishable_key="<value>", proxy_url="https://fine-tarragon.info", domain="great-director.net", sign_in_url="https://likable-freckle.net/", use_domain_for_script=False)

    # Use the SDK ...

Error Handling

ClerkBaseError is the base class for all HTTP error responses. It has the following properties:

Property	Type	Description
err.message	str	Error message
err.status_code	int	HTTP response status code eg 404
err.headers	httpx.Headers	HTTP response headers
err.body	str	HTTP body. Can be empty string if no body is returned.
err.raw_response	httpx.Response	Raw HTTP response
err.data		Optional. Some errors may contain structured data. See Error Classes.

Example

import clerk_backend_api
from clerk_backend_api import Clerk, models


with Clerk(
    bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
) as clerk:
    res = None
    try:

        res = clerk.aws_credentials.delete(id="<id>")

        assert res is not None

        # Handle response
        print(res)


    except models.ClerkBaseError as e:
        # The base class for HTTP error responses
        print(e.message)
        print(e.status_code)
        print(e.body)
        print(e.headers)
        print(e.raw_response)

        # Depending on the method different errors may be thrown
        if isinstance(e, models.ClerkErrors):
            print(e.data.errors)  # List[clerk_backend_api.ClerkError]
            print(e.data.meta)  # Optional[clerk_backend_api.ClerkErrorsMeta]

Error Classes

Primary errors:

• ClerkBaseError: The base class for HTTP error responses.
  • ClerkErrors: Request was not successful. *

Less common errors (16)

Network errors:

• httpx.RequestError: Base class for request errors.
  • httpx.ConnectError: HTTP client was unable to make a request to a server.
  • httpx.TimeoutException: HTTP request timed out.

Inherit from ClerkBaseError:

• CreateM2MTokenM2mResponseBody: 400 Bad Request. Status code 400. Applicable to 1 of 151 methods.*
• GetM2MTokensM2mResponseBody: 400 Bad Request. Status code 400. Applicable to 1 of 151 methods.*
• RevokeM2MTokenM2mResponseBody: 400 Bad Request. Status code 400. Applicable to 1 of 151 methods.*
• VerifyM2MTokenM2mResponseBody: 400 Bad Request. Status code 400. Applicable to 1 of 151 methods.*
• VerifyOAuthAccessTokenOauthAccessTokensResponseBody: 400 Bad Request. Status code 400. Applicable to 1 of 151 methods.*
• GetM2MTokensM2mResponseResponseBody: 403 Forbidden. Status code 403. Applicable to 1 of 151 methods.*
• GetM2MTokensM2mResponse404ResponseBody: 404 Not Found. Status code 404. Applicable to 1 of 151 methods.*
• RevokeM2MTokenM2mResponseResponseBody: 404 Not Found. Status code 404. Applicable to 1 of 151 methods.*
• VerifyM2MTokenM2mResponseResponseBody: 404 Not Found. Status code 404. Applicable to 1 of 151 methods.*
• VerifyOAuthAccessTokenOauthAccessTokensResponseResponseBody: 404 Not Found. Status code 404. Applicable to 1 of 151 methods.*
• CreateM2MTokenM2mResponseResponseBody: 409 Conflict. Status code 409. Applicable to 1 of 151 methods.*
• ResponseValidationError: Type mismatch between the response data and the expected Pydantic model. Provides access to the Pydantic validation error via the cause attribute.

* Check the method documentation to see if the error is applicable.

Server Selection

Override Server URL Per-Client

The default server can be overridden globally by passing a URL to the server_url: str optional parameter when initializing the SDK client instance. For example:

from clerk_backend_api import Clerk


with Clerk(
    server_url="https://api.clerk.com/v1",
) as clerk:

    clerk.miscellaneous.get_public_interstitial(frontend_api_query_parameter1="pub_1a2b3c4d", publishable_key="<value>", proxy_url="https://fine-tarragon.info", domain="great-director.net", sign_in_url="https://likable-freckle.net/", use_domain_for_script=False)

    # Use the SDK ...

Custom HTTP Client

The Python SDK makes API calls using the httpx HTTP library. In order to provide a convenient way to configure timeouts, cookies, proxies, custom headers, and other low-level configuration, you can initialize the SDK client with your own HTTP client instance. Depending on whether you are using the sync or async version of the SDK, you can pass an instance of HttpClient or AsyncHttpClient respectively, which are Protocol's ensuring that the client has the necessary methods to make API calls. This allows you to wrap the client with your own custom logic, such as adding custom headers, logging, or error handling, or you can just pass an instance of httpx.Client or httpx.AsyncClient directly.

For example, you could specify a header for every request that this sdk makes as follows:

from clerk_backend_api import Clerk
import httpx

http_client = httpx.Client(headers={"x-custom-header": "someValue"})
s = Clerk(client=http_client)

or you could wrap the client with your own custom logic:

from clerk_backend_api import Clerk
from clerk_backend_api.httpclient import AsyncHttpClient
import httpx

class CustomClient(AsyncHttpClient):
    client: AsyncHttpClient

    def __init__(self, client: AsyncHttpClient):
        self.client = client

    async def send(
        self,
        request: httpx.Request,
        *,
        stream: bool = False,
        auth: Union[
            httpx._types.AuthTypes, httpx._client.UseClientDefault, None
        ] = httpx.USE_CLIENT_DEFAULT,
        follow_redirects: Union[
            bool, httpx._client.UseClientDefault
        ] = httpx.USE_CLIENT_DEFAULT,
    ) -> httpx.Response:
        request.headers["Client-Level-Header"] = "added by client"

        return await self.client.send(
            request, stream=stream, auth=auth, follow_redirects=follow_redirects
        )

    def build_request(
        self,
        method: str,
        url: httpx._types.URLTypes,
        *,
        content: Optional[httpx._types.RequestContent] = None,
        data: Optional[httpx._types.RequestData] = None,
        files: Optional[httpx._types.RequestFiles] = None,
        json: Optional[Any] = None,
        params: Optional[httpx._types.QueryParamTypes] = None,
        headers: Optional[httpx._types.HeaderTypes] = None,
        cookies: Optional[httpx._types.CookieTypes] = None,
        timeout: Union[
            httpx._types.TimeoutTypes, httpx._client.UseClientDefault
        ] = httpx.USE_CLIENT_DEFAULT,
        extensions: Optional[httpx._types.RequestExtensions] = None,
    ) -> httpx.Request:
        return self.client.build_request(
            method,
            url,
            content=content,
            data=data,
            files=files,
            json=json,
            params=params,
            headers=headers,
            cookies=cookies,
            timeout=timeout,
            extensions=extensions,
        )

s = Clerk(async_client=CustomClient(httpx.AsyncClient()))

Resource Management

The Clerk class implements the context manager protocol and registers a finalizer function to close the underlying sync and async HTTPX clients it uses under the hood. This will close HTTP connections, release memory and free up other resources held by the SDK. In short-lived Python programs and notebooks that make a few SDK method calls, resource management may not be a concern. However, in longer-lived programs, it is beneficial to create a single SDK instance via a context manager and reuse it across the application.

from clerk_backend_api import Clerk
def main():

    with Clerk(
        bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
    ) as clerk:
        # Rest of application here...


# Or when using async:
async def amain():

    async with Clerk(
        bearer_auth="<YOUR_BEARER_TOKEN_HERE>",
    ) as clerk:
        # Rest of application here...

Debugging

You can setup your SDK to emit debug logs for SDK requests and responses.

You can pass your own logger class directly into your SDK.

from clerk_backend_api import Clerk
import logging

logging.basicConfig(level=logging.DEBUG)
s = Clerk(debug_logger=logging.getLogger("clerk_backend_api"))

Development

Maturity

This SDK is in GA. We recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes between major versions unless you are intentionally looking for the latest version.

Contributions

While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.

SDK Created by Speakeasy