Clerk
Blog

Back

Company


Oct 01, 2022

Back

Company


Oct 01, 2022

Changelog September 30, 2022

Colin Sidoti

Colin Sidoti


We launched safe and auditable User Impersonation!


User Impersonation

User Impersonation has been a top 5 request feature since the week Clerk launched. This feature allows admins to sign in as an another user, and experience the application as the user would.

From the Clerk dashboard, admins can now easily sign in as their users with the "Impersonate User" button:

Impersonation is commonly used within customer support and engineering teams to help with debugging. It's helpful to "see what user sees" in these contexts, especially as applications have become more complex and personalized to individual customers.

Keeping impersonation safe

Like every other Clerk feature, our top piority while developing User Impersonation was security.

Unsafe implementations of User Impersonation are often called "God-mode" because they empower admins to impersonate another user without leaving a trace. This is not the case with Clerk.

Impersonation sessions are automatically logged and can be retrieved from the Session List endpoint of our API.

We've made it possible to detect impersonated sessions as they are happening, so developers can easily choose to prevent actions while a user is being impersonated.

The detection is available on both the frontend and the backend.

Frontend

On the frontend, information about the impersonator (a.k.a. the "actor") is available through the useAuth() hook. When actor is not null, it's an impersonation session.

const { userId, actor } = useAuth();

Backend

On the backend, it's available through the "auth" helper for the framework of your choice (Next.js shown).

import { withAuth } from "@clerk/nextjs/api";
export default withAuth(async (req) => {
const { userId, actor } = req.auth;
//...
});

If you do not use one of our SDKs, the data is available on the "act" claim of the authentication JWT in compliance with RFC 8693.

Since the impersonator data is ultimately transmitted through the JWT, this additional context is available with no additional latency.

Technical deep dive coming soon

In the coming weeks, we'll continue to share more details about impersonation's design and all of it's capabilities.

Meanwhile, you can learn more in the impersonation documentation.

Thanks to the contributors
Alex Ntousias, Giannis Katsanos, and George Desipris
Alex Ntousias
Giannis Katsanos
George Desipris
Clerk's logo

Start now,
no strings attached

Start completely free for up to 10,000 monthly active users and up to 100 monthly active orgs. No credit card required.

Start Building

Pricing built for
businesses of all sizes.

Learn more about our transparent per-user costs to estimate how much your company could save by implementing Clerk.

View pricing
Clerk's logo

Newsletter!

The latest news and updates from Clerk, sent to your inbox.

Clerk logo

Clerk - Complete User Management

TwitterLinkedInGitHubDiscordFacebook

© 2024 Clerk Inc.


product
Components

© 2024 Clerk Inc.