Authentication
Purpose
Document where Clerk authentication is enforced and where downstream services trust verified upstream identity.
Participants
- Clerk issues sessions and JWTs.
- Brisket validates user-facing requests with @clerk/nextjs middleware and auth().
- Strip validates sessions with custom Fiber middleware and clerk-sdk-go/v2.
- Brain uses a NestJS Passport guard backed by @clerk/backend.
- Sirloin generally trusts upstream auth and uses the Clerk SDK for lookups.
- Round has no auth and is internal-only.
Sequence
```mermaid
sequenceDiagram
    participant User
    participant Clerk
    participant Brisket
    participant Strip
    participant Brain
    participant Sirloin
    participant Round
    User->>Clerk: Sign in
    Clerk-->>Brisket: Session/JWT
    Clerk-->>Strip: Session/JWT
    Brisket->>Sirloin: Request with verified user context
    Strip->>Sirloin: Request with verified user context
    Brain->>Brain: Guard checks Clerk unless route is public/API-key
    Brain->>Round: Internal gRPC call
    Sirloin->>Clerk: Lookup user metadata when needed
```
Source Links
- apps/brisket/src/middleware.ts
- apps/strip/internal/app/middleware/auth.go
- apps/brain/src/modules/application/auth/guards/clerk-auth.guard.ts
- apps/sirloin/internal/pkg/clerk/
State Transitions
Unauthenticated browser requests become authenticated app requests after Clerk validation at the frontend/service edge. Sirloin receives user identifiers from trusted callers rather than revalidating every JWT.
Invariants
- User-facing services must validate Clerk identity before calling trusted backend paths.
- Sirloin trust depends on upstream callers preserving verified user identity.
- Round must remain internal-only unless an auth boundary is added.
Error Paths
Invalid or missing Clerk sessions are rejected by Brisket, Strip, or Brain before protected work starts. Strip also protects return_to redirects and token size.
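The following Go snippet is an added, self-contained illustration of the error paths above (token size limit, session rejection, return_to protection); it is not code from Strip, Brisket, Brain or the Clerk SDK. It assumes an RS256-signed session token, a map from key id to public key standing in for the issuer's JWKS, a 4096-byte size limit chosen for the example, and a MintToken helper that stands in for Clerk only so the guard can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// MaxTokenBytes bounds a session token before any parsing happens.
// The value is an assumption for this example, not Strip's real limit.
const MaxTokenBytes = 4096

// Claims is the subset of JWT claims the guard checks.
type Claims struct {
	Subject   string `json:"sub"`
	IssuedAt  int64  `json:"iat"`
	NotBefore int64  `json:"nbf,omitempty"`
	ExpiresAt int64  `json:"exp"`
}

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

var b64 = base64.RawURLEncoding

// VerifyToken enforces, in order: size limit, compact-form shape, pinned RS256
// algorithm, known key id, signature, then sub/exp/nbf. keys maps kid to the
// issuer's public key, which is what a JWKS fetch would normally populate.
func VerifyToken(token string, keys map[string]*rsa.PublicKey, now time.Time) (Claims, error) {
	if len(token) > MaxTokenBytes {
		return Claims{}, errors.New("token exceeds size limit")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var h header
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &h) != nil {
		return Claims{}, errors.New("bad header")
	}
	// Pin the algorithm so the token cannot select "none" or an HMAC variant.
	if h.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return Claims{}, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("signature verification failed")
	}
	// Claims are trusted only after the signature has been checked.
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("bad claims")
	}
	t := now.Unix()
	switch {
	case c.Subject == "":
		return Claims{}, errors.New("missing sub")
	case c.ExpiresAt == 0 || t >= c.ExpiresAt:
		return Claims{}, errors.New("token expired")
	case c.NotBefore != 0 && t < c.NotBefore:
		return Claims{}, errors.New("token not yet valid")
	}
	return c, nil
}

// SafeReturnTo keeps raw only when it is a same-origin path; anything that
// could leave the origin ("https://...", "//host", backslashes, CR/LF) falls
// back to "/".
func SafeReturnTo(raw string) string {
	if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") || strings.ContainsAny(raw, "\\\r\n") {
		return "/"
	}
	if u, err := url.Parse(raw); err != nil || u.Scheme != "" || u.Host != "" {
		return "/"
	}
	return raw
}

// MintToken produces an RS256 token for local testing; it stands in for
// Clerk's issuer and is not part of any service.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(sig), nil
}
```

The ordering matters: the size check runs before any decoding so an oversized token costs nothing, the algorithm is pinned before the key is chosen, and the claims body is only parsed once the signature over it is known to be valid. A caller that mounts VerifyToken as request middleware should reject on any error before reaching the trusted backend paths that Sirloin serves, which is the invariant this page states.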
Tests And Verification
- Brisket: cd apps/brisket && pnpm test
- Strip: cd apps/strip && make run-tests
- Brain: cd apps/brain && pnpm test