Authentication & Authorization
How identity, sessions, and service-to-service auth are managed.
Authentication & Authorization
Wordloop delegates absolute identity management to Clerk while retaining local user schemas strictly to anchor database relations.
[!IMPORTANT] Internal services rely on symmetric tokens for system-level trust. Zero-trust principles apply at external boundaries; inherited trust applies internally.
User Authentication Flow (Clerk)
Clerk acts as our authoritative identity provider (IdP).
Frontend Implementation
- Identity Context:
wordloop-appuses@clerk/nextjsfor all auth flows. - Header Injection: JWT tokens are automatically injected into
wordloop-corerequests asAuthorization: Bearer <token>by the Orval API clients via a custom fetch interceptor.
Backend Validation
- Middleware:
wordloop-coreuses robust Clerk middleware within the Huma framework. - Verification: The middleware validates the JWT symmetrically against Clerk's JWKS endpoint, extracting the
clerk_user_iddirectly into the Requestcontext.Context.
Data Synchronization
To link auth identities with core business entities (like Meetings or Transcripts), users are synchronized into the local Postgres database.
[!NOTE] Database synchronization occurs asynchronously via Clerk Webhooks.
- User Creation: When a user registers, Clerk fires a
user.createdwebhook towordloop-core. - Database Sink: Core validates the Svix headers, parses the webhook payload, and idempotently upserts the record into the
userstable.
Service-to-Service Authentication
When internal services communicate outside of standard user contexts (e.g., the ML engine pulling an audio binary from Core API endpoints), they use a static symmetric token.
- Header Specification:
Authorization: Bearer <SERVICE_AUTH_TOKEN> - Assumed Scope: Full administrative access.
[!WARNING] Never expose the
SERVICE_AUTH_TOKENto the frontend or public-facing API routes. This token bypasses user validation logic.