
Authentication & Authorization

How identity, sessions, and service-to-service auth are managed.

Wordloop delegates all identity management to Clerk and retains local user schemas strictly to anchor database relations.

Important

Internal services rely on symmetric tokens for system-level trust. Zero-trust principles apply at external boundaries; inherited trust applies internally.

User Authentication Flow (Clerk)

Clerk acts as our authoritative identity provider (IdP).

Frontend Implementation

  • Identity Context: wordloop-app uses @clerk/nextjs for all auth flows.
  • Header Injection: JWT tokens are automatically injected into wordloop-core requests as Authorization: Bearer <token> by the Orval API clients via a custom fetch interceptor.

Backend Validation

  • Middleware: wordloop-core uses robust Clerk middleware within the Huma framework.
  • Verification: The middleware verifies the JWT's signature against the keys published at Clerk's JWKS endpoint and extracts the clerk_user_id into the request's context.Context.

Data Synchronization

To link auth identities with core business entities (like Meetings or Transcripts), users are synchronized into the local Postgres database.

Database synchronization occurs asynchronously via Clerk Webhooks.

  1. User Creation: When a user registers, Clerk fires a user.created webhook to wordloop-core.
  2. Database Sink: Core validates the Svix headers, parses the webhook payload, and idempotently upserts the record into the users table.
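The Svix header check from step 2, written out with Go's standard library as an added example (not Wordloop's own code). It follows Svix's documented signing scheme; the function names, the five-minute tolerance and the sample secret are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Sign returns the base64 HMAC-SHA256 over "<svix-id>.<svix-timestamp>.<raw body>".
func Sign(key []byte, id, ts string, body []byte) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s.%s.%s", id, ts, body)
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// VerifySvix checks one delivery; call it on the raw bytes before parsing JSON.
func VerifySvix(secret string, h http.Header, body []byte, now time.Time) error {
	const tolerance = 5 * time.Minute // assumed replay window
	key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(secret, "whsec_"))
	if err != nil {
		return fmt.Errorf("decode secret: %w", err)
	}
	id, ts := h.Get("svix-id"), h.Get("svix-timestamp")
	sec, err := strconv.ParseInt(ts, 10, 64)
	if id == "" || err != nil {
		return fmt.Errorf("missing or malformed svix headers")
	}
	if age := now.Sub(time.Unix(sec, 0)); age > tolerance || age < -tolerance {
		return fmt.Errorf("timestamp outside tolerance")
	}
	want := Sign(key, id, ts, body)
	// The header may carry several space-separated "v1,<sig>" entries (key rotation).
	for _, entry := range strings.Fields(h.Get("svix-signature")) {
		version, sig, ok := strings.Cut(entry, ",")
		if ok && version == "v1" && hmac.Equal([]byte(sig), []byte(want)) {
			return nil
		}
	}
	return fmt.Errorf("no matching v1 signature")
}

func main() {
	// Constructed secret and empty headers: prints the rejection error.
	fmt.Println(VerifySvix("whsec_Y29uc3RydWN0ZWQ=", http.Header{}, nil, time.Now()))
}
```

The signature covers the exact bytes received, so the handler must verify before any JSON decoding or re-serialization touches the body.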

Service-to-Service Authentication

When internal services communicate outside of standard user contexts (e.g., the ML engine pulling an audio binary from Core API endpoints), they use a static symmetric token.

  • Header Specification: Authorization: Bearer <SERVICE_AUTH_TOKEN>
  • Assumed Scope: Full administrative access.

Never expose the SERVICE_AUTH_TOKEN to the frontend or public-facing API routes. This token bypasses user validation logic.
