← Back to Learn

Learn · Authentication

What Clerk Actually Does

And the 20-Line Alternative

You're building a Next.js app. You need login. Someone in a YouTube tutorial says “just use Clerk.” You copy-paste some code, it works, and now you have a beautiful sign-in page with Google, GitHub, and a profile dropdown. Great.

But what did you actually install?

What It Actually Does

Clerk handles the “is this person who they say they are” problem. When a user logs in, Clerk creates a session token (a JWT), stores it in a cookie, and validates that cookie on every request. It also manages OAuth flows so your users can log in with Google or GitHub without you having to read 47 pages of OAuth 2.0 documentation. Plus it gives you pre-built UI components so you don't have to design a sign-in form at 2am.

That's it. Cookie management, JWT validation, and OAuth plumbing wrapped in pretty UI.

The Magic Trick Revealed

When you click “Sign in with Google,” here's what actually happens:

  Browser                 Clerk                Google
    |                       |                    |
    |── Click "Sign in" ──▶ |                    |
    |                       |── Redirect ───────▶|
    |                       |   (client ID)      |
    |                       |                    |
    |                       |◀─ Auth code ───────|
    |                       |   (user approved)  |
    |                       |                    |
    |                       |── Exchange code ──▶|
    |                       |◀─ Access token ────|
    |                       |                    |
    |◀─ Set JWT cookie ─────|                    |
    |   (signed, HTTP-only) |                    |
    |                       |                    |
    |── Any request ───────▶|                    |
    |   (cookie attached)   |── Verify JWT       |
    |◀─ User ID + data ─────|   (secret key)     |

On every subsequent request, your middleware reads that cookie, verifies the JWT signature, extracts the user ID, and makes it available to your app. That's the entire trick. A signed cookie and a secret key.

Clerk is charging you (eventually) to do this so you don't have to.

The 20-Line Alternative

NextAuth.js (now called Auth.js) does exactly this. It's open source, runs in your own app, and the core config is about 20 lines. Google login, GitHub login, JWT sessions, session callbacks. It handles the OAuth flow, signs your tokens, and manages cookies. For free. Forever. No vendor lock-in.

When You SHOULD Use Clerk

Multi-tenant SaaS

Org-level access with roles and invitations. Building this yourself with NextAuth and Prisma is a week of work.

MFA & advanced security

SMS codes, TOTP apps, hardware keys — Clerk has this built in.

Compliance requirements

SOC 2, HIPAA, or SAML SSO for enterprise login (Okta, Azure AD).

Managed user directory

Dashboard to see all users, ban them, reset passwords, view login history.

When You're Wasting Money

You're building an MVP. You have 12 users. You just need to know “is someone logged in” to show them their saved items. You don't need Clerk.

The real cost is lock-in. Your auth is now a dependency on a startup that could raise prices, change terms, or go under. You've also handed over your entire user database to a third party. If you outgrow the free tier, the pricing jumps fast. And migrating away from Clerk later is painful because your user IDs are Clerk IDs, not your IDs.

The Verdict

Use NextAuth for any project under 1,000 users or until you actually need org management, MFA, or compliance — then and only then consider Clerk.

Ready to pick the right stack?

Next: What Vercel Does →All Guides