Commit cfac443

committed
wip
1 parent 8844211 commit cfac443

3 files changed

+232
-217
lines changed

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
---
2+
title: Build a custom authentication flow with Client Trust
3+
description: Learn how to build a custom authentication flow that supports Client Trust.
4+
---
5+
6+
<Include src="_partials/custom-flows-callout" />
7+
8+
<If sdk={["nextjs", "react", "expo", "js-frontend", "react-router", "tanstack-react-start"]}>
9+
> [!IMPORTANT]
10+
> This guide applies to the following Clerk SDKs:
11+
>
12+
> - `@clerk/react` v6 or higher
13+
> - `@clerk/nextjs` v7 or higher
14+
> - `@clerk/expo` v3 or higher
15+
> - `@clerk/react-router` v3 or higher
16+
> - `@clerk/tanstack-react-start` v0.26.0 or higher
17+
>
18+
> If you're using an older version of one of these SDKs, or are using the legacy API, refer to the [legacy API documentation](/docs/guides/development/custom-flows/authentication/legacy/email-password).
19+
</If>
20+
21+
Client Trust is Clerk's defense against [credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing) attacks - a type of attack where bad actors use lists of stolen passwords to attempt to gain unauthorized access to user accounts.
22+
23+
When Client Trust is enabled, when a user is signing in with a password on a new client (e.g. device), users will always be challenged for a [second factor](!second-factor). If you have multi-factor authentication (MFA) enabled, users may have already configured a second factor, such as SMS verification code or authenticator app. If you don't have MFA enabled, or if the user has not yet configured one, a one-time email code (default), SMS code, or email link will be used, depending on your application's settings.
24+
25+
This guide will demonstrate how to build a custom sign-in flow that supports the second factor strategies: email code and email link. To support SMS code or authenticator app, see the [MFA custom flow guide](/docs/guides/development/custom-flows/authentication/email-password-mfa).
26+
27+
## Build the custom flow
28+
29+
When Client Trust requires verification, the sign-in attempt will return a status of `needs_second_factor`.
30+
31+
### Email code
32+
33+
### Email link
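
Review bot: The `### Email code` and `### Email link` headings at new lines 31 and 33 have no body, although line 25 says the guide will demonstrate a custom sign-in flow for both strategies and line 29 introduces the `needs_second_factor` status without showing how to handle it. Fill in the steps under each heading, or drop the headings until the content exists, so the page does not ship as a stub. Two smaller points: the `<If sdk={[...]}>` on line 8 includes `js-frontend`, but the callout inside it lists no package or minimum version for that SDK; and line 23 opens with a doubled "when" and shifts from "a user" to "users", which could read "When Client Trust is enabled and a user signs in with a password on a new client (e.g. device), they will always be challenged for a second factor."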
