> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Clerk connector

> C1 provides identity governance for Clerk. Integrate your Clerk instance with C1 for unified visibility and governance over user access.

## Capabilities

| Resource                 | Sync                                                          | Provision |
| ------------------------ | ------------------------------------------------------------- | --------- |
| Users                    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Organizations            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Organization roles       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Organization permissions | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

## Gather Clerk credentials

<Warning>
  Use a Clerk Secret Key for the Clerk instance you want to sync. Clerk Secret
  Keys have broad Backend API access. The connector performs read-only API
  calls, but the key itself is not scoped to read-only access by Clerk.
</Warning>

<Steps>
  <Step>
    Sign in to the Clerk Dashboard and open the application to sync.
  </Step>

  <Step>
    Navigate to **Configure** > **API Keys**.
  </Step>

  <Step>
    Under **Secret keys**, create a new key or copy an existing key.
  </Step>

  <Step>
    Store the key securely. Production keys start with `sk_live_`; development
    keys start with `sk_test_`.
  </Step>
</Steps>

## Configuration fields

| Field        | Required | Description                                                               |
| ------------ | -------- | ------------------------------------------------------------------------- |
| `secret-key` | Yes      | Clerk Secret Key used as the Bearer credential for the Clerk Backend API. |

## Synced resource types

* **Users**: Clerk users from `GET /v1/users`.
* **Organizations**: Clerk organizations from `GET /v1/organizations`.
* **Organization roles**: instance-wide organization role definitions from
  `GET /v1/organization_roles`.
* **Organization permissions**: instance-wide organization permission
  definitions from `GET /v1/organization_permissions`.
* **Organization membership grants**: user memberships emitted as organization
  grants. Each membership receives the generic member grant and, when the
  membership role can be resolved, the matching role grant.

## Special notes

* All Clerk resource types are opt-in.
* Organization memberships are not separate resources; they are grant edges on
  the organization resource.
* The connector resolves membership role keys to stable Clerk role IDs before
  emitting role grants.
* Clerk list APIs use `limit` and `offset` pagination. The connector requests
  the largest supported page size.
* On rate limit responses, the connector follows Clerk's `Retry-After` header.

## Configure the Clerk connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Clerk** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Clerk connector.
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Paste the Clerk Secret Key into **Clerk Secret Key**.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by
        **Connected**. You can view the logs to ensure that information is
        syncing.
      </Step>
    </Steps>

    **Done.** Your Clerk connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to run the Clerk connector in your own
    environment.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Clerk connector, set the owner, and click
        **Next**.
      </Step>

      <Step>
        In the **Settings** area, click **Edit**, then click **Rotate** to
        generate a new Client ID and Client Secret. Store these values
        securely for your deployment.
      </Step>

      <Step>
        Configure C1 credentials and the Clerk Secret Key as environment
        variables:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        BATON_CLIENT_ID=<C1 client ID>
        BATON_CLIENT_SECRET=<C1 client secret>
        BATON_HOST_ID=baton-clerk
        BATON_SECRET_KEY=<Clerk Secret Key>
        ```
      </Step>

      <Step>
        Deploy the connector using the Public ECR image:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        public.ecr.aws/conductorone/baton-clerk:<version>
        ```

        Use a version tag without the leading `v`, such as `0.0.3`.
      </Step>
    </Steps>

    **Done.** Your Clerk connector is now pulling access data into C1.
  </Tab>
</Tabs>