Leaked Clerk secret key — impersonate any user

Clerk secret keys authorize server-side operations including session creation, user impersonation, and organization management. Leakage = account takeover for every user.

The next 60 seconds matter

The attacker calls Clerk's backend API with the key, creating session tokens for any user ID they know. They then use those tokens against your app as if they were the user. User data, payments, private messages — all accessible.

  • Forge session tokens for any user
  • Enumerate users via Clerk's Users API
  • Delete sessions to lock out legitimate users
  • Modify user metadata, including admin flags if you store them there

Rotation playbook

  1. Clerk Dashboard → API Keys → Roll secret key
  2. Update every environment — the old key stops working within seconds
  3. Review Clerk's Activity log for unexpected sign-ins in the past 24 hours

Prevent the next one

  • Never ship Clerk secret keys to the client (use publishable keys)
  • Enable Clerk's Anti-bot + rate-limiting features
  • Rotate keys quarterly

Pattern we scan for
sk_live_... / sk_test_...
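As an added example (not Clerk's code or part of the original runbook), the scanner below implements the pattern above over the text of a source or .env file and additionally flags the case the "never ship to the client" rule is about: a secret key assigned to an environment variable whose prefix bundlers publish to the browser. Assumptions: a Clerk secret key is `sk_live_` or `sk_test_` followed by at least 20 alphanumeric characters (the exact length is not stated on the page); the client-exposed prefixes `NEXT_PUBLIC_`, `VITE_` and `REACT_APP_` are those used by Next.js, Vite and Create React App. Note that Stripe secret keys share the `sk_live_` / `sk_test_` prefix, so a hit is a candidate to verify against the Clerk dashboard, not proof of a Clerk key.

```javascript
// Added example, not Clerk's own code. Scans text for secret-key candidates and
// reports whether each one sits in an env var that would be shipped to the client.

// Assumption: prefix sk_live_/sk_test_ plus >= 20 alphanumerics. Shared with Stripe.
const SECRET_KEY_RE = /\bsk_(live|test)_[A-Za-z0-9]{20,}/g;

// Env var prefixes that Next.js, Vite and CRA inline into browser bundles.
const CLIENT_EXPOSED_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];

// Matches "KEY=value" or "export KEY=value" lines and captures the variable name.
const ENV_ASSIGNMENT_RE = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=/;

// Keep prefix and last four characters so a finding is actionable without re-leaking the key.
function redact(key) {
  return key.slice(0, 8) + '...' + key.slice(-4);
}

function isClientExposedVar(name) {
  return CLIENT_EXPOSED_PREFIXES.some((p) => name.startsWith(p));
}

// Returns one finding per key candidate: source, 1-based line, live/test,
// redacted value, whether the assignment would reach the client, and a severity.
function scanText(text, sourceName) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const envMatch = line.match(ENV_ASSIGNMENT_RE);
    const exposedVar = envMatch !== null && isClientExposedVar(envMatch[1]);
    for (const m of line.matchAll(SECRET_KEY_RE)) {
      const environment = m[1]; // 'live' or 'test'
      findings.push({
        source: sourceName,
        line: idx + 1,
        environment,
        redacted: redact(m[0]),
        clientExposed: exposedVar,
        // A live key in any location is critical; a test key becomes critical
        // only when it is about to be bundled into client code.
        severity: environment === 'live' || exposedVar ? 'critical' : 'high',
      });
    }
  });
  return findings;
}

// Constructed sample .env; the key values are placeholders, not real keys.
const SAMPLE_ENV = [
  '# constructed sample, not a real project file',
  'NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_EXAMPLEpublishable00000000000',
  'CLERK_SECRET_KEY=sk_test_EXAMPLE0000000000000000000000',
  'NEXT_PUBLIC_CLERK_SECRET_KEY=sk_live_EXAMPLE1111111111111111111111',
].join('\n');

function demo() {
  return scanText(SAMPLE_ENV, '.env.local');
}

for (const f of demo()) {
  console.log(`${f.severity.toUpperCase()} ${f.source}:${f.line} ${f.redacted} ` +
    `(${f.environment}${f.clientExposed ? ', assigned to a client-exposed variable' : ''})`);
}
```

Feed `scanText` the contents of each tracked file from a pre-commit or CI hook; the publishable key on line 2 is correctly ignored, the server-side secret on line 3 is reported, and line 4 is escalated because the `NEXT_PUBLIC_` prefix would put the live secret into the browser bundle.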