Authentication

Clerk v6 integration

Authentication uses Clerk v6 with hash-based routing for login and registration (/login#, /register#). This approach avoids dedicated route segments for auth pages and keeps the URL structure clean. The Clerk middleware runs on every request, using auth.protect() to gate protected routes before they reach the handler.

Routes are split into public and protected segments via the middleware matcher. API routes under /(api|trpc)(.*) are automatically protected — unauthenticated requests receive a 404 response (Clerk's rewrite behavior, not the route handler). Dashboard routes require a valid session. Public routes like the marketing pages and legal pages pass through without checks.

Environment-aware switching

The authentication layer switches between real and test mode based on environment variables. In development, a demo mode provides pre-configured test credentials so local iteration does not require a live Clerk instance. In production, all auth flows route through Clerk's hosted components with multi-provider support, MFA, and session management.