Authentication (Clerk)
Clerk issues JWTs on the frontend. The web app’sApiProvider wraps
createApi(getToken) so every request includes a Bearer token. On the server,
clerkMiddleware() runs globally and decodes the token.
Authorization (CASL)
Authorization is enforced in two layers:Server resolves ability
The
requireStudioAbility(action, subject) middleware looks up the current
user’s studio membership, builds a CASL ability, and attaches
req.studioMembership and req.ability to the request before any protected
route runs.Roles
MemberRole is one of OWNER, ADMIN, or MEMBER, defined on the
StudioMember that links a User to a Studio.