> ## Documentation Index
> Fetch the complete documentation index at: https://help.getatelier.design/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication & authorization

> How Clerk and CASL secure Atelier.

## Authentication (Clerk)

Clerk issues JWTs on the frontend. The web app's `ApiProvider` wraps
`createApi(getToken)` so every request includes a `Bearer` token. On the server,
`clerkMiddleware()` runs globally and decodes the token.

## Authorization (CASL)

Authorization is enforced in two layers:

<Steps>
  <Step title="Server resolves ability">
    The `requireStudioAbility(action, subject)` middleware looks up the current
    user's studio membership, builds a CASL ability, and attaches
    `req.studioMembership` and `req.ability` to the request before any protected
    route runs.
  </Step>

  <Step title="UI mirrors ability">
    The web app builds an ability from `studio.currentUserRole` in
    `AbilityProvider` and consumes it via `useAbility()` for UI-level permission
    checks (showing or hiding actions).
  </Step>
</Steps>

<Warning>
  UI checks are for display only. The server is the source of truth — every
  protected route must go through `requireStudioAbility`.
</Warning>

## Roles

`MemberRole` is one of `OWNER`, `ADMIN`, or `MEMBER`, defined on the
`StudioMember` that links a `User` to a `Studio`.
