Neon•4mo ago

Clerk + Neon RLS configuration

Hello, I have setup Clerk with Neon/Drizzle but am getting RLS errors in production when I enable RLS on the Users table:

  query: 'select "id", "clerkId", "firstName", "lastName", "email", "role", "analyticsEnabled", "errorMonitoringEnabled" from "User" where "User"."clerkId" = $1',
  params: [Array],
  [cause]: Error [NeonDbError]: Server error (HTTP status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"
      at bv.execute (.next/server/chunks/6880.js:30:3757)
      at async (.next/server/chunks/6880.js:2:12144)
      at async p.queryWithCache (.next/server/chunks/6880.js:34:10323)
      at async p.execute (.next/server/chunks/6880.js:2:12101)
      at async (.next/server/app/api/trpc/[trpc]/route.js:8:70264)
      at async bI.middlewares (.next/server/app/api/trpc/[trpc]/route.js:5:7696)
      at async bM (.next/server/app/api/trpc/[trpc]/route.js:8:69)
      at async b (.next/server/app/api/trpc/[trpc]/route.js:5:7932)
      at async (.next/server/app/api/trpc/[trpc]/route.js:1:36558) {
    severity: undefined,
    code: undefined,
    detail: undefined,
    hint: undefined,
    position: undefined,
    internalPosition: undefined,
    internalQuery: undefined,
    where: undefined,
    schema: undefined,
    table: undefined,
    column: undefined,
    dataType: undefined,
    constraint: undefined,
    file: undefined,
    line: undefined,
    routine: undefined,
    sourceError: undefined
  }
}

  query: 'select "id", "clerkId", "firstName", "lastName", "email", "role", "analyticsEnabled", "errorMonitoringEnabled" from "User" where "User"."clerkId" = $1',
  params: [Array],
  [cause]: Error [NeonDbError]: Server error (HTTP status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"
      at bv.execute (.next/server/chunks/6880.js:30:3757)
      at async (.next/server/chunks/6880.js:2:12144)
      at async p.queryWithCache (.next/server/chunks/6880.js:34:10323)
      at async p.execute (.next/server/chunks/6880.js:2:12101)
      at async (.next/server/app/api/trpc/[trpc]/route.js:8:70264)
      at async bI.middlewares (.next/server/app/api/trpc/[trpc]/route.js:5:7696)
      at async bM (.next/server/app/api/trpc/[trpc]/route.js:8:69)
      at async b (.next/server/app/api/trpc/[trpc]/route.js:5:7932)
      at async (.next/server/app/api/trpc/[trpc]/route.js:1:36558) {
    severity: undefined,
    code: undefined,
    detail: undefined,
    hint: undefined,
    position: undefined,
    internalPosition: undefined,
    internalQuery: undefined,
    where: undefined,
    schema: undefined,
    table: undefined,
    column: undefined,
    dataType: undefined,
    constraint: undefined,
    file: undefined,
    line: undefined,
    routine: undefined,
    sourceError: undefined
  }
}

  query: 'select "id", "clerkId", "firstName", "lastName", "email", "role", "analyticsEnabled", "errorMonitoringEnabled" from "User" where "User"."clerkId" = $1',
  params: [Array],
  [cause]: Error [NeonDbError]: Server error (HTTP status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"
      at bv.execute (.next/server/chunks/6880.js:30:3757)
      at async (.next/server/chunks/6880.js:2:12144)
      at async p.queryWithCache (.next/server/chunks/6880.js:34:10323)
      at async p.execute (.next/server/chunks/6880.js:2:12101)
      at async (.next/server/app/api/trpc/[trpc]/route.js:8:70264)
      at async bI.middlewares (.next/server/app/api/trpc/[trpc]/route.js:5:7696)
      at async bM (.next/server/app/api/trpc/[trpc]/route.js:8:69)
      at async b (.next/server/app/api/trpc/[trpc]/route.js:5:7932)
      at async (.next/server/app/api/trpc/[trpc]/route.js:1:36558) {
    severity: undefined,
    code: undefined,
    detail: undefined,
    hint: undefined,
    position: undefined,
    internalPosition: undefined,
    internalQuery: undefined,
    where: undefined,
    schema: undefined,
    table: undefined,
    column: undefined,
    dataType: undefined,
    constraint: undefined,
    file: undefined,
    line: undefined,
    routine: undefined,
    sourceError: undefined
  }
}

  query: 'select "id", "clerkId", "firstName", "lastName", "email", "role", "analyticsEnabled", "errorMonitoringEnabled" from "User" where "User"."clerkId" = $1',
  params: [Array],
  [cause]: Error [NeonDbError]: Server error (HTTP status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"
      at bv.execute (.next/server/chunks/6880.js:30:3757)
      at async (.next/server/chunks/6880.js:2:12144)
      at async p.queryWithCache (.next/server/chunks/6880.js:34:10323)
      at async p.execute (.next/server/chunks/6880.js:2:12101)
      at async (.next/server/app/api/trpc/[trpc]/route.js:8:70264)
      at async bI.middlewares (.next/server/app/api/trpc/[trpc]/route.js:5:7696)
      at async bM (.next/server/app/api/trpc/[trpc]/route.js:8:69)
      at async b (.next/server/app/api/trpc/[trpc]/route.js:5:7932)
      at async (.next/server/app/api/trpc/[trpc]/route.js:1:36558) {
    severity: undefined,
    code: undefined,
    detail: undefined,
    hint: undefined,
    position: undefined,
    internalPosition: undefined,
    internalQuery: undefined,
    where: undefined,
    schema: undefined,
    table: undefined,
    column: undefined,
    dataType: undefined,
    constraint: undefined,
    file: undefined,
    line: undefined,
    routine: undefined,
    sourceError: undefined
  }
}

Can someone please advise how I can resolve this issue?
Thank you!

instant-harlequin•9/11/25, 2:05 AM

Hey!
Have you added the pg_session_sessionpg_session_session extension? And have you set up your JWKS URL in the Neon Console?
This doc might be handy to you for setting up RLS with Neon Auth : https://neon.com/docs/guides/neon-rls-clerk

Neon

Secure your data with Clerk and Neon RLS - Neon Docs

Clerk + Neon RLS Neon RLS Tutorial Manual JWT verification Simplify RLS with Drizzle Use Clerk with Neon RLS to add secure, database level authorization to your application. This guide assumes you alr...

Iinstant-harlequin Hey! Have you added the `pg_session_session` extension? And have you set up your...

verbal-limeOP•9/11/25, 2:26 AM

Hi Sam, yes I've added the JWKS URL from Clerk (generated using their JWT template for Neon)

verbal-limeOP•9/11/25, 2:26 AM

Let me double check regarding the pg_session_sessionpg_session_session extension

verbal-limeOP•9/11/25, 2:28 AM

I have these 2 configured on the Neon branch:

Available JWT/session extensions:
  - pg_session_jwt v0.3.1: pg_session_jwt: manage authentication sessions using JWTs
  - pgjwt v0.2.0: JSON Web Token API for Postgresql

Available JWT/session extensions:
  - pg_session_jwt v0.3.1: pg_session_jwt: manage authentication sessions using JWTs
  - pgjwt v0.2.0: JSON Web Token API for Postgresql

verbal-limeOP•9/11/25, 2:30 AM

I see it says: "Neon RLS is available only in private preview. Contact Support if you'd like to use it." in the docs, do I need to take any additional steps to turn RLS on in my database? I've raised a support ticket but not sure what the status of it is

instant-harlequin•9/11/25, 1:29 PM

No additional steps are needed, support should get back to you soon

Iinstant-harlequin No additional steps are needed, support should get back to you soon 🙂

verbal-limeOP•9/11/25, 1:33 PM

Hi @Sam , I got a reply back from Support but the RLS queries are still failing. Do I need to take any other actions? Same error as before:

  query: 'select "analyticsEnabled", "errorMonitoringEnabled" from "User" where "User"."clerkId" = $1',
  params: [Array],
  [cause]: Error [NeonDbError]: Server error (HTTP status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"

  query: 'select "analyticsEnabled", "errorMonitoringEnabled" from "User" where "User"."clerkId" = $1',
  params: [Array],
  [cause]: Error [NeonDbError]: Server error (HTTP status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"

It is not clear from their email if they enabled RLS on the project, seems like they are suggesting me to switch to the Neon Data API which is not realistic for me at this time.

instant-harlequin•9/11/25, 1:33 PM

Let me ping internally

instant-harlequin•9/11/25, 1:36 PM

What was your ticket number?

verbal-limeOP•9/11/25, 1:37 PM

where can I find the ticket number?

verbal-limeOP•9/11/25, 1:37 PM

ah sorry. Ticket # 7950 - Requesting RLS Access

verbal-limeOP•9/11/25, 4:56 PM

hi @Sam , sorry to ping you again - have you heard anything from support? I am trying to figure out how I can unblock my production release. thanks

instant-harlequin•9/11/25, 4:57 PM

I haven’t heard back yet. Looks like we are sunsetting Neon RLS, but we should be able to get you set up for now. Sorry for this delay!

verbal-limeOP•9/11/25, 4:59 PM

No problem, thanks for letting me know. Just to understand for the future, would the alternative be migrating to the Neon Data API? how substantial of a task would this be?

instant-harlequin•9/11/25, 7:57 PM

Yes, the Neon Data API is the successor to the Neon RLS. If you enable the Neon Data API, and run normal queries with auth.user_id()auth.user_id(), does that work for you? or are you only able to use that through connections coming from the postgrest endpoint?

verbal-limeOP•9/11/25, 10:22 PM

Let me try enabling and see if the queries are successful. I am using Drizzle ORM, if it makes any difference

instant-harlequin•9/11/25, 11:05 PM

Nope, it should all work the same

verbal-limeOP•9/11/25, 11:32 PM

Hi @Sam , this is the error I get when I try to enable Neon data API with the attached Clerk JWKS

Screenshot_2025-09-12_at_12.31.46_AM.png

instant-harlequin•9/12/25, 1:19 AM

That's most likely because Neon RLS had been enabled, if you try with afresh db/project?

Iinstant-harlequin That's most likely because Neon RLS had been enabled, if you try with afresh db/...

verbal-limeOP•9/12/25, 2:19 AM

Hi @Sam , thanks for the response - I tried to enable the Neon Data API on 2 other projects and got the same error. The original queries on the main project still return the same error, so I don't think RLS has been enabled:

prisma:error Server error (HTTP
 status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"

prisma:error Server error (HTTP
 status 500): "{\"message\":\"could not set up the JWT authorization database extension\",\"code\":\"\",\"detail\":null,\"hint\":null,\"position\":null,\"internalPosition\":null,\"internalQuery\":null,\"severity\":\"\",\"where\":null,\"table\":null,\"column\":null,\"schema\":null,\"dataType\":null,\"constraint\":null,\"file\":null,\"line\":null,\"routine\":null}"

instant-harlequin•9/12/25, 2:21 AM

And if you access the tables from the PostgREST endpoint does it work?
I think it would be great if the Data API still let users use it as they would Neon RLS. I’ll try some things on my end and forward this internally. Thank you for trying so many things!

Iinstant-harlequin And if you access the tables from the PostgREST endpoint does it work? I think i...

verbal-limeOP•9/12/25, 2:31 AM

where can I find the PostgREST endpoint URL in the Neon console?

instant-harlequin•9/12/25, 2:33 AM

It's in the Data API tab

verbal-limeOP•9/12/25, 2:33 AM

ah yeah, I am unable to enable the Data API

verbal-limeOP•9/12/25, 2:33 AM

instant-harlequin•9/12/25, 2:34 AM

Is that happening even on a fresh project?

verbal-limeOP•9/12/25, 2:37 AM

yes just tried a fresh project, with the same Clerk JWKS URL, and got the same error

instant-harlequin•9/12/25, 2:37 AM

That's unfortunate, thank you for trying. I'll make sure to try things on my end and forward this.

verbal-limeOP•9/12/25, 2:38 AM

do you think it could be an issue with Clerk? I created a fresh Clerk project yesterday to re-create the JWKS URL, and the project uses the standard JWT template that Clerk provides for Neon.

verbal-limeOP•9/12/25, 2:39 AM

I am not sure if this is helpful but this is how I'm initializing the RLS usage:

// Development client (no RLS)
export function createDrizzleClient() {
  if (!process.env.DATABASE_URL) {
    throw new Error('DATABASE_URL environment variable is required');
  }

  return createNeonClient(process.env.DATABASE_URL);
}

// Production client with RLS support using neon-http for JWT authentication
export function createDrizzleClientWithRLS(jwt?: string) {
  if (!process.env.DATABASE_AUTHENTICATED_URL) {
    throw new Error(
      'DATABASE_AUTHENTICATED_URL environment variable is required for RLS',
    );
  }

  console.log('🔑 Creating RLS client with Neon HTTP driver for JWT authentication');

  // Use neon-http driver with JWT authorization for RLS
  const sql = neon(process.env.DATABASE_AUTHENTICATED_URL, {
    authToken: jwt,
  });

  return drizzleHttp(sql, { schema });
}

// Development client (no RLS)
export function createDrizzleClient() {
  if (!process.env.DATABASE_URL) {
    throw new Error('DATABASE_URL environment variable is required');
  }

  return createNeonClient(process.env.DATABASE_URL);
}

// Production client with RLS support using neon-http for JWT authentication
export function createDrizzleClientWithRLS(jwt?: string) {
  if (!process.env.DATABASE_AUTHENTICATED_URL) {
    throw new Error(
      'DATABASE_AUTHENTICATED_URL environment variable is required for RLS',
    );
  }

  console.log('🔑 Creating RLS client with Neon HTTP driver for JWT authentication');

  // Use neon-http driver with JWT authorization for RLS
  const sql = neon(process.env.DATABASE_AUTHENTICATED_URL, {
    authToken: jwt,
  });

  return drizzleHttp(sql, { schema });
}

instant-harlequin•9/12/25, 2:40 AM

I doubt it since its at the role creation for the Data API. I'll try and reproduce

verbal-limeOP•9/12/25, 2:43 AM

thank you! I am going to log off for now but will be back in a few hours.

verbal-limeOP•9/12/25, 9:56 AM

hi @Sam did you have any luck reproducing the issue?

verbal-lime•9/12/25, 4:52 PM

Hi @llobanov do you want to use Neon RLS or the Data API? I see some messages related for the Data API for the code snippet you provider is for Neon RLS

verbal-limeOP•9/12/25, 5:14 PM

hi Luis, ideally I wanted to use Neon RLS but Sam suggested to try enabling the Neon Data API, which threw an error when I tried to enable it. Ideally I would like to get RLS working as it is blocking my production release

instant-harlequin•9/12/25, 5:16 PM

For context, it's looking like we are sunsetting Neon RLS, so I'm looking for a way to use the Data API in the same way that one might with Neon RLS. I.e. without touching the exposed postgREST compatible API

verbal-lime•9/12/25, 5:31 PM

Hi @llobanov indeed we are sunsetting Neon RLS. In order to migrate to the Data API you will need to delete the authenticator and authenticated roles of your database and then enable the Data API. If you want to still use Neon RLS you'll need to use the API (https://api-docs.neon.tech/reference/getting-started-with-neon-api) and call the "Add JWKs" endpoint with role_namesrole_names set to authenticatedauthenticated and anonymousanonymous

Neon

Neon API Reference

This page will help you get started with the Neon API

Vverbal-lime Hi @llobanov indeed we are sunsetting Neon RLS. In order to migrate to the Data ...

verbal-limeOP•9/12/25, 5:37 PM

I see. In that case why did I get the above error when trying to enable Data API on a completely new project with no pre-existing configuration?

Vverbal-lime Click to see attachment

verbal-lime•9/12/25, 5:40 PM

you got this on a new project?

sour-pink•9/12/25, 5:46 PM

@llobanov as for an example how to use drizzle for the schema and rls management + the new data api, you can take a look at this template: https://github.com/neondatabase-labs/neon-data-api-neon-auth . It uses neon auth, but it shouldn't be that hard to adapt to clerk.

GitHub

GitHub - neondatabase-labs/neon-data-api-neon-auth: A note taking a...

A note taking app powered by Neon Data API and Neon Auth - neondatabase-labs/neon-data-api-neon-auth