insforge-integrations
insforge/agent-skills
Wire external auth providers (Clerk, Auth0, WorkOS, Kinde, Stytch, Better Auth) or OKX x402 payment into InsForge.
What is insforge-integrations?
Integrates third-party authentication providers and payment facilitators with InsForge. Use this when setting up JWT-based row-level security with an external auth system, or when adding onchain pay-per-use billing via OKX x402 HTTP payment protocol.
- Connect Clerk, Auth0, WorkOS, Kinde, Stytch, or Better Auth for JWT-based RLS policies
- Embed user claims into JWT tokens for row-level security enforcement
- Integrate OKX x402 payment facilitator for onchain pay-per-use billing
- Implement EIP-3009 authorization signing for stablecoin payments on X Layer
- Set up payment settlement with realtime database triggers for live dashboards
- Enforce RLS policies using requesting_user_id() function with string-format user IDs
How to install insforge-integrations
npx skills add https://github.com/insforge/agent-skills --skill insforge-integrations- InsForge project with Postgres database
- JWT secret accessible via npx @insforge/cli secrets get JWT_SECRET
- For auth: credentials/API keys from chosen provider (Clerk, Auth0, WorkOS, Kinde, Stytch, or Better Auth setup)
- For OKX x402: Web3 API key from web3.okx.com/onchainos/dev-portal (not exchange trading API)
- For Better Auth: connection string to your InsForge Postgres
How to use insforge-integrations
- 1.Identify which auth provider or payment facilitator your project uses
- 2.Read the corresponding reference guide (clerk.md, auth0.md, workos.md, kinde.md, stytch.md, better-auth.md, or okx-x402.md)
- 3.Configure the provider's dashboard (API keys, application settings, JWT templates, or Web3 credentials)
- 4.Implement server-side code (JWT utilities for auth; facilitator client + signing for payments)
- 5.Create or update database schema (RLS policies using requesting_user_id() for auth; payment table with tx_hash UNIQUE constraint for x402)
- 6.Set environment variables from the provider setup guide
- 7.Test the integration locally (use MOCK_OKX_FACILITATOR=true for payment testing without real funds)
Use cases
- Adding Clerk authentication with JWT templates to a new InsForge project without server-side signing
- Configuring Auth0 post-login Actions to inject custom claims into access tokens for RLS
- Setting up Better Auth as a self-hosted auth layer in your InsForge Postgres without per-MAU costs
- Implementing OKX x402 payment flow for HTTP endpoints with onchain USDG settlement on X Layer
- Migrating from one auth provider to another while maintaining RLS policy structure
- Backend engineers wiring authentication into InsForge applications
- Full-stack developers implementing row-level security with third-party auth
- SaaS builders adding onchain pay-per-use billing
- Teams evaluating auth providers (Clerk, Auth0, WorkOS, Kinde, Stytch, Better Auth)
- Projects requiring self-hosted auth without SaaS vendor lock-in
insforge-integrations FAQ
Clerk is simplest (JWT Template, no server signing). Auth0 is flexible (post-login Actions). WorkOS is enterprise-focused (AuthKit + server signing). Kinde is developer-friendly. Stytch is API-first. Better Auth is self-hosted in your Postgres with no per-MAU cost.
Use requesting_user_id() instead of auth.uid() — third-party provider IDs are strings, not UUIDs. Also ensure user_id columns are TEXT, not UUID.
Set MOCK_OKX_FACILITATOR=true in your environment. Mock mode returns fake tx hashes and bypasses verification. Never use mock mode in production.
Money has already moved onchain. Always check the insert result and log/handle errors. Use a UNIQUE constraint on tx_hash to prevent duplicate records from retries.
Yes. Better Auth runs self-hosted in your InsForge Postgres via a connection string and a small bridge route. After migration, run REVOKE to seal PostgREST exposure and keep your user table private.
Full instructions (SKILL.md)
Source of truth, from insforge/agent-skills.
name: insforge-integrations description: >- Use when wiring an external auth provider (Clerk, Auth0, WorkOS, Kinde, Stytch, Better Auth) into InsForge for JWT-based RLS, or when adding the OKX x402 payment facilitator for onchain pay-per-use billing. license: Apache-2.0 metadata: author: insforge version: "1.2.0" organization: InsForge date: April 2026
InsForge Integrations
This skill covers integrating third-party providers with InsForge. Currently two categories are supported: auth providers (RLS via JWT claims) and payment facilitators (x402 HTTP payment protocol). Each provider has its own guide under this directory.
Auth Providers
| Provider | Guide | When to use |
|---|---|---|
| Clerk | Clerk JWT Templates + InsForge RLS | Clerk signs tokens directly via JWT Template — no server-side signing needed |
| Auth0 | Auth0 Actions + InsForge RLS | Auth0 uses a post-login Action to embed claims into the access token |
| WorkOS | WorkOS AuthKit + InsForge RLS | WorkOS AuthKit middleware + server-side JWT signing with jsonwebtoken |
| Kinde | Kinde + InsForge RLS | Kinde token customization for InsForge integration |
| Stytch | Stytch + InsForge RLS | Stytch session tokens for InsForge integration |
| Better Auth | Better Auth + InsForge RLS | Self-hosted auth running in your InsForge Postgres — no third-party SaaS, no per-MAU cost |
Payment Facilitators
| Provider | Guide | When to use |
|---|---|---|
| OKX x402 | OKX as x402 facilitator (USDG on X Layer) | Pay-per-use HTTP endpoints settled onchain with zero gas for the payer |
Common Patterns
Auth providers
- Provider signs or issues a JWT containing the user's ID
- JWT is passed to InsForge via
accessTokenincreateClient()(deprecated alias:edgeFunctionToken) - InsForge exposes claims through
auth.jwt()in SQL - RLS policies use a
requesting_user_id()function to enforce row-level security
Payment facilitators (x402)
- Server returns
402 Payment Requiredwith a JSON challenge base64-encoded inPAYMENT-REQUIREDheader - Client signs an EIP-3009 authorization using the stablecoin's EIP-712 domain
- Server forwards the signed payload to the facilitator's
/verify+/settleendpoints - Server records the settled payment in an InsForge table with a realtime trigger for live dashboards
Choosing a Provider
Auth
- Clerk — Simplest setup; JWT Template handles signing, no server code needed
- Auth0 — Flexible; uses post-login Actions for claim injection
- WorkOS — Enterprise-focused; AuthKit middleware + server-side JWT signing
- Kinde — Developer-friendly; built-in token customization
- Stytch — API-first; session-based token flow
- Better Auth — Self-hosted in your Postgres; no SaaS vendor; you own the user table. Pairs cleanly with InsForge's Postgres via a connection string + a small bridge route. Requires a one-time
REVOKEafter migrate to seal PostgREST exposure.
Payment facilitators
- OKX x402 — Onchain pay-per-use via USDG on X Layer; zero gas for the payer
Setup
- Identify which provider the project uses
- Read the corresponding reference guide from the tables above
- Follow the provider-specific setup steps
Usage Examples
Each provider guide includes full code examples for:
- Provider dashboard configuration (API keys, application settings, etc.)
- Server and client code (JWT utilities for auth; facilitator client + signing utilities for payments)
- Database setup (RLS for auth; payment table + realtime trigger for payments)
- Environment variable setup
Refer to the specific references/<provider>.md file for complete examples.
Best Practices
Auth
- All auth provider user IDs are strings (not UUIDs) — always use
TEXTcolumns foruser_id - Use
requesting_user_id()instead ofauth.uid()for RLS policies - Pass the JWT via
accessToken— a static string, not a function; for short-lived tokens (Clerk) sync refreshes withclient.setAccessToken() - Always get the JWT secret via
npx @insforge/cli secrets get JWT_SECRET
Payment facilitators (x402)
- Always check the result of the database
insert(...)after settlement — settlement takes money onchain before the insert runs; a silent DB failure loses the record - Add
UNIQUEto thetx_hashcolumn to prevent duplicate records from retries - Verify EIP-712 domain (
name,version) against the token contract's on-chainDOMAIN_SEPARATOR— wrong values produceInvalid Authorityerrors - Use a
MOCK_OKX_FACILITATORenv flag for local dev so the full flow can be exercised without real funds
Common Mistakes
Auth
| Mistake | Solution |
|---|---|
Using auth.uid() for RLS | Use requesting_user_id() — third-party IDs are strings, not UUIDs |
Using UUID columns for user_id | Use TEXT — all supported providers use string-format IDs |
| Hardcoding the JWT secret | Always retrieve via npx @insforge/cli secrets get JWT_SECRET |
Missing requesting_user_id() function | Must be created before RLS policies will work |
Payments (x402)
| Mistake | Solution |
|---|---|
| Using an OKX exchange trading API key | Create a separate Web3 API key at web3.okx.com/onchainos/dev-portal |
| Wrong EIP-712 domain values | Read the token contract's DOMAIN_SEPARATOR — for USDG on X Layer use name: "Global Dollar", version: "1" |
| Ignoring DB insert error after settlement | Always destructure { error } and log/handle it — money has already moved |
MOCK_OKX_FACILITATOR=true in production | Mock mode is demo-only; it returns fake tx hashes and bypasses verification |
Related skills
More from insforge/agent-skills and the wider catalog.
insforge
SDK integration for InsForge app features: database, auth, storage, functions, AI, realtime, email, and payments.
insforge-cli
Manage InsForge backend infrastructure, databases, deployments, and cloud services via CLI.
insforge-debug
Diagnose InsForge project failures and performance issues using logs, metrics, DB health, and AI-assisted triage.