GuidesClever App DashboardAPI Postman CollectionClever AcademySupportStatus
Guides
Start typing to search…

Clever Single Sign-On Quickstart Guide

Configure Clever Single Sign-On, send users through the OAuth flow, and identify the signed-in user.

Use this page to configure Clever Single Sign-On, send users through the OAuth flow, and identify the signed-in user.

Overview

Clever Single Sign-On uses the OAuth 2.0 authorization code flow to authenticate teachers, students, staff, and district admins without requiring a separate set of credentials for your app.

This quickstart walks you through:

  1. configuring redirect URIs
  2. sending users to Clever for authentication
  3. exchanging the authorization code for an access token
  4. identifying the signed-in user with /v3.0/me

How end users sign in with Clever

Clever Single Sign-On supports three common login paths.

🚧

Support Clever Portal login

Most Clever users launch apps from the Clever Portal. Clever strongly recommends that your integration support Clever Portal login, even if you also support Log in with Clever on your own site.

1. Clever Portal

Users can launch your app from the Clever Portal after a district or user connection has been established.

To learn more about the Clever Portal, see this Help Center article.

2. Authorization link for Log in with Clever

You can add a Log in with Clever ("LIWC") button to your login page and send users to Clever’s authorization endpoint.

Example authorization URL:

https://clever.com/oauth/authorize?response_type=code&redirect_uri=<YOUR_REDIRECT_URI>&client_id=<YOUR_CLIENT_ID>

3. Instant Login link

Some districts prefer to launch apps through Instant Login links instead of the Clever Portal.

Example Instant Login URL:

https://clever.com/oauth/instant-login?client_id=<YOUR_CLIENT_ID>&district_id=<DISTRICT_ID>

🚧

Clever Library and Instant Login

Instant Login links do not work for Clever Library integrations.

📘

Field access depends on integration type

See https://clever.com/schema for field-level access by integration type.

Supported SSO technologies

Clever supports:

  • OAuth 2.0
  • OpenID Connect (OIDC)
  • SAML

For implementation details, see:

🚧

SAML is not supported for Clever Library

SAML requires district-level configuration, so it is not compatible with Clever Library.

🚧

OIDC is not supported for Clever Library

Clever Library integrations should use the /userinfo endpoint instead of an ID token. If you need more guidance, contact Clever Support through the Help Center chat.

Prerequisites

Before you begin:

  1. Create a Clever developer account at apps.clever.com/signup.
  2. Find your client ID and client secret in your Clever App Dashboard under Settings.

Step 1: Configure redirect URIs

When a user authenticates with Clever, Clever redirects the browser back to your application with a temporary authorization code.

  1. Sign in to your Clever App Dashboard.
  2. Open Settings > Redirect URIs.
  3. Add the exact URL where your backend will handle the OAuth callback.
    • Example local URL: https://localhost:3000/auth/clever/callback
    • Example production URL: https://yourapp.com/auth/clever/callback
🚧

Redirect URIs must match exactly

Clever strictly validates the redirect URI. It must match exactly what you send in your OAuth requests, including trailing slashes.

Step 2: Create the Log in with Clever request

To start the SSO flow, send the user to Clever’s authorization endpoint. This can happen when the user clicks your app in the Clever Portal or clicks a Log in with Clever button on your site.

Redirect the user to:

https://clever.com/oauth/authorize?response_type=code&redirect_uri=<YOUR_REDIRECT_URI>&client_id=<YOUR_CLIENT_ID>

After the user signs in, Clever redirects them back to your redirect_uri with an authorization code:

https://yourapp.com/auth/clever/callback?code=1234567890abcdef

Step 3: Exchange the code for an access token

Once your backend receives the authorization code, exchange it for an access token. This step must happen on your server because it uses your client secret.

curl -X POST "https://clever.com/oauth/tokens" \
  -d '{
        "code": "1234567890abcdef",
        "grant_type": "authorization_code",
        "redirect_uri": "<YOUR_REDIRECT_URI>"
      }' \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic <BASE64_ENCODED_CLIENT_ID:CLIENT_SECRET>"
🚧

Build the Basic Auth header correctly

The Authorization header must contain your client ID and client secret joined by a colon and Base64-encoded.

If the request succeeds, Clever returns a response similar to:

{
  "access_token": "token_abc123..."
}

Step 4: Identify the user

Use the access token to call /v3.0/me and identify the signed-in user.

curl -X GET "https://api.clever.com/v3.0/me" \
  -H "Authorization: Bearer token_abc123..."

Example response:

{
  "data": {
    "id": "5f3e4b1c...",
    "district": "5de12345...",
    "type": "student",
    "name": {
      "first": "John",
      "last": "Doe"
    }
  },
  "links": [...]
}

Use the id from this response to look up the user in your database and start an application session.

What’s next?

  • Map users to your database
    Use /v3.0/me to identify the user. If you also need roster data, use the user ID with Secure Sync endpoints such as /v3.0/users/{id}.

  • Test with sandbox users
    Use the Custom Test User tool in your Clever Dashboard to simulate logins for different user types.

Updated 1 day ago

What’s Next