Security
Security at Clever
Clever's goal is to set the highest bar in the industry for student data privacy and security. Learn more about our security and download our whitepaper here.
Security Best Practices
As part of our ongoing commitment to data security and privacy, we require all Clever app account users to activate SSO or two-factor authentication (2FA) by June 30th, 2023.
Login Options
There are three login options available:
- App Dashboard SSO
- Sign in with Google
- Two-factor Authentication
These login options provide a simple, effective way to protect your account from unauthorized access at no cost to you.
Important Note
The email provided in the OAuth token is not verified by Clever. We do not warrant that the email is controlled by the user authenticated by Clever.
Before using the email for any authentication or authorization purpose, ensure to match their Clever ID or have an alternate mechanism to verify the control of the email address.
Since the email address value is controlled by Clever users, a malicious user can use an unverified email in the OAuth flow. This can lead to account takeover if the email is implicitly trusted. Clever IDs are not controlled by the user; they are based on authentication completed with Clever and tied to the user’s identity.
Keep Secrets Secret
Do not send district-app tokens or your client secret (or full authorization headers) through email or other non-secure channels. We recommend excluding them from your code and loading them as environment variables instead.
Security Notice
If our team detects a token or secret sent through email, we will reset the token/secret within 24 hours.
Updated 5 months ago