I would say that beyond the green corridors, the main difference is how global it feels now. Lots of international cuisine, international DJs playing here, foreigners around, real estate ads in English, etc.
But the prices of "nationally-distributed" "things" (e.g. laundry detergent right?) pretty much adheres to the national trend...
...however rent in Medellín has gone up in these past 2 years too, like in some places it has gone up to double, gotta account for inflation (in USD terms you know) too but still...
Unless you’re in tech or a few other sectors (eg: long tail exports such the company that manufactures transistors for Tesla, which is near here) the local job market is very bad. Particularly with new prices, in the wealthy areas it’s comparable to a city like Lisbon now.
If you have a remote job however, it’s a no brainer. For example, renting a 3 bedroom in a wealthy area (through the local route, not Airbnb) within a gated community that has a pool, a gym, etc = $1,000. A private maid/chef once per week = $80. Normal Uber ride = $4-$6. Meal for 2 in a very fancy restaurant = $50 - $75.
Regarding the crimes against some foreigners:
- It shouldn’t happen. That’s why we elected a new major with a very different philosophy from the previous one.
- 1,8M foreigners came here in 2023 and 35 got killed. Again, the number should be 0, but once you see it as a statistic it feels improbable.
- If you don’t do ilegal stupid stuff you shouldn’t be doing in the first place (you know what I’m talking about) you’ll be fine.
I dunno man, I'm a nomad, I looked long and hard at where to spend a few months this winter and Medellin sounded attractive...until I read more about it.
No thank you. 35 deaths is the worst possible outcome. I don't want to leave the house in fear of getting mugged at knife/gun point and I'm sure those stats aren't even remote to being listed/accurate anywhere.
A significant portion of deaths resulted from drug overdose, and there was also a notable absence of acknowledgment regarding criminal activities perpetrated by migrants/tourists who arrived last year, despite numerous reported cases.
Hey, the idea of delegating this to the front end is very interesting! I've integrated Auth0 before and felt that it was clunky for designing more customized flows from the UX/UI POV.
1. With the new server components paradigm, React and Next have gone through a lot of changes around how SSR is done. Are your helper functions (currentUser(), currentOrg(), etc.) compatible with both the old and new approaches? Or is adapting to both one of your current technical challenges?
2. Are you open to candidates in the Americas time zones (LatAm)?
1. It's a great question and we're still learning the answer. But, I believe the approach is ~95% compatible, and the last 5% just needs tweaking on the margins vs a major overhaul. Let me try to explain...
First: SSR definitely makes the framing of "frontend api" vs "backend api" very confusing. So ignore that, and think of it purely as "api authenticated with a session token" vs "api authenticated with a secret key."
I think authenticating via session token is the key to enabling faster development with Clerk than tools like Auth0 (or even Stripe/Twilio/etc). The reason why is that it shifts the problem of _authorization_ from our customer's backend to Clerk's backend.
As an example, consider a user updating their email...
In the past, you would build a frontend for collecting their new email, send it to your backend, ensure that the user is updating their own name (the authorization step), then forward the update along to your account system (Auth0, your own database, whatever).
With Clerk, you build a frontend for collecting their new email, then send it straight to Clerk to handle the update with the user's session token. We are responsible for ensuring the update is to the users own account, and there's no requirement to hop to your backend to relay the secret key.
In the end, that hop to the backend and authorization check is responsible for a lot of the "clunk" that Clerk eliminates. And ultimately, SSR doesn't change our ability to make things easier – we can authenticate our API with a session token just-as-well during SSR as we can from the frontend.
This feels like a paradox, right? A session token has such limited power compared to secret key, so surely it can't be used to build an easier API. But in practice, confidently knowing which user is making the request is necessary for shifting the authorization step to our service.
I'd add that this idea isn't particularly novel. Stripe Checkout depends on a CheckoutSession object, which you initialize by passing in the active user's ID. So there, you see that Stripe having the active user's ID enables them remove a ton of steps for building a checkout. Implicitly, under-the-hood Checkout relies on an API that uses a session token for authentication.
We just took the idea one step further and are exposing the API, instead of only using it to power a single, fairly rigid UI. With Clerk, developers can use React Hooks to build their own UI.
---
Now, regarding the 5% that we still need to figure out. It pertains exactly to the currentUser() and currentOrg() functions you're calling out. Those are compatible, but they require some extra thoughtfulness.
As an example, Clerk's User object has a field called "privateMetadata". From the backend, it's completely okay for currentUser() to return this private data, but Clerk needs to make sure it doesn't leak to the frontend. That creates some oddities - the User object on frontend is different than on backend, and I don't think we've really nailed the ergonomics / education on this part yet. But it generally feels like a solvable problem.
> A session token has such limited power compared to secret key
Does it though? Sure, it has different threat models, and you may choose to assign it different trust levels, but fundamentally (as I understand it) every session token _is_ a secret key, with added benefits.
Awesome! I applied. Just letting you know in case the system flags because I clicked "no" when asked if I'm in the US or the EU.
I agree that SSR makes the "frontend VS backend API" separation very confusing. Session token VS secret key is a better framing for this, and there's a very interesting insight into the paradox that you described! The ergonomics you mention for ensuring consistency sounds like a very interesting technical challenge.
Great product! I really liked the UI/UX, and the fact that you provide an example is awesome. I played around with it for about 10 minutes, but one thing wasn't entirely clear to me: How do I import my API if it's not an NPM package?
Thanks for the feedback! Today, you need to script API calls with an http client like axios. We're working on a feature that will let you import a swagger or har file, and autogenerate most of the test.
Besides this, you can also see on our repository that we only send line diffs, titles of pull requests, and descriptions of pull requests to the GPT API, not your entire codebase.
reply