JWT format support for OAuth access tokens
- Category
- Product
- Published
OAuth access tokens can now be issued as JWTs, enabling networkless verification and better compatibility with third-party tools.
JWTs are now the default for newly created applications, while existing applications continue using opaque tokens unless changed.
Why JWT?
JWT access tokens offer several advantages:
- Networkless verification — JWTs can be verified locally using your instance's public key, without making a network request to Clerk's servers
- Self-contained — All necessary information (user ID, scopes, expiration) is embedded in the token itself
- Better compatibility — Many third-party tools and libraries expect JWT tokens
When to use opaque tokens
Opaque tokens remain valuable for security-sensitive scenarios:
- Instant revocation — Opaque tokens can be invalidated immediately, while JWTs remain valid until they expire
How to configure
To change your OAuth access token format:
- Navigate to OAuth applications in the Clerk Dashboard
- Select the Settings tab
- Toggle Generate access tokens as JWTs on or off
- Save your changes
Clerk's SDKs automatically handle verification for both token formats — no code changes are required when switching between them. For manual verification of JWT tokens outside of Clerk's SDKs, use the same approach as session token verification with your instance's public key.
For more details on the differences between token formats, see the token formats documentation.