authenticateRequest()
Authenticates a token passed from the frontend. Networkless if the jwtKey is provided. Otherwise, performs a network call to retrieve the JWKS from the Backend API.
function authenticateRequest(
request: Request,
options: AuthenticateRequestOptions,
): Promise<RequestState>- Name
request- Type
Request- Description
Requestobject
- Name
options?- Type
- AuthenticateRequestOptions
- Description
Optional options to configure the authentication.
AuthenticateRequestOptions
It is recommended to set these options as environment variables where possible, and then pass them to the function. For example, you can set the secretKey option using the CLERK_SECRET_KEY environment variable, and then pass it to the function like this: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY }).
- Name
secretKey?- Type
string- Description
The Clerk Secret Key from the API keys page in the Clerk Dashboard.
- Name
publishableKey?- Type
string- Description
The Clerk Publishable Key from the API keys page in the Clerk Dashboard.
- Name
jwtKey?- Type
string- Description
Used to verify the session token in a networkless manner. Supply the JWKS Public Key from the API keys page in the Clerk Dashboard. For more information, refer to Manual JWT verification.
- Name
acceptsToken?- Type
TokenType- Description
Determines what type of authentication token(s) to verify. Valid values are:
'session_token'- authenticates a user session.'oauth_token'- authenticates a machine request using OAuth.'machine_token'- authenticates a machine request.'api_key'- authenticates a machine request using API keys.
If set to
any, the function will authenticate both user sessions and machine requests. Defaults tosession_token.
- Name
domain?- Type
string- Description
The domain for the application. For development, you can pass the localhost your application is running on. For example:
localhost:3001
- Name
isSatellite?- Type
boolean- Description
Set to
trueif the instance is a satellite domain in a multi-domain setup.
- Name
proxyUrl?- Type
string- Description
The proxy URL from a multi-domain setup.
- Name
signInUrl?- Type
string- Description
The sign-in URL from a multi-domain setup.
- Name
signUpUrl?- Type
string- Description
It's recommended to use sign-up URL from a multi-domain setup.
- Name
afterSignInUrl?- Type
string- Description
Full URL or path to navigate to after successful sign in. Defaults to
/.
- Name
afterSignUpUrl?- Type
string- Description
Full URL or path to navigate to after successful sign up. Defaults to
/.
- Name
audience?- Type
string | string[]- Description
A string or list of audiences.
- Name
authorizedParties?- Type
string[]- Description
An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack. For example:
['http://localhost:3000', 'https://example.com']
- Name
clockSkewInMs?- Type
number- Description
Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).
- Name
jwksCacheTtlInMs?(deprecated)- Type
number- Description
Deprecated. Specifying a cache TTL is now a no-op.
- Name
skipJwksCache?- Type
boolean- Description
A flag to skip ignore cache and always fetch JWKS before each jwt verification.
- Name
isAuthenticated- Type
boolean- Description
A boolean that indicates whether the incoming request is authenticated. Initially
false, becomestrueonce the request is authenticated.
- Name
isSignedIn(deprecated)- Type
boolean- Description
Deprecated. Use
isAuthenticatedinstead. Indicates whether the incoming request is authenticated.
- Name
status- Type
'signed-in' | 'signed-out' | 'handshake'- Description
The authentication state.
- Name
reason- Type
string | null- Description
The error code or reason for the current state. When there is a signed-in user, the value will be
null.
- Name
message- Type
string | null- Description
The full error message or additional context. When there is a signed-in user, the value will be
null.
- Name
tokenType- Type
'session_token' | 'oauth_token' | 'machine_token' | 'api_key'- Description
The type of token.
- Name
token- Type
string- Description
The value of the token.
- Name
headers- Type
- Headers
- Description
A
Headersobject containing debug or status headers.
- Name
toAuth()- Type
function- Description
A function that returns the
Authobject. This JavaScript object contains important information like the current user's session ID, user ID, and organization ID. Learn more about the Auth object.
If you are using the JavaScript Backend SDK on its own, you need to provide the secretKey and publishableKey to createClerkClient() so that it is passed to authenticateRequest(). You can set these values as environment variables and then pass them to the function.
import { createClerkClient } from '@clerk/backend'
export async function GET(req: Request) {
const clerkClient = createClerkClient({
secretKey: process.env.CLERK_SECRET_KEY,
publishableKey: process.env.CLERK_PUBLISHABLE_KEY,
})
const { isAuthenticated } = await clerkClient.authenticateRequest(req, {
authorizedParties: ['https://example.com'],
})
if (!isAuthenticated) {
return Response.json({ status: 401 })
}
// Add logic to perform protected actions
return Response.json({ message: 'This is a reply' })
}authenticateRequest() requires publishableKey to be set. If you are importing clerkClient from a higher-level SDK, such as Next.js, then clerkClient infers the publishableKey from your environment variables. The following example uses Next.js, but the same logic applies for other frameworks.
import { clerkClient } from '@clerk/nextjs/server'
const client = await clerkClient()
export async function GET(req: Request) {
const { isAuthenticated } = await client.authenticateRequest(req, {
authorizedParties: ['https://example.com'],
})
if (!isAuthenticated) {
return Response.json({ status: 401 })
}
// Perform protected actions
// Add logic to perform protected actions
return Response.json({ message: 'This is a reply' })
}Machine authentication
By default, authenticateRequest() will authenticate a session request. To authenticate a machine request, you need to set the acceptsToken option to a machine token type, such as 'api_key', 'oauth_token' or 'machine_token'.
import { createClerkClient } from '@clerk/backend'
export async function GET(request: Request) {
const clerkClient = createClerkClient({
secretKey: process.env.CLERK_SECRET_KEY,
publishableKey: process.env.CLERK_PUBLISHABLE_KEY,
})
const { isAuthenticated } = await clerkClient.authenticateRequest(request, {
acceptsToken: 'oauth_token',
})
if (!isAuthenticated) {
return Response.json({ status: 401 })
}
// Add logic to perform protected actions
return Response.json({ message: 'This is a machine-to-machine reply' })
}Networkless token verification
The following example uses the authenticateRequest() method with the JavaScript Backend SDK to verify the token passed by the frontend, and performs a networkless authentication by passing jwtKey. This will verify if the user is signed into the application or not.
import { createClerkClient } from '@clerk/backend'
export async function GET(req: Request) {
const clerkClient = createClerkClient({
secretKey: process.env.CLERK_SECRET_KEY,
publishableKey: process.env.CLERK_PUBLISHABLE_KEY,
})
const { isSignedIn } = await clerkClient.authenticateRequest(req, {
jwtKey: process.env.CLERK_JWT_KEY,
authorizedParties: ['https://example.com'],
})
if (!isSignedIn) {
return Response.json({ status: 401 })
}
// Add logic to perform protected actions
return Response.json({ message: 'This is a reply' })
}Feedback
Last updated on