verifyToken()
Verifies a Clerk-generated token signature. Networkless if the jwtKey is provided. Otherwise, performs a network call to retrieve the JWKS from the Backend API.
function verifyToken(
token: string,
options: VerifyTokenOptions,
): Promise<JwtReturnType<JwtPayload, TokenVerificationError>>- Name
token- Type
string- Description
The token to verify.
- Name
options- Type
VerifyTokenOptions- Description
Options for verifying the token.
VerifyTokenOptions
It is recommended to set these options as environment variables where possible, and then pass them to the function. For example, you can set the secretKey option using the CLERK_SECRET_KEY environment variable, and then pass it to the function like this: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY }).
- Name
audience?- Type
string | string[]- Description
A string or list of audiences.
- Name
authorizedParties- Type
string[]- Description
Can be used to validate that the
azpclaim equals any of your known origins that are permitted to generate those tokens. For example:['http://localhost:4003', 'https://clerk.dev']
- Name
clockSkewInMs?- Type
number- Description
Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).
- Name
jwtKey?- Type
string- Description
Used to verify the session token in a networkless manner. Supply the JWKS Public Key from the API keys page in the Clerk Dashboard. For more information, refer to Manual JWT verification.
- Name
secretKey?- Type
string- Description
The Clerk Secret Key from the API keys page in the Clerk Dashboard.
- Name
skipJwksCache?- Type
boolean- Description
A flag to ignore the JWKS cache and always fetch JWKS before each JWT verification.
- Name
apiUrl?- Type
string- Description
The Clerk Backend API endpoint. Defaults to
'https://api.clerk.com'.
- Name
apiVersion?- Type
string- Description
The version passed to the Clerk API. Defaults to
'v1'.
Example
The following example demonstrates how to use the JavaScript Backend SDK to verify the token signature.
In the following example:
- The JWKS Public Key from the Clerk Dashboard is set in the environment variable
CLERK_JWT_KEY. - The session token is retrieved from the
__sessioncookie or the Authorization header. - The token is verified in a networkless manner by passing the
jwtKeyprop. - The
authorizedPartiesprop is passed to verify that the session token is generated from the expected frontend application. - If the token is valid, the response contains the verified token.
import { verifyToken } from '@clerk/backend'
import { cookies } from 'next/headers'
export async function GET(request: Request) {
const cookieStore = cookies()
const sessToken = cookieStore.get('__session')?.value
const bearerToken = request.headers.get('Authorization')?.replace('Bearer ', '')
const token = sessToken || bearerToken
if (!token) {
return Response.json({ error: 'Token not found. User must sign in.' }, { status: 401 })
}
try {
const verifiedToken = await verifyToken(token, {
jwtKey: process.env.CLERK_JWT_KEY,
authorizedParties: ['http://localhost:3001', 'api.example.com'], // Replace with your authorized parties
})
return Response.json({ verifiedToken })
} catch (error) {
return Response.json({ error: 'Token not verified.' }, { status: 401 })
}
}If the token is valid, the response will contain a JSON object that looks something like this:
{
"verifiedToken": {
"azp": "http://localhost:3000",
"exp": 1687906422,
"iat": 1687906362,
"iss": "https://magical-marmoset-51.clerk.accounts.dev",
"nbf": 1687906352,
"sid": "sess_2Ro7e2IxrffdqBboq8KfB6eGbIy",
"sub": "user_2RfWKJREkjKbHZy0Wqa5qrHeAnb"
}
}Feedback
Last updated on