# authenticateRequest() Authenticates a token passed from the frontend. Networkless if the `jwtKey` is provided. Otherwise, performs a network call to retrieve the JWKS from the [Backend API](https://clerk.com/docs/reference/backend-api/tag/jwks/GET/jwks){{ target: '_blank' }}. `authenticateRequest()` requires `publishableKey` to be set. You should already have this set in your [environment variables](https://clerk.com/docs/guides/development/clerk-environment-variables.md#clerk-publishable-and-secret-keys). `clerkClient` will infer the `publishableKey` from your environment variables. ```ts function authenticateRequest( request: Request, options: AuthenticateRequestOptions, ): Promise ``` ## Parameters | Name | Type | Description | | -------- | -------------------------- | ------------------------------------------------- | | request | Request | Request object | | options? | AuthenticateRequestOptions | Optional options to configure the authentication. | ## `AuthenticateRequestOptions` It is recommended to set these options as [environment variables](https://clerk.com/docs/guides/development/clerk-environment-variables.md#api-and-sdk-configuration) where possible, and then pass them to the function. For example, you can set the `secretKey` option using the `CLERK_SECRET_KEY` environment variable, and then pass it to the function like this: `createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY })`. > You must provide either `jwtKey` or `secretKey`. > > For better security, it's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. The value should be a list of domains that are allowed to make requests to your application. Not setting this value can open your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf). | Property | Type | Description | | --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `acceptsToken?` | `"api_key" | "oauth_token" | "session_token" | "m2m_token" | ("api_key" | "oauth_token" | "session_token" | "m2m_token")[] | "any"` | The type of token to accept. Defaults to `'session_token'`. | | `afterSignInUrl?` | `string` | Full URL or path to navigate to after successful sign in. Defaults to `'/'`. | | `afterSignUpUrl?` | `string` | Full URL or path to navigate to after successful sign up. Defaults to `'/'`. | | `apiUrl?` | `string` | The [Clerk Backend API](https://clerk.com/docs/reference/backend-api){{ target: '_blank' }} endpoint. Defaults to `'https://api.clerk.com'`. | | `apiVersion?` | `string` | The version passed to the Clerk API. Defaults to `'v1'`. | | `audience?` | `string | string[]` | A string or list of [audiences](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). If passed, it is checked against the `aud` claim in the token. | | `authorizedParties?` | `string[]` | An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack. Example: `['http://localhost:3000', 'https://example.com']`. | | `clockSkewInMs?` | `number` | Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to `5000`. | | `domain?` | `string` | The domain of a [satellite application](https://clerk.com/docs/guides/dashboard/dns-domains/satellite-domains.md) in a multi-domain setup. | | `headerType?` | `string | string[]` | A string or list of allowed [header types](https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9). Defaults to `'JWT'`. | | `isSatellite?` | `boolean` | Whether the instance is a satellite domain in a multi-domain setup. Defaults to `false`. | | ~~`jwksCacheTtlInMs?`~~ | `number` | **Deprecated.** This cache TTL will be removed in the next major version. Specifying a cache TTL is a no-op. | | `jwtKey?` | `string` | Used to verify the session token in a networkless manner. Supply the PEM public key from the **[**API keys**](https://dashboard.clerk.com/last-active?path=api-keys) page -> Show JWT public key -> PEM Public Key** section in the Clerk Dashboard. **It's recommended to use [the environment variable](https://clerk.com/docs/guides/development/clerk-environment-variables.md) instead.** For more information, refer to [Manual JWT verification](https://clerk.com/docs/guides/sessions/manual-jwt-verification.md). | | `machineSecretKey?` | `string` | The machine secret key to use when verifying machine-to-machine tokens. This will override the Clerk secret key. | | `organizationSyncOptions?` | `{ organizationPatterns?: string[]; personalAccountPatterns?: string[]; }` | Used to activate a specific [Organization](https://clerk.com/docs/guides/organizations/overview.md) or [Personal Account](https://clerk.com/docs/guides/dashboard/overview.md) based on URL path parameters. If there's a mismatch between the Active Organization in the session (e.g., as reported by `auth()`) and the Organization indicated by the URL, an attempt to activate the Organization specified in the URL will be made. If the activation can't be performed, either because an Organization doesn't exist or the user lacks access, the Active Organization in the session won't be changed. Ultimately, it's the responsibility of the page to verify that the resources are appropriate to render given the URL and handle mismatches appropriately (e.g., by returning a 404). | | `organizationSyncOptions.organizationPatterns?` | `string[]` | Specifies URL patterns that are Organization-specific, containing an Organization ID or slug as a path parameter. If a request matches this path, the Organization identifier will be used to set that Organization as active. If the route also matches the `personalAccountPatterns` prop, this prop takes precedence. Patterns must have a path parameter named either `:id` (to match a Clerk Organization ID) or `:slug` (to match a Clerk Organization slug). If the Organization can't be activated—either because it doesn't exist or the user lacks access—the previously active Organization will remain unchanged. Components must detect this case and provide an appropriate error and/or resolution pathway, such as calling `notFound()` or displaying an [](https://clerk.com/docs/reference/components/organization/organization-switcher.md). Examples: `["/orgs/:slug",, "/orgs/:slug/(.*)"]`, `["/orgs/:id",, "/orgs/:id/(.*)"]`, `["/app/:any/orgs/:slug",, "/app/:any/orgs/:slug/(.*)"]`. | | `organizationSyncOptions.personalAccountPatterns?` | `string[]` | URL patterns for resources that exist within the context of a [Clerk Personal Account](https://clerk.com/docs/guides/dashboard/overview.md) (user-specific, outside any Organization). If the route also matches the `organizationPattern` prop, the `organizationPattern` prop takes precedence. Examples: `["/user",, "/user/(.*)"]`, `["/user/:any",, "/user/:any/(.*)"]`. | | `proxyUrl?` | `string` | The proxy URL from a multi-domain setup. | | `publishableKey?` | `string` | The Clerk Publishable Key from the [**API keys**](https://dashboard.clerk.com/last-active?path=api-keys) page in the Clerk Dashboard. | | `satelliteAutoSync?` | `boolean` | Controls whether satellite apps automatically sync with the primary domain on initial page load. When `false` (default), satellite apps will skip the automatic handshake if no session cookies exist, and only trigger the handshake after an explicit sign-in action. This provides the best performance by showing the satellite app immediately without attempting to sync state first. When `true`, satellite apps will automatically trigger a handshake redirect to sync authentication state with the primary domain on first load, even if no session cookies exist. Use this if you want users who are already signed in on the primary domain to be automatically recognized on the satellite. Defaults to `false`. | | `secretKey?` | `string` | The Clerk Secret Key from the [**API keys**](https://dashboard.clerk.com/last-active?path=api-keys) page in the Clerk Dashboard. | | `signInUrl?` | `string` | The sign-in URL from a multi-domain setup. | | `signUpUrl?` | `string` | The sign-up URL from a multi-domain setup. | | `skipJwksCache?` | `boolean` | A flag to ignore the JWKS cache and always fetch JWKS before each JWT verification. | ## Returns | Name | Type | Description | | ----------------------- | ---------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | isAuthenticated | boolean | A boolean that indicates whether the incoming request is authenticated. Initially false, becomes true once the request is authenticated. | | isSignedIn (deprecated) | boolean | Deprecated. Use isAuthenticated instead. Indicates whether the incoming request is authenticated. | | status | 'signed-in' | 'signed-out' | 'handshake' | The authentication state. | | reason | string | null | The error code or reason for the current state. When there is a signed-in user, the value will be null. | | message | string | null | The full error message or additional context. When there is a signed-in user, the value will be null. | | tokenType | 'session\_token' | 'oauth\_token' | 'm2m\_token' | 'api\_key' | The type of token. | | token | string | The value of the token. | | headers | Headers | A Headers object containing debug or status headers. | | toAuth() | function | A function that returns the Auth object. This JavaScript object contains important information like the current user's session ID, user ID, and Organization ID. Learn more about the Auth object. | ## Examples ```tsx import { clerkClient } from '@clerk/nextjs/server' export async function GET(req: Request) { // Initialize clerkClient const client = await clerkClient() // Use the `authenticateRequest()` method to verify the token const { isAuthenticated } = await client.authenticateRequest(req, { authorizedParties: ['https://example.com'], }) // Protect the route from unauthenticated users if (!isAuthenticated) { return Response.json({ error: 'Unauthorized' }, { status: 401 }) } // Add logic to perform protected actions return Response.json({ message: 'This is a reply' }) } ``` ### Machine authentication By default, `authenticateRequest()` will authenticate a session request. To authenticate a machine request, you need to set the `acceptsToken` option to a machine token type, such as `'api_key'`, `'oauth_token'` or `'m2m_token'`. ```tsx import { clerkClient } from '@clerk/nextjs/server' // Initialize clerkClient const client = await clerkClient() export async function GET(req: Request) { // Use the `authenticateRequest()` method to verify the token const { isAuthenticated } = await client.authenticateRequest(req, { acceptsToken: 'oauth_token', }) // Protect the route from unauthenticated users if (!isAuthenticated) { return Response.json({ error: 'Unauthorized' }, { status: 401 }) } // Add logic to perform protected actions return Response.json({ message: 'This is a machine-to-machine reply' }) } ``` ### Networkless token verification The following example uses the `authenticateRequest()` method with [`clerkClient`](https://clerk.com/docs/reference/backend/overview.md) to verify the token passed by the frontend, and performs a networkless authentication by passing `jwtKey`. This will verify if the user is signed into the application or not. filename: app/api/example/route.ts ```tsx import { clerkClient } from '@clerk/nextjs/server' export async function GET(req: Request) { // Initialize clerkClient const client = await clerkClient() // Use the `authenticateRequest()` method to verify the token const { isAuthenticated } = await client.authenticateRequest(req, { authorizedParties: ['https://example.com'], + jwtKey: process.env.CLERK_JWT_KEY, }) // Protect the route from unauthenticated users if (!isAuthenticated) { return Response.json({ error: 'Unauthorized' }, { status: 401 }) } // Add logic to perform protected actions return Response.json({ message: 'This is a reply' }) } ``` --- ## Sitemap [Overview of all docs pages](https://clerk.com/docs/llms.txt)