Networkless token verification

Clerk's JWT session token can be verified in a networkless manner using the JWT verification key. By default, Clerk will use our JWKs endpoint to fetch and cache the key for any subsequent verification. If you use the CLERK_JWT_KEY environment variable to supply the key, Clerk will pick it up and do networkless verification for session tokens using it.

To learn more about Clerk's token verification, you can find more information on our guide to validating session tokens.

The value of the JWT verification key can also be added on the instance level or on any single middleware call e.g. for Next.js.

import { withAuth } from '@clerk/nextjs';
 
const handler = (req, res) => {
  // ...
};
 
withAuth(handler, { jwtKey: 'my_clerk_public_key' });

Custom instance initialization:

import { createClerkClient } from '@clerk/clerk-sdk-node';
 
const clerk = createClerkClient({ jwtKey: 'my_clerk_public_key' });

Validate the authorized party of a session token

Clerk's JWT session token contains the azp claim, which equals the Origin of the request during token generation. You can provide the middlewares with a list of allowlisted origins to verify against, to protect your application of the subdomain cookie leaking attack. You can find an example below:

import { requireAuth } from '@clerk/nextjs';
 
const authorizedParties = ['http://localhost:3000', 'https://example.com']
 
function handler(req: RequireAuthProp<NextApiRequest>, res: NextApiResponse) {
  // do something with the auth attribute
}
 
export requireAuth(handler, { authorizedParties });

// Node + Express app
import { ClerkExpressRequireAuth } from '@clerk/clerk-sdk-node';
 
const authorizedParties = ['http://localhost:3000', 'https://example.com'];
 
app.use(ClerkExpressRequireAuth({ authorizedParties }));

Last updated on April 19, 2024