clerkMiddleware()
The clerkMiddleware() helper integrates Clerk authentication into your TanStack Start application through middleware.
Configure clerkMiddleware()
Create a src/start.ts file and add clerkMiddleware() to the requestMiddleware array.
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'
import { createStart } from '@tanstack/react-start'
export const startInstance = createStart(() => {
return {
requestMiddleware: [clerkMiddleware()],
}
})clerkMiddleware() options
The clerkMiddleware() function accepts an optional object. The following options are available:
- Name
audience?- Type
string | string[]- Description
A string or list of audiences. If passed, it is checked against the
audclaim in the token.
- Name
authorizedParties?- Type
string[]- Description
An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack. For example:
['http://localhost:3000', 'https://example.com']
- Name
clockSkewInMs?- Type
number- Description
Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).
- Name
domain?- Type
string- Description
The domain used for satellites to inform Clerk where this application is deployed.
- Name
isSatellite?- Type
boolean- Description
When using Clerk's satellite feature, this should be set to
truefor secondary domains.
- Name
satelliteAutoSync?- Type
boolean- Description
Controls whether a satellite app automatically syncs authentication state with the primary domain on first page load. When
false(default), the satellite app skips the automatic redirect if no session cookies exist, and only triggers the handshake after the user initiates a sign-in or sign-up action. Whentrue, the satellite app redirects to the primary domain on every first visit to sync state. Defaults tofalse. See satellite domains for more details.
- Name
jwtKey- Type
string- Description
Used to verify the session token in a networkless manner. Supply the JWKS Public Key from the API keys page in the Clerk Dashboard. It's recommended to use the environment variable instead. For more information, refer to Manual JWT verification.
- Name
organizationSyncOptions?- Type
OrganizationSyncOptions | undefined- Description
Used to activate a specific Organization or based on URL path parameters. If there's a mismatch between the in the session (e.g., as reported by auth()) and the Organization indicated by the URL, the middleware will attempt to activate the Organization specified in the URL.
- Name
proxyUrl?- Type
string- Description
Specify the URL of the proxy, if using a proxy.
- Name
signInUrl- Type
string- Description
The full URL or path to your sign-in page. Needs to point to your primary application on the client-side. Required for a satellite application in a development instance. It's recommended to use the environment variable instead.
- Name
signUpUrl- Type
string- Description
The full URL or path to your sign-up page. Needs to point to your primary application on the client-side. Required for a satellite application in a development instance. It's recommended to use the environment variable instead.
- Name
publishableKey- Type
string- Description
The Clerk for your instance.
- Name
secretKey?- Type
string- Description
The Clerk for your instance. The
CLERK_ENCRYPTION_KEYenvironment variable must be set when providingsecretKeyas an option, refer to Dynamic keys.
- Name
frontendApiProxy?- Type
- FrontendApiProxyOptions
- Description
Configure Frontend API proxy handling. When enabled, requests to the proxy path are forwarded to Clerk's Frontend API, and the
proxyUrlis automatically derived for authentication handshake.
Feedback
Last updated on