Docs

authenticateRequest()

Authenticates a token passed from the frontend. Networkless if the jwtKey is provided. Otherwise, performs a network call to retrieve the JWKS from the Backend API.

function authenticateRequest(
  request: Request,
  options: AuthenticateRequestOptions,
): Promise<RequestState>
  • Name
    request
    Type
    Request
    Description

    Request object

  • Name
    options?
    Type
    AuthenticateRequestOptions
    Description

    Optional options to configure the authentication.

AuthenticateRequestOptions

It is recommended to set these options as environment variables where possible, and then pass them to the function. For example, you can set the secretKey option using the CLERK_SECRET_KEY environment variable, and then pass it to the function like this: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY }).

Warning

You must provide either jwtKey or secretKey.

We strongly recommend explicitly setting the authorizedParties option when authorizing requests. The value should be a list of domains that are allowed to make requests to your application. Not setting this value can open your application to CSRF attacks.

  • Name
    secretKey?
    Type
    string
    Description

    The Clerk secret key from the API Keys page in the Clerk Dashboard.

  • Name
    publishableKey?
    Type
    string
    Description

    The Clerk publishable key from the API Keys page in the Clerk Dashboard.

  • Name
    jwtKey?
    Type
    string
    Description

    Used to verify the session token in a networkless manner. Supply the PEM public key from the API Keys page -> Show JWT public key -> PEM Public Key section of the Clerk Dashboard. For more information, refer to Manual JWT verification.

  • Name
    domain?
    Type
    string
    Description

    The domain for the application. For development, you can pass the localhost your application is running on. For example: localhost:3001

  • Name
    isSatellite?
    Type
    boolean
    Description

    Set to true if the instance is a satellite domain in a multi-domain setup.

  • Name
    proxyUrl?
    Type
    string
    Description

    The proxy URL from a multi-domain setup.

  • Name
    signInUrl?
    Type
    string
    Description

    The sign-in URL from a multi-domain setup.

  • Name
    signUpUrl?
    Type
    string
    Description

    It's recommended to use sign-up URL from a multi-domain setup.

  • Name
    afterSignInUrl?
    Type
    string
    Description

    Full URL or path to navigate to after successful sign in. Defaults to /.

  • Name
    afterSignUpUrl?
    Type
    string
    Description

    Full URL or path to navigate to after successful sign up. Defaults to /.

  • Name
    audience?
    Type
    string | string[]
    Description

    A string or list of audiences.

  • Name
    authorizedParties?
    Type
    string[]
    Description

    An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack.
    For example: ['http://localhost:3000', 'https://example.com']

  • Name
    clockSkewInMs?
    Type
    number
    Description

    Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).

  • Name
    jwksCacheTtlInMs? (deprecated)
    Type
    number
    Description

    Deprecated. Specifying a cache TTL is now a no-op.

  • Name
    skipJwksCache?
    Type
    boolean
    Description

    A flag to skip ignore cache and always fetch JWKS before each jwt verification.

Examples

With a higher-level SDK

authenticateRequest() requires publishableKey to be set. If you are importing clerkClient from a higher-level SDK, such as Next.js, then clerkClient infers the publishableKey from your environment variables.

import { clerkClient } from '@clerk/nextjs/server'

const client = await clerkClient()

export async function GET(req: Request) {
  const { isSignedIn } = await client.authenticateRequest(req, {
    authorizedParties: ['https://example.com'],
  })

  if (!isSignedIn) {
    return Response.json({ status: 401 })
  }

  // Perform protected actions
  // Add logic to perform protected actions

  return Response.json({ message: 'This is a reply' })
}

With the Backend SDK on its own

If you are using the JavaScript Backend SDK on its own, you need to provide the secretKey and publishableKey to createClerkClient() so that it is passed to authenticateRequest(). You can set these values as environment variables and then pass them to the function.

import { createClerkClient } from '@clerk/backend'

export async function GET(req: Request) {
  const clerkClient = createClerkClient({
    secretKey: process.env.CLERK_SECRET_KEY,
    publishableKey: process.env.CLERK_PUBLISHABLE_KEY,
  })

  const { isSignedIn } = await clerkClient.authenticateRequest(req, {
    authorizedParties: ['https://example.com'],
  })

  if (!isSignedIn) {
    return Response.json({ status: 401 })
  }

  // Add logic to perform protected actions

  return Response.json({ message: 'This is a reply' })
}

Networkless token verification

The following example uses the authenticateRequest() method with the JavaScript Backend SDK to verify the token passed by the frontend, and performs a networkless authentication by passing jwtKey. This will verify if the user is signed into the application or not.

import { createClerkClient } from '@clerk/backend'

export async function GET(req: Request) {
  const clerkClient = createClerkClient({
    secretKey: process.env.CLERK_SECRET_KEY,
    publishableKey: process.env.CLERK_PUBLISHABLE_KEY,
  })

  const { isSignedIn } = await clerkClient.authenticateRequest(req, {
    jwtKey: process.env.CLERK_JWT_KEY,
    authorizedParties: ['https://example.com'],
  })

  if (!isSignedIn) {
    return Response.json({ status: 401 })
  }

  // Add logic to perform protected actions

  return Response.json({ message: 'This is a reply' })
}

Feedback

What did you think of this content?

Last updated on