authenticateRequest()
Authenticates a token passed from the frontend. Networkless if the jwtKey
is provided. Otherwise, performs a network call to retrieve the JWKS from the Backend API.
- Name
request
- Type
Request
- Description
Request
object
- Name
options?
- Type
AuthenticateRequestOptions
- Description
Optional options to configure the authentication.
AuthenticateRequestOptions
It is recommended to set these options as environment variables where possible, and then pass them to the function. For example, you can set the secretKey
option using the CLERK_SECRET_KEY
environment variable, and then pass it to the function like this: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY })
.
- Name
secretKey?
- Type
string
- Description
The Clerk secret key from the API Keys page in the Clerk Dashboard.
- Name
publishableKey?
- Type
string
- Description
The Clerk publishable key from the API Keys page in the Clerk Dashboard.
- Name
jwtKey?
- Type
string
- Description
Used to verify the session token in a networkless manner. Supply the PEM public key from the API Keys page -> Show JWT public key -> PEM Public Key section of the Clerk Dashboard. For more information, refer to Manual JWT verification.
- Name
domain?
- Type
string
- Description
The domain for the application. For development, you can pass the localhost your application is running on. For example:
localhost:3001
- Name
isSatellite?
- Type
boolean
- Description
Set to
true
if the instance is a satellite domain in a multi-domain setup.
- Name
proxyUrl?
- Type
string
- Description
The proxy URL from a multi-domain setup.
- Name
signInUrl?
- Type
string
- Description
The sign-in URL from a multi-domain setup.
- Name
signUpUrl?
- Type
string
- Description
It's recommended to use sign-up URL from a multi-domain setup.
- Name
afterSignInUrl?
- Type
string
- Description
Full URL or path to navigate to after successful sign in. Defaults to
/
.
- Name
afterSignUpUrl?
- Type
string
- Description
Full URL or path to navigate to after successful sign up. Defaults to
/
.
- Name
audience?
- Type
string | string[]
- Description
A string or list of audiences.
- Name
authorizedParties?
- Type
string[]
- Description
An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack.
For example:['http://localhost:3000', 'https://example.com']
- Name
clockSkewInMs?
- Type
number
- Description
Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).
- Name
jwksCacheTtlInMs?
(deprecated)- Type
number
- Description
Deprecated. Specifying a cache TTL is now a no-op.
- Name
skipJwksCache?
- Type
boolean
- Description
A flag to skip ignore cache and always fetch JWKS before each jwt verification.
Examples
With a higher-level SDK
authenticateRequest()
requires publishableKey
to be set. If you are importing clerkClient
from a higher-level SDK, such as Next.js, then clerkClient
infers the publishableKey
from your environment variables.
With the Backend SDK on its own
If you are using the JavaScript Backend SDK on its own, you need to provide the secretKey
and publishableKey
to createClerkClient()
so that it is passed to authenticateRequest()
. You can set these values as environment variables and then pass them to the function.
Networkless token verification
The following example uses the authenticateRequest()
method with the JavaScript Backend SDK to verify the token passed by the frontend, and performs a networkless authentication by passing jwtKey
. This will verify if the user is signed into the application or not.
Feedback
Last updated on