verifyToken()
Verifies a Clerk-generated token signature. Networkless if the jwtKey
is provided. Otherwise, performs a network call to retrieve the JWKS from the Backend API.
- Name
token
- Type
string
- Description
The token to verify.
- Name
options
- Type
VerifyTokenOptions
- Description
Options for verifying the token.
VerifyTokenOptions
It is recommended to set these options as environment variables where possible, and then pass them to the function. For example, you can set the secretKey
option using the CLERK_SECRET_KEY
environment variable, and then pass it to the function like this: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY })
.
- Name
audience?
- Type
string | string[]
- Description
A string or list of audiences.
- Name
authorizedParties
- Type
string[]
- Description
Can be used to validate that the
azp
claim equals any of your known origins that are permitted to generate those tokens. For example:['http://localhost:4003', 'https://clerk.dev']
- Name
clockSkewInMs?
- Type
number
- Description
Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).
- Name
jwtKey?
- Type
string
- Description
Used to verify the session token in a networkless manner. Supply the PEM public key from the API keys page -> Show JWT public key -> PEM Public Key section in the Clerk Dashboard. For more information, refer to Manual JWT verification.
- Name
secretKey?
- Type
string
- Description
The Clerk Secret Key from the API keys page in the Clerk Dashboard.
- Name
skipJwksCache?
- Type
boolean
- Description
A flag to ignore the JWKS cache and always fetch JWKS before each JWT verification.
- Name
apiUrl?
- Type
string
- Description
The Clerk Backend API endpoint. Defaults to
'https://api.clerk.com'
.
- Name
apiVersion?
- Type
string
- Description
The version passed to the Clerk API. Defaults to
'v1'
.
Example
The following example demonstrates how to use the JavaScript Backend SDK to verify the token signature.
In the following example:
- The PEM public key from the Clerk Dashboard is set in the environment variable
CLERK_JWT_KEY
. - The session token is retrieved from the
__session
cookie or the Authorization header. - The token is verified in a networkless manner by passing the
jwtKey
prop. - The
authorizedParties
prop is passed to verify that the session token is generated from the expected frontend application. - If the token is valid, the response contains the verified token.
If the token is valid, the response will contain a JSON object that looks something like this:
Feedback
Last updated on