Docs

verifyToken()

Warning

This is a lower-level method intended for more advanced use-cases. It's recommended to use authenticateRequest(), which fully authenticates a token passed from the request object.

Verifies a Clerk-generated token signature. Networkless if the jwtKey is provided. Otherwise, performs a network call to retrieve the JWKS from Clerk's Backend API.

function verifyToken(
  token: string,
  options: VerifyTokenOptions,
): Promise<JwtReturnType<JwtPayload, TokenVerificationError>>
  • Name
    token
    Type
    string
    Description

    The token to verify.

  • Name
    options
    Type
    VerifyTokenOptions
    Description

    Options for verifying the token.

VerifyTokenOptions

It is recommended to set these options as environment variables where possible, and then pass them to the function. For example, you can set the secretKey option using the CLERK_SECRET_KEY environment variable, and then pass it to the function like this: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY }).

Warning

You must provide either jwtKey or secretKey.

  • Name
    audience?
    Type
    string | string[]
    Description

    A string or list of audiences.

  • Name
    authorizedParties
    Type
    string[]
    Description

    Can be used to validate that the azp claim equals any of your known origins that are permitted to generate those tokens. For example: ['http://localhost:4003', 'https://clerk.dev']

  • Name
    clockSkewInMs?
    Type
    number
    Description

    Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds).

  • Name
    jwtKey?
    Type
    string
    Description

    Used to verify the session token in a networkless manner. Supply the PEM public key from the API Keys page -> Show JWT public key -> PEM Public Key section of the Clerk Dashboard. For more information, refer to Manual JWT verification.

  • Name
    secretKey?
    Type
    string
    Description

    The Clerk secret key from the API Keys page in the Clerk Dashboard.

  • Name
    skipJwksCache?
    Type
    boolean
    Description

    A flag to ignore the JWKS cache and always fetch JWKS before each JWT verification.

  • Name
    apiUrl?
    Type
    string
    Description

    The Clerk Backend API endpoint. Defaults to 'https://api.clerk.com'.

  • Name
    apiVersion?
    Type
    string
    Description

    The version passed to the Clerk API. Defaults to 'v1'.

Example

The following example demonstrates how to use the JavaScript Backend SDK to verify the token signature.

In the following example:

  1. The PEM public key from the Clerk Dashboard is set in the environment variable CLERK_JWT_KEY.
  2. The session token is retrieved from the __session cookie or the Authorization header.
  3. The token is verified in a networkless manner by passing the jwtKey prop.
  4. The authorizedParties prop is passed to verify that the session token is generated from the expected frontend application.
  5. If the token is valid, the response contains the verified token.
import { verifyToken } from '@clerk/backend'
import { cookies } from 'next/headers'

export async function GET(request: Request) {
  const cookieStore = cookies()
  const sessToken = cookieStore.get('__session')?.value
  const bearerToken = request.headers.get('Authorization')?.replace('Bearer ', '')
  const token = sessToken || bearerToken

  if (!token) {
    return Response.json({ error: 'Token not found. User must sign in.' }, { status: 401 })
  }

  try {
    const verifiedToken = await verifyToken(token, {
      jwtKey: process.env.CLERK_JWT_KEY,
      authorizedParties: ['http://localhost:3001', 'api.example.com'], // Replace with your authorized parties
    })

    return Response.json({ verifiedToken })
  } catch (error) {
    return Response.json({ error: 'Token not verified.' }, { status: 401 })
  }
}

If the token is valid, the response will contain a JSON object that looks something like this:

{
  "verifiedToken": {
    "azp": "http://localhost:3000",
    "exp": 1687906422,
    "iat": 1687906362,
    "iss": "https://magical-marmoset-51.clerk.accounts.dev",
    "nbf": 1687906352,
    "sid": "sess_2Ro7e2IxrffdqBboq8KfB6eGbIy",
    "sub": "user_2RfWKJREkjKbHZy0Wqa5qrHeAnb"
  }
}

Feedback

What did you think of this content?

Last updated on