Networkless Token Verification
Networkless token verification using the JWT verification key
Clerk's JWT session token can be verified without a network call by using the instance's JWT verification key, the public key that matches the private key Clerk signs session tokens with. By default, Clerk fetches the key from the instance's JWKS endpoint and caches it for subsequent verifications. If you supply the key through the CLERK_JWT_KEY
environment variable instead, Clerk picks it up and verifies session tokens locally against it, with no request to the JWKS endpoint. Note that a pinned key does not follow key rotation: if the instance's signing key changes, the value in CLERK_JWT_KEY has to be updated as well, otherwise every token will fail verification.
To learn more about Clerk's token verification, see our guide to validating session tokens.
The JWT verification key can also be set when initializing a Clerk instance, or passed to any single middleware call, e.g. for Next.js:
```typescript
import { withAuth } from '@clerk/nextjs/api';

const handler = (req, res) => {
  // ...
};

// Pass the PEM public key directly to this route's middleware.
export default withAuth(handler, { jwtKey: 'my_clerk_public_key' });
```
Custom instance initialization:
```typescript
import Clerk from '@clerk/clerk-sdk-node/instance';

// Every verification done through this instance uses the supplied key.
const clerk = new Clerk({ jwtKey: 'my_clerk_public_key' });
```
Validate the Authorized Party of a session token
Clerk's JWT session token contains the azp (authorized party) claim, which holds the Origin of the request that generated the token. You can give the middlewares a list of allowed origins to check this claim against, which protects your application from the subdomain cookie leaking attack (a session cookie scoped to a parent domain being presented from an unexpected subdomain). A token whose azp is not in the list is rejected even though its signature is valid. You can find an example below:
Express
```typescript
import express from 'express';
import { ClerkExpressRequireAuth } from '@clerk/clerk-sdk-node';

const app = express();

// Only tokens whose azp claim is one of these origins are accepted.
const authorizedParties = ['http://localhost:3000', 'https://example.com'];

app.use(ClerkExpressRequireAuth({ authorizedParties }));
```
Next.js
```typescript
import type { NextApiRequest, NextApiResponse } from 'next';
import { requireAuth, RequireAuthProp } from '@clerk/nextjs/api';

// Only tokens whose azp claim is one of these origins are accepted.
const authorizedParties = ['http://localhost:3000', 'https://example.com'];

function handler(req: RequireAuthProp<NextApiRequest>, res: NextApiResponse) {
  // do something with the auth attribute
}

export default requireAuth(handler, { authorizedParties });
```