Clerk Docs

authenticateRequest()

Authenticates a token passed from the frontend. The check is networkless if the secretKey or jwtKey is provided; otherwise, it performs a network call to retrieve the JWKS from Clerk's Backend API.

```ts
function authenticateRequest: (request: Request, options: AuthenticateRequestOptions) => Promise<RequestState>;
```

authenticateRequest() parameters

| Name | Type | Description |
| --- | --- | --- |
| request | Request | Request object |
| options? | AuthenticateRequestOptions | Optional options to configure the authentication. |

AuthenticateRequestOptions

| Name | Type | Description |
| --- | --- | --- |
| secretKey? | string | The Clerk secret key from the API Keys page in the Clerk Dashboard. |
| publishableKey? | string | The Clerk publishable key from the API Keys page in the Clerk Dashboard. |
| domain? | string | The domain for the application. For development, you can pass the localhost your application is running on. For example: localhost:3001 |
| isSatellite? | boolean | Set to true if the instance is a satellite domain in a multi-domain setup. |
| proxyUrl? | string | The proxy URL from a multi-domain setup. |
| signInUrl? | string | The sign-in URL from a multi-domain setup. It's recommended to use the environment variable instead. |
| signUpUrl? | string | The sign-up URL from a multi-domain setup. It's recommended to use the environment variable instead. |
| signInFallbackRedirectUrl? | string | The fallback URL to redirect to after the user signs in, if there's no redirect_url in the path already. Defaults to /. It's recommended to use the environment variable instead. |
| signUpFallbackRedirectUrl? | string | The fallback URL to redirect to after the user signs up, if there's no redirect_url in the path already. Defaults to /. It's recommended to use the environment variable instead. |
| signInForceRedirectUrl? | string | If provided, this URL will always be redirected to after the user signs in. It's recommended to use the environment variable instead. |
| signUpForceRedirectUrl? | string | If provided, this URL will always be redirected to after the user signs up. It's recommended to use the environment variable instead. |
| jwtKey? | string | The PEM public key from the API Keys page -> Advanced -> JWT public key section of the Clerk Dashboard. It's recommended to use the environment variable instead. |
| audience? | string \| string[] | A string or list of audiences. |
| authorizedParties | string[] | |
| clockSkewInMs? | number | Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token. Defaults to 5000 ms (5 seconds). |
| jwksCacheTtlInMs? | number | Specifies the allowed time (in milliseconds) the JWKs are considered valid in cache. Defaults to 3600_000 ms (1 hour). |
| skipJwksCache? | boolean | A flag to ignore the cache and always fetch JWKs before each JWT verification. |

authenticateRequest() example

Takes the token passed by the frontend as a Bearer token in the Authorization header and performs a networkless authentication. This verifies whether the user is signed in to the application.

```tsx
import { clerkClient } from '@clerk/nextjs/server'
import { NextRequest, NextResponse } from 'next/server'

export async function GET(req: NextRequest) {
  // Verify the session token sent as a Bearer token in the Authorization header
  const { isSignedIn } = await clerkClient.authenticateRequest(req)

  if (!isSignedIn) {
    // The HTTP status goes in the second (init) argument; a body field alone is sent with 200
    return NextResponse.json({ status: 401 }, { status: 401 })
  }

  // Perform protected actions
  return NextResponse.json({ message: "This is a reply" })
}
```
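To show what the jwtKey, clockSkewInMs and authorizedParties options govern during a networkless check, the following is an added Node.js example; it is not Clerk's implementation and not code from the Clerk docs. The helpers `verifyOffline` and `signSample`, the reason strings, the throwaway key pair and the sample tokens are all assumptions constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto')

const b64url = (value) => Buffer.from(value).toString('base64url')
const fail = (reason) => ({ isSignedIn: false, reason })

// Hypothetical helper (not a Clerk API): offline check of an RS256 token against a PEM public key.
function verifyOffline(token, { jwtKey, authorizedParties, clockSkewInMs = 5000, now = Date.now() }) {
  const [head, body, sig, ...rest] = token.split('.')
  if (!sig || rest.length) return fail('malformed')
  let header, claims
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString())
    claims = JSON.parse(Buffer.from(body, 'base64url').toString())
  } catch {
    return fail('malformed')
  }
  if (header === null || claims === null) return fail('malformed')
  // Pin the algorithm instead of trusting the value in the token header.
  if (header.alg !== 'RS256') return fail('bad-alg')
  const signed = Buffer.from(`${head}.${body}`)
  if (!nodeCrypto.verify('sha256', signed, jwtKey, Buffer.from(sig, 'base64url'))) return fail('bad-signature')
  // exp and nbf are in seconds; the skew allowance is in milliseconds.
  if (typeof claims.exp !== 'number' || now > claims.exp * 1000 + clockSkewInMs) return fail('expired')
  if (typeof claims.nbf === 'number' && now < claims.nbf * 1000 - clockSkewInMs) return fail('not-yet-valid')
  // azp names the origin that requested the token; reject origins outside the allowlist.
  if (authorizedParties && !authorizedParties.includes(claims.azp)) return fail('unauthorized-party')
  return { isSignedIn: true, claims }
}

// Constructed sample data: a throwaway key pair and tokens signed with it.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
const jwtKey = publicKey.export({ type: 'spki', format: 'pem' })
const NOW = 1_700_000_000_000 // fixed clock so results are reproducible

function signSample(claims, alg = 'RS256') {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`
  return `${input}.${nodeCrypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`
}

const base = { sub: 'user_sample', azp: 'https://app.example.com' }
const options = { jwtKey, authorizedParties: ['https://app.example.com'], now: NOW }
const fresh = signSample({ ...base, exp: NOW / 1000 + 60 })
const justExpired = signSample({ ...base, exp: NOW / 1000 - 3 })
const otherOrigin = signSample({ ...base, azp: 'https://other.example.com', exp: NOW / 1000 + 60 })

console.log(verifyOffline(fresh, options).isSignedIn)
console.log(verifyOffline(justExpired, { ...options, clockSkewInMs: 0 }).reason)
console.log(verifyOffline(otherOrigin, options).reason)
```

A token that expired 3 seconds ago is still accepted under the default 5000 ms skew and rejected once the skew is set to 0, which is the trade-off to weigh when raising clockSkewInMs.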

Clerk © 2024