Clerk logo

Clerk Docs

Ctrl + K
Go to clerkstage.dev
Check out a preview of our new docs.

Handling requests with Node.js and Express

Node.js and Connect/Express Middleware

The Clerk Node SDK offers two authentication middlewares specifically for Express and Connect/Express compatible frameworks such as Gatsby and Fastify.

ClerkExpressWithAuth is a lax middleware that returns an empty auth object when an unauthenticated request is made.

ClerkExpressRequireAuth is a strict middleware that raises an error when an unauthenticated request is made.

ClerkExpressWithAuth()

1
import { ClerkExpressWithAuth } from '@clerk/clerk-sdk-node';
2
import express from 'express';
3


4
const port = process.env.PORT || 3000;
5


6
const app = express();
7


8
// Use the lax middleware that returns an empty auth object when unauthenticated
9
app.get(
10
  '/protected-endpoint',
11
  ClerkExpressWithAuth({
12
    // ...options
13
  }),
14
  (req, res) => {
15
    res.json(req.auth);
16
  }
17
);
18


19
app.listen(port, () => {
20
  console.log(`Example app listening at http://localhost:${port}`);
21
});
22


1
import {
2
  ClerkExpressWithAuth,
3
  LooseAuthProp,
4
  WithAuthProp,
5
} from '@clerk/clerk-sdk-node';
6
import express, { Application, Request, Response } from 'express';
7


8
const port = process.env.PORT || 3000;
9


10
const app: Application = express();
11


12
declare global {
13
  namespace Express {
14
    interface Request extends LooseAuthProp {}
15
  }
16
}
17


18
// Use the lax middleware that returns an empty auth object when unauthenticated
19
app.get(
20
  '/protected-route',
21
  ClerkExpressWithAuth({
22
    // ...options
23
  }),
24
  (req: WithAuthProp<Request>, res: Response) => {
25
    res.json(req.auth);
26
  }
27
);
28


29
app.use((err, req, res, next) => {
30
  console.error(err.stack);
31
  res.status(401).send('Unauthenticated!');
32
});
33


34
app.listen(port, () => {
35
  console.log(`Example app listening at http://localhost:${port}`);
36
});

ClerkExpressRequireAuth()

1
import { ClerkExpressRequireAuth } from '@clerk/clerk-sdk-node';
2
import express from 'express';
3


4
const port = process.env.PORT || 3000;
5
const app = express();
6


7
// Use the strict middleware that raises an error when unauthenticated
8
app.get(
9
  '/protected-endpoint',
10
  ClerkExpressRequireAuth({
11
    // ...options
12
  }),
13
  (req: RequireAuthProp<Request>, res) => {
14
    res.json(req.auth);
15
  }
16
);
17


18
app.use((err, req, res, next) => {
19
  console.error(err.stack);
20
  res.status(401).send('Unauthenticated!');
21
});
22


23
app.listen(port, () => {
24
  console.log(`Example app listening at http://localhost:${port}`);
25
});
26


1
import {
2
  ClerkExpressRequireAuth,
3
  RequireAuthProp,
4
  StrictAuthProp,
5
} from '@clerk/clerk-sdk-node';
6
import express, { Application, Request, Response } from 'express';
7


8
const port = process.env.PORT || 3000;
9
const app: Application = express();
10


11
declare global {
12
  namespace Express {
13
    interface Request extends StrictAuthProp {}
14
  }
15
}
16


17
// Use the strict middleware that raises an error when unauthenticated
18
app.get(
19
  '/protected-route',
20
  ClerkExpressRequireAuth({
21
    // ...options
22
  }),
23
  (req: RequireAuthProp<Request>, res) => {
24
    res.json(req.auth);
25
  }
26
);
27


28
app.use((err, req, res, next) => {
29
  console.error(err.stack);
30
  res.status(401).send('Unauthenticated!');
31
});
32


33
app.listen(port, () => {
34
  console.log(`Example app listening at http://localhost:${port}`);
35
});
36

Express Error Handlers

Express comes with a default error handler for errors encountered in the middleware chain.

Developers can also implement their own custom error handlers as detailed in the Express error handling guide. An example error handler can be found above.

If you are using the strict middleware variant, the err pass to your error handler will contain enough context for you to respond as you deem fit.

Middleware options

NameTypeDescription
authorizedPartiesstring[]

Validate that the azp claim in the Clerk Session JWT equals any of your known Origins that are permitted to generate those tokens. This is an extra security check that we highly recommend that you do.

For more information refer to Manual JWT Verification.

jwtKeystring

Clerk's JWT session token can be verified in a networkless manner using the JWT verification key.

By default, Clerk will use our well-known JWKs endpoint to fetch and cache the key for any subsequent token verification. If you use the CLERK_JWT_KEY environment variable or the jwtKey option to supply the key, Clerk will pick it up and do networkless verification for session tokens using it.

For more information refer to Networkless Token Verification.

onError(error: ClerkAPIResponseError) => unknown

This function can act as a custom error handler tailored to the needs of your application.

Was this helpful?

Clerk © 2023