Session tokens
When a user is authenticated in your application, a short-lived session token is generated by Clerk.js to attest to that fact, and it is sent to your backend. Your backend will typically want to verify that the session token is valid (i.e. that it comes from Clerk, that it hasn't expired, etc.).
Default session claims
Below are the default session claims that Clerk generates for you:
- iss
- sub
- sid
- exp
- nbf
- iat
- azp
- act
- orgs
- org_id
- org_slug
- org_role
If you want to customize your session token, you can do that by following our guide on customizing session tokens.
Validate session tokens
If you're using the middleware provided by our Clerk SDKs, this is all handled automatically in every request. If you're not using the middleware, you can still use the respective helpers provided by the SDKs to validate the tokens.
To learn how to manually verify a session token, please refer to the manual JWT verification section of our documentation.
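The sketch below is an added example, not Clerk's code or part of the original documentation. It shows the checks described above (the token comes from the expected issuer and has not expired), assuming the session token is an RS256-signed JWT. The key pair, issuer URL, origin and claim values are constructed; `verifySessionToken`, `signSample` and `check` are hypothetical names, and matching `azp` against an allowlist of origins is an assumption.

```javascript
const crypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Verify the signature first, then the issuer, time and origin claims.
// Returns the claims on success and throws on the first failed check.
function verifySessionToken(token, publicKey, { issuer, authorizedParties, now, skew = 5 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm: the token's own header must not choose how it is verified.
  if (dec(h).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const c = dec(p);
  if (c.iss !== issuer) throw new Error('wrong issuer');
  if (typeof c.exp !== 'number' || now > c.exp + skew) throw new Error('expired');
  if (typeof c.nbf === 'number' && now < c.nbf - skew) throw new Error('not yet valid');
  if (c.azp && !authorizedParties.includes(c.azp)) throw new Error('unauthorized party');
  return c;
}

// Constructed sample data: a throwaway key pair stands in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISS = 'https://clerk.example.test'; // constructed issuer
const APP = 'https://app.example.test';   // constructed origin
const T = 1700000000;                     // fixed "current time" in seconds
const OPTS = { issuer: ISS, authorizedParties: [APP], now: T };
const GOOD = { iss: ISS, sub: 'user_sample', sid: 'sess_sample', azp: APP,
               iat: T - 10, nbf: T - 10, exp: T + 50 };

function signSample(claims, alg = 'RS256') {
  const body = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(body), privateKey);
  return `${body}.${sig.toString('base64url')}`;
}

// Returns 'valid' or the reason the token was rejected.
function check(token, opts = OPTS) {
  try { verifySessionToken(token, publicKey, opts); return 'valid'; }
  catch (e) { return e.message; }
}

console.log(check(signSample(GOOD)), '|', check(signSample({ ...GOOD, exp: T - 60 })));
```

In production the public key comes from the issuer rather than a local key pair, and `now` is the current time in seconds.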