authMiddleware()
The authMiddleware() helper integrates Clerk authentication into your Next.js application through middleware. authMiddleware() is compatible with both the App and Pages routers.
Usage
Create the middleware.ts file in the root folder of your application, or inside the src/ if that is how your app is set up.
For more information about middleware in Next.js, see the Next.js documentation.
middleware.tsimport { authMiddleware } from "@clerk/nextjs"; export default authMiddleware(); export const config = { matcher: ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc)(.*)'], };
With the recommended matcher, all routes are protected by Clerk's authentication middleware, with the exception of internal /_next/ routes and static files. Static files are detected by matching on paths that end in .+\..+. If your middleware needs to run on all routes but you don't want Clerk to protect every route, use the ignoredRoutes option.
Using afterAuth() for fine-grained control
Some developers will need to handle specific cases such as handling redirects differently or detecting if a user is inside an organization. These cases can be handled with afterAuth().
middleware.tsimport { authMiddleware, redirectToSignIn } from '@clerk/nextjs'; export default authMiddleware({ afterAuth(auth, req, evt) { // handle users who aren't authenticated if (!auth.userId && !auth.isPublicRoute) { return redirectToSignIn({ returnBackUrl: req.url }); } // redirect them to organization selection page if(auth.userId && !auth.orgId && req.nextUrl.pathname !== "/org-selection"){ const orgSelection = new URL('/org-selection', req.url) return NextResponse.redirect(orgSelection) } } });
Using beforeAuth() to execute middleware before authentication
If you need additional middleware handlers to execute before Clerk's authentication middleware, use beforeAuth(). An example where the middleware handler from next-intl is executed can be seen below.
middleware.tsimport { authMiddleware } from "@clerk/nextjs"; import createMiddleware from "next-intl/middleware"; const intlMiddleware = createMiddleware({ locales: ["en", "el"], defaultLocale: "en", }); export default authMiddleware({ beforeAuth: (req) => { // Execute next-intl middleware before Clerk's auth middleware return intlMiddleware(req); }, // Ensure that locale specific sign-in pages are public publicRoutes: ["/", "/:locale/sign-in"], }); export const config = { matcher: ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc)(.*)'], };
Making pages public using publicRoutes
By default, Clerk's authMiddleware() treats all routes as private if the middleware runs. If you need to make specific routes public, use the publicRoutes option.
middleware.tsimport { authMiddleware } from "@clerk/nextjs"; export default authMiddleware({ // "/" will be accessible to all users publicRoutes: ["/"] }); export const config = { matcher: ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc)(.*)'], };
If you are building your own sign in pages, you don't need to add these pages to your publicRoutes. They will be inferred from your .env file:
.envNEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/ NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL=/
Execution order of beforeAuth, publicRoutes, and afterAuth
If you define an afterAuth function, it will run even if the request corresponds to a private route and no user is signed out. If you don’t define an afterAuth function, a redirect response to the signInUrl will be returned automatically. This diagram explains how and when the two handlers are invoked in the runtime.
Options
| Name | Type | Description |
|---|---|---|
afterAuth? | function | Called after the authentication middleware is executed. This function has access to the Authentication object and can be used to execute logic based on the auth state. |
apiRoutes? | string[] | A list of routes that should return 401. You can use glob patterns to match multiple routes or a function to match against the request object. For example: ['/foo', '/bar(.*)'] or [/^/foo/.*$/] |
audience? | `string | string[]` |
authorizedParties? | string[] | An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack. For example: ['http://localhost:3000', 'https://example.com']For more information, refer to the reference guide. |
beforeAuth? | function | A function called before the authentication middleware is executed. If a redirect response is returned, the middleware will respect it and redirect the user. If false is returned, the auth middleware will not execute and the request will be handled as if the auth middleware was not present. |
clockSkewInSeconds? | number | Overrides the default allowed clock skew. |
debug? | boolean | Enables debugging mode in the Clerk middleware handler. Logs out additional debugging information. |
domain? | string | The domain used for satellites to inform Clerk where this application is deployed. |
isSatellite? | boolean | When using Clerk's satellite feature, this should be enabled for secondary domains. |
proxyUrl? | string | If using a proxy, specify the URL of the proxy. |
jwksCacheTtlInMs? | number | Set the JWKs cache TTL, in milliseconds. |
jwtKey? | string | An optional custom JWT key to use for session token validation. |
ignoredRoutes? | string[] | A list of routes that should be ignored by the middleware. This list typically includes routes for static files or Next.js internals. For improved performance, these routes should be skipped using the default config.matcher instead. |
publicRoutes? | string[] | A list of routes that should be accessible without authentication. You can use glob patterns to match multiple routes or a function to match against the request object. For example: ['/foo', '/bar(.*)'] or [/^/foo/.*$/]The sign in and sign up URLs are included by default, unless a function is provided. |
publishableKey | string | An alternate Clerk publishable key. |
secretKey? | string | An alternate Clerk secret key. |
signInUrl? | string | An alternative sign in URL. |
skipJwksCache? | boolean | Disables use of the JWKs cache. |
apiKey? | string | An alternate Clerk API key. |
frontendApi? | string | An alternate Clerk frontend API URL. |