Commit

Update docs/backend-requests/handling/manual-jwt.mdx
Co-authored-by: victoria <[email protected]>
alexisintech and victoriaxyz authored Dec 2, 2024
1 parent 4e9126b commit 399c510
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/backend-requests/handling/manual-jwt.mdx
Expand Up @@ -35,8 +35,8 @@ The following example uses the `authenticateRequest()` method to verify the sess
To verify the token signature:

1. Use your instance's public key to verify the token's signature.
1. Validate that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims.
1. Validate that the `azp` (authorized parties) claim equals any of your known origins that are permitted to generate those tokens. It's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. The value should be a list of domains that are allowed to make requests to your application. Not setting this value can open your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf). For example, if you are permitting tokens retrieved from `http://localhost:3000`, then the `azp` claim should equal `http://localhost:3000`. You can also pass an array of strings like so: `['http://localhost:4003', 'https://clerk.dev']`. If the `azp` claim does not exist, then you can skip this step.
1. Validate that the token isn't expired by checking the `exp` ([expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims.
1. Validate that the `azp` (authorized parties) claim equals any of your known origins permitted to generate those tokens. For better security, it's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. The value should be a list of domains allowed to make requests to your application. Not setting this value can open your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf). For example, if you're permitting tokens retrieved from `http://localhost:3000`, then the `azp` claim should equal `http://localhost:3000`. You can also pass an array of strings, such as `['http://localhost:4003', 'https://clerk.dev']`. If the `azp` claim doesn't exist, you can skip this step.

### Finished

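Review bot: the rewritten `azp` step still closes with "If the `azp` claim doesn't exist, you can skip this step" directly after the sentence warning that an unset `authorizedParties` can open the application to CSRF; consider stating in which situations an absent claim is expected, so readers don't read a missing `azp` as a safe default rather than something to check against their own token issuance. Minor wording: "For better security, it's highly recommended" says the same thing twice; the old line's "It's highly recommended to explicitly set the `authorizedParties` option" already carried the point, so "It's highly recommended to explicitly set the `authorizedParties` option when authorizing requests" would read cleaner.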

0 comments on commit 399c510