diff --git a/docs/backend-requests/handling/manual-jwt.mdx b/docs/backend-requests/handling/manual-jwt.mdx index 898509196f..227e00ef61 100644 --- a/docs/backend-requests/handling/manual-jwt.mdx +++ b/docs/backend-requests/handling/manual-jwt.mdx @@ -35,8 +35,8 @@ The following example uses the `authenticateRequest()` method to verify the sess To verify the token signature: 1. Use your instance's public key to verify the token's signature. - 1. Validate that the token is not expired by checking the `exp` ([Expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([Not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. - 1. Validate that the `azp` (authorized parties) claim equals any of your known origins that are permitted to generate those tokens. It's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. The value should be a list of domains that are allowed to make requests to your application. Not setting this value can open your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf). For example, if you are permitting tokens retrieved from `http://localhost:3000`, then the `azp` claim should equal `http://localhost:3000`. You can also pass an array of strings like so: `['http://localhost:4003', 'https://clerk.dev']`. If the `azp` claim does not exist, then you can skip this step. + 1. Validate that the token isn't expired by checking the `exp` ([expiration time](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4)) and `nbf` ([not before](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5)) claims. + 1. Validate that the `azp` (authorized parties) claim equals any of your known origins permitted to generate those tokens. For better security, it's highly recommended to explicitly set the `authorizedParties` option when authorizing requests. The value should be a list of domains allowed to make requests to your application. Not setting this value can open your application to [CSRF attacks](https://owasp.org/www-community/attacks/csrf). For example, if you're permitting tokens retrieved from `http://localhost:3000`, then the `azp` claim should equal `http://localhost:3000`. You can also pass an array of strings, such as `['http://localhost:4003', 'https://clerk.dev']`. If the `azp` claim doesn't exist, you can skip this step. ### Finished