-
Notifications
You must be signed in to change notification settings - Fork 498
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
230 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
--- | ||
title: Making Machine Requests | ||
description: Lean about making machine-to-machine requests. | ||
--- | ||
|
||
If your client is a backend service, you can create a [machine token](/docs/backend-requests/resources/machine-tokens) and use it in the `Authorization` header of your request. | ||
|
||
## Using the Node.js SDK | ||
|
||
The Node.js SDK has a `machineTokens` object that can be used to create machine tokens. | ||
|
||
> [!WARNING] | ||
> Use of the Node.js SDK is still subject to the [Backend API rate limits](/docs/backend-requests/resources/rate-limits) | ||
```tsx | ||
import { createClerkClient } from '@clerk/backend' | ||
|
||
export default function machineFetch() { | ||
|
||
const clerkClient = createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY }) | ||
|
||
// creates a token with no additional claims. | ||
const { token } = await clerkClient.machineTokens.create({ | ||
machineId: "mch_cron", | ||
claims: { | ||
permissions: ["read", "write"] | ||
}, // custom claims customer's can add to their token | ||
expiresInSeconds: 60 | ||
}); | ||
|
||
const authenticatedFetch = async (...args) => { | ||
return fetch(...args, { | ||
headers: { Authorization: `Bearer ${await getToken()}` }, | ||
}).then((res) => res.json()) | ||
} | ||
|
||
return authenticatedFetch | ||
} | ||
``` | ||
|
||
## Using the Backend API reference | ||
|
||
You can also generate machine tokens by simply making a requests to Clerk's Backend API | ||
|
||
Go to the Backend API reference to learn more. **The API reference for this endpoint doesn't exist yet** |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
--- | ||
title: Machine tokens | ||
description: Learn about machine tokens and how to validate them in your backend. | ||
--- | ||
|
||
When you want a machine to authenticate requests to your backend, you authorize the requests with machine tokens. | ||
|
||
Machine tokens are JWTs that contain information about your machine. | ||
|
||
## Customizing your machine tokens. | ||
|
||
### Machine ID | ||
|
||
Every machine token you create needs to be associated with a `machine_id`. You can pick any value for the `machine_id` as long as it meets the following requirements: | ||
|
||
- It must be prefixed with `mch_` | ||
- It must only contain lowercase letters and numbers | ||
|
||
> [!TIP] | ||
> It is a good idea to have the `machine_id` correspond with the identity of the service generating the token. For example if you have a cron service, a `machine_id` of `mch_cron` would make sense. | ||
#### Some valid machine_ids | ||
|
||
- mch_123 | ||
- mch_hi_there_jack | ||
- mch_ooooooooooohhhhhhhhhhhhh_snaaaaaaaaaaap | ||
|
||
#### Some invalid machine_ids | ||
|
||
- user_1234 | ||
- mch_OH_HI_MARK | ||
- MCH_123 | ||
- mch-123 | ||
|
||
### Some **valid** machine_ids | ||
|
||
- mch_cron | ||
- mch_pub_sub | ||
- mch_scheduler | ||
- mch_device_ada3f8b7-d491-4fe4-b76e-99e4c00b56d1 | ||
|
||
### Claims | ||
|
||
You can add custom claims to your machine token to include any additional information that your application might need. Claims are key-value pairs included in the token's payload, and they can convey important data such as permissions, roles, or any other attributes relevant to the machine's identity. | ||
|
||
For example, it is a good practice to include any permissions that your service requires directly in the claims. This allows your backend to easily verify what actions the machine is authorized to perform. | ||
|
||
> [!NOTE] | ||
> You cannot add claims that are [already set by clerk](#default-machine-claims). | ||
### Expires In Seconds | ||
|
||
The `expiresInSeconds` parameter defines how long the machine token remains valid, specified in seconds. This parameter is optional and defaults to 60 seconds (1 minute). | ||
|
||
If you need the machine token to be valid for a longer period of time, you can set the `expiresInSeconds` parameter to a higher value. However, keep in mind that longer-lived tokens can present a higher security risk if compromised, while shorter-lived tokens may require more frequent token generation, potentially impacting your [Backend API rate limits](/docs/backend-requests/resources/rate-limits). Therefore, it's important to balance token lifespan with security requirements and rate limit considerations. | ||
|
||
### Clock Skew | ||
|
||
The `allowedClockSkew` parameter provides a leeway in seconds to account for clock differences between servers. This setting affects the `nbf` (Not Before) claim in the token, calculated as `nbf = current_time - allowed_clock_skew`. The default value is 5 seconds. | ||
|
||
Adjusting the clock skew helps prevent token validation failures due to minor time discrepancies between the issuing server and the verifying server. | ||
|
||
|
||
## Default machine claims | ||
|
||
Every generated token has default claims that cannot be overridden by custom claims. Clerk's default claims include: | ||
|
||
- `exp`: expiration time - the time after which the token will expire, as a Unix timestamp. Determined using the **Token Expires In Seconds** request body parameter when creating machine tokens. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4) for more information. | ||
- `iat`: issued at - the time at which the token was issued as a Unix timestamp. For example: `1516239022`. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6) for more information. | ||
- `jti`: JWT ID - the ID of the token internally generated by Clerk. For example: `a1b2c3d4e5f67890abcd`. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7) for more information. | ||
- `iss`: issuer - the Frontend API URL of your instance. For example: `https://clerk.your-site.com` for a production instance or `https://your-site.clerk.accounts.dev` for a development instance. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) for more information. | ||
- `nbf`: not before - the time before which the token is considered invalid, as a Unix timestamp. Determined using the **Allowed Clock Skew** request body parameter when creating machine tokens. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5) for more information. | ||
- `sub`: subject - the ID of the machine that created the token. Determined using the **Machine ID** request body parameter when creating machine tokens. For example: `mch_123`. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2) for more information. | ||
|
||
## Making Machine Requests | ||
|
||
To start making machine requests, refer to [making machine requests](/docs/backend-requests/making/machine). | ||
|
||
## Validating Machine Tokens | ||
|
||
To learn how to manually verify a machine token, refer to [validating machine tokens](/docs/backend-requests/handling/manual-jwt#machine-tokens). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters