Closed afroozeh closed 3 months ago
Note: sid is present in Clerk session JWT tokens, but it doesn't seem to be there when using long-lived tokens generated by JWT Templates (https://clerk.com/docs/testing/postman-or-insomnia). It's kind of logical since such tokens are not bound to a session.
Good timing on opening this - was looking into a similar issue this week. Thank you for raising. I talked with a couple of Clerk engineers about this very issue and they said sid is always defined even on long-lived tokens, which seems contradictory to what I've seen in the past and what you're saying (I can generate a long-lived token right now and it will have a sid). It might depend on how you generate the long-lived token though (e.g. in an active authed browser session or not).
Looks like when you create a Clerk JWT template you can optionally specify a sid (or not), so I think this can most definitely be optional.
EDIT: Also got this response from a Clerk engineer ✅
All session tokens, whether they're created via JWT Templates or not, will always contain an sid claim with its value set to the current session ID. The value cannot be overridden, since it's part of the default claims that Clerk always sets. Even if you add an sid claim in your template, it will be overridden during token generation.
@agis this is clearly not the case for JWT Templates. I created a JWT Template without changing anything and was getting a JSON deserialization error using the clerk-rs middleware. This is the response I got from a Clerk dev on discord:
It's also logical to not have sid because there is no session associated with a long-lived token anyway. Also, as the dev mentioned, other Clerk SDKs account for optional sid.
You're right - I was mistaken!
sid is not a recommended claim according to the guidelines (https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims). Recently, we encountered an issue where the server returned a 401 error because JSON parsing failed on a token that lacked sid.
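The failure mode described in this thread (a strict claims schema that requires sid, so a JWT Template token with no session behind it fails to deserialize and the middleware answers 401) can be reproduced with a small, dependency-free script. The following is an added example and not clerk-rs code or Clerk's own SDK; it is written in Python so it runs stand-alone, the token payloads are constructed samples (placeholder subject, session id and issuer), the tokens are built with an empty signature purely to exercise claim parsing, and parse_claims, decode_payload and http_status_for are hypothetical names chosen for the demo. Only the optional sid handling, the behaviour the thread argues for, is the point.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


class ClaimsError(Exception):
    """Raised when a token payload cannot be mapped onto Claims."""


@dataclass
class Claims:
    sub: str
    iss: str
    exp: int
    # Optional: present on session tokens, absent on long-lived JWT Template tokens.
    sid: Optional[str] = None


# Constructed sample payloads (not real Clerk tokens). The first mimics a
# session token, the second a JWT Template token with no session behind it.
SESSION_PAYLOAD = {
    "sub": "user_example",
    "iss": "https://example.clerk.accounts.dev",  # placeholder issuer
    "exp": 4102444800,
    "sid": "sess_example",
}
TEMPLATE_PAYLOAD = {
    "sub": "user_example",
    "iss": "https://example.clerk.accounts.dev",  # placeholder issuer
    "exp": 4102444800,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature, purely to exercise parsing."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",
    ])


def decode_payload(token: str) -> dict:
    """Return the payload object of a compact JWT (no signature verification here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ClaimsError("malformed token: expected three dot-separated segments")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers both bad base64 and bad JSON
        raise ClaimsError(f"payload is not valid JSON: {exc}") from exc


def parse_claims(payload: dict, require_sid: bool) -> Claims:
    """Map a payload onto Claims.

    require_sid=True reproduces a strict schema that rejects JWT Template tokens;
    require_sid=False treats sid as optional, the behaviour the thread argues for.
    """
    required = ["sub", "iss", "exp"] + (["sid"] if require_sid else [])
    missing = [name for name in required if name not in payload]
    if missing:
        raise ClaimsError(f"missing claims: {missing}")
    return Claims(
        sub=str(payload["sub"]),
        iss=str(payload["iss"]),
        exp=int(payload["exp"]),
        sid=payload.get("sid"),
    )


def http_status_for(token: str, require_sid: bool) -> int:
    """Mimic a middleware: 200 when claims parse, 401 when they do not."""
    try:
        parse_claims(decode_payload(token), require_sid)
        return 200
    except ClaimsError:
        return 401


if __name__ == "__main__":
    for name, payload in (("session", SESSION_PAYLOAD), ("template", TEMPLATE_PAYLOAD)):
        tok = make_unsigned_token(payload)
        print(name, "strict:", http_status_for(tok, True), "optional:", http_status_for(tok, False))
```

Running the script shows the session token accepted under both schemas while the template token is rejected only under the strict one; a middleware that treats sid as optional still sees the missing session id as None and can decide separately whether a given route needs a session-bound token.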