No "azp" field is created when using the SDK to create a JWT, thus no "azp" can be used when validating the JWT

[aaronmaxcarver]

There's no "azp" field returned in the JWT when using the SDK to fetch a JWT. This happens for the default JWT and for JWT templates.

The docs call out that "azp" will be included automatically (see here):

  // default claims, included automatically
  "azp": "http://localhost:3000",

And the JWT Template builder prevents adding "azp":

You can't use the reserved claim: azp

But when using the SDK is used to fetch a JWT for a session:

async with Clerk(bearer_auth=CLERK_SECRET_KEY) as clerk:
    res = await clerk.sessions.create_session_token_async(
        session_id="REDACTED"
    )
    assert res is not None

jwt_token = res.jwt
print(jwt_token)

The decoded JWT value has no azp key:

{
  "email_verified": true,
  "exp": 1738520013,
  "fva": [
    5370,
    -1
  ],
  "iat": 1738519953,
  "iss": "https://REDACTED.clerk.accounts.dev",
  "jti": "REDACTED",
  "nbf": 1738519943,
  "primary_email_address": "REDACTED",
  "public_metadata": {
    "admin": "true"
  },
  "sid": "REDACTED",
  "sub": "REDACTED"
}

So when that JWT is checked by Clerk authenticate request, there's no way to enforce "azp". (Removing the options entirely does allow the JWT to be validated.)

    clerk = Clerk(bearer_auth=os.getenv("CLERK_SECRET_KEY"))
    auth_result: RequestState = clerk.authenticate_request(
        request,  # type: ignore
        AuthenticateRequestOptions(
            authorized_parties=azp,
        ),
    )

Result:

RequestState(status=<AuthStatus.SIGNED_OUT: 'signed-out'>, reason=<TokenVerificationErrorReason.TOKEN_INVALID_AUTHORIZED_PARTIES: ('token-invalid-authorized-parties', 'Authorized party claim (azp) does not match any of the authorized parties.')>, token=None, payload=None)

Please add the "azp" key by default or allow some way to get it, e.g. via setting the value in the JWT Template or passing the value as a parameter in the SDK calls for fetching JWTs.

[aaronmaxcarver]