Re-publish JWT v2 docs (#2185)

alex-ntousias · web-flow · commit 9d97c4dbe4fa · 2025-04-15T18:33:50.000+03:00
diff --git a/docs/backend-requests/resources/session-tokens.mdx b/docs/backend-requests/resources/session-tokens.mdx
@@ -9,35 +9,84 @@ Read more about Clerk session tokens and how they work in [the dedicated blog po
 
 ## Default claims
 
-Every generated token has default claims that cannot be overridden by templates. Clerk's default claims include:
-
-| Claim | Abbreviation expanded | Description | Example |
-| - | - | - | - |
-| `azp` | authorized party | The `Origin` header that was included in the original Frontend API request made from the user. Most commonly, it will be the URL of the application. This claim could be omitted if, for privacy-related reasons, `Origin` is empty or null. | `https://example.com` |
-| `exp` | expiration time | The time after which the token will expire, as a Unix timestamp. Determined using the **Token lifetime** JWT template setting in the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=jwt-templates). See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4) for more information. | `1713158400` |
-| `fva` | factor verification age | Each item represents the minutes that have passed since the last time a first or second factor, respectively, was verified. | `[7, -1]` which means it has been 7 minutes since the first factor was verified, and there either is not a second factor or the second factor has never been verified. |
-| `iat` | issued at | The time at which the token was issued as a Unix timestamp. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6) for more information. | `1713158400` |
-| `iss` | issuer | The Frontend API URL of your instance. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) for more information. | `https://clerk.your-site.com` for a production instance, `https://your-site.clerk.accounts.dev` for a development instance |
-| `nbf` | not before | The time before which the token is considered invalid, as a Unix timestamp. Determined using the **Allowed Clock Skew** JWT template setting in the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=jwt-templates). See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5) for more information. | `1713158400` |
-| `sid` | session ID | The ID of the current session. | `sess_123` |
-| `sub` | subject | The ID of the current user of the session. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2) for more information. | `user_123` |
-
-The **`act` (actor) claim** is only included if the user is [impersonating](/docs/users/user-impersonation) another user. It's value is an object that contains the following properties:
-
-| Claim | Abbreviation expanded | Description | Example |
-| - | - | - | - |
-| `iss` | issuer | The referrer of the token. | `https://dashboard.clerk.com` |
-| `sid` | session ID | The session ID of the impersonated session. | `sess_456` |
-| `sub` | subject | The ID of the impersonator. | `user_456` |
-
-The following claims are only included if the user is part of an [organization](/docs/organizations/overview):
-
-| Claim | Abbreviation expanded | Description | Example |
-| - | - | - | - |
-| `org_id` | organization ID | The ID of the active organization that the user belongs to. | `org_123` |
-| `org_permissions` | organization permissions | The permissions of the user in the currently active organization. System permissions are not included in the session token. | `["org:admin:example_permission", "org:member:example_permission"]` |
-| `org_slug` | organization slug | The slug of the currently active organization that the user belongs to. | `org-slug` |
-| `org_role` | organization role | The role of the user in the currently active organization. | `org:admin` |
+<Tabs items={["Version 2", "Version 1"]}>
+  <Tab>
+    > [!IMPORTANT]
+    > You are reading about version 2 of Clerk's session token claims. To read about version 1, select the respective tab above.
+
+    Every generated token has default claims that cannot be overridden by templates. Clerk's default claims include:
+
+    | Claim | Abbreviation expanded | Description | Example |
+    | - | - | - | - |
+    | `azp` | authorized party | The `Origin` header that was included in the original Frontend API request made from the user. Most commonly, it will be the URL of the application. This claim could be omitted if, for privacy-related reasons, `Origin` is empty or null. | `https://example.com` |
+    | `exp` | expiration time | The time after which the token will expire, as a Unix timestamp. Determined using the **Token lifetime** JWT template setting in the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=jwt-templates). See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4) for more information. | `1713158400` |
+    | `fva` | factor verification age | Each item represents the minutes that have passed since the last time a first or second factor, respectively, was verified. | `[7, -1]` which means it has been 7 minutes since the first factor was verified, and there either is not a second factor or the second factor has never been verified. |
+    | `iat` | issued at | The time at which the token was issued as a Unix timestamp. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6) for more information. | `1713158400` |
+    | `iss` | issuer | The Frontend API URL of your instance. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) for more information. | `https://clerk.your-site.com` for a production instance, `https://your-site.clerk.accounts.dev` for a development instance |
+    | `nbf` | not before | The time before which the token is considered invalid, as a Unix timestamp. Determined using the **Allowed Clock Skew** JWT template setting in the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=jwt-templates). See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5) for more information. | `1713158400` |
+    | `sid` | session ID | The ID of the current session. | `sess_123` |
+    | `sub` | subject | The ID of the current user of the session. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2) for more information. | `user_123` |
+    | `v` | version | The version number of the session token. | `2` |
+    | `fea` | features | A list of enabled features and their scope. The scope can either be `o` for org-level features, `u` for user-level features, or `uo` for both. | `o:dashboard,o:impersonation` |
+
+    The **`o` claim**, or organization claim, is only included if the user is part of an [organization](/docs/organizations/overview) and that organization is [active](/docs/organizations/overview#active-organization). Its value is an object that contains the following properties:
+
+    | Claim | Abbreviation expanded | Description | Example |
+    | - | - | - | - |
+    | `id` | ID | The ID of the organization. | `org_123` |
+    | `slg` | slug | The slug of the organization. | `org-slug` |
+    | `rol` | role | The role of the user in the organization, without the `org:` prefix. | `admin` |
+    | `per` | permissions | The names of the permissions the user has in the organization. | `read,manage` |
+    | `fpm` | feature-permission map | The mapping of features with permissions, where the value of the integer, when converted to binary, represents a bitmask where each bit's position corresponds to a permission in the `o.per` list, and where `0` = `not-allowed` and `1` = `allowed`. | `3,2` |
+
+    > [!WARNING]
+    > The organization claims above are intentionally designed to be as compact as possible to keep JWT tokens small.
+    > As a result, they can be difficult to decode manually. We strongly recommend using one of our SDKs that support API version [2025-04-10](/docs/versioning/available-versions#2025-04-10) to handle decoding reliably.
+
+    The **`act` (actor) claim** is only included if the user is [impersonating](/docs/users/user-impersonation) another user. It's value is an object that contains the following properties:
+
+    | Claim | Abbreviation expanded | Description | Example |
+    | - | - | - | - |
+    | `iss` | issuer | The referrer of the token. | `https://dashboard.clerk.com` |
+    | `sid` | session ID | The session ID of the impersonated session. | `sess_456` |
+    | `sub` | subject | The ID of the impersonator. | `user_456` |
+  </Tab>
+
+  <Tab>
+    > [!IMPORTANT]
+    > Version 1 was deprecated on April 14, 2025. To upgrade to version 2, go to the [**Updates**](https://dashboard.clerk.com/last-active?path=updates) page in the Clerk Dashboard.
+
+    Every generated token has default claims that cannot be overridden by templates. Clerk's default claims include:
+
+    | Claim | Abbreviation expanded | Description | Example |
+    | - | - | - | - |
+    | `azp` | authorized party | The `Origin` header that was included in the original Frontend API request made from the user. Most commonly, it will be the URL of the application. This claim could be omitted if, for privacy-related reasons, `Origin` is empty or null. | `https://example.com` |
+    | `exp` | expiration time | The time after which the token will expire, as a Unix timestamp. Determined using the **Token lifetime** JWT template setting in the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=jwt-templates). See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4) for more information. | `1713158400` |
+    | `fva` | factor verification age | Each item represents the minutes that have passed since the last time a first or second factor, respectively, was verified. | `[7, -1]` which means it has been 7 minutes since the first factor was verified, and there either is not a second factor or the second factor has never been verified. |
+    | `iat` | issued at | The time at which the token was issued as a Unix timestamp. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6) for more information. | `1713158400` |
+    | `iss` | issuer | The Frontend API URL of your instance. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) for more information. | `https://clerk.your-site.com` for a production instance, `https://your-site.clerk.accounts.dev` for a development instance |
+    | `nbf` | not before | The time before which the token is considered invalid, as a Unix timestamp. Determined using the **Allowed Clock Skew** JWT template setting in the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=jwt-templates). See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5) for more information. | `1713158400` |
+    | `sid` | session ID | The ID of the current session. | `sess_123` |
+    | `sub` | subject | The ID of the current user of the session. See [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2) for more information. | `user_123` |
+
+    The following claims are only included if the user is part of an organization and that organization is [active](/docs/organizations/overview#active-organization):
+
+    | Claim | Abbreviation expanded | Description | Example |
+    | - | - | - | - |
+    | `org_id` | organization ID | The ID of the active organization that the user belongs to. | `org_123` |
+    | `org_permissions` | organization permissions | The permissions of the user in the currently active organization. System permissions are not included in the session token. | `["org:admin:example_permission", "org:member:example_permission"]` |
+    | `org_slug` | organization slug | The slug of the currently active organization that the user belongs to. | `org-slug` |
+    | `org_role` | organization role | The role of the user in the currently active organization. | `org:admin` |
+
+    The **`act` (actor) claim** is only included if the user is [impersonating](/docs/users/user-impersonation) another user. It's value is an object that contains the following properties:
+
+    | Claim | Abbreviation expanded | Description | Example |
+    | - | - | - | - |
+    | `iss` | issuer | The referrer of the token. | `https://dashboard.clerk.com` |
+    | `sid` | session ID | The session ID of the impersonated session. | `sess_456` |
+    | `sub` | subject | The ID of the impersonator. | `user_456` |
+  </Tab>
+</Tabs>
 
 If you would like to add custom claims to your session token, you can [customize it](/docs/backend-requests/custom-session-token).
 
diff --git a/docs/organizations/create-roles-permissions.mdx b/docs/organizations/create-roles-permissions.mdx
@@ -16,7 +16,7 @@ In the Clerk Dashboard, you can create roles, assign permissions to them, and ch
 
 1. In the Clerk Dashboard, navigate to [**Permissions**](https://dashboard.clerk.com/last-active?path=organizations-settings/permissions).
 1. Select **Create new permission**.
-1. Give the permission a name, a key to reference it by in the format `org:<resource>:<action>`, and a description.
+1. Give the permission a name, a key to reference it by in the format `org:<feature>:<action>`, and a description.
 1. Select **Create permission**.
 
 ## Change a user's role in an organization
diff --git a/docs/organizations/roles-permissions.mdx b/docs/organizations/roles-permissions.mdx
@@ -65,7 +65,7 @@ You can assign these system permissions to any role.
 
 ### Custom permissions
 
-When creating a new permission, follow the format `org:<resource>:<action>`. You can then assign the permission to an existing role.
+When creating a new permission, follow the format `org:<feature>:<action>`. You can then assign the permission to an existing role.
 
 For example, you could create a new role called **Sales** (`org:sales`) and a new permission called **Create invoices** (`org:invoices:create`) which allows only users with this permission to edit invoices. You could also grant this permission to the **Billing** role.
 
diff --git a/docs/versioning/available-versions.mdx b/docs/versioning/available-versions.mdx
@@ -5,6 +5,27 @@ description: A list of the available API versions and their breaking changes.
 
 Below is a list of all the available API versions with their respective breaking changes. For information on how to apply the appropriate version, see [Versioning overview](/docs/versioning/overview).
 
+### 2025-04-10
+
+Adds support for [version 2 of Clerk session tokens](/docs/backend-requests/resources/session-tokens).
+The following SDKs are compatible with this version:
+
+| SDK | Version |
+| - | - |
+| Clerk.js | @clerk/clerk-js v5.61.0 or higher |
+| Next.js | @clerk/nextjs v6.15.0 or higher |
+| Astro | @clerk/astro v2.6.4 or higher |
+| Expo | @clerk/expo v2.9.12 or higher |
+| Express | @clerk/express v1.4.5 or higher |
+| Fastify | @clerk/fastify v2.2.5 or higher |
+| Go | clerk-sdk-go v2.3.1 or higher |
+| JavaScript Backend | @clerk/backend v1.28.0 or higher |
+| Nuxt.js | @clerk/nuxt v1.5.5 or higher |
+| React Router | @clerk/react-router v1.2.5 or higher |
+| Remix | @clerk/remix v4.5.17 or higher |
+| Ruby | clerk-sdk-ruby v4.1.0 or higher |
+| TanStack React Start | @clerk/tanstack-react-start v0.13.5 or higher |
+
 ### 2024-10-01
 
 - Notification for new sign-ins to users' accounts feature becomes available.
