Instead of managing tokens manually, you can let your authentication provider issue JWT tokens using JWKS. This allows you to leverage your existing auth infrastructure (e.g., Clerk, Auth0).
During the Turso Beta, we only support Clerk & Auth0 as OIDC providers.
Generate JWT Template
Use the Turso CLI to generate a JWT claims template for your auth provider:

# Full access to a database
turso org jwks template --database <database-name> --scope full-access
# Read-only access to a group
turso org jwks template --group <group-name> --scope read-only
# Fine-grained permissions
turso org jwks template \
  --database <database-name> \
  --permissions all:data_read \
  --permissions comments:data_add
Copy the generated template into your auth provider’s JWT configuration.

Add JWKS Endpoint to Turso
Register your auth provider’s JWKS endpoint with your Turso organization:

turso org jwks save <name> <url>

For example, with Clerk:

turso org jwks save clerk https://your-app.clerk.accounts.dev/.well-known/jwks.json

You can also add JWKS endpoints in the Turso Dashboard under organization settings.

Use Tokens in Your Application
Get the JWT from your auth provider and pass it as the authToken:

import { createClient } from "@tursodatabase/serverless";
const authToken = await getAuthToken(); // e.g., from Clerk, Auth0
const db = createClient({
  url: "<your-database-url>",
  authToken,
});

Managing JWKS Endpoints
# List all JWKS endpoints
turso org jwks list
# Remove a JWKS endpoint
turso org jwks remove <name>

If you don’t set up a JWT template with specific permissions, the generated tokens will have access to all databases in all groups by default.
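
Because an untemplated token defaults to access across every database and group, an application can check the provider's token before passing it as authToken. The following is an added example, not Turso's code: it decodes the payload without verifying the signature (Turso does that against the registered JWKS endpoint) and reports missing template claims or an expired token. The claim name `example_template_claim` is a placeholder and the idea that the template adds top-level claims is an assumption; substitute the names printed by `turso org jwks template`.

```javascript
// Added example: pre-flight check on the provider-issued JWT before it is
// handed to createClient(). Decoding here does NOT verify the signature.

// Decode the payload segment of a compact JWT (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error("not a compact JWT");
  }
  let payload;
  try {
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    throw new Error("JWT payload is not valid JSON");
  }
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    throw new Error("JWT payload is not a JSON object");
  }
  return payload;
}

// Returns a list of problems; an empty list means the token looks scoped.
// requiredClaims: top-level claim names copied from the generated template
// (assumption: the template contributes top-level claims to the token).
function checkTemplateClaims(token, requiredClaims, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(token);
  const problems = [];
  for (const name of requiredClaims) {
    if (!(name in payload)) problems.push(`missing template claim: ${name}`);
  }
  if (typeof payload.exp !== "number") problems.push("no exp claim");
  else if (payload.exp <= nowSeconds) problems.push("token expired");
  return problems;
}

// Constructed sample tokens with a dummy signature segment ("sig").
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const makeToken = (claims) => `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.sig`;
const TEMPLATE_CLAIM = "example_template_claim"; // placeholder, not a real Turso claim name
const scoped = makeToken({ sub: "user_1", exp: 2000, [TEMPLATE_CLAIM]: {} });
const unscoped = makeToken({ sub: "user_1", exp: 2000 });

console.log(checkTemplateClaims(scoped, [TEMPLATE_CLAIM], 1000));
console.log(checkTemplateClaims(unscoped, [TEMPLATE_CLAIM], 1000));
```

Refuse to create the client when the returned list is non-empty, and log the problems so a misconfigured provider template is noticed early.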