Releases: clerk/javascript
Release list
@clerk/backend@3.0.0
Major Changes
-
Remove deprecated verify methods in favor of
verify(). (#7927) by @wobsorianoapiKeys.verifySecret()removed// Before await clerkClient.apiKeys.verifySecret(secret); // After await clerkClient.apiKeys.verify(secret);
idpOAuthAccessToken.verifyAccessToken()removed// Before await clerkClient.idpOAuthAccessToken.verifyAccessToken(accessToken); // After await clerkClient.idpOAuthAccessToken.verify(accessToken);
m2m.verifyToken()removed// Before await clerkClient.m2m.verifyToken(params); // After await clerkClient.m2m.verify(params);
-
Update engines config to require node@20 or higher (#6931) by @jacekradko
-
Remove deprecated
samlAccountin favor ofenterpriseAccount(#7258) by @LauraBeatris
Minor Changes
-
Add support for Agent Tasks API endpoint which allows developers to create agent tasks that can be used to act on behalf of users through automated flows. (#7783) by @tmilewski
-
Add Frontend API proxy support via
frontendApiProxyoption inclerkMiddleware(#7602) by @brkalow -
Add
satelliteAutoSyncoption to optimize satellite app handshake behavior (#7597) by @nikosdouvlisSatellite apps currently trigger a handshake redirect on every first page load, even when no cookies exist. This creates unnecessary redirects to the primary domain for apps where most users aren't authenticated.
New option:
satelliteAutoSync(default:false)- When
false(default): Skip automatic handshake if no session cookies exist, only trigger after explicit sign-in action - When
true: Satellite apps automatically trigger handshake on first load (previous behavior)
New query parameter:
__clerk_sync__clerk_sync=1(NeedsSync): Triggers handshake after returning from primary sign-in__clerk_sync=2(Completed): Prevents re-sync loop after handshake completes
Backwards compatible: Still reads legacy
__clerk_synced=trueparameter.SSR redirect fix: Server-side redirects (e.g.,
redirectToSignIn()from middleware) now correctly add__clerk_sync=1to the return URL for satellite apps. This ensures the handshake is triggered when the user returns from sign-in on the primary domain.CSR redirect fix: Client-side redirects now add
__clerk_sync=1to all redirect URL variants (forceRedirectUrl,fallbackRedirectUrl) for satellite apps, not just the defaultredirectUrl.Usage
SSR (Next.js Middleware)
import { clerkMiddleware } from '@clerk/nextjs/server'; export default clerkMiddleware({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', // Set to true to automatically sync auth state on first load satelliteAutoSync: true, });
SSR (TanStack Start)
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'; export default clerkMiddleware({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', // Set to true to automatically sync auth state on first load satelliteAutoSync: true, });
CSR (ClerkProvider)
<ClerkProvider publishableKey='pk_...' isSatellite={true} domain='satellite.example.com' signInUrl='https://primary.example.com/sign-in' // Set to true to automatically sync auth state on first load satelliteAutoSync={true} > {children} </ClerkProvider>
SSR (TanStack Start with callback)
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'; // Options callback - receives context object, returns options export default clerkMiddleware(({ url }) => ({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', satelliteAutoSync: url.pathname.startsWith('/dashboard'), }));
Migration Guide
Behavior change:
satelliteAutoSyncdefaults tofalsePreviously, satellite apps would automatically trigger a handshake redirect on every first page load to sync authentication state with the primary domain—even when no session cookies existed. This caused unnecessary redirects to the primary domain for users who weren't authenticated.
The new default (
satelliteAutoSync: false) provides a better experience for end users. Performance-wise, the satellite app can be shown immediately without attempting to sync state first, which is the right behavior for most use cases.To preserve the previous behavior where visiting a satellite while already signed in on the primary domain automatically syncs your session, set
satelliteAutoSync: true:export default clerkMiddleware({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', satelliteAutoSync: true, // Opt-in to automatic sync on first load });
TanStack Start: Function props to options callback
The
clerkMiddlewarefunction no longer accepts individual props as functions. If you were using the function form for props likedomain,proxyUrl, orisSatellite, migrate to the options callback pattern.Before (prop function form - no longer supported):
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'; export default clerkMiddleware({ isSatellite: true, // ❌ Function form for individual props no longer works domain: url => url.hostname, });
After (options callback form):
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'; // ✅ Wrap entire options in a callback function export default clerkMiddleware(({ url }) => ({ isSatellite: true, domain: url.hostname, }));
The callback receives a context object with the
urlproperty (aURLinstance) and can return options synchronously or as a Promise for async configuration. - When
Patch Changes
-
Warn when a cookie-based session token is missing the
azpclaim instead of rejecting the token. This prepares consumers for a future version where theazpclaim will be required. (#7929) by @jacekradko -
Dropping the
__experimental_prefix fromsetPasswordCompromisedandunsetPasswordCompromisedand marking them as stable (#7504) by @octoper -
Added date filter parameters to user list endpoint (#7793) by @wobsoriano
-
Fixes an issue with host header parsing that would cause Clerk to throw an exception when receiving malformed host values. (#7370) by @brkalow
-
Improve token type validation in authentication requests (#7765) by @wobsoriano
-
Allow
nullforperiod_endinBillingSubscriptionItemWebhookEventJSON(#7699) by @jacekradko -
fix: Update getAuthData to use isMachineToken (#7755) by @jeremy-clerk
-
Allow usage of machine secret key when listing M2M tokens: (#7968) by @wobsoriano
const clerkClient = createClerkClient(); const m2mToken = await clerkClient.m2m.list({ machineSecretKey: 'ak_xxxxx', subject: machineId, });
-
Add missing fields to CommercePlan type. (#7707) by @dstaley
-
Updated dependencies [
0a9cce3,e35960f,c9f0d77,1bd1747,6a2ff9e,d2cee35,0a9cce3,a374c18,466d642,5ef4a77,af85739,10b5bea, [a05d130](https://github....
@clerk/astro@3.0.0
Major Changes
-
Align experimental/unstable prefixes to use consistent naming: (#7361) by @brkalow
- Renamed all
__unstable_*methods to__internal_*(for internal APIs) - Renamed all
experimental__*andexperimental_*methods to__experimental_*(for beta features) - Removed deprecated billing-related props (
__unstable_manageBillingUrl,__unstable_manageBillingLabel,__unstable_manageBillingMembersLimit) andexperimental__forceOauthFirst
- Renamed all
-
Require Node.js 20.9.0 in all packages (#7262) by @jacekradko
-
Remove deprecated
asprop from unstyled button components (SignInButton,SignUpButton,SignOutButton,CheckoutButton,PlanDetailsButton,SubscriptionDetailsButton). Use theasChildprop with a custom element in the default slot instead. (#7839) by @wobsorianoBefore:
<SignInButton as='a' href='/sign-in' > Sign in </SignInButton>
After:
<SignInButton asChild> <a href='/sign-in'>Sign in</a> </SignInButton>
-
Remove
clerkJSUrl,clerkJSVersion,clerkUIUrl, andclerkUIVersionprops from all SDKs. To pin a specific version of@clerk/clerk-js, import theClerkconstructor from@clerk/clerk-jsand pass it toClerkProvidervia theClerkprop. To pin a specific version of@clerk/ui, importuifrom@clerk/uiand pass it via theuiprop. This bundles the modules directly with your application instead of loading them from the CDN. (#7879) by @jacekradko -
Introduce
<Show when={...}>as the cross-framework authorization control component and remove<Protect>,<SignedIn>, and<SignedOut>in favor of<Show>. (#7373) by @jacekradko -
Changed environment variable resolution order in
getContextEnvVar()to preferprocess.envoverimport.meta.env. Runtime environment variables (e.g., set in the Node.js adapter) now take precedence over build-time values statically replaced by Vite. This ensures that environment variables set at runtime behave as expected when deploying with the Astro Node adapter or similar runtime environments. (#7889) by @alexcarpenter
Minor Changes
-
Remove
clerkJSVariantoption and headless bundle. UseprefetchUI={false}instead. (#7629) by @jacekradko -
Introduce Keyless quickstart for Astro. This allows the Clerk SDK to be used without having to sign up and paste your keys manually. (#7812) by @wobsoriano
-
Add
uiprop toClerkProviderfor passing@clerk/ui(#7664) by @jacekradko -
Add standalone
getToken()function for retrieving session tokens outside of framework component trees. (#7325) by @bratsosThis function is safe to call from anywhere in the browser, such as API interceptors, data fetching layers (e.g., React Query, SWR), or vanilla JavaScript code. It automatically waits for Clerk to initialize before returning the token.
import { getToken } from '@clerk/nextjs'; // or any framework package
// Example: Axios interceptor
axios.interceptors.request.use(async (config) => {
const token = await getToken();
if (token) {
config.headers.Authorization =Bearer ${token};
}
return config;
}); -
Add
/typessubpath export to re-export types from@clerk/shared/typesalong with SDK-specific types. This allows importing Clerk types directly from the SDK package (e.g.,import type { UserResource } from '@clerk/react/types') without needing to install@clerk/typesas a separate dependency. (#7644) by @nikosdouvlis -
Introduce
<UNSAFE_PortalProvider>component which allows you to specify a custom container for Clerk floating UI elements (popovers, modals, tooltips, etc.) that use portals. Only Clerk components within the provider will be affected, components outside the provider will continue to use the default document.body for portals. (#7310) by @alexcarpenterThis is particularly useful when using Clerk components inside external UI libraries like Radix Dialog or React Aria Components, where portaled elements need to render within the dialog's container to remain interact-able.
'use client'; import { useRef } from 'react'; import * as Dialog from '@radix-ui/react-dialog'; import { UNSAFE_PortalProvider, UserButton } from '@clerk/nextjs'; export function UserDialog() { const containerRef = useRef<HTMLDivElement>(null); return ( <Dialog.Root> <Dialog.Trigger>Open Dialog</Dialog.Trigger> <Dialog.Portal> <Dialog.Overlay /> <Dialog.Content ref={containerRef}> <UNSAFE_PortalProvider getContainer={() => containerRef.current}> <UserButton /> </UNSAFE_PortalProvider> </Dialog.Content> </Dialog.Portal> </Dialog.Root> ); }
Patch Changes
-
Rename dev browser APIs to remove JWT terminology. The dev browser identifier is now a generic ID, so internal naming has been updated to reflect this. No runtime behavior changes. (#7930) by @brkalow
-
Wire
clerkUIVersionoption through all framework packages (#7740) by @nikosdouvlis -
Fix compatibility with Astro v6 Cloudflare adapter by using
cloudflare:workersenv whenlocals.runtime.envis unavailable (#7890) by @alexcarpenter -
Add
satelliteAutoSyncoption to optimize satellite app handshake behavior (#7597) by @nikosdouvlisSatellite apps currently trigger a handshake redirect on every first page load, even when no cookies exist. This creates unnecessary redirects to the primary domain for apps where most users aren't authenticated.
New option:
satelliteAutoSync(default:false)- When
false(default): Skip automatic handshake if no session cookies exist, only trigger after explicit sign-in action - When
true: Satellite apps automatically trigger handshake on first load (previous behavior)
New query parameter:
__clerk_sync__clerk_sync=1(NeedsSync): Triggers handshake after returning from primary sign-in__clerk_sync=2(Completed): Prevents re-sync loop after handshake completes
Backwards compatible: Still reads legacy
__clerk_synced=trueparameter.SSR redirect fix: Server-side redirects (e.g.,
redirectToSignIn()from middleware) now correctly add__clerk_sync=1to the return URL for satellite apps. This ensures the handshake is triggered when the user returns from sign-in on the primary domain.CSR redirect fix: Client-side redirects now add
__clerk_sync=1to all redirect URL variants (forceRedirectUrl,fallbackRedirectUrl) for satellite apps, not just the defaultredirectUrl.Usage
SSR (Next.js Middleware)
import { clerkMiddleware } from '@clerk/nextjs/server'; export default clerkMiddleware({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', // Set to true to automatically sync auth state on first load satelliteAutoSync: true, });
SSR (TanStack Start)
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'; export default clerkMiddleware({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', // Set to true to automatically sync auth state on first load satelliteAutoSync: true, });
CSR (ClerkProvider)
<ClerkProvider publishableKey='pk_...' isSatellite={true} domain='satellite.example.com' signInUrl='https://primary.example.com/sign-in' // Set to true to automatically sync auth state on first load satelliteAutoSync={true} > {children} </ClerkProvider>
SSR (TanStack Start with callback)
import { clerkMiddleware } from '@clerk/tanstack-react-start/server'; // Options callback - receives context object, returns options export default clerkMiddleware(({ url }) => ({ isSatellite: true, domain: 'satellite.example.com', signInUrl: 'https://primary.example.com/sign-in', satelliteAutoSync: url.pathname.startsWith('/dashboard'), }));
Migration Guide
Behavior change:
satelliteAutoSyncdefaults tofalsePreviously, satellite apps would automatically trigger a handshake redirect on every fir...
- When
@clerk/agent-toolkit@0.3.0
Minor Changes
- Bump
@modelcontextprotocol/sdkfrom 1.7.0 to 1.25.2 to resolve security alerts (#7739) by @wobsoriano
Patch Changes
- Updated dependencies [
0a9cce3,e35960f,c9f0d77,1bd1747,6a2ff9e,d2cee35,44d0e5c,6ec5f08,0a9cce3,8c47111,00882e8,a374c18,466d642,5ef4a77,3abe9ed,af85739,10b5bea,a05d130,b193f79,e9d2f2f,6e90b7f,43fc7b7,0f1011a,cbc5618,38def4f,7772f45,a3e689f,583f7a9,965e7f1,84483c2,2b76081,f284c3d,ac34168,cf0d0dc,0aff70e,690280e,b971d0b,22d1689,e9a1d4d,c088dde,8902e21,972f6a0,a1aaff3,d85646a,ab3dd16,4a8cb10,fd195c1,8887fac,0b4b481,5f88dbb,dc886a9,428629b,8b95393,c438fa5,c438fa5,fd195c1,fd69edb,8d91225,1fc95e2,3dac245,a4c3b47,7c3c002,d8bbc66,3983cf8,f1f1d09,736314f,2cc7dbb,0af2e6f,86d2199,da415c8,97c9ab3,cc63aab,a7a38ab,cfa70ce,25d37b0,26254f0,c97e6af,5b24266,d98727e,79e2622,12b3070]:- @clerk/shared@4.0.0
- @clerk/backend@3.0.0
@clerk/clerk-js@5.125.4
Patch Changes
- Fix a crash in the Turnstile CAPTCHA retry logic where captcha.reset() was called after the widget's DOM container had already been removed, causing an unhandled error (#7957) by @tmilewski
@clerk/clerk-expo@2.19.30
Patch Changes
- Updated dependencies [
86d42b9]:- @clerk/clerk-js@5.125.4
@clerk/chrome-extension@2.9.9
Patch Changes
- Updated dependencies [
86d42b9]:- @clerk/clerk-js@5.125.4
@clerk/vue@1.17.18
Patch Changes
- Updated dependencies [
7955e9d]:- @clerk/shared@3.47.2
- @clerk/types@4.101.20
@clerk/types@4.101.20
Patch Changes
- Updated dependencies [
7955e9d]:- @clerk/shared@3.47.2
@clerk/themes@2.4.57
Patch Changes
- Updated dependencies [
7955e9d]:- @clerk/shared@3.47.2