Skip to content

Releases: clerk/javascript

@clerk/backend@3.0.0

Choose a tag to compare

@clerk-cookie clerk-cookie released this 03 Mar 21:28

Major Changes

  • Remove deprecated verify methods in favor of verify(). (#7927) by @wobsoriano

    apiKeys.verifySecret() removed

    // Before
    await clerkClient.apiKeys.verifySecret(secret);
    
    // After
    await clerkClient.apiKeys.verify(secret);

    idpOAuthAccessToken.verifyAccessToken() removed

    // Before
    await clerkClient.idpOAuthAccessToken.verifyAccessToken(accessToken);
    
    // After
    await clerkClient.idpOAuthAccessToken.verify(accessToken);

    m2m.verifyToken() removed

    // Before
    await clerkClient.m2m.verifyToken(params);
    
    // After
    await clerkClient.m2m.verify(params);
  • Update engines config to require node@20 or higher (#6931) by @jacekradko

  • Remove deprecated samlAccount in favor of enterpriseAccount (#7258) by @LauraBeatris

Minor Changes

  • Add support for Agent Tasks API endpoint which allows developers to create agent tasks that can be used to act on behalf of users through automated flows. (#7783) by @tmilewski

  • Add Frontend API proxy support via frontendApiProxy option in clerkMiddleware (#7602) by @brkalow

  • Add satelliteAutoSync option to optimize satellite app handshake behavior (#7597) by @nikosdouvlis

    Satellite apps currently trigger a handshake redirect on every first page load, even when no cookies exist. This creates unnecessary redirects to the primary domain for apps where most users aren't authenticated.

    New option: satelliteAutoSync (default: false)

    • When false (default): Skip automatic handshake if no session cookies exist, only trigger after explicit sign-in action
    • When true: Satellite apps automatically trigger handshake on first load (previous behavior)

    New query parameter: __clerk_sync

    • __clerk_sync=1 (NeedsSync): Triggers handshake after returning from primary sign-in
    • __clerk_sync=2 (Completed): Prevents re-sync loop after handshake completes

    Backwards compatible: Still reads legacy __clerk_synced=true parameter.

    SSR redirect fix: Server-side redirects (e.g., redirectToSignIn() from middleware) now correctly add __clerk_sync=1 to the return URL for satellite apps. This ensures the handshake is triggered when the user returns from sign-in on the primary domain.

    CSR redirect fix: Client-side redirects now add __clerk_sync=1 to all redirect URL variants (forceRedirectUrl, fallbackRedirectUrl) for satellite apps, not just the default redirectUrl.

    Usage

    SSR (Next.js Middleware)

    import { clerkMiddleware } from '@clerk/nextjs/server';
    
    export default clerkMiddleware({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      // Set to true to automatically sync auth state on first load
      satelliteAutoSync: true,
    });

    SSR (TanStack Start)

    import { clerkMiddleware } from '@clerk/tanstack-react-start/server';
    
    export default clerkMiddleware({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      // Set to true to automatically sync auth state on first load
      satelliteAutoSync: true,
    });

    CSR (ClerkProvider)

    <ClerkProvider
      publishableKey='pk_...'
      isSatellite={true}
      domain='satellite.example.com'
      signInUrl='https://primary.example.com/sign-in'
      // Set to true to automatically sync auth state on first load
      satelliteAutoSync={true}
    >
      {children}
    </ClerkProvider>

    SSR (TanStack Start with callback)

    import { clerkMiddleware } from '@clerk/tanstack-react-start/server';
    
    // Options callback - receives context object, returns options
    export default clerkMiddleware(({ url }) => ({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      satelliteAutoSync: url.pathname.startsWith('/dashboard'),
    }));

    Migration Guide

    Behavior change: satelliteAutoSync defaults to false

    Previously, satellite apps would automatically trigger a handshake redirect on every first page load to sync authentication state with the primary domain—even when no session cookies existed. This caused unnecessary redirects to the primary domain for users who weren't authenticated.

    The new default (satelliteAutoSync: false) provides a better experience for end users. Performance-wise, the satellite app can be shown immediately without attempting to sync state first, which is the right behavior for most use cases.

    To preserve the previous behavior where visiting a satellite while already signed in on the primary domain automatically syncs your session, set satelliteAutoSync: true:

    export default clerkMiddleware({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      satelliteAutoSync: true, // Opt-in to automatic sync on first load
    });

    TanStack Start: Function props to options callback

    The clerkMiddleware function no longer accepts individual props as functions. If you were using the function form for props like domain, proxyUrl, or isSatellite, migrate to the options callback pattern.

    Before (prop function form - no longer supported):

    import { clerkMiddleware } from '@clerk/tanstack-react-start/server';
    
    export default clerkMiddleware({
      isSatellite: true,
      // ❌ Function form for individual props no longer works
      domain: url => url.hostname,
    });

    After (options callback form):

    import { clerkMiddleware } from '@clerk/tanstack-react-start/server';
    
    // ✅ Wrap entire options in a callback function
    export default clerkMiddleware(({ url }) => ({
      isSatellite: true,
      domain: url.hostname,
    }));

    The callback receives a context object with the url property (a URL instance) and can return options synchronously or as a Promise for async configuration.

Patch Changes

  • Warn when a cookie-based session token is missing the azp claim instead of rejecting the token. This prepares consumers for a future version where the azp claim will be required. (#7929) by @jacekradko

  • Dropping the __experimental_ prefix from setPasswordCompromised and unsetPasswordCompromised and marking them as stable (#7504) by @octoper

  • Added date filter parameters to user list endpoint (#7793) by @wobsoriano

  • Fixes an issue with host header parsing that would cause Clerk to throw an exception when receiving malformed host values. (#7370) by @brkalow

  • Improve token type validation in authentication requests (#7765) by @wobsoriano

  • Allow null for period_end in BillingSubscriptionItemWebhookEventJSON (#7699) by @jacekradko

  • fix: Update getAuthData to use isMachineToken (#7755) by @jeremy-clerk

  • Allow usage of machine secret key when listing M2M tokens: (#7968) by @wobsoriano

    const clerkClient = createClerkClient();
    
    const m2mToken = await clerkClient.m2m.list({
      machineSecretKey: 'ak_xxxxx',
      subject: machineId,
    });
  • Add missing fields to CommercePlan type. (#7707) by @dstaley

  • Updated dependencies [0a9cce3, e35960f, c9f0d77, 1bd1747, 6a2ff9e, d2cee35, 0a9cce3, a374c18, 466d642, 5ef4a77, af85739, 10b5bea, [a05d130](https://github....

Read more

@clerk/astro@3.0.0

Choose a tag to compare

@clerk-cookie clerk-cookie released this 03 Mar 21:27

Major Changes

  • Align experimental/unstable prefixes to use consistent naming: (#7361) by @brkalow

    • Renamed all __unstable_* methods to __internal_* (for internal APIs)
    • Renamed all experimental__* and experimental_* methods to __experimental_* (for beta features)
    • Removed deprecated billing-related props (__unstable_manageBillingUrl, __unstable_manageBillingLabel, __unstable_manageBillingMembersLimit) and experimental__forceOauthFirst
  • Require Node.js 20.9.0 in all packages (#7262) by @jacekradko

  • Remove deprecated as prop from unstyled button components (SignInButton, SignUpButton, SignOutButton, CheckoutButton, PlanDetailsButton, SubscriptionDetailsButton). Use the asChild prop with a custom element in the default slot instead. (#7839) by @wobsoriano

    Before:

    <SignInButton
      as='a'
      href='/sign-in'
    >
      Sign in
    </SignInButton>

    After:

    <SignInButton asChild>
      <a href='/sign-in'>Sign in</a>
    </SignInButton>
  • Remove clerkJSUrl, clerkJSVersion, clerkUIUrl, and clerkUIVersion props from all SDKs. To pin a specific version of @clerk/clerk-js, import the Clerk constructor from @clerk/clerk-js and pass it to ClerkProvider via the Clerk prop. To pin a specific version of @clerk/ui, import ui from @clerk/ui and pass it via the ui prop. This bundles the modules directly with your application instead of loading them from the CDN. (#7879) by @jacekradko

  • Introduce <Show when={...}> as the cross-framework authorization control component and remove <Protect>, <SignedIn>, and <SignedOut> in favor of <Show>. (#7373) by @jacekradko

  • Changed environment variable resolution order in getContextEnvVar() to prefer process.env over import.meta.env. Runtime environment variables (e.g., set in the Node.js adapter) now take precedence over build-time values statically replaced by Vite. This ensures that environment variables set at runtime behave as expected when deploying with the Astro Node adapter or similar runtime environments. (#7889) by @alexcarpenter

Minor Changes

  • Remove clerkJSVariant option and headless bundle. Use prefetchUI={false} instead. (#7629) by @jacekradko

  • Introduce Keyless quickstart for Astro. This allows the Clerk SDK to be used without having to sign up and paste your keys manually. (#7812) by @wobsoriano

  • Add ui prop to ClerkProvider for passing @clerk/ui (#7664) by @jacekradko

  • Add standalone getToken() function for retrieving session tokens outside of framework component trees. (#7325) by @bratsos

    This function is safe to call from anywhere in the browser, such as API interceptors, data fetching layers (e.g., React Query, SWR), or vanilla JavaScript code. It automatically waits for Clerk to initialize before returning the token.

    import { getToken } from '@clerk/nextjs'; // or any framework package

    // Example: Axios interceptor
    axios.interceptors.request.use(async (config) => {
    const token = await getToken();
    if (token) {
    config.headers.Authorization = Bearer ${token};
    }
    return config;
    });

  • Add /types subpath export to re-export types from @clerk/shared/types along with SDK-specific types. This allows importing Clerk types directly from the SDK package (e.g., import type { UserResource } from '@clerk/react/types') without needing to install @clerk/types as a separate dependency. (#7644) by @nikosdouvlis

  • Introduce <UNSAFE_PortalProvider> component which allows you to specify a custom container for Clerk floating UI elements (popovers, modals, tooltips, etc.) that use portals. Only Clerk components within the provider will be affected, components outside the provider will continue to use the default document.body for portals. (#7310) by @alexcarpenter

    This is particularly useful when using Clerk components inside external UI libraries like Radix Dialog or React Aria Components, where portaled elements need to render within the dialog's container to remain interact-able.

    'use client';
    
    import { useRef } from 'react';
    import * as Dialog from '@radix-ui/react-dialog';
    import { UNSAFE_PortalProvider, UserButton } from '@clerk/nextjs';
    
    export function UserDialog() {
      const containerRef = useRef<HTMLDivElement>(null);
    
      return (
        <Dialog.Root>
          <Dialog.Trigger>Open Dialog</Dialog.Trigger>
          <Dialog.Portal>
            <Dialog.Overlay />
            <Dialog.Content ref={containerRef}>
              <UNSAFE_PortalProvider getContainer={() => containerRef.current}>
                <UserButton />
              </UNSAFE_PortalProvider>
            </Dialog.Content>
          </Dialog.Portal>
        </Dialog.Root>
      );
    }

Patch Changes

  • Rename dev browser APIs to remove JWT terminology. The dev browser identifier is now a generic ID, so internal naming has been updated to reflect this. No runtime behavior changes. (#7930) by @brkalow

  • Wire clerkUIVersion option through all framework packages (#7740) by @nikosdouvlis

  • Fix compatibility with Astro v6 Cloudflare adapter by using cloudflare:workers env when locals.runtime.env is unavailable (#7890) by @alexcarpenter

  • Add satelliteAutoSync option to optimize satellite app handshake behavior (#7597) by @nikosdouvlis

    Satellite apps currently trigger a handshake redirect on every first page load, even when no cookies exist. This creates unnecessary redirects to the primary domain for apps where most users aren't authenticated.

    New option: satelliteAutoSync (default: false)

    • When false (default): Skip automatic handshake if no session cookies exist, only trigger after explicit sign-in action
    • When true: Satellite apps automatically trigger handshake on first load (previous behavior)

    New query parameter: __clerk_sync

    • __clerk_sync=1 (NeedsSync): Triggers handshake after returning from primary sign-in
    • __clerk_sync=2 (Completed): Prevents re-sync loop after handshake completes

    Backwards compatible: Still reads legacy __clerk_synced=true parameter.

    SSR redirect fix: Server-side redirects (e.g., redirectToSignIn() from middleware) now correctly add __clerk_sync=1 to the return URL for satellite apps. This ensures the handshake is triggered when the user returns from sign-in on the primary domain.

    CSR redirect fix: Client-side redirects now add __clerk_sync=1 to all redirect URL variants (forceRedirectUrl, fallbackRedirectUrl) for satellite apps, not just the default redirectUrl.

    Usage

    SSR (Next.js Middleware)

    import { clerkMiddleware } from '@clerk/nextjs/server';
    
    export default clerkMiddleware({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      // Set to true to automatically sync auth state on first load
      satelliteAutoSync: true,
    });

    SSR (TanStack Start)

    import { clerkMiddleware } from '@clerk/tanstack-react-start/server';
    
    export default clerkMiddleware({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      // Set to true to automatically sync auth state on first load
      satelliteAutoSync: true,
    });

    CSR (ClerkProvider)

    <ClerkProvider
      publishableKey='pk_...'
      isSatellite={true}
      domain='satellite.example.com'
      signInUrl='https://primary.example.com/sign-in'
      // Set to true to automatically sync auth state on first load
      satelliteAutoSync={true}
    >
      {children}
    </ClerkProvider>

    SSR (TanStack Start with callback)

    import { clerkMiddleware } from '@clerk/tanstack-react-start/server';
    
    // Options callback - receives context object, returns options
    export default clerkMiddleware(({ url }) => ({
      isSatellite: true,
      domain: 'satellite.example.com',
      signInUrl: 'https://primary.example.com/sign-in',
      satelliteAutoSync: url.pathname.startsWith('/dashboard'),
    }));

    Migration Guide

    Behavior change: satelliteAutoSync defaults to false

    Previously, satellite apps would automatically trigger a handshake redirect on every fir...

Read more

@clerk/agent-toolkit@0.3.0

Choose a tag to compare

@clerk/clerk-js@5.125.4

Choose a tag to compare

@clerk-cookie clerk-cookie released this 02 Mar 18:17
eb9c9ee

Patch Changes

  • Fix a crash in the Turnstile CAPTCHA retry logic where captcha.reset() was called after the widget's DOM container had already been removed, causing an unhandled error (#7957) by @tmilewski

@clerk/clerk-expo@2.19.30

Choose a tag to compare

@clerk-cookie clerk-cookie released this 02 Mar 18:17
eb9c9ee

Patch Changes

  • Updated dependencies [86d42b9]:
    • @clerk/clerk-js@5.125.4

@clerk/chrome-extension@2.9.9

Choose a tag to compare

@clerk-cookie clerk-cookie released this 02 Mar 18:17
eb9c9ee

Patch Changes

  • Updated dependencies [86d42b9]:
    • @clerk/clerk-js@5.125.4

@clerk/vue@1.17.18

Choose a tag to compare

@clerk-cookie clerk-cookie released this 27 Feb 19:37
f2e31af

Patch Changes

  • Updated dependencies [7955e9d]:
    • @clerk/shared@3.47.2
    • @clerk/types@4.101.20

@clerk/types@4.101.20

Choose a tag to compare

@clerk-cookie clerk-cookie released this 27 Feb 19:36
f2e31af

Patch Changes

  • Updated dependencies [7955e9d]:
    • @clerk/shared@3.47.2

@clerk/themes@2.4.57

Choose a tag to compare

@clerk-cookie clerk-cookie released this 27 Feb 19:36
f2e31af

Patch Changes

  • Updated dependencies [7955e9d]:
    • @clerk/shared@3.47.2

@clerk/testing@1.14.3

Choose a tag to compare

@clerk-cookie clerk-cookie released this 27 Feb 19:36
f2e31af

Patch Changes

  • Updated dependencies [76a5a1b, 7955e9d, 51bc9a9]:
    • @clerk/backend@2.33.0
    • @clerk/shared@3.47.2
    • @clerk/types@4.101.20