Patch Changes

• Updated dependencies [d8fa5d9, be2e89c, 5644d94, b578225, 8838120]:
  • @clerk/types@4.60.0

Minor Changes

• Add waitToBeActive({ planSlug }) and getPlanCardCTA({ planSlug }) to pricingTable object. (#6051) by @panteliselef

Patch Changes

• Update checkoutObject with waitForStipeElements method and root property. (#5980) by @panteliselef

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:

  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/shared@3.9.6

Minor Changes

• Machine authentication is now supported for advanced use cases via the backend SDK. You can use clerkClient.authenticateRequest to validate machine tokens (such as API keys, OAuth tokens, and machine-to-machine tokens). No new helpers are included in these packages yet. (#5689) by @wobsoriano

  Example (Astro):

  import { clerkClient } from '@clerk/astro/server'; export const GET: APIRoute = ({ request }) => { const requestState = await clerkClient.authenticateRequest(request, { acceptsToken: 'api_key', }); if (!requestState.isAuthenticated) { return new Response(401, { message: 'Unauthorized' }); } return new Response(JSON.stringify(requestState.toAuth())); };

• The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

  If you previously installed svix to use verifyWebhook() you can uninstall it now:

  npm uninstall svix

Patch Changes

• Apply Clerk response headers (#6057) by @dios-david

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, a3232c7, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:

  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/clerk-react@5.31.9
  • @clerk/shared@3.9.6

Patch Changes

• Updated dependencies [d8fa5d9, be2e89c, 5644d94, b578225, 8838120]:
  • @clerk/types@4.60.0

Minor Changes

• Machine authentication is now supported for advanced use cases via the backend SDK. You can use clerkClient.authenticateRequest to validate machine tokens (such as API keys, OAuth tokens, and machine-to-machine tokens). No new helpers are included in these packages yet. (#5689) by @wobsoriano

  Example (Astro):

  import { clerkClient } from '@clerk/astro/server'; export const GET: APIRoute = ({ request }) => { const requestState = await clerkClient.authenticateRequest(request, { acceptsToken: 'api_key', }); if (!requestState.isAuthenticated) { return new Response(401, { message: 'Unauthorized' }); } return new Response(JSON.stringify(requestState.toAuth())); };

Patch Changes

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, a3232c7, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:
  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/clerk-react@5.31.9
  • @clerk/shared@3.9.6

Minor Changes

• Machine authentication is now supported for advanced use cases via the backend SDK. You can use clerkClient.authenticateRequest to validate machine tokens (such as API keys, OAuth tokens, and machine-to-machine tokens). No new helpers are included in these packages yet. (#5689) by @wobsoriano

  Example (Astro):

  import { clerkClient } from '@clerk/astro/server'; export const GET: APIRoute = ({ request }) => { const requestState = await clerkClient.authenticateRequest(request, { acceptsToken: 'api_key', }); if (!requestState.isAuthenticated) { return new Response(401, { message: 'Unauthorized' }); } return new Response(JSON.stringify(requestState.toAuth())); };

• The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

  If you previously installed svix to use verifyWebhook() you can uninstall it now:

  npm uninstall svix

Patch Changes

• In this release the TypeScript types for rootAuthLoader(), getAuth(), and <ClerkProvider> were adjusted but should still work as before. Previously, these types relied on internal, unstable React Router types that changed in their recent 7.6.1 release. We simplified our TypeScript types and no longer rely on internal exports from React Router. (#6019) by @LekoArts

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, a3232c7, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:

  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/clerk-react@5.31.9
  • @clerk/shared@3.9.6

Minor Changes

• Machine authentication is now supported for advanced use cases via the backend SDK. You can use clerkClient.authenticateRequest to validate machine tokens (such as API keys, OAuth tokens, and machine-to-machine tokens). No new helpers are included in these packages yet. (#5689) by @wobsoriano

  Example (Astro):

  import { clerkClient } from '@clerk/astro/server'; export const GET: APIRoute = ({ request }) => { const requestState = await clerkClient.authenticateRequest(request, { acceptsToken: 'api_key', }); if (!requestState.isAuthenticated) { return new Response(401, { message: 'Unauthorized' }); } return new Response(JSON.stringify(requestState.toAuth())); };

• The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

  If you previously installed svix to use verifyWebhook() you can uninstall it now:

  npm uninstall svix

Patch Changes

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:
  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/shared@3.9.6
  • @clerk/vue@1.8.7

Minor Changes

• Introduces machine authentication, supporting four token types: api_key, oauth_token, machine_token, and session_token. For backwards compatibility, session_token remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification. (#5689) by @wobsoriano

  You can specify which token types are allowed for a given route or handler using the acceptsToken property in the auth() helper, or the token property in the auth.protect() helper. Each can be set to a specific type, an array of types, or 'any' to accept all supported tokens.

  Example usage in Nextjs middleware:

  import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server'; const isOAuthAccessible = createRouteMatcher(['/oauth(.*)']); const isApiKeyAccessible = createRouteMatcher(['/api(.*)']); const isMachineTokenAccessible = createRouteMatcher(['/m2m(.*)']); const isUserAccessible = createRouteMatcher(['/user(.*)']); const isAccessibleToAnyValidToken = createRouteMatcher(['/any(.*)']); export default clerkMiddleware(async (auth, req) => { if (isOAuthAccessible(req)) await auth.protect({ token: 'oauth_token' }); if (isApiKeyAccessible(req)) await auth.protect({ token: 'api_key' }); if (isMachineTokenAccessible(req)) await auth.protect({ token: 'machine_token' }); if (isUserAccessible(req)) await auth.protect({ token: 'session_token' }); if (isAccessibleToAnyValidToken(req)) await auth.protect({ token: 'any' }); }); export const config = { matcher: [ '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)', '/(api|trpc)(.*)', ], };

  Leaf node route protection:

  import { auth } from '@clerk/nextjs/server'; // In this example, we allow users and oauth tokens with the "profile" scope // to access the data. Other types of tokens are rejected. function POST(req, res) { const authObject = await auth({ acceptsToken: ['session_token', 'oauth_token'] }); if (authObject.tokenType === 'oauth_token' && !authObject.scopes?.includes('profile')) { throw new Error('Unauthorized: OAuth token missing the "profile" scope'); } // get data from db using userId const data = db.select().from(user).where(eq(user.id, authObject.userId)); return { data }; }

• The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

  If you previously installed svix to use verifyWebhook() you can uninstall it now:

  npm uninstall svix

Patch Changes

• Updated URL for 'auth() was called but Clerk can't detect usage of clerkMiddleware()' (#6035) by @royanger

• Introduce getAuthObjectFromJwt as internal utility function that centralizes the logic for generating auth objects from session JWTs. (#6053) by @LauraBeatris

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, a3232c7, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:

  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/clerk-react@5.31.9
  • @clerk/shared@3.9.6

Patch Changes

• Update Spanish (es-ES) password validation messages to match new English (en-US) format (#6048) by @ReyserLyn

• Updated dependencies [d8fa5d9, be2e89c, 5644d94, b578225, 8838120]:

  • @clerk/types@4.60.0

Minor Changes

• Machine authentication is now supported for advanced use cases via the backend SDK. You can use clerkClient.authenticateRequest to validate machine tokens (such as API keys, OAuth tokens, and machine-to-machine tokens). No new helpers are included in these packages yet. (#5689) by @wobsoriano

  Example (Astro):

  import { clerkClient } from '@clerk/astro/server'; export const GET: APIRoute = ({ request }) => { const requestState = await clerkClient.authenticateRequest(request, { acceptsToken: 'api_key', }); if (!requestState.isAuthenticated) { return new Response(401, { message: 'Unauthorized' }); } return new Response(JSON.stringify(requestState.toAuth())); };

• The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

  If you previously installed svix to use verifyWebhook() you can uninstall it now:

  npm uninstall svix

Patch Changes

• Updated dependencies [ea622ba, d8fa5d9, be2e89c, c656270, 5644d94, b578225, 918e2e0, 795d09a, 4f93634, 8838120]:
  • @clerk/backend@2.0.0
  • @clerk/types@4.60.0
  • @clerk/shared@3.9.6