feat(backend): Error if azp is missing on a cookie-based token

[jescalan]

Description

If a session token is sent via cookie, this usually means it's being sent through the browser. When an app is browser-based, it's expected that requests are sent with an Origin header and session JWTs are built with an azp claim. For native apps, this isn't the case, as they don't have urls or enforce an origin header. Because of this, we don't enforce azp claims on session tokens.

This PR makes a small change, such that if session tokens are sent via cookie and are missing an azp claim, which generally is suspicious, as there's no natural scenario where this would make a lot of sense, we error instead of accepting it.

Fixes: USER-4306

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes

  • Cookie-based session tokens must include the authorized-party (azp) claim; tokens missing it are rejected and cause sign-out to improve authentication security. Header-based token flows remain unaffected.

• Tests

  • Added tests covering cookie and header authentication flows with and without the azp claim.

• Chores

  • Added a release entry documenting the validation change.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 854fd49

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages

Name	Type
@clerk/backend	Major
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jan 9, 2026 2:57am

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds TokenMissingAzp ('token-missing-azp') to the TokenVerificationErrorReason object and type. Changes request handling so that session JWTs received via cookies are required to include an azp claim; if missing, a TokenVerificationError with reason TokenMissingAzp is thrown. Adds unit tests covering cookie- and header-based authentication scenarios (cookie token missing azp -> signed-out with TokenMissingAzp; cookie token with azp -> sign-in; header token missing azp -> sign-in). Adds a changeset documenting the new validation.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding error handling for missing azp claims on cookie-based tokens.
Linked Issues check	✅ Passed	The PR implementation fully addresses USER-4306 requirements: detects cookie-based tokens, enforces azp presence, maintains non-enforcement for native scenarios, and treats missing azp as an error.
Out of Scope Changes check	✅ Passed	All changes directly support the objective of enforcing azp validation on cookie-based tokens; no unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/backend/src/tokens/__tests__/request_azp.test.ts (1)

29-30: Improve type safety in tests.

The tests use @ts-ignore (lines 54, 56) and as any (lines 30, 36, 73, 79, 111, 117) to bypass TypeScript's type checking, which violates the coding guidelines requiring proper type annotations and avoiding any types.

For the @ts-ignore usage: Use type narrowing instead:

 const result = await authenticateRequest(request, options);

 expect(result.status).toBe('signed-out');
-// @ts-ignore
-expect(result.reason).toBe(TokenVerificationErrorReason.TokenMissingAzp);
-// @ts-ignore
-expect(result.message).toBe(
-  'Session tokens from cookies must have an azp claim. (reason=token-missing-azp, token-carrier=cookie)',
-);
+if (result.status === 'signed-out') {
+  expect(result.reason).toBe(TokenVerificationErrorReason.TokenMissingAzp);
+  expect(result.message).toBe(
+    'Session tokens from cookies must have an azp claim. (reason=token-missing-azp, token-carrier=cookie)',
+  );
+}

For the as any casts: Consider creating a properly typed mock payload or using satisfies operator:

 const payload = {
   sub: 'user_123',
   sid: 'sess_123',
   iat: 1234567891,
   exp: 1234567991,
   azp: 'http://localhost:3000',
-};
+} satisfies Partial<JwtPayload>;

 vi.mocked(verifyToken).mockResolvedValue({
-  data: payload as any,
+  data: payload,
   errors: undefined,
 });

As per coding guidelines: "Avoid any type - prefer unknown when type is uncertain" and "Use satisfies operator for type checking without widening types."

Also applies to: 35-36, 54-55, 72-73, 78-79, 110-111, 116-117

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d4aef71 and e8716ed.

📒 Files selected for processing (3)

• packages/backend/src/errors.ts (1 hunks)
• packages/backend/src/tokens/__tests__/request_azp.test.ts (1 hunks)
• packages/backend/src/tokens/request.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (9)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Prefer importing types from @clerk/shared/types instead of the deprecated @clerk/types alias

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/backend/src/tokens/request.ts
• packages/backend/src/errors.ts
• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

🧬 Code graph analysis (2)

packages/backend/src/tokens/request.ts (1)

packages/backend/src/errors.ts (3)

• TokenVerificationError (42-70)
• TokenVerificationErrorReason (9-26)
• TokenVerificationErrorReason (28-29)

packages/backend/src/tokens/__tests__/request_azp.test.ts (3)

packages/backend/src/jwt/verifyJwt.ts (1)

• decodeJwt (45-95)

packages/backend/src/tokens/request.ts (1)

• authenticateRequest (147-815)

packages/backend/src/errors.ts (2)

• TokenVerificationErrorReason (9-26)
• TokenVerificationErrorReason (28-29)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build Packages
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (4)

packages/backend/src/errors.ts (1)

14-14: LGTM!

The new TokenMissingAzp error reason follows the established pattern and naming conventions. The placement within the error reasons list is appropriate.

packages/backend/src/tokens/request.ts (1)

568-573: LGTM! Cookie-based azp enforcement implemented correctly.

The validation correctly enforces the presence of the azp claim only for cookie-based tokens, aligning with the PR objectives. The error will be caught by the try-catch block and handled appropriately by handleSessionTokenError, which will return a signed-out state since TokenMissingAzp is not in the list of reasons that trigger a handshake.

The falsy check (!data.azp) is appropriate for this use case, as it treats empty strings, null, and undefined as invalid, which is correct for an authorized party claim that should contain a valid origin.

packages/backend/src/tokens/__tests__/request_azp.test.ts (2)

18-97: Test coverage looks comprehensive.

The test suite properly covers both the failure case (missing azp in cookie token) and success case (present azp in cookie token), with appropriate mocking of the verification flow.

---

99-135: Good coverage of header-based authentication flow.

This test correctly verifies that header-based tokens do not require the azp claim, confirming the asymmetric enforcement intended by the PR objectives (cookie tokens require azp, header tokens do not).

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7332

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7332

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7332

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7332

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7332

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7332

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7332

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7332

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7332

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7332

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7332

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7332

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7332

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7332

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7332

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7332

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7332

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7332

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7332

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7332

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7332

commit: 854fd49

[brkalow]

This would be a breaking change

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.changeset/three-things-jump.md:
- Line 2: The changeset currently lists '@clerk/backend' as a patch but the
token validation change is breaking: cookie-based session tokens that lack the
azp claim now throw TokenMissingAzp, so update the changeset in
.changeset/three-things-jump.md to bump '@clerk/backend' to major and include a
brief note that token validation now requires the azp claim and may break
existing cookie-based sessions (reference TokenMissingAzp and cookie-based
session tokens).

🧹 Nitpick comments (1)

.changeset/three-things-jump.md (1)

5-5: Consider highlighting the breaking nature in the changeset description.

The description accurately conveys the new behavior, but it could be more explicit about this being a breaking change. This helps users understand the impact when upgrading. Consider adding language like "Breaking: Tokens from cookies..." or similar to make the breaking nature more prominent.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e8716ed and 5f85333.

📒 Files selected for processing (1)

• .changeset/three-things-jump.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (29)

• GitHub Check: Unit Tests (**)
• GitHub Check: Publish with pkg-pr-new
• GitHub Check: Unit Tests (shared, clerk-js, RQ)
• GitHub Check: Static analysis
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @packages/backend/src/tokens/__tests__/request_azp.test.ts:
- Around line 45-48: The test uses credential-like strings for
publishableKey/secretKey in the options object (and repeated elsewhere) which
Gitleaks will flag; update the test fixtures by replacing 'pk_live_...' and
'sk_live_...' with clearly non-secret placeholders (e.g., 'pk_test_placeholder'
/ 'sk_test_placeholder' or import existing test keys) wherever the options
object or similar variables are defined (references: the options constant in
request_azp.test.ts and the other occurrences around lines 88-92 and 126-130) so
no secret-like material remains in the tests.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5f85333 and b52ac81.

📒 Files selected for processing (1)

• packages/backend/src/tokens/__tests__/request_azp.test.ts

🧰 Additional context used

📓 Path-based instructions (13)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use React Testing Library for component testing

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

🪛 Gitleaks (8.30.0)

packages/backend/src/tokens/__tests__/request_azp.test.ts

[high] 46-46: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 89-89: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 127-127: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)

• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/three-things-jump.md (1)

5-5: Clarify the user-facing description for changelog accuracy.

The current description uses "signed-out state with reason" which may be ambiguous to users reading the changelog. Consider clarifying what this means operationally—is this an authentication error, a session invalidation, or request rejection?

Additionally, since this is a breaking change, the description would benefit from explicitly noting the scope:

• This validation applies only to cookie-based session tokens (browser scenarios).
• Header-based tokens and native app scenarios are unaffected.

This helps users understand the impact on their specific integration patterns.

Could you confirm:

1. How does the implementation surface this error to clients? (e.g., as a TokenVerificationError, an HTTP 401, a middleware rejection?)
2. Does the implementation only apply this validation to cookie-based tokens, leaving header-based and native scenarios unchanged?
3. What does "signed-out state" translate to in the actual API response or behavior?

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b52ac81 and e504313.

📒 Files selected for processing (1)

• .changeset/three-things-jump.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (28)

• GitHub Check: CodeQL
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Build Packages
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

.changeset/three-things-jump.md (1)

1-3: Changeset format and version bump are correct.

The YAML frontmatter with package name and major version bump appropriately reflects that this is a breaking change for @clerk/backend.

[jacekradko]

!allow-major

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @packages/backend/src/tokens/__tests__/request_azp.test.ts:
- Around line 19-38: Replace secret-looking literals and remove unsafe `as any`
casts in the tests: use clearly non-secret placeholder strings (e.g.,
"pk_test_placeholder" or generated test token) instead of any "pk_live_..."
literal, and replace `as any` by properly typing the test data and mock returns
— declare the payload with a specific type or Partial (e.g., `const payload:
Partial<YourJwtPayloadType> = {...}`) and cast mock results with `as unknown as
ExpectedReturnType` or use generics on `vi.mocked` to satisfy the compiler;
update the `vi.mocked(verifyToken).mockResolvedValue(...)` and
`vi.mocked(decodeJwt).mockReturnValue(...)` calls to return correctly typed
objects rather than using `as any`, and ensure all token literals are
non-sensitive placeholders.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e504313 and 854fd49.

📒 Files selected for processing (1)

• packages/backend/src/tokens/__tests__/request_azp.test.ts

🧰 Additional context used

📓 Path-based instructions (13)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use React Testing Library for component testing

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.

Files:

• packages/backend/src/tokens/__tests__/request_azp.test.ts

🧬 Code graph analysis (1)

packages/backend/src/tokens/__tests__/request_azp.test.ts (3)

packages/backend/src/jwt/verifyJwt.ts (1)

• decodeJwt (45-95)

packages/backend/src/tokens/request.ts (1)

• authenticateRequest (147-815)

packages/backend/src/errors.ts (2)

• TokenVerificationErrorReason (9-26)
• TokenVerificationErrorReason (28-29)

🪛 Gitleaks (8.30.0)

packages/backend/src/tokens/__tests__/request_azp.test.ts

[high] 46-46: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 87-87: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 125-125: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (29)

• GitHub Check: Unit Tests (**)
• GitHub Check: Unit Tests (shared, clerk-js, RQ)
• GitHub Check: Publish with pkg-pr-new
• GitHub Check: Static analysis
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Blocker: secret-looking test keys (Gitleaks) + as any casts may fail CI

• Line 46 / Line 87 / Line 125: the pk_live_... literal is being detected as an API key; this is likely to break security scanning (and shouldn’t be in tests).
• Line 29 / Line 35 / Line 70 / Line 76 / Line 108 / Line 114: as any can trip no-explicit-any (common in TS repos) and fail lint.

Proposed fix

 import { describe, expect, test, vi } from 'vitest';

 import { TokenVerificationErrorReason } from '../../errors';
 import { decodeJwt } from '../../jwt/verifyJwt';
 import { authenticateRequest } from '../request';
 import { verifyToken } from '../verify';

+type VerifyTokenResult = Awaited<ReturnType<typeof verifyToken>>;
+type DecodeJwtResult = ReturnType<typeof decodeJwt>;
+
+const testKeys = {
+  // Avoid secret-scanner false-positives while still resembling expected formats.
+  publishableKey: 'pk_test_' + 'local_testing_key',
+  secretKey: 'sk_test_' + 'local_testing_key',
+} as const;
+
 vi.mock('../verify', () => ({
   verifyToken: vi.fn(),
   verifyMachineAuthToken: vi.fn(),
 }));

 vi.mock('../../jwt/verifyJwt', () => ({
   decodeJwt: vi.fn(),
 }));

 describe('authenticateRequest with cookie token', () => {
   test('throws TokenMissingAzp when azp claim is missing', async () => {
     const payload = {
       sub: 'user_123',
       sid: 'sess_123',
       iat: 1234567891,
       exp: 1234567991,
       // azp is missing
     };

     // Mock verifyToken to return a payload without azp
     vi.mocked(verifyToken).mockResolvedValue({
-      data: payload as any,
+      data: payload as unknown as VerifyTokenResult['data'],
       errors: undefined,
     });

     // Mock decodeJwt to return the same payload
     vi.mocked(decodeJwt).mockReturnValue({
-      data: { payload } as any,
+      data: { payload } as unknown as DecodeJwtResult extends { data: infer D } ? D : never,
       errors: undefined,
     });

     const request = new Request('http://localhost:3000', {
       headers: {
         cookie: '__session=mock_token; __client_uat=1234567890',
       },
     });

-    const options = {
-      publishableKey: 'pk_live_Y2xlcmsuaW5zcGlyZWQucHVtYS03NC5sY2wuZGV2JA',
-      secretKey: 'sk_live_deadbeef',
-    };
+    const options = testKeys;

     const result = await authenticateRequest(request, options);

     expect(result.status).toBe('signed-out');
     expect(result.reason).toBe(TokenVerificationErrorReason.TokenMissingAzp);
     expect(result.message).toBe(
       'Session tokens from cookies must have an azp claim. (reason=token-missing-azp, token-carrier=cookie)',
     );
   });

   test('succeeds when azp claim is present', async () => {
     const payload = {
       sub: 'user_123',
       sid: 'sess_123',
       iat: 1234567891,
       exp: 1234567991,
       azp: 'http://localhost:3000',
     };

     // Mock verifyToken to return a payload with azp
     vi.mocked(verifyToken).mockResolvedValue({
-      data: payload as any,
+      data: payload as unknown as VerifyTokenResult['data'],
       errors: undefined,
     });

     // Mock decodeJwt to return the same payload
     vi.mocked(decodeJwt).mockReturnValue({
-      data: { payload } as any,
+      data: { payload } as unknown as DecodeJwtResult extends { data: infer D } ? D : never,
       errors: undefined,
     });

     const request = new Request('http://localhost:3000', {
       headers: {
         cookie: '__session=mock_token; __client_uat=1234567890',
       },
     });

-    const options = {
-      publishableKey: 'pk_live_Y2xlcmsuaW5zcGlyZWQucHVtYS03NC5sY2wuZGV2JA',
-      secretKey: 'sk_live_deadbeef',
-    };
+    const options = testKeys;

     const result = await authenticateRequest(request, options);
     expect(result.isSignedIn).toBe(true);
   });
 });

 describe('authenticateRequest with header token', () => {
   test('succeeds when azp claim is missing', async () => {
     const payload = {
       sub: 'user_123',
       sid: 'sess_123',
       iat: 1234567891,
       exp: 1234567991,
       // azp is missing
     };

     // Mock verifyToken to return a payload without azp
     vi.mocked(verifyToken).mockResolvedValue({
-      data: payload as any,
+      data: payload as unknown as VerifyTokenResult['data'],
       errors: undefined,
     });

     // Mock decodeJwt to return the same payload
     vi.mocked(decodeJwt).mockReturnValue({
-      data: { payload } as any,
+      data: { payload } as unknown as DecodeJwtResult extends { data: infer D } ? D : never,
       errors: undefined,
     });

     const request = new Request('http://localhost:3000', {
       headers: {
         authorization: 'Bearer mock_token',
       },
     });

-    const options = {
-      publishableKey: 'pk_live_Y2xlcmsuaW5zcGlyZWQucHVtYS03NC5sY2wuZGV2JA',
-      secretKey: 'sk_live_deadbeef',
-    };
+    const options = testKeys;

     const result = await authenticateRequest(request, options);
     expect(result.isSignedIn).toBe(true);
   });
 });

Also applies to: 45-49, 60-79, 86-90, 98-117, 124-128

🤖 Prompt for AI Agents

In @packages/backend/src/tokens/__tests__/request_azp.test.ts around lines 19 -
38, Replace secret-looking literals and remove unsafe `as any` casts in the
tests: use clearly non-secret placeholder strings (e.g., "pk_test_placeholder"
or generated test token) instead of any "pk_live_..." literal, and replace `as
any` by properly typing the test data and mock returns — declare the payload
with a specific type or Partial (e.g., `const payload:
Partial<YourJwtPayloadType> = {...}`) and cast mock results with `as unknown as
ExpectedReturnType` or use generics on `vi.mocked` to satisfy the compiler;
update the `vi.mocked(verifyToken).mockResolvedValue(...)` and
`vi.mocked(decodeJwt).mockReturnValue(...)` calls to return correctly typed
objects rather than using `as any`, and ensure all token literals are
non-sensitive placeholders.