clerk
diff --git a/‎.changeset/cold-moose-dance.md‎
Lines changed: 35 additions & 0 deletions b/‎.changeset/cold-moose-dance.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎.changeset/cookie-session-token-warn-missing-azp.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/cookie-session-token-warn-missing-azp.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.changeset/cyan-shoes-return.md‎
Lines changed: 7 additions & 0 deletions b/‎.changeset/cyan-shoes-return.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.changeset/dev-browser-jwt-to-id.md‎
Lines changed: 9 additions & 0 deletions b/‎.changeset/dev-browser-jwt-to-id.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.changeset/fresh-eyes-drop.md‎
Lines changed: 29 additions & 0 deletions b/‎.changeset/fresh-eyes-drop.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.changeset/nice-jobs-sort.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/nice-jobs-sort.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.changeset/rude-pans-study.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/rude-pans-study.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎integration/templates/express-vite/src/server/main.ts‎
Lines changed: 0 additions & 23 deletions b/‎integration/templates/express-vite/src/server/main.ts‎
Lines changed: 0 additions & 23 deletions
diff --git a/‎integration/tests/db-jwt.test.ts‎
Lines changed: 3 additions & 3 deletions b/‎integration/tests/db-jwt.test.ts‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎integration/tests/express/basic.test.ts‎
Lines changed: 0 additions & 36 deletions b/‎integration/tests/express/basic.test.ts‎
Lines changed: 0 additions & 36 deletions
@@ -0,0 +1,35 @@
+---
+"@clerk/backend": major
+---
+
+Remove deprecated verify methods in favor of `verify()`.
+
+**`apiKeys.verifySecret()` removed**
+
+```ts
+// Before
+await clerkClient.apiKeys.verifySecret(secret);
+
+// After
+await clerkClient.apiKeys.verify(secret);
+```
+
+**`idpOAuthAccessToken.verifyAccessToken()` removed**
+
+```ts
+// Before
+await clerkClient.idpOAuthAccessToken.verifyAccessToken(accessToken);
+
+// After
+await clerkClient.idpOAuthAccessToken.verify(accessToken);
+```
+
+**`m2m.verifyToken()` removed**
+
+```ts
+// Before
+await clerkClient.m2m.verifyToken(params);
+
+// After
+await clerkClient.m2m.verify(params);
+```
@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Warn when a cookie-based session token is missing the `azp` claim instead of rejecting the token. This prepares consumers for a future version where the `azp` claim will be required.
@@ -0,0 +1,7 @@
+---
+'@clerk/clerk-js': minor
+'@clerk/shared': minor
+'@clerk/ui': minor
+---
+
+Don't display impersonation overlay for agents
@@ -0,0 +1,9 @@
+---
+'@clerk/shared': patch
+'@clerk/clerk-js': patch
+'@clerk/nextjs': patch
+'@clerk/astro': patch
+'@clerk/chrome-extension': patch
+---
+
+Rename dev browser APIs to remove JWT terminology. The dev browser identifier is now a generic ID, so internal naming has been updated to reflect this. No runtime behavior changes.
@@ -0,0 +1,29 @@
+---
+"@clerk/express": major
+---
+
+Remove deprecated `enableHandshake` option and `req.auth` object-access pattern.
+
+**`enableHandshake` removed**
+
+This option had no effect and was previously deprecated. Remove it from your `clerkMiddleware` call:
+
+```ts
+// Before
+app.use(clerkMiddleware({ enableHandshake: false }));
+
+// After
+app.use(clerkMiddleware());
+```
+
+**`req.auth` must now be called as a function**
+
+Accessing `req.auth` as a plain object (legacy `clerk-sdk-node` style) no longer works. Use `getAuth()` instead:
+
+```ts
+// Before
+const { userId } = req.auth;
+
+// After
+const { userId } = getAuth(req);
+```
@@ -0,0 +1,5 @@
+---
+'@clerk/react': minor
+---
+
+Get transferable state in sign in proxy.
@@ -0,0 +1,5 @@
+---
+"@clerk/upgrade": patch
+---
+
+fix(upgrade): add package replacement for @clerk/themes → @clerk/ui
@@ -22,28 +22,5 @@ app.get('/api/protected', (req: any, res: any, _next: any) => {
   res.send('Protected API response');
 });
 
-const legacyRequireAuth = (req: any, _res: any, next: any) => {
-  if (!req.auth.userId) {
-    return next(new Error('Unauthorized'));
-  }
-
-  next();
-};
-
-app.get('/api/legacy/protected', legacyRequireAuth, (_req: any, res: any, _next: any) => {
-  res.send('Protected API response');
-});
-
-// Handle authentication error, otherwise application will crash
-// @ts-ignore
-app.use((err, req, res, next) => {
-  if (err) {
-    res.status(401).send('Unauthorized');
-    return;
-  }
-
-  return next();
-});
-
 const port = parseInt(process.env.PORT as string) || 3002;
 ViteExpress.listen(app, port, () => console.log(`Server is listening on port ${port}...`));
@@ -5,7 +5,7 @@ import { appConfigs } from '../presets';
 import type { FakeUser } from '../testUtils';
 import { createTestUtils } from '../testUtils';
 
-test.describe('Dev Browser JWT test', () => {
+test.describe('Dev browser test', () => {
   const configs = [];
 
   configs.forEach(config => {
@@ -50,7 +50,7 @@ test.describe('Dev Browser JWT test', () => {
         await u.po.expect.toBeSignedIn();
       });
 
-      test('Dev Browser JWT that gets appended to the URL when redirecting to Accounts Portal, overrides any existing Dev Browser JWT in AP', async () => {
+      test('Dev browser ID that gets appended to the URL when redirecting to Accounts Portal, overrides any existing dev browser in AP', async () => {
         // TODO: Implement this test
       });
 
@@ -65,7 +65,7 @@ test.describe('Dev Browser JWT test', () => {
         - Sign in with email and password
         - Should be redirected back to localhost and are signed in
        */
-      test('Deleting localhost Dev Browser JWT should clear the signed in state in Accounts Portal when redirected', async () => {
+      test('Deleting localhost dev browser should clear the signed in state in Accounts Portal when redirected', async () => {
         // TODO: Implement this test
       });
 
 
@@ -50,40 +50,4 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withEmailCodes] })('basic tes
     expect(res.status()).toBe(401);
     expect(await res.text()).toBe('Unauthorized');
   });
-
-  test('authenticates protected routes when user is signed in using legacy req.auth approach', async ({
-    page,
-    context,
-  }) => {
-    const u = createTestUtils({ app, page, context });
-    await u.page.goToRelative('/');
-
-    await u.po.signIn.waitForMounted();
-    await u.po.signIn.setIdentifier(fakeUser.email);
-    await u.po.signIn.continue();
-    await u.po.signIn.setPassword(fakeUser.password);
-    await u.po.signIn.continue();
-
-    await u.po.userButton.waitForMounted();
-
-    const url = new URL('/api/legacy/protected', app.serverUrl);
-    const res = await u.page.request.get(url.toString());
-    expect(res.status()).toBe(200);
-    expect(await res.text()).toBe('Protected API response');
-  });
-
-  test('rejects protected routes when user is not authenticated using legacy req.auth approach', async ({
-    page,
-    context,
-  }) => {
-    const u = createTestUtils({ app, page, context });
-    await u.page.goToRelative('/');
-
-    await u.po.signIn.waitForMounted();
-
-    const url = new URL('/api/legacy/protected', app.serverUrl);
-    const res = await u.page.request.get(url.toString());
-    expect(res.status()).toBe(401);
-    expect(await res.text()).toBe('Unauthorized');
-  });
 });
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/backend': patch
 +---
++
 +Warn when a cookie-based session token is missing the `azp` claim instead of rejecting the token. This prepares consumers for a future version where the `azp` claim will be required.