clerk/javascript @clerk/backend@2.0.0

on GitHub

Major Changes

• Introduces machine authentication, supporting four token types: api_key, oauth_token, machine_token, and session_token. For backwards compatibility, session_token remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification. (#5689) by @wobsoriano

  You can specify which token types are allowed by using the acceptsToken option in the authenticateRequest() function. This option can be set to a specific type, an array of types, or 'any' to accept all supported tokens.

  Example usage:

  import express from 'express';
  import { createClerkClient } from '@clerk/backend';
  
  const app = express();
  const clerkClient = createClerkClient({ secretKey: 'sk_xxx', publishableKey: 'pk_xxx' });
  
  app.use(async (req, res, next) => {
    const requestState = await clerkClient.authenticateRequest(req, {
      acceptsToken: 'any',
    });
  
    if (!requestState.isAuthenticated) {
      // do something for unauthenticated requests
    }
  
    const authObject = requestState.toAuth();
  
    if (authObject.tokenType === 'session_token') {
      console.log('this is session token from a user');
    } else {
      console.log('this is some other type of machine token');
      console.log('more specifically, a ' + authObject.tokenType);
    }
  
    // Attach the auth object to locals so downstream handlers
    // and middleware can access it
    res.locals.auth = authObject;
    next();
  });

Minor Changes

• The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

  If you previously installed svix to use verifyWebhook() you can uninstall it now:

  npm uninstall svix

Patch Changes

• Improve JSDoc comments for verifyWebhook and verifyToken (#6060) by @LekoArts

• Improve JSDoc comments (#6049) by @LekoArts

• Introduce getAuthObjectFromJwt as internal utility function that centralizes the logic for generating auth objects from session JWTs. (#6053) by @LauraBeatris

• Updated dependencies [d8fa5d9, be2e89c, 5644d94, b578225, 8838120]:

  • @clerk/types@4.60.0
  • @clerk/shared@3.9.6