@clerk/backend 3.0.0-snapshot.v20251204175016 → 3.0.0-snapshot.v20251211120550

package/dist/api/resources/OrganizationMembership.d.ts

@@ -2,7 +2,7 @@ import { Organization } from '../resources';
 import type { OrganizationMembershipRole } from './Enums';
 import type { OrganizationMembershipJSON, OrganizationMembershipPublicUserDataJSON } from './JSON';
 /**
- * The Backend `OrganizationMembership` object is similar to the [`OrganizationMembership`](https://clerk.com/docs/reference/javascript/types/organization-membership) object as it's the model around an organization membership entity and describes the relationship between users and organizations. However, the Backend `OrganizationMembership` object is different in that it's used in the [Backend API](https://clerk.com/docs/reference/backend-api/tag/Organization-Memberships#operation/CreateOrganizationMembership){{ target: '_blank' }} and is not directly accessible from the Frontend API.
+ * The Backend `OrganizationMembership` object is similar to the [`OrganizationMembership`](https://clerk.com/docs/reference/javascript/types/organization-membership) object as it's the model around an Organization membership entity and describes the relationship between users and Organizations. However, the Backend `OrganizationMembership` object is different in that it's used in the [Backend API](https://clerk.com/docs/reference/backend-api/tag/Organization-Memberships#operation/CreateOrganizationMembership){{ target: '_blank' }} and is not directly accessible from the Frontend API.
  */
 export declare class OrganizationMembership {
     /**
@@ -10,11 +10,11 @@ export declare class OrganizationMembership {
      */
     readonly id: string;
     /**
-     * The role of the user.
+     * The Role of the user.
      */
     readonly role: OrganizationMembershipRole;
     /**
-     * The permissions granted to the user in the organization.
+     * The Permissions granted to the user in the Organization.
      */
     readonly permissions: string[];
     /**
@@ -34,7 +34,7 @@ export declare class OrganizationMembership {
      */
     readonly updatedAt: number;
     /**
-     * The organization that the user is a member of.
+     * The Organization that the user is a member of.
      */
     readonly organization: Organization;
     /**
@@ -49,11 +49,11 @@ export declare class OrganizationMembership {
      */
     id: string, 
     /**
-     * The role of the user.
+     * The Role of the user.
      */
     role: OrganizationMembershipRole, 
     /**
-     * The permissions granted to the user in the organization.
+     * The Permissions granted to the user in the Organization.
      */
     permissions: string[], 
     /**
@@ -73,7 +73,7 @@ export declare class OrganizationMembership {
      */
     updatedAt: number, 
     /**
-     * The organization that the user is a member of.
+     * The Organization that the user is a member of.
      */
     organization: Organization, 
     /**

package/dist/api/resources/SamlConnection.d.ts

@@ -12,11 +12,11 @@ export declare class SamlConnection {
      */
     readonly name: string;
     /**
-     * The domain of your organization. Sign in flows using an email with this domain will use the connection.
+     * The domain of your Organization. Sign in flows using an email with this domain will use the connection.
      */
     readonly domain: string;
     /**
-     * The organization ID of the organization.
+     * The Organization ID of the Organization.
      */
     readonly organizationId: string | null;
     /**
@@ -97,11 +97,11 @@ export declare class SamlConnection {
      */
     name: string, 
     /**
-     * The domain of your organization. Sign in flows using an email with this domain will use the connection.
+     * The domain of your Organization. Sign in flows using an email with this domain will use the connection.
      */
     domain: string, 
     /**
-     * The organization ID of the organization.
+     * The Organization ID of the Organization.
      */
     organizationId: string | null, 
     /**

package/dist/api/resources/Session.d.ts

@@ -111,7 +111,7 @@ export declare class Session {
      */
     readonly updatedAt: number;
     /**
-     * The ID of the last active organization.
+     * The ID of the last active Organization.
      */
     readonly lastActiveOrganizationId?: string | undefined;
     /**
@@ -160,7 +160,7 @@ export declare class Session {
      */
     updatedAt: number, 
     /**
-     * The ID of the last active organization.
+     * The ID of the last active Organization.
      */
     lastActiveOrganizationId?: string | undefined, 
     /**

package/dist/api/resources/User.d.ts

@@ -116,11 +116,11 @@ export declare class User {
      */
     readonly lastActiveAt: number | null;
     /**
-     * A boolean indicating whether the organization creation is enabled for the user or not.
+     * A boolean indicating whether the Organization creation is enabled for the user or not.
      */
     readonly createOrganizationEnabled: boolean;
     /**
-     * An integer indicating the number of organizations that can be created by the user. If the value is `0`, then the user can create unlimited organizations. Default is `null`.
+     * An integer indicating the number of Organizations that can be created by the user. If the value is `0`, then the user can create unlimited Organizations. Default is `null`.
      */
     readonly createOrganizationsLimit: number | null;
     /**
@@ -247,11 +247,11 @@ export declare class User {
      */
     lastActiveAt: number | null, 
     /**
-     * A boolean indicating whether the organization creation is enabled for the user or not.
+     * A boolean indicating whether the Organization creation is enabled for the user or not.
      */
     createOrganizationEnabled: boolean, 
     /**
-     * An integer indicating the number of organizations that can be created by the user. If the value is `0`, then the user can create unlimited organizations. Default is `null`.
+     * An integer indicating the number of Organizations that can be created by the user. If the value is `0`, then the user can create unlimited Organizations. Default is `null`.
      */
     createOrganizationsLimit: number | null | undefined, 
     /**

package/dist/{chunk-777XG3PJ.mjs → chunk-4FN7VCZQ.mjs}

@@ -14,7 +14,7 @@ import {
   hasValidSignature,
   runtime,
   verifyJwt
-} from "./chunk-QYKVFAML.mjs";
+} from "./chunk-SNA7AD3D.mjs";
 import {
   MachineTokenVerificationError,
   MachineTokenVerificationErrorCode,
@@ -22,7 +22,7 @@ import {
   TokenVerificationErrorAction,
   TokenVerificationErrorCode,
   TokenVerificationErrorReason
-} from "./chunk-HNJNM32R.mjs";
+} from "./chunk-TCIXZLLW.mjs";
 import {
   __privateAdd,
   __privateMethod
@@ -31,7 +31,7 @@ import {
 // src/constants.ts
 var API_URL = "https://api.clerk.com";
 var API_VERSION = "v1";
-var USER_AGENT = `${"@clerk/backend"}@${"3.0.0-snapshot.v20251204175016"}`;
+var USER_AGENT = `${"@clerk/backend"}@${"3.0.0-snapshot.v20251211120550"}`;
 var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
 var SUPPORTED_BAPI_VERSION = "2025-11-10";
 var Attributes = {
@@ -542,13 +542,36 @@ var APIKeysAPI = class extends AbstractAPI {
       bodyParams: params
     });
   }
-  async revoke(params) {
+  async get(apiKeyId) {
+    this.requireId(apiKeyId);
+    return this.request({
+      method: "GET",
+      path: joinPaths(basePath4, apiKeyId)
+    });
+  }
+  async update(params) {
     const { apiKeyId, ...bodyParams } = params;
     this.requireId(apiKeyId);
+    return this.request({
+      method: "PATCH",
+      path: joinPaths(basePath4, apiKeyId),
+      bodyParams
+    });
+  }
+  async delete(apiKeyId) {
+    this.requireId(apiKeyId);
+    return this.request({
+      method: "DELETE",
+      path: joinPaths(basePath4, apiKeyId)
+    });
+  }
+  async revoke(params) {
+    const { apiKeyId, revocationReason = null } = params;
+    this.requireId(apiKeyId);
     return this.request({
       method: "POST",
       path: joinPaths(basePath4, apiKeyId, "revoke"),
-      bodyParams
+      bodyParams: { revocationReason }
     });
   }
   async getSecret(apiKeyId) {
@@ -2625,6 +2648,26 @@ var IdPOAuthAccessToken = class _IdPOAuthAccessToken {
       data.updated_at
     );
   }
+  /**
+   * Creates an IdPOAuthAccessToken from a JWT payload.
+   * Maps standard JWT claims and OAuth-specific fields to token properties.
+   */
+  static fromJwtPayload(payload, clockSkewInMs = 5e3) {
+    const oauthPayload = payload;
+    return new _IdPOAuthAccessToken(
+      oauthPayload.jti ?? "",
+      oauthPayload.client_id ?? "",
+      "oauth_token",
+      payload.sub,
+      oauthPayload.scp ?? oauthPayload.scope?.split(" ") ?? [],
+      false,
+      null,
+      payload.exp * 1e3 <= Date.now() - clockSkewInMs,
+      payload.exp,
+      payload.iat,
+      payload.iat
+    );
+  }
 };
 
 // src/api/resources/Instance.ts
@@ -3857,14 +3900,33 @@ var M2M_TOKEN_PREFIX = "mt_";
 var OAUTH_TOKEN_PREFIX = "oat_";
 var API_KEY_PREFIX = "ak_";
 var MACHINE_TOKEN_PREFIXES = [M2M_TOKEN_PREFIX, OAUTH_TOKEN_PREFIX, API_KEY_PREFIX];
+var JwtFormatRegExp = /^[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/;
+function isJwtFormat(token) {
+  return JwtFormatRegExp.test(token);
+}
+var OAUTH_ACCESS_TOKEN_TYPES = ["at+jwt", "application/at+jwt"];
+function isOAuthJwt(token) {
+  if (!isJwtFormat(token)) {
+    return false;
+  }
+  try {
+    const { data, errors } = decodeJwt(token);
+    return !errors && !!data && OAUTH_ACCESS_TOKEN_TYPES.includes(data.header.typ);
+  } catch {
+    return false;
+  }
+}
 function isMachineTokenByPrefix(token) {
   return MACHINE_TOKEN_PREFIXES.some((prefix) => token.startsWith(prefix));
 }
+function isMachineToken(token) {
+  return isMachineTokenByPrefix(token) || isOAuthJwt(token);
+}
 function getMachineTokenType(token) {
   if (token.startsWith(M2M_TOKEN_PREFIX)) {
     return TokenType.M2MToken;
   }
-  if (token.startsWith(OAUTH_TOKEN_PREFIX)) {
+  if (token.startsWith(OAUTH_TOKEN_PREFIX) || isOAuthJwt(token)) {
     return TokenType.OAuthToken;
   }
   if (token.startsWith(API_KEY_PREFIX)) {
@@ -4291,7 +4353,11 @@ var ClerkRequest = class extends Request {
     if (origin === initialUrl.origin) {
       return createClerkUrl(initialUrl);
     }
-    return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);
+    try {
+      return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);
+    } catch {
+      return createClerkUrl(initialUrl);
+    }
   }
   getFirstValueFromHeader(value) {
     return value?.split(",")[0];
@@ -4520,7 +4586,91 @@ async function verifyM2MToken(token, options) {
     return handleClerkAPIError(TokenType.M2MToken, err, "Machine token not found");
   }
 }
+async function verifyJwtOAuthToken(accessToken, options) {
+  let decoded;
+  try {
+    decoded = decodeJwt(accessToken);
+  } catch (e) {
+    return {
+      data: void 0,
+      tokenType: TokenType.OAuthToken,
+      errors: [
+        new MachineTokenVerificationError({
+          code: MachineTokenVerificationErrorCode.TokenInvalid,
+          message: e.message
+        })
+      ]
+    };
+  }
+  const { data: decodedResult, errors } = decoded;
+  if (errors) {
+    return {
+      data: void 0,
+      tokenType: TokenType.OAuthToken,
+      errors: [
+        new MachineTokenVerificationError({
+          code: MachineTokenVerificationErrorCode.TokenInvalid,
+          message: errors[0].message
+        })
+      ]
+    };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  let key;
+  try {
+    if (options.jwtKey) {
+      key = loadClerkJwkFromPem({ kid, pem: options.jwtKey });
+    } else if (options.secretKey) {
+      key = await loadClerkJWKFromRemote({ ...options, kid });
+    } else {
+      return {
+        data: void 0,
+        tokenType: TokenType.OAuthToken,
+        errors: [
+          new MachineTokenVerificationError({
+            action: TokenVerificationErrorAction.SetClerkJWTKey,
+            message: "Failed to resolve JWK during verification.",
+            code: MachineTokenVerificationErrorCode.TokenVerificationFailed
+          })
+        ]
+      };
+    }
+    const { data: payload, errors: verifyErrors } = await verifyJwt(accessToken, {
+      ...options,
+      key,
+      headerType: OAUTH_ACCESS_TOKEN_TYPES
+    });
+    if (verifyErrors) {
+      return {
+        data: void 0,
+        tokenType: TokenType.OAuthToken,
+        errors: [
+          new MachineTokenVerificationError({
+            code: MachineTokenVerificationErrorCode.TokenVerificationFailed,
+            message: verifyErrors[0].message
+          })
+        ]
+      };
+    }
+    const token = IdPOAuthAccessToken.fromJwtPayload(payload, options.clockSkewInMs);
+    return { data: token, tokenType: TokenType.OAuthToken, errors: void 0 };
+  } catch (error) {
+    return {
+      tokenType: TokenType.OAuthToken,
+      errors: [
+        new MachineTokenVerificationError({
+          code: MachineTokenVerificationErrorCode.TokenVerificationFailed,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
 async function verifyOAuthToken(accessToken, options) {
+  if (isJwtFormat(accessToken)) {
+    return verifyJwtOAuthToken(accessToken, options);
+  }
   try {
     const client = createBackendApiClient(options);
     const verifiedToken = await client.idPOAuthAccessToken.verify(accessToken);
@@ -4542,7 +4692,7 @@ async function verifyMachineAuthToken(token, options) {
   if (token.startsWith(M2M_TOKEN_PREFIX)) {
     return verifyM2MToken(token, options);
   }
-  if (token.startsWith(OAUTH_TOKEN_PREFIX)) {
+  if (token.startsWith(OAUTH_TOKEN_PREFIX) || isJwtFormat(token)) {
     return verifyOAuthToken(token, options);
   }
   if (token.startsWith(API_KEY_PREFIX)) {
@@ -4643,6 +4793,9 @@ var HandshakeService = class {
     );
     url.searchParams.append(constants.QueryParameters.HandshakeReason, reason);
     url.searchParams.append(constants.QueryParameters.HandshakeFormat, "nonce");
+    if (this.authenticateContext.sessionToken) {
+      url.searchParams.append(constants.Cookies.Session, this.authenticateContext.sessionToken);
+    }
     if (this.authenticateContext.instanceType === "development" && this.authenticateContext.devBrowserToken) {
       url.searchParams.append(constants.QueryParameters.DevBrowser, this.authenticateContext.devBrowserToken);
     }
@@ -4935,7 +5088,7 @@ function isTokenTypeInAcceptedArray(acceptsToken, authenticateContext) {
   let parsedTokenType = null;
   const { tokenInHeader } = authenticateContext;
   if (tokenInHeader) {
-    if (isMachineTokenByPrefix(tokenInHeader)) {
+    if (isMachineToken(tokenInHeader)) {
       parsedTokenType = getMachineTokenType(tokenInHeader);
     } else {
       parsedTokenType = TokenType.SessionToken;
@@ -5345,7 +5498,7 @@ var authenticateRequest = (async (request, options) => {
     if (!tokenInHeader) {
       return handleSessionTokenError(new Error("Missing token in header"), "header");
     }
-    if (!isMachineTokenByPrefix(tokenInHeader)) {
+    if (!isMachineToken(tokenInHeader)) {
       return signedOut({
         tokenType: acceptsToken,
         authenticateContext,
@@ -5374,7 +5527,7 @@ var authenticateRequest = (async (request, options) => {
     if (!tokenInHeader) {
       return handleSessionTokenError(new Error("Missing token in header"), "header");
     }
-    if (isMachineTokenByPrefix(tokenInHeader)) {
+    if (isMachineToken(tokenInHeader)) {
       const parsedTokenType = getMachineTokenType(tokenInHeader);
       const mismatchState = checkTokenTypeMismatch(parsedTokenType, acceptsToken, authenticateContext);
       if (mismatchState) {
@@ -5547,4 +5700,4 @@ export {
   debugRequestState,
   createAuthenticateRequest
 };
-//# sourceMappingURL=chunk-777XG3PJ.mjs.map
+//# sourceMappingURL=chunk-4FN7VCZQ.mjs.map