
feat(clerk-js,shared): Remove expired_token retry flow #8108

Open

nikosdouvlis wants to merge 1 commit into main from nikos/remove-expired-token-retry

Conversation

nikosdouvlis (Member) commented Mar 18, 2026

Why

The previous session token is now always sent in the /tokens POST body (via the token param in #8105), so the backend no longer needs to request it via a 422 missing_expired_token error and a retry with ?expired_token=<jwt> in the query string.

This also removes JWT leakage from query strings. The old flow sent the full JWT as a URL search param, which is visible in access logs, proxies, and referrer headers. The new token body param avoids this.

What

  • Remove MissingExpiredTokenError class from @clerk/shared
  • Remove the catch-and-retry logic in Session.#createTokenResolver
  • Remove 4 related tests

Note: isUnauthenticatedError still treats 422 as unauthenticated. This is left as-is for now since other 422 error codes may still indicate invalid session state.

Test plan

  • Existing token refresh flows still work
  • 422 errors are no longer retried with expired_token
  • No regression in sign-in/sign-out flows

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Improved session token handling by streamlining the token resolution flow and removing outdated retry mechanisms, resulting in more reliable authentication requests.

The previous session token is now always sent in the /tokens POST
body (via the `token` param), so the backend no longer needs to
request it via a 422 missing_expired_token error and retry.

Removes:
- MissingExpiredTokenError class and its re-export from @clerk/shared
- The catch-and-retry logic in Session.#createTokenResolver
- 4 related tests in Session.test.ts
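The description's point that a JWT in a query string ends up in access logs, proxies and referrer headers can be checked mechanically. The block below is an added example and is not Clerk's code nor part of this PR: it builds both request shapes the description contrasts (the retired `?expired_token=<jwt>` query param and the `token` POST body param), flags URLs whose query carries a JWT-shaped value, and scans a few constructed access-log lines (combined log format, request and referer fields) for such leaks. The `https://api.example.test/tokens` URL, the placeholder JWT and the log lines are constructed sample data, not values from the PR.

```typescript
// Added example; not Clerk's code and not part of PR #8108.
// All URLs, the JWT and the log lines below are constructed sample data.

// Loose JWT shape: three base64url segments, each at least 10 chars, joined by dots.
const JWT_SHAPE = /[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/;

// Constructed placeholder token (header.payload.signature); not a real session JWT.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.c2lnbmF0dXJlc2lnbmF0dXJl';

interface TokenRequest {
  url: string;
  body: Record<string, string>;
}

// Retired flow described in the PR: previous JWT appended as ?expired_token=<jwt>.
function buildLegacyRetryRequest(tokensUrl: string, expiredJwt: string): TokenRequest {
  const u = new URL(tokensUrl);
  u.searchParams.set('expired_token', expiredJwt);
  return { url: u.toString(), body: {} };
}

// Current flow: previous JWT travels only in the POST body under `token`.
function buildTokenRequest(tokensUrl: string, previousJwt: string): TokenRequest {
  return { url: tokensUrl, body: { token: previousJwt } };
}

// True when any query-parameter value of the URL looks like a JWT.
// `url` may be absolute or a bare request path (as found in access logs).
function urlLeaksJwt(url: string): boolean {
  const parsed = new URL(url, 'http://log.invalid');
  let leaked = false;
  parsed.searchParams.forEach((value) => {
    if (JWT_SHAPE.test(value)) leaked = true;
  });
  return leaked;
}

// Constructed access-log lines in combined log format:
// client - - [time] "METHOD path HTTP/1.1" status bytes "referer" "user-agent"
const SAMPLE_LOG: string[] = [
  `10.0.0.5 - - [18/Mar/2026:13:50:01 +0000] "POST /tokens?expired_token=${SAMPLE_JWT} HTTP/1.1" 200 512 "-" "clerk-js"`,
  `10.0.0.5 - - [18/Mar/2026:13:50:02 +0000] "POST /tokens HTTP/1.1" 200 512 "-" "clerk-js"`,
  `10.0.0.9 - - [18/Mar/2026:13:51:00 +0000] "GET /dashboard?v=1 HTTP/1.1" 200 2048 "https://app.example.test/?expired_token=${SAMPLE_JWT}" "Mozilla/5.0"`,
];

// Returns the indexes of log lines whose request path or referer carries a
// JWT-shaped query value; these are the lines a log pipeline should redact.
function findJwtLeaksInLog(lines: string[]): number[] {
  const hits: number[] = [];
  lines.forEach((line, index) => {
    // Pull out the quoted fields: [request, referer, user-agent].
    const quoted: string[] = [];
    const re = /"([^"]*)"/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(line)) !== null) quoted.push(m[1]);
    const requestPath = (quoted[0] || '').split(' ')[1] || '';
    const referer = quoted[1] || '-';
    const candidates = [requestPath, referer].filter((s) => s !== '' && s !== '-');
    if (candidates.some((c) => urlLeaksJwt(c))) hits.push(index);
  });
  return hits;
}
```

Running `findJwtLeaksInLog(SAMPLE_LOG)` returns `[0, 2]`: the first line shows the retired retry request leaking the token through the request path, the third shows the same token arriving via a Referer header, and the body-param request on the second line leaves nothing JWT-shaped in the log at all. The same `urlLeaksJwt` check can be applied to outgoing requests in a test to make sure the query-string form does not creep back in.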

changeset-bot bot commented Mar 18, 2026

🦋 Changeset detected

Latest commit: 3eb6e94

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages
Name Type
@clerk/shared Patch
@clerk/clerk-js Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/backend Patch
@clerk/chrome-extension Patch
@clerk/expo-passkeys Patch
@clerk/expo Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/localizations Patch
@clerk/msw Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/react Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/ui Patch
@clerk/vue Patch

vercel bot commented Mar 18, 2026

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Preview, Comment Mar 18, 2026 1:50pm

@nikosdouvlis nikosdouvlis marked this pull request as ready for review March 19, 2026 08:58
coderabbitai bot (Contributor) commented Mar 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: cf3800a9-e0cb-43b9-bfde-7c3a4889c148

📥 Commits

Reviewing files that changed from the base of the PR and between 1e36aec and 3eb6e94.

📒 Files selected for processing (5)
  • .changeset/remove-expired-token-retry.md
  • packages/clerk-js/src/core/resources/Session.ts
  • packages/clerk-js/src/core/resources/__tests__/Session.test.ts
  • packages/shared/src/error.ts
  • packages/shared/src/errors/missingExpiredTokenError.ts
💤 Files with no reviewable changes (2)
  • packages/shared/src/error.ts
  • packages/shared/src/errors/missingExpiredTokenError.ts

📝 Walkthrough

This change removes the expired token retry flow and related error handling from the Clerk authentication libraries. The Session token resolver in clerk-js no longer attempts to recover from MissingExpiredTokenError by retrying with an expired_token parameter. The MissingExpiredTokenError class is deleted from the shared error module, its import is removed from the session resource, and associated test cases covering the retry behavior are deleted. A changeset entry marks patch releases for @clerk/shared and @clerk/clerk-js reflecting this removal.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: removing the expired_token retry flow from clerk-js and shared packages, which is the primary objective of this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
