chore(backend): Rename M2M `secret` -> `token` #6536

wobsoriano · 2025-08-13T17:46:29Z

Description

Deprecate clerkClient.m2mTokens.verifySecret in favor of .verifyToken.
Backwards compatible with verifySecret users

See workers PR for more info

Resolves USER-3147

Checklist

pnpm test runs as expected.
pnpm build runs as expected.
(If applicable) JSDoc comments have been added or updated for any package exports
(If applicable) Documentation has been updated

Type of change

Summary by CodeRabbit

New Features
- Added token-based verification for M2M tokens via verifyToken.
- M2M token responses may now include a token field alongside the legacy secret.
Deprecations
- verifySecret is deprecated; use verifyToken({ token }) instead.
- The secret field on M2M tokens is deprecated in favor of token.
- Deprecation warnings are emitted when using the old method/field.
Chores
- Added a changeset entry for a minor release of @clerk/backend.

changeset-bot · 2025-08-13T17:46:33Z

🦋 Changeset detected

Latest commit: 64b3cf6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@clerk/backend	Minor
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/remix	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel · 2025-08-13T17:46:35Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready	Preview	Comment	Aug 13, 2025 5:58pm

coderabbitai · 2025-08-13T17:50:15Z

📝 Walkthrough

Walkthrough

Introduces a new m2mTokens.verifyToken({ token }) method and deprecates m2mTokens.verifySecret({ secret }) across backend API, resources, and internal verification flow. Adds token to M2MToken and M2MTokenJSON, updates constructors and fromJSON mapping. Adjusts tests to use verifyToken, adds coverage for deprecated verifySecret, and updates integration tests and routes to authenticate via Bearer token with verifyToken while preserving a deprecated path. Adds deprecation warning in verifySecret and a changeset entry for a minor release of @clerk/backend.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Rename M2M verification methods from token to secret (USER-3147)	❌	Code renames secret to token, adds verifyToken and deprecates verifySecret, contrary to the stated direction.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

pkg-pr-new · 2025-08-13T17:53:34Z

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6536

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6536

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6536

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6536

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6536

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6536

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6536

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6536

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6536

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6536

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6536

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6536

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6536

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6536

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6536

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6536

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6536

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6536

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6536

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6536

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6536

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6536

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6536

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6536

commit: 64b3cf6

coderabbitai

Actionable comments posted: 5

🔭 Outside diff range comments (2)

packages/backend/src/tokens/verify.ts (1)

203-214: Forward machineSecretKey and surface it in options type

Passing machineSecretKey through ensures callers can override the Authorization header for M2M verification. Also expose machineSecretKey on VerifyTokenOptions so callers don’t hit excess property checks.

Apply this diff to forward the param:

 async function verifyM2MToken(
   token: string,
   options: VerifyTokenOptions & { machineSecretKey?: string },
 ): Promise<MachineTokenReturnType<M2MToken, MachineTokenVerificationError>> {
   try {
     const client = createBackendApiClient(options);
-    const verifiedToken = await client.m2mTokens.verifyToken({ token });
+    const verifiedToken = await client.m2mTokens.verifyToken({
+      token,
+      // allow per-call override when provided
+      machineSecretKey: options.machineSecretKey,
+    });
     return { data: verifiedToken, tokenType: TokenType.M2MToken, errors: undefined };
   } catch (err: any) {
     return handleClerkAPIError(TokenType.M2MToken, err, 'Machine token not found');
   }
 }

And add machineSecretKey to VerifyTokenOptions (outside this hunk):

// In this file, extend the options type:
export type VerifyTokenOptions = Omit<VerifyJwtOptions, 'key'> &
  Omit<LoadClerkJWKFromRemoteOptions, 'kid'> & {
    /**
     * Used to verify the session token in a networkless manner. Supply the PEM public key...
     */
    jwtKey?: string;
    /**
     * When verifying M2M tokens, use this secret to authenticate with the Backend API.
     * If omitted, falls back to `secretKey` depending on client configuration.
     */
    machineSecretKey?: string;
  };

packages/backend/src/api/endpoints/M2MTokenApi.ts (1)

36-46: Export newly introduced public types

Packages should export TypeScript types alongside runtime code. Export VerifyM2MTokenParamsDeprecated so SDK users can type variables and params externally.
-type VerifyM2MTokenParamsDeprecated = {
+export type VerifyM2MTokenParamsDeprecated = {
   /**
    * Custom machine secret key for authentication.
    */
   machineSecretKey?: string;
   /**
    * Machine-to-machine token secret to verify.
    */
   secret: string;
 };

🧹 Nitpick comments (8)

.changeset/small-adults-crash.md (1)
5-6: Fix grammar and stray character in changeset note

“in favor or” → “in favor of”

Remove the dangling “6” line.

Apply this diff:
-Deprecates `clerkClient.m2mTokens.verifySecret({ secret: 'mt_xxx' })` in favor or `clerkClient.m2mTokens.verifyToken({ token: 'mt_xxx' })`
-6
+Deprecates `clerkClient.m2mTokens.verifySecret({ secret: 'mt_xxx' })` in favor of `clerkClient.m2mTokens.verifyToken({ token: 'mt_xxx' })`
packages/backend/src/api/resources/JSON.ts (1)
737-742: M2MTokenJSON: deprecate secret, add token — LGTM; consider adding brief JSDoc for token

The deprecation on secret with a pointer to token is good. Consider adding a short JSDoc explaining token to aid Typedoc output.

Apply this diff to document token:
 export interface M2MTokenJSON extends ClerkResourceJSON {
   object: typeof ObjectType.M2MToken;
   /**
    * @deprecated Use {@link token} instead.
    */
   secret?: string;
+  /**
+   * The raw machine-to-machine token string to be used as a Bearer credential.
+   */
   token?: string;
   subject: string;
   scopes: string[];
   claims: Record<string, any> | null;
integration/tests/machine-auth/m2m.test.ts (2)
43-51: Short-circuit on missing Authorization token

Minor guard to avoid calling the SDK with an undefined token, and to return 401 faster.

Apply this diff:
 app.get('/api/protected', async (req, res) => {
-  const token = req.get('Authorization')?.split(' ')[1];
-  
-  try {
+  const token = req.get('Authorization')?.split(' ')[1];
+  if (!token) {
+    return res.status(401).send('Unauthorized');
+  }
+  try {
     const m2mToken = await clerkClient.m2mTokens.verifyToken({ token });
     res.send('Protected response ' + m2mToken.id);
   } catch {
     res.status(401).send('Unauthorized');
   }
 });
184-195: Deprecated path coverage — LGTM

Back-compat route exercising verifySecret is valuable; ensures smooth migration.

Optional: consider adding an assertion that a deprecation warning is logged (if the SDK surfaces one) to make sure consumers notice the migration path.
packages/backend/src/api/__tests__/M2MTokenApi.test.ts (3)
17-20: Align mock naming with new API terminology

The mock assigns the same value to both secret and token. To reduce confusion now that token is the preferred field, consider renaming m2mSecret to m2mToken (or adding a separate const) and favoring token in assertions going forward.

51-51: Good: Asserting the new token field on creation

Adding an assertion for response.token ensures the model exposes the new property. Consider adding a similar assertion in the second create test for consistency.

212-287: Prefer asserting token over secret in verifyToken tests

Since verifyToken is the new API, assertions should prioritize response.token. Keeping a legacy assertion for response.secret is fine temporarily, but it should be phased out.

Suggested update:
@@
-      expect(response.id).toBe(m2mId);
-      expect(response.secret).toBe(m2mSecret);
+      expect(response.id).toBe(m2mId);
+      expect(response.token).toBe(m2mSecret);
+      // Back-compat assertion; consider removing in a future cleanup
+      expect(response.secret).toBe(m2mSecret);
@@
-      expect(response.id).toBe(m2mId);
-      expect(response.secret).toBe(m2mSecret);
+      expect(response.id).toBe(m2mId);
+      expect(response.token).toBe(m2mSecret);
+      // Back-compat assertion; consider removing in a future cleanup
+      expect(response.secret).toBe(m2mSecret);
packages/backend/src/api/resources/M2MToken.ts (1)

15-17: Add JSDoc and deprecation notice for class properties

Public APIs should be documented. Add JSDoc for token and mark secret as deprecated to guide users.

Would you like me to open a follow-up PR to add property-level JSDoc on M2MToken (and mark secret as @deprecated)?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b52d7a and 64b3cf6.

📒 Files selected for processing (8)

.changeset/small-adults-crash.md (1 hunks)
integration/tests/machine-auth/m2m.test.ts (5 hunks)
packages/backend/src/api/__tests__/M2MTokenApi.test.ts (3 hunks)
packages/backend/src/api/__tests__/factory.test.ts (4 hunks)
packages/backend/src/api/endpoints/M2MTokenApi.ts (5 hunks)
packages/backend/src/api/resources/JSON.ts (1 hunks)
packages/backend/src/api/resources/M2MToken.ts (2 hunks)
packages/backend/src/tokens/verify.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (13)

.changeset/**

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

.changeset/small-adults-crash.md

**/*.{js,jsx,ts,tsx}