chore(backend): Rename M2M namespace from `m2mTokens` to `m2m` in api client #6544

wobsoriano · 2025-08-14T01:44:34Z

Description

Please see this notion doc for the updated namespace.

Rename M2M namespace from m2mTokens to m2m in Backend API client

Before:

clerkClient.m2mTokens.create()

clerkClient.m2mTokens.revoke()

clerkClient.m2mTokens.verifySecret({ secret: 'ak_xxx' })

After:

clerkClient.m2m.createToken()

clerkClient.m2m.revokeToken()

clerkClient.m2m.verifyToken({ token: 'ak_xxx' })

Checklist

pnpm test runs as expected.
pnpm build runs as expected.
(If applicable) JSDoc comments have been added or updated for any package exports
(If applicable) Documentation has been updated

Type of change

Summary by CodeRabbit

Refactor
- Renamed the M2M API namespace from m2mTokens to m2m.
- Renamed methods: create → createToken, revoke → revokeToken; verifyToken now accessed via m2m.
- Removed deprecated verifySecret flow and its associated deprecated route.
Tests
- Updated tests to use m2m.createToken, m2m.revokeToken, and m2m.verifyToken.
- Adjusted test authorization flows to align with the new API surface.

changeset-bot · 2025-08-14T01:44:38Z

🦋 Changeset detected

Latest commit: 6e76cf7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@clerk/backend	Minor
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/remix	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel · 2025-08-14T01:44:39Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready	Preview	Comment	Aug 14, 2025 1:49am

pkg-pr-new · 2025-08-14T01:51:41Z

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6544

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6544

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6544

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6544

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6544

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6544

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6544

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6544

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6544

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6544

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6544

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6544

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6544

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6544

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6544

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6544

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6544

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6544

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6544

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6544

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6544

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6544

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6544

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6544

commit: 6e76cf7

coderabbitai · 2025-08-14T01:53:42Z

📝 Walkthrough

Walkthrough

Public API namespace renamed from m2mTokens to m2m across backend client, endpoints, and tests. Method names changed: create → createToken, revoke → revokeToken; verifyToken moved to the new namespace and continues to accept a token (and optional machineSecretKey). The deprecated verifySecret method and its related endpoint/route were removed. Factory now exports m2m instead of m2mTokens. Tests and internal verification callers were updated to the new method names and paths. No other behavioral changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~18 minutes

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 1

🔭 Outside diff range comments (3)

packages/backend/src/api/factory.ts (1)
75-82: Keep the m2mTokens alias for backward-compatibility

We found m2mTokens referenced in several packages’ CHANGELOG.md files, so adding a deprecated alias will avoid breaking downstream users:

• File to update: packages/backend/src/api/factory.ts
• Add a single shared instance for both keys and alias it:
@@ createBackendApiClient(options) {
-  m2m: new M2MTokenApi(
-    buildRequest({
-      ...options,
-      skipApiVersionInUrl: true,
-      requireSecretKey: false,
-      useMachineSecretKey: true,
-    }),
-  ),
+  // primary export
+  m2m: m2mApi,
+  /** @deprecated Use `m2m` instead. Will be removed in a future major release. */
+  m2mTokens: m2mApi,
}

@@ before return
-    m2m: new M2MTokenApi(
-      buildRequest({ ...options, skipApiVersionInUrl: true, requireSecretKey: false, useMachineSecretKey: true }),
-    ),
+  const m2mApi = new M2MTokenApi(
+    buildRequest({ ...options, skipApiVersionInUrl: true, requireSecretKey: false, useMachineSecretKey: true }),
+  );
This preserves existing clerkClient.m2mTokens.* calls while steering users toward the new m2m key.
packages/backend/src/api/endpoints/M2MTokenApi.ts (2)
60-76: Add explicit return type and JSDoc for the public API method createToken

Per the repo’s TS guidelines, public APIs should have explicit return types and JSDoc. Also consider exporting the input type so users can import it.
-  async createToken(params?: CreateM2MTokenParams) {
+  /**
+   * Create a new M2M token.
+   */
+  async createToken(params?: CreateM2MTokenParams): Promise<M2MToken> {
     const { claims = null, machineSecretKey, secondsUntilExpiration = null } = params || {};
Optional (outside this hunk):

Export input types for consumers:
export type CreateM2MTokenParams = { /* ... */ }
Ensure barrel re-exports if applicable (e.g., from './endpoints').

78-95: Add explicit return type and harden header merging in revokeToken

Return type should be explicit. Additionally, while not in this hunk, #createRequestOptions spreads options.headerParams which can be undefined; guard with nullish coalescing to avoid runtime TypeErrors.
-  async revokeToken(params: RevokeM2MTokenParams) {
+  async revokeToken(params: RevokeM2MTokenParams): Promise<M2MToken> {
     const { m2mTokenId, revocationReason = null, machineSecretKey } = params;
Outside this hunk (reference Lines 50-53):
-        headerParams: {
-          ...options.headerParams,
-          Authorization: `Bearer ${machineSecretKey}`,
-        },
+        headerParams: {
+          ...(options.headerParams ?? {}),
+          Authorization: `Bearer ${machineSecretKey}`,
+        },
Also consider adding JSDoc for this public method for consistency with the guidelines.

♻️ Duplicate comments (1)

integration/tests/machine-auth/m2m.test.ts (1)

83-86: Duplicate of prior suggestion on DRYing expiration value

Same note as above regarding extracting a constant for 30 minutes.

🧹 Nitpick comments (4)

packages/backend/src/api/__tests__/M2MTokenApi.test.ts (1)

68-71: LGTM: createToken with explicit machineSecretKey

Covers per-call auth; consider adding a test that passes claims to ensure they’re forwarded to bodyParams.
integration/tests/machine-auth/m2m.test.ts (3)
73-76: Switched to client.m2m.createToken — OK; consider DRYing expiration

Change aligns with the new API. Minor nit: reuse a constant for 30 minutes to avoid duplication across the file.

You could define once near the top:
const THIRTY_MINUTES_IN_SECONDS = 60 * 30 as const;
Then use:
-  secondsUntilExpiration: 60 * 30,
+  secondsUntilExpiration: THIRTY_MINUTES_IN_SECONDS,
94-99: Make token revocation best-effort to avoid teardown flakiness

Tokens may already be expired/revoked by the time afterAll runs. Using Promise.allSettled prevents unnecessary failures during teardown.

Apply this diff:
-    await client.m2m.revokeToken({
-      m2mTokenId: emailServerM2MToken.id,
-    });
-    await client.m2m.revokeToken({
-      m2mTokenId: analyticsServerM2MToken.id,
-    });
+    await Promise.allSettled([
+      client.m2m.revokeToken({ m2mTokenId: emailServerM2MToken.id }),
+      client.m2m.revokeToken({ m2mTokenId: analyticsServerM2MToken.id }),
+    ]);
168-170: Add an assertion that revoked tokens are rejected

Verifies behavior post-revocation and guards against regressions.

Apply this diff:
     await u.services.clerk.m2m.revokeToken({
       m2mTokenId: m2mToken.id,
     });
+    // Verify the revoked token is no longer accepted
+    const res3 = await u.page.request.get(app.serverUrl + '/api/protected', {
+      headers: {
+        Authorization: `Bearer ${m2mToken.token}`,
+      },
+    });
+    expect(res3.status()).toBe(401);
+    expect(await res3.text()).toBe('Unauthorized');

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d400782 and e987b33.

📒 Files selected for processing (6)

integration/tests/machine-auth/m2m.test.ts (6 hunks)
packages/backend/src/api/__tests__/M2MTokenApi.test.ts (9 hunks)
packages/backend/src/api/__tests__/factory.test.ts (3 hunks)
packages/backend/src/api/endpoints/M2MTokenApi.ts (2 hunks)
packages/backend/src/api/factory.ts (1 hunks)
packages/backend/src/tokens/verify.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (12)

**/*.{js,jsx,ts,tsx}