Merge branch 'release/core-2' into ds.fix/core-2-always-free-default

Author: dstaley

integration/tests/machine-auth/m2m.test.ts

@@ -42,10 +42,9 @@ test.describe('machine-to-machine auth @machine', () => {
 
         app.get('/api/protected', async (req, res) => {
           const token = req.get('Authorization')?.split(' ')[1];
-          
           try {
-            const m2mToken = await clerkClient.m2m.verifyToken({ token });
-            res.send('Protected response ' + m2mToken.id);
+            const m2mToken = await clerkClient.m2m.verify({ token });
+            res.send('Protected response ' + m2mToken.subject);
           } catch {
             res.status(401).send('Unauthorized');
           }
@@ -150,7 +149,7 @@ test.describe('machine-to-machine auth @machine', () => {
       },
     });
     expect(res.status()).toBe(200);
-    expect(await res.text()).toBe('Protected response ' + emailServerM2MToken.id);
+    expect(await res.text()).toBe('Protected response ' + emailServer.id);
 
     // Analytics server can access primary API server after adding scope
     await u.services.clerk.machines.createScope(analyticsServer.id, primaryApiServer.id);
@@ -165,9 +164,30 @@ test.describe('machine-to-machine auth @machine', () => {
       },
     });
     expect(res2.status()).toBe(200);
-    expect(await res2.text()).toBe('Protected response ' + m2mToken.id);
+    expect(await res2.text()).toBe('Protected response ' + analyticsServer.id);
     await u.services.clerk.m2m.revokeToken({
       m2mTokenId: m2mToken.id,
     });
   });
+
+  test('verifies JWT format M2M token via local verification', async ({ page, context }) => {
+    const u = createTestUtils({ app, page, context });
+
+    const client = createClerkClient({
+      secretKey: instanceKeys.get('with-api-keys').sk,
+    });
+    const jwtToken = await client.m2m.createToken({
+      machineSecretKey: emailServer.secretKey,
+      secondsUntilExpiration: 60 * 30,
+      tokenFormat: 'jwt',
+    });
+
+    const res = await u.page.request.get(app.serverUrl + '/api/protected', {
+      headers: { Authorization: `Bearer ${jwtToken.token}` },
+    });
+    expect(res.status()).toBe(200);
+    expect(await res.text()).toBe('Protected response ' + emailServer.id);
+    // JWT-format tokens are self-contained and not stored in BAPI, so revocation
+    // is not applicable — they expire naturally via the exp claim.
+  });
 });

packages/agent-toolkit/CHANGELOG.md

@@ -1,5 +1,39 @@
 # @clerk/agent-toolkit
 
+## 0.2.28
+
+### Patch Changes
+
+- Updated dependencies [[`76a5a1b`](https://github.com/clerk/javascript/commit/76a5a1b851819b4247c944ba0132f2cacd626962), [`7955e9d`](https://github.com/clerk/javascript/commit/7955e9dd90419c02fd51226d4fe335d42e7096a5), [`51bc9a9`](https://github.com/clerk/javascript/commit/51bc9a90554b83f04b33e836931f33b778bfc506)]:
+  - @clerk/backend@2.33.0
+  - @clerk/shared@3.47.2
+  - @clerk/types@4.101.20
+
+## 0.2.27
+
+### Patch Changes
+
+- Updated dependencies [[`8a0c404`](https://github.com/clerk/javascript/commit/8a0c404d05a88697fcc3a609fef25bd5ff9f9ef0)]:
+  - @clerk/shared@3.47.1
+  - @clerk/backend@2.32.2
+  - @clerk/types@4.101.19
+
+## 0.2.26
+
+### Patch Changes
+
+- Updated dependencies [[`c15c8a2`](https://github.com/clerk/javascript/commit/c15c8a2cd263bd777fd94fb4bdeae2cfb4a70aca)]:
+  - @clerk/backend@2.32.1
+
+## 0.2.25
+
+### Patch Changes
+
+- Updated dependencies [[`c00c524`](https://github.com/clerk/javascript/commit/c00c5246f340cf0339c5725cade90cfcd118727d), [`9c935ad`](https://github.com/clerk/javascript/commit/9c935adeda94af60219ed8b7c7f1f9c34fbd410d)]:
+  - @clerk/shared@3.47.0
+  - @clerk/backend@2.32.0
+  - @clerk/types@4.101.18
+
 ## 0.2.24
 
 ### Patch Changes

packages/agent-toolkit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/agent-toolkit",
-  "version": "0.2.24",
+  "version": "0.2.28",
   "description": "Clerk Toolkit for AI Agents",
   "homepage": "https://clerk.com/",
   "bugs": {

packages/astro/CHANGELOG.md

@@ -1,5 +1,39 @@
 # @clerk/astro
 
+## 2.17.8
+
+### Patch Changes
+
+- Updated dependencies [[`76a5a1b`](https://github.com/clerk/javascript/commit/76a5a1b851819b4247c944ba0132f2cacd626962), [`7955e9d`](https://github.com/clerk/javascript/commit/7955e9dd90419c02fd51226d4fe335d42e7096a5), [`51bc9a9`](https://github.com/clerk/javascript/commit/51bc9a90554b83f04b33e836931f33b778bfc506)]:
+  - @clerk/backend@2.33.0
+  - @clerk/shared@3.47.2
+  - @clerk/types@4.101.20
+
+## 2.17.7
+
+### Patch Changes
+
+- Updated dependencies [[`8a0c404`](https://github.com/clerk/javascript/commit/8a0c404d05a88697fcc3a609fef25bd5ff9f9ef0)]:
+  - @clerk/shared@3.47.1
+  - @clerk/backend@2.32.2
+  - @clerk/types@4.101.19
+
+## 2.17.6
+
+### Patch Changes
+
+- Updated dependencies [[`c15c8a2`](https://github.com/clerk/javascript/commit/c15c8a2cd263bd777fd94fb4bdeae2cfb4a70aca)]:
+  - @clerk/backend@2.32.1
+
+## 2.17.5
+
+### Patch Changes
+
+- Updated dependencies [[`c00c524`](https://github.com/clerk/javascript/commit/c00c5246f340cf0339c5725cade90cfcd118727d), [`9c935ad`](https://github.com/clerk/javascript/commit/9c935adeda94af60219ed8b7c7f1f9c34fbd410d)]:
+  - @clerk/shared@3.47.0
+  - @clerk/backend@2.32.0
+  - @clerk/types@4.101.18
+
 ## 2.17.4
 
 ### Patch Changes

packages/astro/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/astro",
-  "version": "2.17.4",
+  "version": "2.17.8",
   "description": "Clerk SDK for Astro",
   "keywords": [
     "auth",

packages/backend/CHANGELOG.md

@@ -1,5 +1,115 @@
 # Change Log
 
+## 2.33.0
+
+### Minor Changes
+
+- Added support for JWT token format when creating and verifying machine-to-machine (M2M) tokens. This enables fully **networkless verification** when using the public JWT key. ([#7883](https://github.com/clerk/javascript/pull/7883)) by [@wobsoriano](https://github.com/wobsoriano)
+
+  **Creating a JWT-format M2M token**
+
+  ```ts
+  const clerkClient = createClerkClient({
+    machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY,
+  });
+
+  const m2mToken = await clerkClient.m2m.createToken({
+    tokenFormat: 'jwt',
+  });
+
+  console.log('M2M token created:', m2mToken.token);
+  ```
+
+  **Verifying a token**
+
+  ```ts
+  const clerkClient = createClerkClient({
+    machineSecretKey: process.env.CLERK_MACHINE_SECRET_KEY,
+  });
+
+  const authHeader = req.headers.get('Authorization');
+  const token = authHeader.slice(7);
+
+  const verified = await clerkClient.m2m.verify(token);
+
+  console.log('Verified M2M token:', verified);
+  ```
+
+  **Networkless verification**
+
+  ```ts
+  const clerkClient = createClerkClient({
+    jwtKey: process.env.CLERK_JWT_KEY,
+  });
+
+  const authHeader = req.headers.get('Authorization');
+  const token = authHeader.slice(7);
+
+  const verified = await clerkClient.m2m.verify(token);
+
+  console.log('Verified M2M token:', verified);
+  ```
+
+- Add `list()` method to M2M tokens API to retrieve a list of machine-to-machine tokens for a given machine. ([#7939](https://github.com/clerk/javascript/pull/7939)) by [@wobsoriano](https://github.com/wobsoriano)
+
+  ```ts
+  // Retrieve M2M tokens for a specific machine
+  const response = await clerkClient.m2m.list({
+    subject: 'mch_1xxxxxxxxxxxxx',
+  });
+
+  console.log(response.data); // M2MToken[]
+  console.log(response.totalCount); // number
+  ```
+
+  Filter by revoked or expired tokens:
+
+  ```ts
+  const revokedTokens = await clerkClient.m2m.list({
+    subject: 'mch_1xxxxxxxxxxxxx',
+    revoked: true,
+  });
+
+  const expiredTokens = await clerkClient.m2m.list({
+    subject: 'mch_1xxxxxxxxxxxxx',
+    expired: true,
+  });
+  ```
+
+### Patch Changes
+
+- Updated dependencies [[`7955e9d`](https://github.com/clerk/javascript/commit/7955e9dd90419c02fd51226d4fe335d42e7096a5)]:
+  - @clerk/shared@3.47.2
+  - @clerk/types@4.101.20
+
+## 2.32.2
+
+### Patch Changes
+
+- Updated dependencies [[`8a0c404`](https://github.com/clerk/javascript/commit/8a0c404d05a88697fcc3a609fef25bd5ff9f9ef0)]:
+  - @clerk/shared@3.47.1
+  - @clerk/types@4.101.19
+
+## 2.32.1
+
+### Patch Changes
+
+- Updates `OrganizationInvitationStatus` to include `expired` to match the API updates. ([#7909](https://github.com/clerk/javascript/pull/7909)) by [@austincalvelage](https://github.com/austincalvelage)
+
+## 2.32.0
+
+### Minor Changes
+
+- Add support for Agent Tasks API endpoint which allows developers to create agent tasks that can be used to act on behalf of users through automated flows. ([#7897](https://github.com/clerk/javascript/pull/7897)) by [@tmilewski](https://github.com/tmilewski)
+
+  Export `createAgentTestingTask` helper for creating agent tasks via the Clerk Backend API from both `@clerk/testing/playwright` and `@clerk/testing/cypress` subpaths.
+
+### Patch Changes
+
+- Updated dependencies [[`c00c524`](https://github.com/clerk/javascript/commit/c00c5246f340cf0339c5725cade90cfcd118727d)]:
+  - @clerk/shared@3.47.0
+  - @clerk/types@4.101.18
+
 ## 2.31.2
 
 ### Patch Changes

packages/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/backend",
-  "version": "2.31.2",
+  "version": "2.33.0",
   "description": "Clerk Backend SDK - REST Client for Backend API & JWT verification utilities",
   "homepage": "https://clerk.com/",
   "bugs": {

packages/backend/src/__tests__/exports.test.ts

@@ -49,11 +49,9 @@ describe('subpath /internal exports', () => {
         "decorateObjectWithResources",
         "getAuthObjectForAcceptedToken",
         "getAuthObjectFromJwt",
-        "getMachineTokenType",
         "invalidTokenAuthObject",
         "isMachineToken",
         "isMachineTokenByPrefix",
-        "isMachineTokenType",
         "isTokenTypeAccepted",
         "makeAuthObjectSerializable",
         "reverificationError",

packages/backend/src/api/__tests__/AgentTaskApi.test.ts

@@ -0,0 +1,96 @@
+import { http, HttpResponse } from 'msw';
+import { describe, expect, it } from 'vitest';
+
+import { server, validateHeaders } from '../../mock-server';
+import { createBackendApiClient } from '../factory';
+
+describe('AgentTaskAPI', () => {
+  const apiClient = createBackendApiClient({
+    apiUrl: 'https://api.clerk.test',
+    secretKey: 'deadbeef',
+  });
+
+  const mockAgentTaskResponse = {
+    object: 'agent_task',
+    agent_id: 'agent_123',
+    task_id: 'task_456',
+    url: 'https://example.com/agent-task',
+  };
+
+  describe('create', () => {
+    it('converts nested onBehalfOf.userId to snake_case', async () => {
+      server.use(
+        http.post(
+          'https://api.clerk.test/v1/agents/tasks',
+          validateHeaders(async ({ request }) => {
+            const body = await request.json();
+
+            expect(body).toEqual({
+              on_behalf_of: {
+                user_id: 'user_123',
+              },
+              permissions: 'read,write',
+              agent_name: 'test-agent',
+              task_description: 'Test task',
+              redirect_url: 'https://example.com/callback',
+              session_max_duration_in_seconds: 1800,
+            });
+
+            return HttpResponse.json(mockAgentTaskResponse);
+          }),
+        ),
+      );
+
+      const response = await apiClient.agentTasks.create({
+        onBehalfOf: {
+          userId: 'user_123',
+        },
+        permissions: 'read,write',
+        agentName: 'test-agent',
+        taskDescription: 'Test task',
+        redirectUrl: 'https://example.com/callback',
+        sessionMaxDurationInSeconds: 1800,
+      });
+
+      expect(response.agentId).toBe('agent_123');
+      expect(response.taskId).toBe('task_456');
+      expect(response.url).toBe('https://example.com/agent-task');
+    });
+
+    it('converts nested onBehalfOf.identifier to snake_case', async () => {
+      server.use(
+        http.post(
+          'https://api.clerk.test/v1/agents/tasks',
+          validateHeaders(async ({ request }) => {
+            const body = await request.json();
+
+            expect(body).toEqual({
+              on_behalf_of: {
+                identifier: 'user@example.com',
+              },
+              permissions: 'read',
+              agent_name: 'test-agent',
+              task_description: 'Test task',
+              redirect_url: 'https://example.com/callback',
+            });
+
+            return HttpResponse.json(mockAgentTaskResponse);
+          }),
+        ),
+      );
+
+      const response = await apiClient.agentTasks.create({
+        onBehalfOf: {
+          identifier: 'user@example.com',
+        },
+        permissions: 'read',
+        agentName: 'test-agent',
+        taskDescription: 'Test task',
+        redirectUrl: 'https://example.com/callback',
+      });
+
+      expect(response.agentId).toBe('agent_123');
+      expect(response.taskId).toBe('task_456');
+    });
+  });
+});