feat(backend): [WIP] Add support for M2M JWT creation and verification #7883

Draft
wobsoriano wants to merge 10 commits into release/core-2 from rob/USER-4704-m2m-jwts

@wobsoriano
Member

Description

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Add support for verifying M2M tokens in JWT format, mirroring the existing
OAuth JWT verification pattern.

Changes:
- Add isM2MJwt() to detect M2M JWTs by checking sub claim starts with 'mch_'
- Add isMachineJwt() helper to check for any machine JWT (OAuth or M2M)
- Update isMachineToken() and getMachineTokenType() to recognize M2M JWTs
- Add M2MToken.fromJwtPayload() to create M2MToken from verified JWT payload
- Add verifyJwtM2MToken() for local JWT verification using JWKS
- Update verifyM2MToken() to route JWT vs opaque token verification
- Update request.ts to reject machine JWTs when expecting session tokens
- Export isM2MJwt and isMachineJwt from internal.ts
@vercel
vercel bot commented Feb 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Feb 20, 2026 6:55am

@changeset-bot
changeset-bot bot commented Feb 19, 2026

🦋 Changeset detected

Latest commit: 9740d2c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@clerk/backend Minor
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/remix Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch

@coderabbitai
Contributor

coderabbitai bot commented Feb 19, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Add support for creating M2M tokens in JWT format in addition to the default
opaque format. The tokenFormat parameter accepts 'opaque' (default) or 'jwt'.

Changes:
- Add tokenFormat parameter to CreateM2MTokenParams type with JSDoc
- Pass tokenFormat parameter to BAPI in createToken method
- Add comprehensive tests for JWT format, opaque format, default behavior, and JWT with custom claims
- Apply linting fixes to machine.test.ts

@wobsoriano force-pushed the rob/USER-4704-m2m-jwts branch from 402db61 to 450ffdc, February 19, 2026 17:39
@wobsoriano changed the title from "feat(backend): Add M2M JWT token verification support" to "feat(backend): [WIP] Add M2M JWT token verification support", Feb 19, 2026
@wobsoriano marked this pull request as ready for review, February 19, 2026 17:40
@pkg-pr-new
pkg-pr-new bot commented Feb 19, 2026

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7883

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7883

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7883

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7883

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7883

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7883

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7883

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7883

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7883

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7883

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7883

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7883

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7883

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7883

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7883

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7883

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7883

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7883

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7883

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7883

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7883

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7883

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7883

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7883

commit: b833f2b

Updated test JWT tokens to include:
- Header: Added 'kid' field with instance ID
- Payload: Added 'jti' field for JWT ID

These fields are required by the M2M JWT verification schema
at edge (cloudflare-workers#1593) and ensure our tests use
realistic JWT tokens that match production behavior.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
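
The routing rules in the PR description (the `sub` prefix `mch_`, JWT versus opaque handling, rejecting machine JWTs where a session token is expected) and the `kid`/`jti` requirement in the commit message above, sketched as an added example that is not code from this PR or from @clerk/backend. The function names, route labels and sample tokens are assumptions made for illustration; OAuth JWT detection is not described on the page and is left out.

```javascript
// Added illustration; function names are hypothetical, not @clerk/backend exports.
const M2M_SUBJECT_PREFIX = 'mch_'; // prefix named in the PR description

// Decode one base64url segment to a JSON object; null on malformed input.
function decodeSegment(segment) {
  try {
    const v = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    return v !== null && typeof v === 'object' && !Array.isArray(v) ? v : null;
  } catch {
    return null;
  }
}

// Read header and payload WITHOUT verifying the signature (routing input only).
function peekJwt(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some(p => !/^[A-Za-z0-9_-]+$/.test(p))) return null;
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  return header && payload ? { header, payload } : null;
}

// Pick which verifier should run. The claims are still untrusted at this point.
function routeToken(token) {
  const jwt = peekJwt(token);
  if (!jwt) return { route: 'opaque' }; // not JWT-shaped: opaque-token verification
  const { header, payload } = jwt;
  if (typeof payload.sub !== 'string' || !payload.sub.startsWith(M2M_SUBJECT_PREFIX)) {
    return { route: 'other-jwt' }; // not an M2M JWT
  }
  // Per the test-fixture commit, the M2M schema needs header.kid and payload.jti.
  const missing = [];
  if (typeof header.kid !== 'string' || header.kid === '') missing.push('kid');
  if (typeof payload.jti !== 'string' || payload.jti === '') missing.push('jti');
  return missing.length ? { route: 'reject', missing } : { route: 'm2m-jwt', kid: header.kid };
}

// Session guard: only a JWT that is not a machine JWT proceeds to session verification.
function acceptableAsSessionToken(token) {
  return routeToken(token).route === 'other-jwt';
}

// Constructed sample tokens; the signature segment is a placeholder and never checked here.
const b64 = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
const makeToken = (header, payload) => `${b64(header)}.${b64(payload)}.c2ln`;
```

A token routed to `m2m-jwt` still has to pass signature verification against the JWKS key selected by `kid` before any of its claims is trusted; the routing result only selects the verifier.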

@wobsoriano changed the title from "feat(backend): [WIP] Add M2M JWT token verification support" to "feat(backend): Add support for M2M JWT creation and verification", Feb 19, 2026
@wobsoriano changed the title from "feat(backend): Add support for M2M JWT creation and verification" to "feat(backend): [WIP] Add support for M2M JWT creation and verification", Feb 19, 2026
@wobsoriano marked this pull request as draft, February 19, 2026 22:41