You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Patch Changes
Deprecate createPathMatcher() and its pattern types (PathMatcherParam, PathPattern, WithPathSegmentWildcard). Pattern-based path matching is being phased out along with the framework-level createRouteMatcher() helpers and will be removed in the next major version. Use your framework's native routing primitives to decide which paths to protect instead. (#9094) by @jacekradko
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Minor Changes
Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys
When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
response may carry a chained challenge, which the SDK resolves iteratively.
Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
package is type-only and does not change runtime behavior: the server returns the new status
(and the protectCheck field) only for instances where Protect mid-flow challenges have been
explicitly enabled — the feature is off by default and is not enabled for existing instances by
upgrading. The server additionally only emits the new status value to SDK versions that
understand it, so older clients never receive an unknown status.
If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
running the challenge described by protectCheck and submitting the proof via submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
signal and fall back to the status value for defense in depth.
The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
to a new protect-check route that runs the challenge SDK and resumes the flow on completion.
Patch Changes
Fix the payment method form getting stuck in a loading state after a failed card setup. Non-validation errors such as 3DS authentication failures are now displayed. (#9080) by @aeliox
Fix the organization profile modal close button overlapping the SSO configuration wizard's step header. (#9089) by @iagodahlem
Enlarge the show/hide password toggle button's hit area with added padding and rounded corners, making it easier to tap and giving it a clearer hover/focus target. (#9096) by @alexcarpenter
Polish the Protect check card: the loading spinner now hides while a challenge widget (e.g. Turnstile) is visible instead of spinning alongside it, only appears after a short delay so near-instant checks never flash it, and the card no longer reserves empty space above the spinner before a widget has rendered. (#9099) by @mwickett
Fix standalone <SignUp /> Protect checks so the verification card stays mounted while a solved challenge routes to the next step, while stale direct visits to the protect-check route return to the start of the sign-up flow. (#9082) by @mwickett
Fix tooltips rendering behind modals (for example on the organization profile Security page). Tooltips now layer above modal content, and pressing Escape or clicking outside while a tooltip is open inside a modal closes only the tooltip instead of also dismissing the modal. (#9093) by @alexcarpenter
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Minor Changes
Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys
When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
response may carry a chained challenge, which the SDK resolves iteratively.
Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
package is type-only and does not change runtime behavior: the server returns the new status
(and the protectCheck field) only for instances where Protect mid-flow challenges have been
explicitly enabled — the feature is off by default and is not enabled for existing instances by
upgrading. The server additionally only emits the new status value to SDK versions that
understand it, so older clients never receive an unknown status.
If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
running the challenge described by protectCheck and submitting the proof via submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
signal and fall back to the status value for defense in depth.
The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
to a new protect-check route that runs the challenge SDK and resumes the flow on completion.
Patch Changes
Fix the touchSession option documentation to link directly to the Frontend API touch endpoint. (#9097) by @SarahSoutoul
Polish the Protect check card: the loading spinner now hides while a challenge widget (e.g. Turnstile) is visible instead of spinning alongside it, only appears after a short delay so near-instant checks never flash it, and the card no longer reserves empty space above the spinner before a widget has rendered. (#9099) by @mwickett