Clerk
npx @buildinternet/releases get clerkRecently shipped CLI 2.0 with local webhooks and one-command user impersonation.
CLI 2.0 adds a local webhooks toolkit and user impersonation. clerk webhooks listen opens a relay tunnel with optional stable URL; clerk webhooks verify checks signatures offline. clerk user impersonate signs you in as any user for debugging.
Enterprise SSO now supports self-service delegation, JIT provisioning control, SAML login hint customization, and multi-value attribute mapping.
- A new Security tab in
<OrganizationProfile />lets customers' IT admins configure SSO without Dashboard access. - SAML connections can reject sign-ins from users without existing accounts via a Dashboard toggle or
disable_jitfield. - Each SAML connection can now send an email address, a custom attribute, or no login hint to the identity provider.
- Custom attributes from identity providers are written as arrays to
publicMetadata.
The OAuth consent screen is now hostable in your own app. The <OAuthConsent /> component renders the consent flow on your domain, styled to match your product.
Billing and antifraud updates.
- Organization billing plans can charge per member. Account credits let you adjust customer balances without changing subscription pricing.
- Clerk Protect can now issue an SDK-based challenge during sign-up and sign-in flows.
Deprecation and enforcement.
createRouteMatcher()is deprecated in@clerk/nextjsin favor of resource-based auth checks per page or layout.- Backend SDK now enforces
azpclaim validation whenauthorizedPartiesis configured. - CBC-mode SSL/TLS cipher suites will be phased out on Clerk-managed subdomains starting January 18, 2027.
Security fix in SSR serialization. Authed state embedded in <script> tags now escapes <, >, and / to prevent stored XSS from user-controllable session claims. Patched across @clerk/shared, @clerk/astro, @clerk/tanstack-react-start, and others.
Routine patch updates: Expo fixed Android native UI crashes from premature window attachment and duplicate initialization requests during API unavailability.