OAuth consent comes home and Clerk enforces auth at lint time
June 15–21, 2026
Clerk ships a hostable OAuth consent component, an experimental ESLint plugin that catches unprotected Next.js routes, and exclusive organization membership, while Better Auth fixes OIDC claim overrides and Auth0's Refresh Token Metadata reaches GA for Enterprise customers.
Host OAuth consent on your own domain with Clerk
The week's biggest story is Clerk's new <OAuthConsent /> component, which lets you host the OAuth consent screen on your own application domain and style it to match your brand. Until now, that screen lived exclusively on Clerk's Account Portal—a problem for apps integrating with OAuth clients, MCP servers, or agentic AI workflows, where sending users to a third-party domain mid-flow breaks UX and trust. The component ships across Clerk's full framework roster: Next.js, React, React Router, TanStack React Start, Astro, Vue, and Nuxt, with dashboard path configuration and organization selection when the user:org:read scope is requested.
Lint-time auth enforcement and other Clerk framework improvements
Clerk also introduced an experimental @clerk/eslint-plugin with a require-auth-protection rule for Next.js App Router pages and route handlers. The rule surfaces quick-fix suggestions to insert await auth.protect() at the top of unprotected functions, and a companion CLI command, clerk-next-fix-auth-protection, can bulk-apply fixes across a codebase or run in --dry-run mode to report gaps. This is a practical step toward making auth enforcement as automatic as a linter check.
On the SDK side, exclusive organization membership went live across the JavaScript SDK, the core clerk-js package, and @clerk/shared—organizations can now limit users to a single org, and members are auto-activated during the choose-organization session task instead of showing the picker. The Clerk Expo SDK received a significant fix for iOS development builds, linking the Clerk iOS SDK through React Native's Swift Package Manager podspec support (minimum RN version raised to 0.75). Meanwhile, the React SDK squashed a ReferenceError: global is not defined that could crash production builds in TanStack Start and React Router apps.
In UX improvements, Clerk UI v1.19.0 now foregrounds interactive bot-protection challenges during sign-in and sign-up, hiding other fields until the challenge is solved, and a companion fix ensures the captcha spotlight still fires correctly when an older clerk-js runtime pairs with a newer UI.
Better Auth tightens OIDC and fixes OAuth scope loss
Better Auth v1.7.0-beta.9 introduces a breaking change that should get your attention if you're customizing ID tokens: custom ID-token claims, extension claims, and per-issuance idTokenClaims can no longer override protected OIDC claims like iss, sub, and aud. The fix enforces the use of namespaced custom claims instead, bringing Better Auth's OAuth provider behavior in line with the spec. The beta also fixes the UserInfo endpoint to accept bearer tokens in form-encoded POST bodies and ensures authorization code replay returns invalid_grant while revoking previously issued tokens.
A concurrent beta patch fixes OAuth scope loss during re-authentication or token refresh—a subtle bug that could silently reduce a user's granted scopes—and rolls back the user row when account creation fails.
Auth0's Refresh Token Metadata exits beta
Auth0's Refresh Token Metadata is now generally available for Enterprise customers, letting you attach up to 25 custom key-value pairs to each refresh token via setMetadata in Post-Login Actions or the Management API. The metadata persists throughout the token's lifecycle and is accessible on the /userinfo and /tokeninfo endpoints.
Releases covered
- Clerk launches customizable OAuth consent screen with prebuilt component
- @clerk/eslint-plugin v0.1.0 introduces require-auth-protection rule for Next.js
- Clerk JavaScript SDK 6.20.0 adds exclusive organization membership
- Clerk Expo SDK 3.5.0 fixes iOS build and client syncing
- Clerk React SDK v6.10.2 fixes "global is not defined" ReferenceError in production builds
- Clerk UI v1.19.0 brings bot-protection challenge to foreground during sign-in
- Clerk JavaScript SDK 6.19.0 fixes inline captcha spotlight across version skews