releases.shpreview

Authorized-parties check now requires azp claim

@clerk/backend@3.11.1

1 fixThis release1 fixBug fixesAI-tallied from the release notes

Patch Changes

  • Enforce the azp (authorized party) claim when authorizedParties is configured. Previously, a session token that was missing the azp claim was accepted even when authorizedParties was set, allowing the authorized-parties check to be bypassed by omitting the claim. Now, when authorizedParties is configured, a token with a missing or empty azp claim is rejected. Tokens without azp continue to be accepted when no authorizedParties are configured. (#8877) by @dominic-clerk

  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b]:

    • @clerk/shared@4.25.0

Fetched July 8, 2026