Authorized-parties check now requires azp claim
@clerk/backend@3.11.1
Patch Changes
-
Enforce the
azp(authorized party) claim whenauthorizedPartiesis configured. Previously, a session token that was missing theazpclaim was accepted even whenauthorizedPartieswas set, allowing the authorized-parties check to be bypassed by omitting the claim. Now, whenauthorizedPartiesis configured, a token with a missing or emptyazpclaim is rejected. Tokens withoutazpcontinue to be accepted when noauthorizedPartiesare configured. (#8877) by @dominic-clerk -
Updated dependencies [
6f97ef5,bab1f29,f2d9e4b]:- @clerk/shared@4.25.0
Fetched July 8, 2026

