User email/phone replacement endpoints added; request body consumption fixed

@clerk/backend@3.5.0

Minor Changes

  • Add support for new Backend API user endpoints: (#8694) by @dmoerner
    • users.replaceUserEmailAddress(userId, { emailAddress }) replaces all of a user's email addresses with a single verified, primary email address (PUT /users/{user_id}/email_address).
    • users.replaceUserPhoneNumber(userId, { phoneNumber }) replaces all of a user's phone numbers with a single verified, primary phone number (PUT /users/{user_id}/phone_number).
    • users.createUser now accepts banned and locked parameters to create a user that is already banned or locked.

Patch Changes

  • Emit the "session token from cookie is missing the azp claim" warning once per process instead of on every authenticated request. An azp-less cookie token is reused across requests, so the previous unguarded console.warn could flood production logs. (#8698) by @jacekradko

  • Stop authenticateRequest from consuming the incoming request body, which previously left downstream handlers unable to read it (for example a Hono POST route calling c.req.json()). (#8708) by @jacekradko

  • Prevent keyless mode from activating in CI and other automated environments in framework SDKs. (#8676) by @mwickett

  • Preserve custom claims when verifying JWT-format M2M tokens. M2MToken.fromJwtPayload previously hardcoded claims to null, so client.m2m.verify() (and request-level auth()) dropped any custom claims embedded in the token. Custom claims are now reconstructed from the verified payload by stripping only the structural claims the backend adds when minting the token (iss, sub, exp, nbf, iat, jti). User-supplied claims such as aud are preserved. Tokens without custom claims still return claims: null, consistent with the opaque-token path. (#8697) by @jacekradko

  • Strip private_metadata from the backend resource _raw payload in stripPrivateDataFromObject, preventing it from leaking into __clerk_ssr_state when a User/Organization resource is passed to buildClerkProps. (#8702) by @dominic-clerk

  • Updated dependencies [afb75e6, c3df67a, 86fd38f, 8d6bb56, 43dfefa, 5fc7b21, c2ba134]:

    • @clerk/shared@4.15.0
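
The custom-claim reconstruction described in the M2M token fix above, as an added example that is not code from @clerk/backend. The names `customClaimsFromPayload` and `canWriteInvoices` and the sample payloads are hypothetical, and the payload is assumed to have already passed signature verification.

```javascript
// Added illustration, not the @clerk/backend source. All names are hypothetical.
// Structural claims the release note lists as added by the backend when minting.
const STRUCTURAL_CLAIMS = new Set(['iss', 'sub', 'exp', 'nbf', 'iat', 'jti']);

// Rebuild custom claims from an already-verified JWT payload.
// Returns null when only structural claims are present, matching the
// opaque-token path described in the release note.
function customClaimsFromPayload(verifiedPayload) {
  const claims = {};
  for (const [name, value] of Object.entries(verifiedPayload)) {
    if (!STRUCTURAL_CLAIMS.has(name)) claims[name] = value;
  }
  return Object.keys(claims).length > 0 ? claims : null;
}

// Hypothetical downstream authorization check that relies on custom claims.
// With claims hardcoded to null (the pre-fix behaviour) it always denies.
function canWriteInvoices(claims) {
  return (
    claims !== null &&
    claims.aud === 'billing-api' &&
    Array.isArray(claims.permissions) &&
    claims.permissions.includes('invoices:write')
  );
}

// Constructed sample payloads (not real tokens).
const structural = {
  iss: 'https://issuer.example',
  sub: 'machine_constructed',
  exp: 1900000000,
  nbf: 1800000000,
  iat: 1800000000,
  jti: 'constructed-token-id',
};
const withCustomClaims = {
  ...structural,
  aud: 'billing-api', // user-supplied, so it is preserved
  permissions: ['invoices:write'],
};

console.log(customClaimsFromPayload(withCustomClaims));
console.log(customClaimsFromPayload(structural));
console.log(canWriteInvoices(customClaimsFromPayload(withCustomClaims)));
```

Services that authorize on M2M custom claims should confirm their checks fail closed on `claims: null`, since that value is still returned for tokens without custom claims.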

Fetched June 3, 2026
