
Instance-level organization RBAC APIs now available

@clerk/backend@3.6.0


Minor Changes

  • Add Backend API support for managing instance-level organization RBAC. createClerkClient() now exposes: (#8774) by @dmoerner
    • organizationPermissions — list, get, create, update, and delete organization permissions.
    • organizationRoles — list, get, create, update, and delete organization roles, plus assign/remove a permission to/from a role.
    • roleSets — list, get, create, update, add roles to, replace a role in, and replace a role set.

Patch Changes

  • Fix the return type of clerkClient.organizations.createOrganizationInvitationBulk() to PaginatedResourceResponse<OrganizationInvitation[]>. The Backend API returns the bulk-created invitations in a { data, totalCount } envelope (the same shape as getOrganizationInvitationList()), but the method was typed as OrganizationInvitation[], which did not match the value returned at runtime. (#8751) by @VihAMBR

  • Return IdPOAuthAccessToken timestamps in milliseconds when an OAuth access token is verified as a JWT. The expiration, createdAt, and updatedAt fields were previously populated with the JWT's raw second-based exp/iat values, making them inconsistent with the same fields on M2MToken and with the values returned when the token is fetched from the API. Comparing expiration against Date.now() now behaves as expected. The expired flag was already computed correctly and is unaffected. (#8771) by @jacekradko

  • Prevent an unhandled exception when verifying a machine token whose JWT payload has a missing or non-string sub. Such tokens are now classified and rejected with a typed verification error instead of throwing, so a crafted Authorization header can no longer surface as an unhandled error during request authentication. (#8744) by @jacekradko

  • Redact raw bearer credentials from the auth object's debug output. The debug payload (surfaced when an SDK enables middleware debug logging) previously included full session, machine, refresh, dev-browser and handshake tokens; each now exposes only a short, non-reconstructable prefix, matching how secretKey and jwtKey are already handled. (#8744) by @jacekradko
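The three token-handling fixes above (millisecond timestamps, the missing or non-string sub case, and prefix-only redaction for debug output) illustrated as one added standalone example; this is not Clerk's code, and every function name and the result shape are assumptions:

```javascript
// Decode a JWT's payload segment only; signature verification is assumed to
// have happened already (this helper lets the example run offline).
function decodePayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Classify the payload instead of throwing on malformed claims.
// Returns { ok: true, token } or { ok: false, reason } (assumed shape).
function classifyMachineToken(payload) {
  if (payload === null || typeof payload !== 'object') {
    return { ok: false, reason: 'token-invalid' };
  }
  // A missing or non-string `sub` is rejected with a typed reason rather than
  // letting later string operations on it throw an unhandled exception.
  if (typeof payload.sub !== 'string' || payload.sub.length === 0) {
    return { ok: false, reason: 'token-invalid-subject' };
  }
  if (typeof payload.exp !== 'number' || typeof payload.iat !== 'number') {
    return { ok: false, reason: 'token-invalid-timestamps' };
  }
  // exp/iat are seconds since the epoch; expose milliseconds so callers can
  // compare directly against Date.now().
  return {
    ok: true,
    token: { subject: payload.sub, expiration: payload.exp * 1000, createdAt: payload.iat * 1000 },
  };
}

// Redact a bearer credential for debug output: keep only a short prefix so the
// logged value cannot be used to reconstruct the token.
function redactToken(token, keep = 6) {
  if (typeof token !== 'string' || token.length === 0) return null;
  return `${token.slice(0, keep)}...`;
}

// Constructed, unsigned sample token for demonstration (placeholder signature).
function makeToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.placeholder-sig`;
}

const sample = decodePayload(makeToken({ sub: 'mt_example', exp: 1700000000, iat: 1699990000 }));
console.log(classifyMachineToken(sample), redactToken('mt_secret_value_do_not_log'));
```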

  • Add and improve JSDoc comments across public types and methods to support generated reference documentation for the /objects docs section. Exports a few previously-internal types (OnEventListener, OffEventListener, ClerkOptionsNavigation) so they can be referenced from the generated docs. (#8276) by @alexisintech

  • Updated dependencies [2d6670c, af706e3, 032632c, 0fece6f, b295af3, 8e1bd48]:

    • @clerk/shared@4.16.0

Fetched June 10, 2026