releases.shpreview

Machine tokens in __session cookie now rejected

@clerk/backend@3.11.7

1 fixThis release1 fixBug fixesAI-tallied from the release notes
From the original release noteView original ↗

Patch Changes

  • Reject machine tokens (M2M and OAuth JWTs) presented in the __session cookie. Previously such a token could pass session verification and produce a signed-in state with the machine identity as userId, defeating if (userId) authorization checks. The cookie path now mirrors the existing header-path guard and returns a signed-out state for these tokens. (#9168) by @dominic-clerk

  • Updated dependencies [bcbdda6]:

    • @clerk/shared@4.25.5

Fetched July 16, 2026