Machine tokens in __session cookie now rejected
@clerk/backend@3.11.7
Patch Changes
-
Reject machine tokens (M2M and OAuth JWTs) presented in the
__sessioncookie. Previously such a token could pass session verification and produce a signed-in state with the machine identity asuserId, defeatingif (userId)authorization checks. The cookie path now mirrors the existing header-path guard and returns a signed-out state for these tokens. (#9168) by @dominic-clerk -
Updated dependencies [
bcbdda6]:- @clerk/shared@4.25.5
Fetched July 16, 2026

