feat(backend,nextjs): Add support for M2M JWT creation and verification

[wobsoriano]

Description

Cherry-picked from Core 2 PR #7883

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Added JWT-format support for machine-to-machine (M2M) tokens with local verification and custom claims.

• Bug Fixes / Behavior

  • Endpoints now reject machine tokens when only session tokens are accepted, preventing token-type misclassification.
  • Improved JWT-based machine token detection and routing for verification.

• Tests

  • Expanded test coverage for M2M creation, JWT verification, routing, and edge/error cases.

[changeset-bot]

🦋 Changeset detected

Latest commit: 13609a6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Feb 28, 2026 2:10am

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7955

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7955

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7955

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7955

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7955

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7955

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7955

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7955

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7955

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7955

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@7955

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7955

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7955

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7955

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7955

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7955

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7955

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7955

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7955

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7955

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7955

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7955

commit: 13609a6

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds JWT-format support for M2M tokens alongside opaque tokens: new M2MTokenFormat, token creation now accepts tokenFormat, and M2MToken.fromJwtPayload constructs tokens from JWT claims. Introduces local JWT verification utilities (verifyMachineJwt.ts) and routes verification via verifyM2MJwt/verifyOAuthJwt. Token detection expanded with isM2MJwt and isMachineJwt. Backend factory and M2MTokenApi constructor signatures updated to accept JWT-related options. Removes two internal exports, changes M2M id prefixes from m2m_ to mt_, tightens session-only endpoint handling for machine tokens, and adds extensive tests.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding M2M JWT creation and verification support across backend and nextjs packages.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/backend/src/jwt/verifyMachineJwt.ts`:
- Line 89: The JWT header's `kid` must be validated before calling
resolveKeyAndVerifyJwt to avoid using undefined keys; in both verifyM2MJwt and
verifyOAuthJwt check that decoded.header.kid is a non-empty string and
throw/return a clear error (e.g., "missing JWT kid in header") if absent,
preventing downstream cache lookups like
loadClerkJwkFromPem/loadClerkJWKFromRemote from receiving `undefined`; update
the call sites that currently pass decoded.header.kid to first validate and fail
fast with a descriptive error when the kid is missing.

In `@packages/backend/src/tokens/verify.ts`:
- Around line 264-266: The code calls decodedResult.payload.sub.startsWith(...)
which can throw if sub is undefined or not a string; update the conditional in
the verify flow (the branch that currently checks M2M_SUBJECT_PREFIX) to first
ensure typeof decodedResult.payload.sub === 'string' (or use the existing
isM2MJwt type guard from machine.ts) before calling startsWith, and only call
verifyM2MJwt(token, decodedResult, options) when that guard passes; otherwise
fall through to the non-M2M verification path.

---

ℹ️ Review info

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 21c96e8 and 50e64c0.

📒 Files selected for processing (25)

• .changeset/clever-ways-raise.md
• integration/tests/machine-auth/m2m.test.ts
• packages/backend/src/__tests__/exports.test.ts
• packages/backend/src/api/__tests__/M2MTokenApi.test.ts
• packages/backend/src/api/endpoints/M2MTokenApi.ts
• packages/backend/src/api/factory.ts
• packages/backend/src/api/resources/M2MToken.ts
• packages/backend/src/api/resources/__tests__/M2MToken.test.ts
• packages/backend/src/errors.ts
• packages/backend/src/fixtures/index.ts
• packages/backend/src/fixtures/machine.ts
• packages/backend/src/internal.ts
• packages/backend/src/jwt/verifyMachineJwt.ts
• packages/backend/src/tokens/__tests__/authObjects.test.ts
• packages/backend/src/tokens/__tests__/machine.test.ts
• packages/backend/src/tokens/__tests__/verify.test.ts
• packages/backend/src/tokens/machine.ts
• packages/backend/src/tokens/request.ts
• packages/backend/src/tokens/verify.ts
• packages/express/src/__tests__/getAuth.test.ts
• packages/fastify/src/__tests__/getAuth.test.ts
• packages/nextjs/src/server/__tests__/clerkMiddleware.test.ts
• packages/nextjs/src/server/__tests__/getAuthDataFromRequest.test.ts
• packages/nextjs/src/server/data/getAuthDataFromRequest.ts
• packages/nextjs/src/server/protect.ts

💤 Files with no reviewable changes (1)

• packages/backend/src/tests/exports.test.ts

[wobsoriano]

changeset available in core 2