feat(backend,nextjs,remix,clerk-sdk-node): Support new secretKey prop

Add support for the new secretKey prop & CLERK_SECRET_KEY env variable and flag the old apiKey as deprecated

Author: chanioxaris

packages/backend/src/api/factory.ts

@@ -16,8 +16,13 @@ import {
 import { buildRequest } from './request';
 
 export type CreateBackendApiOptions = {
-  /* Backend API key */
-  apiKey: string;
+  /**
+   * Backend API key
+   * @deprecated Use `secretKey` instead.
+   */
+  apiKey?: string;
+  /* Secret Key */
+  secretKey?: string;
   /* Backend API URL */
   apiUrl?: string;
   /* Backend API version */

packages/backend/src/api/request.ts

@@ -62,12 +62,21 @@ const withLegacyReturn =
 
 export function buildRequest(options: CreateBackendApiOptions) {
   const request = async <T>(requestOptions: ClerkBackendApiRequestOptions): Promise<ClerkBackendApiResponse<T>> => {
-    const { apiKey, apiUrl = API_URL, apiVersion = API_VERSION, userAgent = USER_AGENT, httpOptions = {} } = options;
+    const {
+      apiKey,
+      secretKey,
+      apiUrl = API_URL,
+      apiVersion = API_VERSION,
+      userAgent = USER_AGENT,
+      httpOptions = {},
+    } = options;
     const { path, method, queryParams, headerParams, bodyParams } = requestOptions;
 
-    if (!apiKey) {
+    const key = secretKey || apiKey;
+
+    if (!key) {
       throw Error(
-        'Missing Clerk API Key. Go to https://dashboard.clerk.dev and get your Clerk API Key for your instance.',
+        'Missing Clerk Secret Key or API Key. Go to https://dashboard.clerk.dev and get your key for your instance.',
       );
     }
 
@@ -90,7 +99,7 @@ export function buildRequest(options: CreateBackendApiOptions) {
 
     // Build headers
     const headers = {
-      Authorization: `Bearer ${apiKey}`,
+      Authorization: `Bearer ${key}`,
       'Content-Type': 'application/json',
       'Clerk-Backend-SDK': userAgent,
       ...headerParams,

packages/backend/src/tokens/authObjects.ts

@@ -8,7 +8,11 @@ type CreateAuthObjectDebug = (data?: AuthObjectDebugData) => AuthObjectDebug;
 type AuthObjectDebug = () => unknown;
 
 export type SignedInAuthObjectOptions = {
-  apiKey: string;
+  /**
+   * @deprecated Use `secretKey` instead.
+   */
+  apiKey?: string;
+  secretKey?: string;
   apiUrl: string;
   apiVersion: string;
   token: string;
@@ -71,10 +75,11 @@ export function signedInAuthObject(
     org_slug: orgSlug,
     sub: userId,
   } = sessionClaims;
-  const { apiKey, apiUrl, apiVersion, token, session, user, organization } = options;
+  const { apiKey, secretKey, apiUrl, apiVersion, token, session, user, organization } = options;
 
   const { sessions } = createBackendApiClient({
     apiKey,
+    secretKey,
     apiUrl,
     apiVersion,
   });

packages/backend/src/tokens/errors.ts

@@ -25,7 +25,7 @@ export enum TokenVerificationErrorAction {
   ContactSupport = 'Contact support@clerk.dev',
   EnsureClerkJWT = 'Make sure that this is a valid Clerk generate JWT.',
   SetClerkJWTKey = 'Set the CLERK_JWT_KEY environment variable.',
-  SetClerkAPIKey = 'Set the CLERK_API_KEY environment variable.',
+  SetClerkSecretKeyOrAPIKey = 'Set the CLERK_SECRET_KEY or CLERK_API_KEY environment variable.',
 }
 
 export class TokenVerificationError extends Error {

packages/backend/src/tokens/factory.ts

@@ -14,7 +14,10 @@ import {
 
 export type CreateAuthenticateRequestOptions = {
   options: Partial<
-    Pick<AuthenticateRequestOptions, 'apiKey' | 'apiUrl' | 'apiVersion' | 'frontendApi' | 'publishableKey' | 'jwtKey'>
+    Pick<
+      AuthenticateRequestOptions,
+      'apiKey' | 'secretKey' | 'apiUrl' | 'apiVersion' | 'frontendApi' | 'publishableKey' | 'jwtKey'
+    >
   >;
   apiClient: ApiClient;
 };
@@ -23,6 +26,7 @@ export function createAuthenticateRequest(params: CreateAuthenticateRequestOptio
   const { apiClient } = params;
   const {
     apiKey: buildtimeApiKey = '',
+    secretKey: buildtimeSecretKey = '',
     jwtKey: buildtimeJwtKey = '',
     apiUrl = API_URL,
     apiVersion = API_VERSION,
@@ -32,6 +36,7 @@ export function createAuthenticateRequest(params: CreateAuthenticateRequestOptio
 
   const authenticateRequest = ({
     apiKey: runtimeApiKey,
+    secretKey: runtimeSecretKey,
     frontendApi: runtimeFrontendApi,
     publishableKey: runtimePublishableKey,
     jwtKey: runtimeJwtKey,
@@ -40,6 +45,7 @@ export function createAuthenticateRequest(params: CreateAuthenticateRequestOptio
     return authenticateRequestOriginal({
       ...rest,
       apiKey: runtimeApiKey || buildtimeApiKey,
+      secretKey: runtimeSecretKey || buildtimeSecretKey,
       apiUrl,
       apiVersion,
       frontendApi: runtimeFrontendApi || buildtimeFrontendApi,

packages/backend/src/tokens/keys.ts

@@ -89,12 +89,21 @@ export type LoadClerkJWKFromRemoteOptions = {
 } & (
   | {
       apiKey: string;
+      secretKey?: never;
       apiUrl?: string;
       apiVersion?: string;
       issuer?: never;
     }
   | {
       apiKey?: never;
+      secretKey: string;
+      apiUrl?: string;
+      apiVersion?: string;
+      issuer?: never;
+    }
+  | {
+      apiKey?: never;
+      secretKey?: never;
       apiUrl?: never;
       apiVersion?: never;
       issuer: string;
@@ -116,6 +125,7 @@ export type LoadClerkJWKFromRemoteOptions = {
  */
 export async function loadClerkJWKFromRemote({
   apiKey,
+  secretKey,
   apiUrl,
   apiVersion,
   issuer,
@@ -125,9 +135,10 @@ export async function loadClerkJWKFromRemote({
 }: LoadClerkJWKFromRemoteOptions): Promise<JsonWebKey> {
   if (skipJwksCache || !getFromCache(kid)) {
     let fetcher;
+    const key = secretKey || apiKey || '';
 
     if (apiUrl) {
-      fetcher = () => fetchJWKSFromBAPI(apiUrl, apiKey, apiVersion);
+      fetcher = () => fetchJWKSFromBAPI(apiUrl, key, apiVersion);
     } else if (issuer) {
       fetcher = () => fetchJWKSFromFAPI(issuer);
     } else {
@@ -181,11 +192,12 @@ async function fetchJWKSFromFAPI(issuer: string) {
   return response.json();
 }
 
-async function fetchJWKSFromBAPI(apiUrl: string = API_URL, apiKey: string, apiVersion: string = API_VERSION) {
-  if (!apiKey) {
+async function fetchJWKSFromBAPI(apiUrl: string = API_URL, key: string, apiVersion: string = API_VERSION) {
+  if (!key) {
     throw new TokenVerificationError({
-      action: TokenVerificationErrorAction.SetClerkAPIKey,
-      message: 'Missing Clerk API Key. Go to https://dashboard.clerk.dev and get your Clerk API Key for your instance.',
+      action: TokenVerificationErrorAction.SetClerkSecretKeyOrAPIKey,
+      message:
+        'Missing Clerk Secret Key or API Key. Go to https://dashboard.clerk.dev and get your key for your instance.',
       reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad,
     });
   }
@@ -195,7 +207,7 @@ async function fetchJWKSFromBAPI(apiUrl: string = API_URL, apiKey: string, apiVe
 
   const response = await runtime.fetch(url.href, {
     headers: {
-      Authorization: `Bearer ${apiKey}`,
+      Authorization: `Bearer ${key}`,
       'Content-Type': 'application/json',
     },
   });

packages/backend/src/tokens/request.ts

@@ -20,7 +20,9 @@ export type LoadResourcesOptions = {
   loadOrganization?: boolean;
 };
 
-export type RequiredVerifyTokenOptions = Required<Pick<VerifyTokenOptions, 'apiKey' | 'apiUrl' | 'apiVersion'>>;
+export type RequiredVerifyTokenOptions = Required<
+  Pick<VerifyTokenOptions, 'apiKey' | 'secretKey' | 'apiUrl' | 'apiVersion'>
+>;
 
 export type OptionalVerifyTokenOptions = Partial<
   Pick<VerifyTokenOptions, 'authorizedParties' | 'clockSkewInSeconds' | 'jwksCacheTtlInMs' | 'skipJwksCache' | 'jwtKey'>
@@ -192,6 +194,7 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
 
     const {
       apiKey,
+      secretKey,
       apiUrl,
       apiVersion,
       cookieToken,
@@ -203,7 +206,12 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
       loadOrganization,
     } = options;
 
-    const { sessions, users, organizations } = createBackendApiClient({ apiKey, apiUrl, apiVersion });
+    const { sessions, users, organizations } = createBackendApiClient({
+      apiKey,
+      secretKey,
+      apiUrl,
+      apiVersion,
+    });
 
     const [sessionResp, userResp, organizationResp] = await Promise.all([
       loadSession ? sessions.getSession(sessionId) : Promise.resolve(undefined),
@@ -222,6 +230,7 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
       sessionClaims,
       {
         apiKey,
+        secretKey,
         apiUrl,
         apiVersion,
         token: cookieToken || headerToken || '',
@@ -289,8 +298,9 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
   // prevent interstitial rendering
   // In production, script requests will be missing both uat and session cookies, which will be
   // automatically treated as signed out. This exception is needed for development, because the any // missing uat throws an interstitial in development.
-  const nonBrowserRequestInDevRule: InterstitialRule = ({ apiKey, userAgent }) => {
-    if (isDevelopmentFromApiKey(apiKey) && !userAgent?.startsWith('Mozilla/')) {
+  const nonBrowserRequestInDevRule: InterstitialRule = ({ apiKey, secretKey, userAgent }) => {
+    const key = secretKey || apiKey;
+    if (isDevelopmentFromApiKey(key) && !userAgent?.startsWith('Mozilla/')) {
       return signedOut(RequestErrorReason.HeaderMissingNonBrowser);
     }
     return undefined;
@@ -319,8 +329,10 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
     return undefined;
   };
 
-  const potentialFirstLoadInDevWhenUATMissing: InterstitialRule = ({ apiKey, clientUat }) => {
-    const res = isDevelopmentFromApiKey(apiKey);
+  const potentialFirstLoadInDevWhenUATMissing: InterstitialRule = ({ apiKey, secretKey, clientUat }) => {
+    const key = secretKey || apiKey;
+
+    const res = isDevelopmentFromApiKey(key);
     if (res && !clientUat) {
       return interstitial(RequestErrorReason.CookieUATMissing);
     }
@@ -329,6 +341,7 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
 
   const potentialRequestAfterSignInOrOurFromClerkHostedUiInDev: InterstitialRule = ({
     apiKey,
+    secretKey,
     referrer,
     host,
     forwardedHost,
@@ -338,15 +351,23 @@ export async function authenticateRequest(options: AuthenticateRequestOptions):
     const crossOriginReferrer =
       referrer &&
       checkCrossOrigin({ originURL: new URL(referrer), host, forwardedHost, forwardedPort, forwardedProto });
+    const key = secretKey || apiKey;
 
-    if (isDevelopmentFromApiKey(apiKey) && crossOriginReferrer) {
+    if (isDevelopmentFromApiKey(key) && crossOriginReferrer) {
       return interstitial(RequestErrorReason.CrossOriginReferrer);
     }
     return undefined;
   };
 
-  const potentialFirstRequestOnProductionEnvironment: InterstitialRule = ({ apiKey, clientUat, cookieToken }) => {
-    if (isProductionFromApiKey(apiKey) && !clientUat && !cookieToken) {
+  const potentialFirstRequestOnProductionEnvironment: InterstitialRule = ({
+    apiKey,
+    secretKey,
+    clientUat,
+    cookieToken,
+  }) => {
+    const key = secretKey || apiKey;
+
+    if (isProductionFromApiKey(key) && !clientUat && !cookieToken) {
       return signedOut(RequestErrorReason.CookieAndUATMissing);
     }
     return undefined;

packages/backend/src/tokens/verify.ts

@@ -12,12 +12,13 @@ export type VerifyTokenOptions = Pick<
   'authorizedParties' | 'audience' | 'issuer' | 'clockSkewInSeconds'
 > & { jwtKey?: string } & Pick<
     LoadClerkJWKFromRemoteOptions,
-    'apiKey' | 'apiUrl' | 'apiVersion' | 'jwksCacheTtlInMs' | 'skipJwksCache'
+    'apiKey' | 'secretKey' | 'apiUrl' | 'apiVersion' | 'jwksCacheTtlInMs' | 'skipJwksCache'
   >;
 
 export async function verifyToken(token: string, options: VerifyTokenOptions): Promise<JwtPayload> {
   const {
     apiKey,
+    secretKey,
     apiUrl,
     apiVersion,
     authorizedParties,
@@ -35,20 +36,16 @@ export async function verifyToken(token: string, options: VerifyTokenOptions): P
 
   if (jwtKey) {
     key = loadClerkJWKFromLocal(jwtKey);
-  } else if (apiKey) {
+  } else if (apiKey || secretKey) {
     // TODO: Fetch JWKS from Frontend API instead of Backend API
     //
     // Currently JWKS are fetched from Backend API without using the JWT issuer. This should change
     // with the new Backend key format so that the API Key is not required for token verification and
     // the jwks retrieval is driven from the current JWT header.
-    key = await loadClerkJWKFromRemote({
-      apiUrl,
-      apiKey,
-      apiVersion,
-      kid,
-      jwksCacheTtlInMs,
-      skipJwksCache,
-    });
+    const opts = apiKey
+      ? ({ apiUrl, apiKey, apiVersion, kid, jwksCacheTtlInMs, skipJwksCache } as LoadClerkJWKFromRemoteOptions)
+      : ({ apiUrl, secretKey, apiVersion, kid, jwksCacheTtlInMs, skipJwksCache } as LoadClerkJWKFromRemoteOptions);
+    key = await loadClerkJWKFromRemote(opts);
   } else {
     throw new TokenVerificationError({
       action: TokenVerificationErrorAction.SetClerkJWTKey,

packages/nextjs/src/middleware/utils/authenticateRequest.ts

@@ -1,6 +1,6 @@
 import { GetServerSidePropsContext } from 'next';
 
-import { API_KEY, clerkClient, FRONTEND_API, PUBLISHABLE_KEY } from '../../server';
+import { API_KEY, clerkClient, FRONTEND_API, PUBLISHABLE_KEY, SECRET_KEY } from '../../server';
 import { WithServerSideAuthOptions } from '../types';
 
 /**
@@ -15,6 +15,7 @@ export async function authenticateRequest(ctx: GetServerSidePropsContext, opts:
   return clerkClient.authenticateRequest({
     ...opts,
     apiKey: API_KEY,
+    secretKey: SECRET_KEY,
     frontendApi: FRONTEND_API,
     publishableKey: PUBLISHABLE_KEY,
     cookieToken,

packages/nextjs/src/server/clerk.ts

@@ -2,7 +2,8 @@ import { Clerk } from '@clerk/backend';
 
 export const API_URL = process.env.CLERK_API_URL || 'https://api.clerk.dev';
 export const API_VERSION = process.env.CLERK_API_VERSION || 'v1';
-export const API_KEY = process.env.CLERK_SECRET_KEY || process.env.CLERK_API_KEY || '';
+export const API_KEY = process.env.CLERK_API_KEY || '';
+export const SECRET_KEY = process.env.CLERK_SECRET_KEY || '';
 export const FRONTEND_API = process.env.NEXT_PUBLIC_CLERK_FRONTEND_API || '';
 export const PUBLISHABLE_KEY = process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY || '';
 

packages/nextjs/src/server/withClerkMiddleware.ts

@@ -3,7 +3,7 @@ import { NextMiddleware, NextMiddlewareResult } from 'next/dist/server/web/types
 import { NextFetchEvent, NextRequest, NextResponse } from 'next/server';
 
 import { constants as nextConstants } from '../constants';
-import { API_KEY, API_URL, clerkClient, FRONTEND_API, PUBLISHABLE_KEY } from './clerk';
+import { API_KEY, API_URL, clerkClient, FRONTEND_API, PUBLISHABLE_KEY, SECRET_KEY } from './clerk';
 import {
   getCookie,
   nextJsVersionCanOverrideRequestHeaders,
@@ -32,8 +32,8 @@ export const withClerkMiddleware: WithClerkMiddleware = (...args: unknown[]) =>
 
     const requestState = await clerkClient.authenticateRequest({
       ...opts,
-      // TODO: Make apiKey optional
       apiKey: API_KEY,
+      secretKey: SECRET_KEY,
       frontendApi: FRONTEND_API,
       publishableKey: PUBLISHABLE_KEY,
       cookieToken,

packages/remix/src/errors.ts

@@ -66,8 +66,8 @@ export const loader: LoaderFunction = args => rootAuthLoader(args, ({ auth }) =>
 })
 `);
 
-export const noApiKeyError = createErrorMessage(`
-A secretKey must be provided in order to use SSR and the exports from @clerk/remix/api.');
-If your runtime supports environment variables, you can add a CLERK_SECRET_KEY variable to your config.
+export const noSecretKeyOrApiKeyError = createErrorMessage(`
+A secretKey or apiKey must be provided in order to use SSR and the exports from @clerk/remix/api.');
+If your runtime supports environment variables, you can add a CLERK_SECRET_KEY or CLERK_API_KEY variable to your config.
 Otherwise, you can pass a secretKey parameter to rootAuthLoader or getAuth.
 `);