Description
Preliminary Checks
- I have reviewed the documentation: https://clerk.com/docs
- I have searched for existing issues: https://github.com/clerk/javascript/issues
- I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)
- This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.
Reproduction
xxx
Publishable key
pk_test_Y3V0ZS1zd2luZS0yOS5jbGVyay5hY2NvdW50cy5kZXYk
Description
Clerk's keyless mode puts secret keys in client HTTP responses via React props serialization.
Even if these are "anonymous" keys, any code path that puts "secretKey":"sk_test_..." in browser responses is a fundamental security violation.
I understand the "developer experience vs security" tension, but this pattern seems destined to become tomorrow's zero-day exploit when someone finds a way to escalate anonymous keys or trigger real key exposure through the same code path.
Environment
Node
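The report above is about secret-key material being serialized into client HTTP responses. The following is an added example, not code from Clerk or from the issue reporter: a small Node.js scanner that a team could run over server-rendered HTML or JSON in an integration test or proxy to detect and redact any field whose value has the `sk_test_`/`sk_live_` secret-key shape. The sample response, the `__NEXT_DATA__`-style props blob, the field names and the key value are all constructed placeholders; nothing here is a real credential.

```javascript
// Added example, not Clerk's code: scan a client-bound response body for
// secret-key-shaped values that should never leave the server.

// Matches a JSON string field whose value looks like a Clerk-style secret key
// (sk_test_... or sk_live_...), capturing the field name and the value.
const SECRET_KEY_FIELD = /"([A-Za-z0-9_]+)"\s*:\s*"(sk_(?:test|live)_[A-Za-z0-9]+)"/g;

// Constructed SSR response with a serialized props blob. The secret key below
// is a fake placeholder made up for this example, not a real credential.
const SAMPLE_LEAKY_RESPONSE = [
  '<!doctype html><html><body>',
  '<script id="__NEXT_DATA__" type="application/json">',
  '{"props":{"pageProps":{"publishableKey":"pk_test_EXAMPLEONLY",',
  '"secretKey":"sk_test_abc123FAKEKEYxyz789"}}}',
  '</script></body></html>',
].join('\n');

// Same page carrying only the publishable key, which is designed to be public.
const SAMPLE_CLEAN_RESPONSE = SAMPLE_LEAKY_RESPONSE.replace(
  /,\s*"secretKey":"[^"]+"/,
  ''
);

// Mask a key for logging: keep the environment prefix and last four characters.
function maskKey(value) {
  const prefix = value.match(/^sk_(?:test|live)_/)[0];
  return `${prefix}...${value.slice(-4)}`;
}

// Scan a response body and return one finding per secret-key-shaped value.
// Findings never contain the full key, so they are safe to log or alert on.
function findLeakedSecretKeys(body) {
  const findings = [];
  for (const match of body.matchAll(SECRET_KEY_FIELD)) {
    findings.push({
      field: match[1],
      masked: maskKey(match[2]),
      offset: match.index,
    });
  }
  return findings;
}

// Defensive rewrite: replace any secret-key value with a redaction marker so
// the response can still be inspected without propagating the credential.
function redactSecretKeys(body) {
  return body.replace(SECRET_KEY_FIELD, (_m, field) => `"${field}":"[REDACTED]"`);
}

// Assert-style check for a test suite or middleware: throws on any leak,
// returns true when the body is clean.
function assertNoSecretKeys(body) {
  const findings = findLeakedSecretKeys(body);
  if (findings.length > 0) {
    const summary = findings
      .map((f) => `${f.field}=${f.masked}@${f.offset}`)
      .join(', ');
    throw new Error(`secret key material in client response: ${summary}`);
  }
  return true;
}

// Stand-alone usage: prints the masked findings for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findLeakedSecretKeys(SAMPLE_LEAKY_RESPONSE));
  console.log(assertNoSecretKeys(SAMPLE_CLEAN_RESPONSE));
}
```

The scanner keys on the value shape rather than on the field name `secretKey`, so a key serialized under a differently named prop is still caught; wiring `assertNoSecretKeys` into an SSR integration test gives a regression check that fails the build before a response like the one described in the report reaches a browser.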