From 46904c70f490b07f04890491a26fc2a8d1ee1460 Mon Sep 17 00:00:00 2001
From: panteliselef <panteliselef@outlook.com>
Date: Thu, 6 Feb 2025 10:16:36 +0200
Subject: [PATCH 1/2] fix(nextjs): Pass keyless credentials to request data
 only missing explicit keys

---
 .changeset/chilled-starfishes-jam.md          |  5 +++++
 packages/nextjs/src/server/clerkMiddleware.ts | 17 +++++++++++++----
 packages/nextjs/src/server/utils.ts           |  6 +++---
 3 files changed, 21 insertions(+), 7 deletions(-)
 create mode 100644 .changeset/chilled-starfishes-jam.md

diff --git a/.changeset/chilled-starfishes-jam.md b/.changeset/chilled-starfishes-jam.md
new file mode 100644
index 00000000000..ba4de5b4aa9
--- /dev/null
+++ b/.changeset/chilled-starfishes-jam.md
@@ -0,0 +1,5 @@
+---
+'@clerk/nextjs': patch
+---
+
+Fixes the "Unable to verify request ..." error occured when switching keys from an application running on keyless and a regular claimed application and there is a user signed-in.
diff --git a/packages/nextjs/src/server/clerkMiddleware.ts b/packages/nextjs/src/server/clerkMiddleware.ts
index 32593989f71..afa3e1f8e34 100644
--- a/packages/nextjs/src/server/clerkMiddleware.ts
+++ b/packages/nextjs/src/server/clerkMiddleware.ts
@@ -201,10 +201,16 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]) => {
         setRequestHeadersOnNextResponse(handlerResult, clerkRequest, { [constants.Headers.EnableDebug]: 'true' });
       }
 
-      decorateRequest(clerkRequest, handlerResult, requestState, resolvedParams, {
-        publishableKey: keyless?.publishableKey,
-        secretKey: keyless?.secretKey,
-      });
+      const keylessKeysForRequestData =
+        // Only pass keyless credentials when there are no explicit keys
+        secretKey === keyless?.secretKey
+          ? {
+              publishableKey: keyless?.publishableKey,
+              secretKey: keyless?.secretKey,
+            }
+          : {};
+
+      decorateRequest(clerkRequest, handlerResult, requestState, resolvedParams, keylessKeysForRequestData);
 
       return handlerResult;
     });
@@ -219,7 +225,10 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]) => {
 
       const resolvedParams = typeof params === 'function' ? params(request) : params;
       const keyless = getKeylessCookieValue(name => request.cookies.get(name)?.value);
+
       const isMissingPublishableKey = !(resolvedParams.publishableKey || PUBLISHABLE_KEY || keyless?.publishableKey);
+
+      console.log('isMIssing', isMissingPublishableKey);
       /**
        * In keyless mode, if the publishable key is missing, let the request through, to render `<ClerkProvider/>` that will resume the flow gracefully.
        */
diff --git a/packages/nextjs/src/server/utils.ts b/packages/nextjs/src/server/utils.ts
index df09682bd8a..eb79bb83ffb 100644
--- a/packages/nextjs/src/server/utils.ts
+++ b/packages/nextjs/src/server/utils.ts
@@ -185,7 +185,7 @@ const KEYLESS_ENCRYPTION_KEY = 'clerk_keyless_dummy_key';
  **/
 export function encryptClerkRequestData(
   requestData: Partial<AuthenticateRequestOptions>,
-  keylessMode: Pick<AuthenticateRequestOptions, 'publishableKey' | 'secretKey'>,
+  keylessModeKeys: Pick<AuthenticateRequestOptions, 'publishableKey' | 'secretKey'>,
 ) {
   const isEmpty = (obj: Record<string, any> | undefined) => {
     if (!obj) {
@@ -194,7 +194,7 @@ export function encryptClerkRequestData(
     return !Object.values(obj).some(v => v !== undefined);
   };
 
-  if (isEmpty(requestData) && isEmpty(keylessMode)) {
+  if (isEmpty(requestData) && isEmpty(keylessModeKeys)) {
     return;
   }
 
@@ -211,7 +211,7 @@ export function encryptClerkRequestData(
     ? ENCRYPTION_KEY || assertKey(SECRET_KEY, () => errorThrower.throwMissingSecretKeyError())
     : ENCRYPTION_KEY || SECRET_KEY || KEYLESS_ENCRYPTION_KEY;
 
-  return AES.encrypt(JSON.stringify({ ...keylessMode, ...requestData }), maybeKeylessEncryptionKey).toString();
+  return AES.encrypt(JSON.stringify({ ...keylessModeKeys, ...requestData }), maybeKeylessEncryptionKey).toString();
 }
 
 /**

From f3c99face588d186230f3d8dd651142c850762dc Mon Sep 17 00:00:00 2001
From: panteliselef <panteliselef@outlook.com>
Date: Thu, 6 Feb 2025 10:46:34 +0200
Subject: [PATCH 2/2] cleanup

---
 packages/nextjs/src/server/clerkMiddleware.ts | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/packages/nextjs/src/server/clerkMiddleware.ts b/packages/nextjs/src/server/clerkMiddleware.ts
index afa3e1f8e34..17ddcfcf965 100644
--- a/packages/nextjs/src/server/clerkMiddleware.ts
+++ b/packages/nextjs/src/server/clerkMiddleware.ts
@@ -225,10 +225,7 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]) => {
 
       const resolvedParams = typeof params === 'function' ? params(request) : params;
       const keyless = getKeylessCookieValue(name => request.cookies.get(name)?.value);
-
       const isMissingPublishableKey = !(resolvedParams.publishableKey || PUBLISHABLE_KEY || keyless?.publishableKey);
-
-      console.log('isMIssing', isMissingPublishableKey);
       /**
        * In keyless mode, if the publishable key is missing, let the request through, to render `<ClerkProvider/>` that will resume the flow gracefully.
        */