fix(backend): Support storing multiple local keys in JWK cache #6993

nikosdouvlis · 2025-10-15T14:42:39Z

Description

Fixed JWT public key caching in verifyToken() to support multi-instance scenarios. Public keys are now correctly cached per kid from the token header instead of using a single shared cache key.

Changed loadClerkJWKFromLocal to loadClerkJwkFromPem for loading keys in PEM format.
Updated key loading logic in verifyHandshakeToken and verifyToken functions.
Enhanced caching mechanism to avoid collisions with remote keys by prefixing local keys with "local-".

Checklist

pnpm test runs as expected.
pnpm build runs as expected.
(If applicable) JSDoc comments have been added or updated for any package exports
(If applicable) Documentation has been updated

Type of change

Summary by CodeRabbit

Bug Fixes
- Fixed intermittent token verification failures in multi-instance deployments by isolating JWT key caching per key identifier.
- Improved reliability when different public keys are used across instances.
Refactor
- Consolidated key loading to consistently accept PEM-formatted keys.
- Improved TypeScript typings for clearer verification option shapes.
Tests
- Added tests covering cache isolation, repeated lookups, and mixed-key scenarios.

- Changed `loadClerkJWKFromLocal` to `loadClerkJwkFromPem` for loading keys in PEM format. - Updated key loading logic in `verifyHandshakeToken` and `verifyToken` functions. - Enhanced caching mechanism to avoid collisions with remote keys by prefixing local keys with "local-".

changeset-bot · 2025-10-15T14:42:45Z

🦋 Changeset detected

Latest commit: 18fdacd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 19 packages

Name	Type
@clerk/backend	Patch
@clerk/shared	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/remix	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-js	Patch
@clerk/elements	Patch
@clerk/expo-passkeys	Patch
@clerk/clerk-expo	Patch
@clerk/clerk-react	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel · 2025-10-15T14:42:48Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Oct 15, 2025 3:07pm

coderabbitai · 2025-10-15T14:42:53Z

Walkthrough

Updates JWT key loading and caching to use kid-scoped PEM-based keys and per-kid cache entries; replaces the local JWK loader with a PEM loader, updates verification and handshake flows, adjusts tests and fixtures, and adds a Simplify type re-export.

Changes

Cohort / File(s)	Summary
JWT key loading & verify `packages/backend/src/tokens/keys.ts`, `packages/backend/src/tokens/verify.ts`	Replaced local JWK loader with `loadClerkJwkFromPem({ kid, pem })`; cache keys are now per-kid (PEM entries prefixed `local-`). Remote JWKS loader accepts params object and caches each key by its own `kid`. `verifyToken` updated to use PEM loader, explicit `JsonWebKey`, and `Simplify` type.
Handshake `packages/backend/src/tokens/handshake.ts`	Switched from `loadClerkJWKFromLocal(jwtKey)` to `loadClerkJwkFromPem({ kid, pem: jwtKey })` and adjusted verify call to pass `key`.
Tests `packages/backend/src/tokens/__tests__/keys.test.ts`	Replaced local key loader usage with PEM-based loader; added tests for per-kid caching, cache identity, `local-` prefix collision avoidance, and distinct entries when `kid` differs. Added `MOCK_KID`.
Fixtures `packages/backend/src/fixtures/index.ts`	Updated exported `mockPEMJwk.kid` from `'local'` to `'local-test-kid'`.
Shared types `packages/shared/src/types/index.ts`, `packages/shared/src/types/utils.ts`	Added and exported `Simplify<T>` utility type; removed `_unstable_mock_type` export.
Changeset `.changeset/fix-multi-instance-jwt-caching.md`	Documented switch to kid-scoped JWT key caching for multi-instance deployments; no public signatures changed.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant Backend as verifyToken()
  participant Keys as keys.ts
  participant Cache as JWK Cache
  participant JWKS as Remote JWKS
  participant JWT as verifyJwt()

  Client->>Backend: verifyToken(token, { jwtKey?, kid, ... })
  alt jwtKey (PEM) provided
    Backend->>Keys: loadClerkJwkFromPem({ kid, pem })
    Keys->>Cache: get("local-" + kid)
    alt Cache hit
      Cache-->>Keys: JsonWebKey
    else Cache miss
      Keys->>Keys: parse PEM → build JWK (kid: "local-" + kid)
      Keys->>Cache: set("local-" + kid, JWK)
    end
    Keys-->>Backend: JsonWebKey
  else No PEM provided
    Backend->>Keys: loadClerkJWKFromRemote({ ..., kid })
    Keys->>Cache: get(kid)
    alt Cache hit
      Cache-->>Keys: JsonWebKey
    else Cache miss
      Keys->>JWKS: fetch JWKS
      JWKS-->>Keys: { keys[] }
      loop for each key
        Keys->>Cache: set(key.kid, key)
      end
      Keys->>Cache: get(kid)
    end
    Keys-->>Backend: JsonWebKey
  end
  Backend->>JWT: verifyJwt(token, { key })
  JWT-->>Backend: verification result
  Backend-->>Client: result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I stash each key by kid, neat and tight,
In burrows of cache, labeled just right.
From PEM I nibble, from JWKS I glean,
No more collisions in the meadow green.
Thump-thump! Multi-burrow sync at last. 🐇🔑

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly and concisely describes the primary backend change, specifically fixing the JWK cache to support multiple local keys per kid, which aligns with the pull request’s objectives and main implementation updates.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch nikos/load-local-pem-cache

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2299669 and 18fdacd.

📒 Files selected for processing (1)

packages/backend/src/tokens/handshake.ts (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

packages/backend/src/tokens/handshake.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Analyze (javascript-typescript)
GitHub Check: semgrep-cloud-platform/scan
GitHub Check: semgrep-cloud-platform/scan

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/backend/src/tokens/keys.ts (1)
52-86: Add explicit note about local- prefix in JSDoc

Enhance the existing JSDoc on loadClerkJwkFromPem to mention that the returned JWK’s kid is prefixed with "local-" to avoid cache collisions:
/**
 * Loads a local PEM key usually from process.env and transforms it to JsonWebKey format.
 * The result is cached on the module level to avoid unnecessary computations in subsequent invocations.
+ *
+ * Note: the returned JWK’s `kid` will be prefixed with "local-".  
+ * For example, passing `kid: "test"` yields `kid: "local-test"`.
 */

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1236c74 and 2299669.

📒 Files selected for processing (8)

.changeset/fix-multi-instance-jwt-caching.md (1 hunks)
packages/backend/src/fixtures/index.ts (1 hunks)
packages/backend/src/tokens/__tests__/keys.test.ts (2 hunks)
packages/backend/src/tokens/handshake.ts (3 hunks)
packages/backend/src/tokens/keys.ts (3 hunks)
packages/backend/src/tokens/verify.ts (3 hunks)
packages/shared/src/types/index.ts (1 hunks)
packages/shared/src/types/utils.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (11)

.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

.changeset/fix-multi-instance-jwt-caching.md

**/*.{js,jsx,ts,tsx}