fix(clerk-js): Do not treat 429 responses as authentication failures

[brkalow]

Summary

429 (Too Many Requests) responses were being caught by is4xxError and triggering handleUnauthenticated, which signs the user out. This caused a cascading failure pattern observed in production telemetry for a customer.

1. Token fetch fails with a legitimate 4xx (e.g. authentication_invalid)
2. handleUnauthenticated fires and calls /touch to recover
3. /touch returns 429 (rate limited)
4. 429 triggers handleUnauthenticated again (treated as auth failure)
5. Each retry hits 429 → infinite loop (30+ retries in 11 seconds observed)
6. User gets forcibly redirected to sign-in

Changes

• @clerk/shared: Add is429Error helper alongside existing is4xxError
• AuthCookieService.handleGetTokenError: Exclude 429 from triggering handleUnauthenticated — fall through to degraded status instead
• Clerk.setActive: Exclude 429 from triggering handleUnauthenticated, and also don't re-throw (swallow like other transient errors)
• Clerk.#touchCurrentSession: Exclude 429 from triggering handleUnauthenticated
• Session.getToken retry logic: Allow 429 to be retried with exponential backoff instead of immediately giving up (was blocked by is4xxError in shouldRetry)

Telemetry evidence (7-day window)

Event	Count
handleUnauthenticated triggered	650 (285 unique sessions)
/touch returning 429	Majority of request failed errors during cascades
Top offending session	59 handleUnauthenticated events from a single session

Test plan

• is429Error unit tests pass (true for 429, false for all other statuses including null/undefined)
• is4xxError unit tests pass (still returns true for 429 — no breaking change)
• All 59 Session tests pass
• All 488 clerk-js core tests pass (36 test files)
• Verify in staging that 429 from /touch no longer triggers sign-out
• Monitor telemetry for reduction in handleUnauthenticated triggered events

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Fixed handling of rate-limit (HTTP 429) responses so they no longer trigger sign-out; clients now enter a degraded state and retry, preserving signed-in sessions and avoiding recursive unauthenticated loops.

• Tests

  • Added resiliency tests covering 429 rate-limit scenarios and unauthenticated-edge cases to ensure stable runtime behavior under high traffic.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 6, 2026 9:03pm

[changeset-bot]

🦋 Changeset detected

Latest commit: f11e4d4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/shared	Patch
@clerk/chrome-extension	Patch
@clerk/expo	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/react	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8004

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8004

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8004

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8004

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8004

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8004

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8004

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8004

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8004

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8004

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8004

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8004

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8004

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8004

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8004

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8004

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8004

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8004

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8004

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8004

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8004

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8004

commit: f11e4d4

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds two predicates, is429Error and isUnauthenticatedError, to shared error helpers and re-exports them. Call sites in AuthCookieService, clerk.ts, and Session.ts now use isUnauthenticatedError instead of a generic 4xx check so HTTP 429 responses are treated as rate-limited (degraded/retryable). A changeset documenting the fix was added. Integration tests were added for 429 resiliency and related unauthenticated scenarios.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: preventing 429 rate-limit responses from being treated as authentication failures, which is the core fix across all modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/clerk-js/src/core/clerk.ts`:
- Around line 1599-1602: setActive can still fail when newSession?.getToken()
throws a 429 because the current catch rethrows 429; change the getToken catch
so 429 is not rethrown — treat 429 like the throttling case and swallow it (or
route to the same non-throw handling) instead of throwing. Concretely, update
the catch around newSession?.getToken() in setActive/__internal_touch so that
you only rethrow for errors that are neither 4xx nor is429Error(e) (use
is4xxError(e) and is429Error(e) checks) and call this.handleUnauthenticated()
for 4xx errors as before; ensure is429Error(e) branch does not rethrow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: ac8cf484-1b7b-4811-9fc5-d1ebe64b67f2

📥 Commits

Reviewing files that changed from the base of the PR and between 79d0ecf and 3a4ea45.

📒 Files selected for processing (7)

• .changeset/fix-429-unauthenticated.md
• packages/clerk-js/src/core/auth/AuthCookieService.ts
• packages/clerk-js/src/core/clerk.ts
• packages/clerk-js/src/core/resources/Session.ts
• packages/shared/src/__tests__/error.spec.ts
• packages/shared/src/error.ts
• packages/shared/src/errors/helpers.ts

[jacekradko]

Nice!

[jacekradko]

I like it! Definitely a more correct approach to handling various 4XX status codes.