fix(clerk-js,shared): Improve ticket and SSO types for Future APIs

[dstaley]

Description

This PR improves compatibility with tickets in the new SignInFuture and SignUpFuture APIs. It adds the following:

• Support for the password parameter when using signIn.create()
• Support for strategy: 'ticket' when using signIn.create()
• Support for the strategy parameter when using signUp.create()
• Support for the password parameter when using signUp.create()
• Support for reusing the current sign-in attempt when calling signIn.sso()

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[changeset-bot]

🦋 Changeset detected

Latest commit: 9b0f086

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/shared	Patch
@clerk/chrome-extension	Patch
@clerk/expo	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/react	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Apr 8, 2026 3:28pm

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8267

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8267

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8267

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8267

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8267

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8267

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8267

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8267

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8267

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8267

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8267

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8267

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8267

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8267

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8267

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8267

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8267

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8267

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8267

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8267

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8267

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8267

commit: 9b0f086

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a4f04831-b045-4894-8998-9970d1600696

📥 Commits

Reviewing files that changed from the base of the PR and between 12ffd7f and 9b0f086.

📒 Files selected for processing (1)

• .changeset/famous-needles-laugh.md

✅ Files skipped from review due to trivial changes (1)

• .changeset/famous-needles-laugh.md

---

📝 Walkthrough

Walkthrough

This pull request updates SignIn and SignUp resource implementations and their type definitions. In SignIn, creation is now conditional: _create is invoked only when the resource lacks an id. In SignUp, the request body is built into a local body object and the code now chooses __internal_basePatch when an id exists or __internal_basePost otherwise. Type files signInFuture.ts and signUpFuture.ts add an optional password field and expand strategy unions to include additional strategies (e.g., TicketStrategy, enterprise strategies).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main changes: improving ticket and SSO types for the Future APIs, which matches the substantial type additions and SSO logic improvements across multiple files.
Description check	✅ Passed	The description is directly related to the changeset, providing a clear bulleted list of the improvements made (password parameter support, ticket strategy support, and SSO reuse support) that align with the file-level changes shown in the raw summary.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/clerk-js/src/core/resources/SignIn.ts (1)

1128-1154: ⚠️ Potential issue | 🔴 Critical

identifier is dropped when sso() reuses an existing sign-in

Line 1128 reads identifier, but Lines 1148-1154 only send it through _create() when no id exists. If id already exists, identifier is never applied, which can break enterprise SSO targeting and reuse stale state.

Suggested fix

-      if (!this.#resource.id) {
+      if (!this.#resource.id || Boolean(identifier)) {
         await this._create({
           strategy,
           ...routes,
           identifier,
         });
       }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/clerk-js/src/core/resources/SignIn.ts` around lines 1128 - 1154, The
current flow only sends identifier to the server when creating a new SignIn via
this._create, so when this.#resource.id exists the identifier is dropped; modify
the logic after computing routes (and after popup wrapping) to ensure identifier
is applied for existing sign-ins by calling the existing update/patch method
(e.g., this._update or the internal update helper) with { identifier } when
this.#resource.id is present, so identifier is always sent whether creating
(this._create) or reusing an existing sign-in; keep the popup/wrapped routes
logic unchanged and only add the identifier update for the existing resource
case.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/clerk-js/src/core/resources/SignUp.ts`:
- Around line 1029-1045: Add unit/integration tests that cover both SSO request
branches introduced in SignUp.ts: one test ensuring when this.#resource.id is
present the code calls __internal_basePatch with the expected path and body
(existing-resource SSO flow), and another ensuring when this.#resource.id is
absent it calls __internal_basePost with the expected path and body
(new-resource SSO flow); locate the behavior around the id-dependent branching
and assert the correct method (__internal_basePatch vs __internal_basePost),
request path (this.#resource.pathRoot), and body contents (strategy, routes,
unsafeMetadata, oidcPrompt, enterpriseConnectionId, emailAddress, captchaToken,
captchaWidgetType, captchaError) are sent.

---

Outside diff comments:
In `@packages/clerk-js/src/core/resources/SignIn.ts`:
- Around line 1128-1154: The current flow only sends identifier to the server
when creating a new SignIn via this._create, so when this.#resource.id exists
the identifier is dropped; modify the logic after computing routes (and after
popup wrapping) to ensure identifier is applied for existing sign-ins by calling
the existing update/patch method (e.g., this._update or the internal update
helper) with { identifier } when this.#resource.id is present, so identifier is
always sent whether creating (this._create) or reusing an existing sign-in; keep
the popup/wrapped routes logic unchanged and only add the identifier update for
the existing resource case.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a203b9ab-0078-40a0-a968-1c8c503b9e06

📥 Commits

Reviewing files that changed from the base of the PR and between aa32bbc and 12ffd7f.

📒 Files selected for processing (4)

• packages/clerk-js/src/core/resources/SignIn.ts
• packages/clerk-js/src/core/resources/SignUp.ts
• packages/shared/src/types/signInFuture.ts
• packages/shared/src/types/signUpFuture.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add regression tests for the new SSO id-dependent request branching

Lines 1041-1045 changed request behavior (PATCH vs POST) based on existing id, but no tests are included in this PR context for these auth-path branches. Please add coverage for both existing-resource and new-resource SSO flows before merge.

As per coding guidelines "If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/clerk-js/src/core/resources/SignUp.ts` around lines 1029 - 1045, Add
unit/integration tests that cover both SSO request branches introduced in
SignUp.ts: one test ensuring when this.#resource.id is present the code calls
__internal_basePatch with the expected path and body (existing-resource SSO
flow), and another ensuring when this.#resource.id is absent it calls
__internal_basePost with the expected path and body (new-resource SSO flow);
locate the behavior around the id-dependent branching and assert the correct
method (__internal_basePatch vs __internal_basePost), request path
(this.#resource.pathRoot), and body contents (strategy, routes, unsafeMetadata,
oidcPrompt, enterpriseConnectionId, emailAddress, captchaToken,
captchaWidgetType, captchaError) are sent.

[wobsoriano]

looks good, left a question!

[wobsoriano]

So before this change, we always created a fresh SSO attempt here, even when a SignIn already existed?

[dstaley]

yes, in the new hooks (the previous hooks had this same "if existing, update, otherwise create" logic). I think the ticket flow is the only instance in which you'd want to SSO into an existing sign-in attempt.

[wobsoriano]

thanks!