feat(js): add clerk.oauthApplication.getConsentInfo

[jfoshee]

Description

Part of USER-3968

This is the first step in packaging/componentizing our OAuth Consent component. We have a couple primary SDK functions we need: fetching consent info, and posting the user's consent choice.

Separate PRs will add the hooks and other necessary functions. I wanted to start with something small to make sure I am using a good pattern.

I also did a manual test of this function in a local project. I can share that if needed.

Considerations

Is OAuthApplication a good name for the Resource? Or should it be just OAuth as was also suggested?

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Apr 9, 2026 7:06pm

[changeset-bot]

🦋 Changeset detected

Latest commit: d623ef1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages

Name	Type
@clerk/clerk-js	Minor
@clerk/react	Minor
@clerk/shared	Minor
@clerk/chrome-extension	Patch
@clerk/expo	Patch
@clerk/nextjs	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nuxt	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds OAuth consent support: new OAuthApplication resource with fetchConsentInfo(params) that GETs /me/oauth/consent/{oauthClientId} (optional scope) and returns normalized consent metadata (application name/logo/url, clientId, state, scopes). Introduces shared TypeScript types (oauthApplication.ts) and re-exports them, exposes an oauthApplication namespace on the Clerk core and IsomorphicClerk, adds Vitest tests covering success, envelope normalization, error, and offline cases, and includes a changeset for a minor release.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title mentions 'getConsentInfo' but the actual implementation uses 'fetchConsentInfo' throughout the codebase; this is misleading and does not match the primary change.	Update the PR title to 'feat(js): add clerk.oauthApplication.fetchConsentInfo' to accurately reflect the method name implemented in the changeset.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is well-related to the changeset, explaining the purpose (first step in componentizing OAuth Consent), providing context (part of USER-3968), and documenting testing performed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.changeset/few-stamps-retire.md:
- Line 2: The changeset currently marks '@clerk/clerk-js' as a patch release but
this PR adds new public API (e.g., clerk.oauthApplication.fetchConsentInfo and
its public types), so update the changeset to use a minor bump instead of patch
by replacing the entry value 'patch' with 'minor' for the '@clerk/clerk-js'
package in the .changeset file so the release is versioned correctly.

In `@packages/clerk-js/src/core/resources/__tests__/OAuthApplication.test.ts`:
- Around line 30-63: The tests reference an outdated request contract for
OAuthApplication.fetchConsentInfo and should be updated: change the first test
that asserts BaseResource._fetch was not called to instead assert the current
behavior of OAuthApplication.fetchConsentInfo when BaseResource.clerk.session is
undefined (i.e., that BaseResource._fetch is invoked with the current request
shape rather than not being called); and update the second test's expected
BaseResource._fetch call (the expect on fetchSpy) to match the current
implementation of OAuthApplication.fetchConsentInfo (remove the explicit
sessionId assertion and adjust the call args to whatever the function now
sends—preserve method, encoded path, search/scope and { skipUpdateClient: true }
but do not assert sessionId if the implementation no longer includes it). Ensure
you reference OAuthApplication.fetchConsentInfo and BaseResource._fetch when
making the assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bf7a26bb-fb9a-49c6-b5ac-05f2ea9f3b06

📥 Commits

Reviewing files that changed from the base of the PR and between 4c03816 and 46c893c.

📒 Files selected for processing (9)

• .changeset/few-stamps-retire.md
• packages/clerk-js/src/core/clerk.ts
• packages/clerk-js/src/core/resources/OAuthApplication.ts
• packages/clerk-js/src/core/resources/__tests__/OAuthApplication.test.ts
• packages/clerk-js/src/core/resources/internal.ts
• packages/react/src/isomorphicClerk.ts
• packages/shared/src/types/clerk.ts
• packages/shared/src/types/index.ts
• packages/shared/src/types/oauthApplication.ts

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8275

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8275

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8275

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8275

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8275

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8275

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8275

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8275

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8275

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8275

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8275

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8275

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8275

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8275

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8275

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8275

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8275

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8275

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8275

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8275

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8275

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8275

commit: d623ef1

[jacekradko]

I think this is deviating from the standard convention of having camelCase property being returned for SDK consumers

[jfoshee]

ah yes, thanks @jacekradko

[dmoerner]

I thought this was an odd client id but I think it's actually good to verify that we url escape this to avoid path traversal issues.

[dmoerner]

Why do we coalesce here?

[jfoshee]

Seems to be the common pattern that callers to _fetch use .response. I assume that is for client piggybacking. We don't do that for this endpoint (it just uses json directly). But I guess it's good to make sure it will work either way. I added a unit test so we cover both cases.

[dmoerner]

"e.g." means "for example". Is space-delimited just an example of a scope string or is this something we should enforce?

[jfoshee]

😆 good catch

[dmoerner]

This looks good to me.

[wobsoriano]

looks good already! left a tiny comment

[wobsoriano]

Small nit: we don't use a fetch* prefix elsewhere in resources (closest precedents for non-standard verbs are Waitlist.join and Passkey.registerPasskey).

Not blocking, just wondering if getConsentInfo / retrieveConsentInfo or similar would sit better with the rest of the codebase. Happy to keep as-is if you prefer.

[jfoshee]

Oh cool, good catch. Looks like get is more common e.g. getSessions, getToken, getDomains, etc. I'll update it!

[wobsoriano]

thanks!