
fix(backend): Verify signature before claims#8332

Merged
dominic-clerk merged 4 commits into main from dc-reorder-verification
Apr 16, 2026

Conversation

@dominic-clerk
Contributor

Description

By verifying the signature first we avoid leaking information about which claims are valid if the signature isn't valid to begin with. Auth couldn't be bypassed; it leaked configuration details that could aid further attacks.

Fixes SDK-61

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

@vercel

vercel bot commented Apr 16, 2026


Project: clerk-js-sandbox | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 16, 2026 2:31pm


@changeset-bot

changeset-bot bot commented Apr 16, 2026

🦋 Changeset detected

Latest commit: c8f0cca

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@clerk/backend Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch


@pkg-pr-new

pkg-pr-new bot commented Apr 16, 2026


@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8332

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8332

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8332

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8332

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8332

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8332

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8332

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8332

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8332

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8332

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8332

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8332

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8332

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8332

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8332

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8332

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8332

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8332

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8332

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8332

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8332

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8332

commit: c8f0cca

@coderabbitai
Contributor

coderabbitai bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 318ffa2 and c8f0cca.

📒 Files selected for processing (1)
  • packages/backend/src/tokens/__tests__/request.test.ts

📝 Walkthrough

Signature verification in JWT verification was reordered: after header checks the code now verifies the token signature first and only performs payload claim validations (exp, nbf, iat, aud, azp, sub, etc.) after a successful signature check. If signature verification fails, signature-related errors are returned immediately. Tests were updated to use async signed JWT helpers and to assert that signature errors are reported before claim errors. One test was changed to dynamically generate a signed token missing the sub claim. A changeset bumps @clerk/backend with a patch note describing the ordering change.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check ✅ Passed: The title clearly and specifically summarizes the main change: reordering verification to check signature before claims, which is the core objective of the changeset.
  • Description check ✅ Passed: The description is directly related to the changeset, explaining the security rationale for the signature-before-claims reordering and referencing the associated issue.

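The ordering change that the PR description and the walkthrough above describe, shown side by side as an added JavaScript example. This is constructed for this page and is not code from the clerk repository: it uses HS256 with a constructed shared secret so it runs offline (where @clerk/backend resolves asymmetric keys from a JWKS), a fixed clock `NOW`, and hypothetical error codes (`token-invalid-signature`, `token-invalid-audience`, and so on) rather than the package's own reason strings. `verifyClaimsFirst` is the ordering before the fix, `verifySignatureFirst` the ordering after it; `demo()` runs both over the same token signed with the wrong key.

```javascript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed illustration: HS256 with a demo secret so the example is
// self-contained. @clerk/backend uses asymmetric keys from a JWKS; the
// ordering lesson is the same.
const DEMO_SECRET = 'constructed-demo-secret-not-a-real-key';
const NOW = 1_700_000_000; // fixed "current time" in seconds, for reproducible results

const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Constructed helper to mint tokens for the demonstration (the PR's tests use
// their own async signed-JWT helpers for the same purpose).
function signToken(claims, secret = DEMO_SECRET) {
  const header = encode({ alg: 'HS256', typ: 'JWT' });
  const body = encode(claims);
  const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Constant-time comparison of the presented signature against the expected MAC.
function signatureValid(header, body, sig, secret) {
  const expected = createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const actual = Buffer.from(sig, 'base64url');
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Header check: only the single algorithm this verifier signs with is accepted.
function headerError(header) {
  return header.alg === 'HS256' ? null : 'header-unsupported-alg';
}

// Claim checks in the order the walkthrough lists them (exp, nbf, iat, aud, azp, sub).
// The error codes are hypothetical labels for this example.
function claimError(claims, { now, audience, authorizedParties }) {
  if (claims.exp !== undefined && now >= claims.exp) return 'token-expired';
  if (claims.nbf !== undefined && now < claims.nbf) return 'token-not-active-yet';
  if (claims.iat !== undefined && claims.iat > now) return 'token-iat-in-the-future';
  if (audience !== undefined && claims.aud !== audience) return 'token-invalid-audience';
  if (authorizedParties && claims.azp !== undefined && !authorizedParties.includes(claims.azp)) {
    return 'token-invalid-authorized-party';
  }
  if (!claims.sub) return 'token-missing-sub';
  return null;
}

function splitToken(token) {
  const parts = token.split('.');
  return parts.length === 3 ? parts : null;
}

// Ordering before the fix: claims are validated before the signature. The
// reason returned for an unauthenticated (unsigned or tampered) token depends
// on its claim contents, so the response reflects the verifier's configuration.
function verifyClaimsFirst(token, opts) {
  const parts = splitToken(token);
  if (!parts) return { ok: false, reason: 'token-malformed' };
  const [h, b, s] = parts;
  const hErr = headerError(decode(h));
  if (hErr) return { ok: false, reason: hErr };
  const claims = decode(b);
  const cErr = claimError(claims, opts);
  if (cErr) return { ok: false, reason: cErr };
  if (!signatureValid(h, b, s, opts.secret)) return { ok: false, reason: 'token-invalid-signature' };
  return { ok: true, claims };
}

// Ordering after the fix: header, then signature, then claims. Claims are never
// evaluated for a token whose signature has not been verified.
function verifySignatureFirst(token, opts) {
  const parts = splitToken(token);
  if (!parts) return { ok: false, reason: 'token-malformed' };
  const [h, b, s] = parts;
  const hErr = headerError(decode(h));
  if (hErr) return { ok: false, reason: hErr };
  if (!signatureValid(h, b, s, opts.secret)) return { ok: false, reason: 'token-invalid-signature' };
  const claims = decode(b);
  const cErr = claimError(claims, opts);
  if (cErr) return { ok: false, reason: cErr };
  return { ok: true, claims };
}

// One token signed with the wrong key and carrying a non-matching audience,
// run through both orderings.
function demo() {
  const opts = { now: NOW, audience: 'https://api.example.test', secret: DEMO_SECRET };
  const forged = signToken(
    { sub: 'user_demo', aud: 'https://guess.example.test', exp: NOW + 60 },
    'constructed-wrong-key',
  );
  return {
    before: verifyClaimsFirst(forged, opts).reason, // 'token-invalid-audience'
    after: verifySignatureFirst(forged, opts).reason, // 'token-invalid-signature'
  };
}
```

`demo()` shows the difference in one call: with claims checked first, the forged token is answered with `token-invalid-audience`, a response that varies with the unauthenticated payload; with the signature checked first, every token that fails authentication gets the same `token-invalid-signature`, and claim validation only ever runs on tokens the configured key actually signed. On the operations side this also makes signature failures a clean signal to count and alert on, since they are no longer masked by whichever claim error happened to fire first.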

Member

@wobsoriano wobsoriano left a comment

Thanks Dominic!

@dominic-clerk dominic-clerk merged commit 8ee6a32 into main Apr 16, 2026
71 of 72 checks passed
@dominic-clerk dominic-clerk deleted the dc-reorder-verification branch April 16, 2026 14:49