Skip to content

chore(express,react,shared): Support dynamic options callback in clerkMiddleware#8398

Merged
wobsoriano merged 21 commits intomainfrom
rob/express-sdk-dynamic-keys
Apr 24, 2026
Merged

chore(express,react,shared): Support dynamic options callback in clerkMiddleware#8398
wobsoriano merged 21 commits intomainfrom
rob/express-sdk-dynamic-keys

Conversation

@wobsoriano
Copy link
Copy Markdown
Member

@wobsoriano wobsoriano commented Apr 24, 2026
edited
Loading

Description

app.use(clerkMiddleware((req) => ({
  publishableKey: req.hostname === 'domain-a.com' ? PK_A : PK_B,
})));

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

@wobsoriano
docs: add accounts portal OAuth consent refactor spec
866e5af
@wobsoriano
feat(express): support dynamic options callback in clerkMiddleware
ad0617c 
Add ClerkMiddlewareOptionsCallback type so multi-domain/multi-tenant
apps can resolve publishableKey and secretKey per request:

  app.use(clerkMiddleware((req) => ({
    publishableKey: req.hostname === 'a.com' ? PK_A : PK_B,
    secretKey:      req.hostname === 'a.com' ? SK_A : SK_B,
  })));

Static options path is unchanged. Callback path awaits the function
result and creates the auth handler per request.
@wobsoriano
chore: remove doc
1a28062
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 24, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
clerk-js-sandbox Skipped Skipped Apr 24, 2026 9:47pm

Request Review

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Apr 24, 2026
edited
Loading

🦋 Changeset detected

Latest commit: f48bd81

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages
Name Type
@clerk/shared Patch
@clerk/react Patch
@clerk/express Patch
@clerk/astro Patch
@clerk/backend Patch
@clerk/chrome-extension Patch
@clerk/clerk-js Patch
@clerk/expo-passkeys Patch
@clerk/expo Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/localizations Patch
@clerk/msw Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/ui Patch
@clerk/vue Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@wobsoriano wobsoriano marked this pull request as ready for review April 24, 2026 14:27
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Apr 24, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR enhances the Express middleware to support dynamic, request-based configuration through a callback pattern while introducing a cross-package utility for multi-domain setups. The clerkMiddleware function now accepts either static options or an async-capable callback that derives options from the incoming request. A new publishableKeyFromHost utility is added to the shared package and re-exported through internal entry points in both React and Express packages. Build configuration is extended to support the new internal export path, and comprehensive tests validate the callback behavior including Promise handling and request properties.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding support for dynamic options callback in clerkMiddleware across express, react, and shared packages.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The pull request description provides a clear example of the new feature: a callback function passed to clerkMiddleware that dynamically selects configuration based on request hostname.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Apr 24, 2026
edited
Loading

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8398

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8398

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8398

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8398

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8398

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8398

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8398

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8398

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8398

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8398

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8398

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8398

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8398

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8398

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8398

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8398

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8398

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8398

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8398

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8398

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8398

commit: f48bd81

@wobsoriano
feat(shared): add publishableKeyFromHost utility for multi-domain setups
20655d2 
Derives a production publishable key from the current request hostname,
falling back to the configured key for development instances (pk_test_).
Built on the existing buildPublishableKey and isDevelopmentFromPublishableKey
helpers.

Re-exported from @clerk/react/internal so Replit and other multi-domain
apps can use it without additional dependencies:

  import { publishableKeyFromHost } from '@clerk/react/internal'

  // React
  <ClerkProvider publishableKey={publishableKeyFromHost(window.location.host, process.env.VITE_CLERK_PUBLISHABLE_KEY)}>

  // Express (with the new clerkMiddleware callback)
  clerkMiddleware((req) => ({
    publishableKey: publishableKeyFromHost(req.hostname, process.env.CLERK_PUBLISHABLE_KEY),
  }))
@wobsoriano
feat(express): expose publishableKeyFromHost from internal path
c3420c8 
Add @clerk/express/internal re-exporting publishableKeyFromHost from
@clerk/shared/keys. Mirrors the @clerk/react/internal pattern.

Also simplifies publishableKeyFromHost to take only host — buildPublishableKey
already handles dev vs prod detection via FAPI host patterns, so no
fallback key parameter is needed.

Usage:
  import { publishableKeyFromHost } from '@clerk/express/internal'

  clerkMiddleware((req) => ({
    publishableKey: publishableKeyFromHost(req.hostname),
  }))
@wobsoriano
fix(shared): restore fallbackKey param in publishableKeyFromHost
bb09a5a 
Without it, dev instances on localhost produce an incorrect pk_live_ key.
If fallbackKey is a pk_test_ key it is returned as-is; otherwise the key
is derived from the host for production multi-domain setups.
@wobsoriano
update doc
70bd92b
@github-actions github-actions Bot added the react label Apr 24, 2026
wobsoriano
wobsoriano commented Apr 24, 2026
View reviewed changes
Comment thread packages/shared/src/keys.ts Outdated
if (fallbackKey && isDevelopmentFromPublishableKey(fallbackKey)) {
return fallbackKey;
}
return buildPublishableKey(`clerk.${host.toLowerCase()}`);
Copy link
Copy Markdown
Member Author

@wobsoriano wobsoriano Apr 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

existing helper that converts a FAPI URL into a base64-encoded publishable key

https://github.com/clerk/javascript/blob/70bd92ba85539aefb880f33e5fcd8cc1f1199756/packages/shared/src/keys.ts#L38,L44

jacekradko
jacekradko reviewed Apr 24, 2026
View reviewed changes
Comment thread .changeset/new-kangaroos-search.md Outdated
@wobsoriano wobsoriano changed the title feat(express): Support dynamic options callback in clerkMiddleware chore(express,react,shared): Support dynamic options callback in clerkMiddleware Apr 24, 2026
jacekradko
jacekradko reviewed Apr 24, 2026
View reviewed changes
Comment thread .changeset/brave-lions-fly.md Outdated
jacekradko
jacekradko reviewed Apr 24, 2026
View reviewed changes
Comment thread packages/express/src/internal.ts Outdated
@@ -0,0 +1 @@
export { publishableKeyFromHost } from '@clerk/shared/keys';
Copy link
Copy Markdown
Member

@jacekradko jacekradko Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 I am a little hesitant to add a whole new entrypoint to a package in a hotfix.. just seems a bit early for this

Copy link
Copy Markdown
Member Author

@wobsoriano wobsoriano Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you saying we should just export from @clerk/express or let them import as-is from @clerk/shared/keys?

Copy link
Copy Markdown
Member

@jacekradko jacekradko Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now I think I would suggest they import from @clerk/shared/keys until we are sure this is something we want to re-export from an SDK package.

Copy link
Copy Markdown
Member Author

@wobsoriano wobsoriano Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gotcha

jacekradko
jacekradko reviewed Apr 24, 2026
View reviewed changes
Comment thread packages/shared/src/keys.ts
jacekradko
jacekradko reviewed Apr 24, 2026
View reviewed changes
Comment thread packages/shared/src/keys.ts Outdated
jacekradko
jacekradko reviewed Apr 24, 2026
View reviewed changes
Comment thread packages/shared/src/keys.ts Outdated
nikosdouvlis
nikosdouvlis approved these changes Apr 24, 2026
View reviewed changes
Comment thread packages/shared/src/keys.ts Outdated
Comment thread packages/shared/src/keys.ts
@wobsoriano wobsoriano merged commit 083c4c5 into main Apr 24, 2026
42 checks passed
@wobsoriano wobsoriano deleted the rob/express-sdk-dynamic-keys branch April 24, 2026 21:58
@clerk-cookie clerk-cookie mentioned this pull request Apr 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jacekradko jacekradko jacekradko left review comments

@nikosdouvlis nikosdouvlis nikosdouvlis approved these changes

@thiskevinwang thiskevinwang thiskevinwang approved these changes

Assignees

No one assigned

Labels

express react

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@wobsoriano @jacekradko @nikosdouvlis @thiskevinwang