Skip to content

feat(backend): Support recent BAPI users and email/phone features #8694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
brkalow merged 2 commits into from
May 29, 2026
+45 −0
Merged

feat(backend): Support recent BAPI users and email/phone features #8694

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bdbdaa1
feat(backend): Support recent BAPI users and email/phone changes
dmoerner May 28, 2026
73c627e
chore: remove stale changeset
dmoerner May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .changeset/backend-user-replace-email-phone-and-banned-locked.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
'@clerk/backend': minor
---

Add support for new Backend API user endpoints:

- `users.replaceUserEmailAddress(userId, { emailAddress })` replaces all of a user's email addresses with a single verified, primary email address (`PUT /users/{user_id}/email_address`).
- `users.replaceUserPhoneNumber(userId, { phoneNumber })` replaces all of a user's phone numbers with a single verified, primary phone number (`PUT /users/{user_id}/phone_number`).
- `users.createUser` now accepts `banned` and `locked` parameters to create a user that is already banned or locked.
36 changes: 36 additions & 0 deletions packages/backend/src/api/endpoints/UserApi.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,11 @@ import { joinPaths } from '../../util/path';
import { deprecated } from '../../util/shared';
import type {
DeletedObject,
EmailAddress,
OauthAccessToken,
OrganizationInvitation,
OrganizationMembership,
PhoneNumber,
User,
} from '../resources';
import type { PaginatedResourceResponse } from '../resources/Deserializer';
Expand Down Expand Up @@ -99,6 +101,10 @@ type CreateUserParams = {
totpSecret?: string;
backupCodes?: string[];
createdAt?: Date;
/** When set to `true`, the user is created already banned and cannot sign in. Requires the same plan support as the ban user endpoint. */
banned?: boolean;
/** When set to `true`, the user is created already locked. Requires the user lockout feature to be enabled on the instance. */
locked?: boolean;
} & UserMetadataParams &
(UserPasswordHashingParams | object);

Expand Down Expand Up @@ -212,6 +218,16 @@ type SetPasswordCompromisedParams = {
revokeAllSessions?: boolean;
};

type ReplaceUserEmailAddressParams = {
/** The new email address. Must adhere to the RFC 5322 specification for email address format. */
emailAddress: string;
};

type ReplaceUserPhoneNumberParams = {
/** The new phone number. Must adhere to the E.164 standard for phone number format. */
phoneNumber: string;
};

type UserID = {
userId: string;
};
Expand Down Expand Up @@ -259,6 +275,26 @@ export class UserAPI extends AbstractAPI {
});
}

public async replaceUserEmailAddress(userId: string, params: ReplaceUserEmailAddressParams) {
this.requireId(userId);

return this.request<EmailAddress>({
method: 'PUT',
path: joinPaths(basePath, userId, 'email_address'),
bodyParams: params,
});
}

public async replaceUserPhoneNumber(userId: string, params: ReplaceUserPhoneNumberParams) {
this.requireId(userId);

return this.request<PhoneNumber>({
method: 'PUT',
path: joinPaths(basePath, userId, 'phone_number'),
bodyParams: params,
});
}
Comment on lines +278 to +296
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify public async methods without explicit return types in UserApi.ts
rg -nP "public async [A-Za-z0-9_]+\([^)]*\)\s*\{" packages/backend/src/api/endpoints/UserApi.ts

Repository: clerk/javascript

Length of output: 1919

Add explicit Promise return types for new UserApi public methods

replaceUserEmailAddress and replaceUserPhoneNumber should declare : Promise<EmailAddress> / : Promise<PhoneNumber> for a stable public surface.

Proposed fix 
-  public async replaceUserEmailAddress(userId: string, params: ReplaceUserEmailAddressParams) {
+  public async replaceUserEmailAddress(
+    userId: string,
+    params: ReplaceUserEmailAddressParams,
+  ): Promise<EmailAddress> {
     this.requireId(userId);

     return this.request<EmailAddress>({
       method: 'PUT',
       path: joinPaths(basePath, userId, 'email_address'),
       bodyParams: params,
     });
   }

-  public async replaceUserPhoneNumber(userId: string, params: ReplaceUserPhoneNumberParams) {
+  public async replaceUserPhoneNumber(
+    userId: string,
+    params: ReplaceUserPhoneNumberParams,
+  ): Promise<PhoneNumber> {
     this.requireId(userId);

     return this.request<PhoneNumber>({
       method: 'PUT',
       path: joinPaths(basePath, userId, 'phone_number'),
       bodyParams: params,
     });
   }

Add tests covering these newly introduced API methods/endpoints.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/api/endpoints/UserApi.ts` around lines 278 - 296, Update
the public method signatures in UserApi so they explicitly declare Promise
return types: change replaceUserEmailAddress(userId: string, params:
ReplaceUserEmailAddressParams) to replaceUserEmailAddress(userId: string,
params: ReplaceUserEmailAddressParams): Promise<EmailAddress> and
replaceUserPhoneNumber(userId: string, params: ReplaceUserPhoneNumberParams):
Promise<PhoneNumber>; keep the existing this.request calls but ensure the
declared return types match the generic types passed to this.request, and add
unit/integration tests that call UserApi.replaceUserEmailAddress and
UserApi.replaceUserPhoneNumber to verify request shape and response handling for
the new endpoints.


public async updateUserProfileImage(userId: string, params: { file: Blob | File }) {
this.requireId(userId);

Expand Down
Loading