Change8

@clerk/backend@3.11.1

Breaking Changes
📦 clerkView on GitHub →
1 breaking🐛 1 fixes

Summary

This patch enforces the presence of the `azp` claim when `authorizedParties` is configured, fixing a security bypass, and updates dependencies.

⚠️ Breaking Changes

  • If you configure `authorizedParties`, session tokens that are missing the `azp` claim will now be rejected. Previously, these tokens were accepted, bypassing the authorized-parties check.

Migration Steps

  1. If you rely on session tokens missing the `azp` claim while using `authorizedParties`, ensure your tokens now include the `azp` claim.

🐛 Bug Fixes

  • Enforced the `azp` (authorized party) claim check when `authorizedParties` is configured, preventing bypasses via missing `azp` claims.