clerk · LauraBeatris · Jun 26, 2025 · Jun 26, 2025
diff --git a/.changeset/cool-geckos-stick.md b/.changeset/cool-geckos-stick.md
diff --git a/.changeset/easy-papers-hug.md b/.changeset/easy-papers-hug.md
diff --git a/.changeset/fair-ways-create.md b/.changeset/fair-ways-create.md
diff --git a/.changeset/giant-comics-argue.md b/.changeset/giant-comics-argue.md
diff --git a/.changeset/grumpy-lamps-study.md b/.changeset/grumpy-lamps-study.md
diff --git a/.changeset/real-grapes-occur.md b/.changeset/real-grapes-occur.md
diff --git a/.changeset/sad-mangos-double.md b/.changeset/sad-mangos-double.md
diff --git a/.changeset/shiny-candles-sneeze.md b/.changeset/shiny-candles-sneeze.md
diff --git a/.changeset/six-ears-wash.md b/.changeset/six-ears-wash.md
diff --git a/.changeset/smart-pandas-carry.md b/.changeset/smart-pandas-carry.md
diff --git a/.changeset/violet-terms-fix.md b/.changeset/violet-terms-fix.md
diff --git a/.changeset/warm-parents-take.md b/.changeset/warm-parents-take.md
diff --git a/.changeset/witty-hotels-add.md b/.changeset/witty-hotels-add.md
diff --git a/packages/agent-toolkit/CHANGELOG.md b/packages/agent-toolkit/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @clerk/agent-toolkit
 
+## 0.1.3
+
+### Patch Changes
+
+- Updated dependencies [[`f1be1fe`](https://github.com/clerk/javascript/commit/f1be1fe3d575c11acd04fc7aadcdec8f89829894), [`8bfdf94`](https://github.com/clerk/javascript/commit/8bfdf94646c54a5e13fcb81ebcb9df0209dbc6a1), [`bffb42a`](https://github.com/clerk/javascript/commit/bffb42aaf266a188b9ae7d16ace3024d468a3bd4), [`084e7cc`](https://github.com/clerk/javascript/commit/084e7cc5f6f6d101059bc8a6d60dc73f3262ef2f)]:
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+
 ## 0.1.2
 
 ### Patch Changes

diff --git a/packages/agent-toolkit/package.json b/packages/agent-toolkit/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@clerk/agent-toolkit",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Clerk Toolkit for AI Agents",
   "homepage": "https://clerk.com/",
   "bugs": {

diff --git a/packages/astro/CHANGELOG.md b/packages/astro/CHANGELOG.md
@@ -1,5 +1,68 @@
 # @clerk/astro
 
+## 2.10.0
+
+### Minor Changes
+
+- Introduce feature or plan based authorization ([#6188](https://github.com/clerk/javascript/pull/6188)) by [@wobsoriano](https://github.com/wobsoriano)
+
+  ## `<Protect />`
+
+  ### Plan
+
+  ```html
+  <Protect plan="my-plan" />
+  ```
+
+  ### Feature
+
+  ```html
+  <Protect feature="my-feature" />
+  ```
+
+  ### Scoped per user or per org
+
+  ```html
+  <Protect feature="org:my-feature" />
+  <Protect feature="user:my-feature" />
+  <Protect plan="org:my-plan" />
+  <Protect plan="user:my-plan" />
+  ```
+
+  ## `useAuth()` in React
+
+  ### Plan
+
+  ```ts
+  const { has } = useAuth();
+  has({ plan: 'my-plan' });
+  ```
+
+  ### Feature
+
+  ```ts
+  const { has } = useAuth();
+  has({ feature: 'my-feature' });
+  ```
+
+  ### Scoped per user or per org
+
+  ```ts
+  const { has } = useAuth();
+
+  has({ feature: 'org:my-feature' });
+  has({ feature: 'user:my-feature' });
+  has({ plan: 'user:my-plan' });
+  has({ plan: 'org:my-plan' });
+  ```
+
+### Patch Changes
+
+- Updated dependencies [[`f1be1fe`](https://github.com/clerk/javascript/commit/f1be1fe3d575c11acd04fc7aadcdec8f89829894), [`8bfdf94`](https://github.com/clerk/javascript/commit/8bfdf94646c54a5e13fcb81ebcb9df0209dbc6a1), [`bffb42a`](https://github.com/clerk/javascript/commit/bffb42aaf266a188b9ae7d16ace3024d468a3bd4), [`084e7cc`](https://github.com/clerk/javascript/commit/084e7cc5f6f6d101059bc8a6d60dc73f3262ef2f)]:
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+
 ## 2.9.2
 
 ### Patch Changes

diff --git a/packages/astro/package.json b/packages/astro/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@clerk/astro",
-  "version": "2.9.2",
+  "version": "2.10.0",
   "description": "Clerk SDK for Astro",
   "keywords": [
     "auth",

diff --git a/packages/backend/CHANGELOG.md b/packages/backend/CHANGELOG.md
@@ -1,5 +1,56 @@
 # Change Log
 
+## 2.3.0
+
+### Minor Changes
+
+- ## Optimize handshake payload delivery with nonce-based fetching ([#5905](https://github.com/clerk/javascript/pull/5905)) by [@jacekradko](https://github.com/jacekradko)
+
+  This change introduces a significant optimization to the handshake flow by replacing direct payload delivery with a nonce-based approach to overcome browser cookie size limitations.
+
+  ## Problem Solved
+
+  Previously, the handshake payload (an encoded JWT containing set-cookie headers) was sent directly in a cookie. Since browsers limit cookies to ~4KB, this severely restricted the practical size of session tokens, which are also JWTs stored in cookies but embedded within the handshake payload.
+
+  ## Solution
+
+  We now use a conditional approach based on payload size:
+
+  - **Small payloads (≤2KB)**: Continue using the direct approach for optimal performance
+  - **Large payloads (>2KB)**: Use nonce-based fetching to avoid cookie size limits
+
+  For large payloads, we:
+
+  1. Generate a short nonce (ID) for each handshake instance
+  2. Send only the nonce in the `__clerk_handshake_nonce` cookie
+  3. Use the nonce to fetch the actual handshake payload via a dedicated BAPI endpoint
+
+  ## New Handshake Flow (for payloads >2KB)
+
+  1. User visits `example.com`
+  2. Client app middleware triggers handshake → `307 FAPI/v1/client/handshake`
+  3. FAPI handshake resolves → `307 example.com` with `__clerk_handshake_nonce` cookie containing the nonce
+  4. Client app middleware makes `GET BAPI/v1/clients/handshake_payload?nonce=<nonce_value>` request (BAPI)
+  5. BAPI returns array of set-cookie header values
+  6. Client app middleware applies headers to the response
+
+  ## Traditional Flow (for payloads ≤2KB)
+
+  No changes. Continues to work as before with direct payload delivery in cookies for optimal performance.
+
+  ## Trade-offs
+
+  - **Added**: One additional BAPI call per handshake (only for payloads >2KB)
+  - **Removed**: Cookie size restrictions that previously limited session token size
+
+### Patch Changes
+
+- Ensure `__clerk_synced` is removed from cross-origin return-back urls ([#6196](https://github.com/clerk/javascript/pull/6196)) by [@tmilewski](https://github.com/tmilewski)
+
+- Updated dependencies [[`f1be1fe`](https://github.com/clerk/javascript/commit/f1be1fe3d575c11acd04fc7aadcdec8f89829894), [`bffb42a`](https://github.com/clerk/javascript/commit/bffb42aaf266a188b9ae7d16ace3024d468a3bd4)]:
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+
 ## 2.2.0
 
 ### Minor Changes

diff --git a/packages/backend/package.json b/packages/backend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@clerk/backend",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Clerk Backend SDK - REST Client for Backend API & JWT verification utilities",
   "homepage": "https://clerk.com/",
   "bugs": {

diff --git a/packages/chrome-extension/CHANGELOG.md b/packages/chrome-extension/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Change Log
 
+## 2.5.1
+
+### Patch Changes
+
+- Updated dependencies [[`f1be1fe`](https://github.com/clerk/javascript/commit/f1be1fe3d575c11acd04fc7aadcdec8f89829894), [`58e9a2f`](https://github.com/clerk/javascript/commit/58e9a2f2962330d52682edf096dcba77fc082b9e), [`bffb42a`](https://github.com/clerk/javascript/commit/bffb42aaf266a188b9ae7d16ace3024d468a3bd4), [`bffb42a`](https://github.com/clerk/javascript/commit/bffb42aaf266a188b9ae7d16ace3024d468a3bd4), [`036a853`](https://github.com/clerk/javascript/commit/036a8533d020b465b40e51e10ba24345edd36102)]:
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+
 ## 2.5.0
 
 ### Minor Changes

diff --git a/packages/chrome-extension/package.json b/packages/chrome-extension/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@clerk/chrome-extension",
-  "version": "2.5.0",
+  "version": "2.5.1",
   "description": "Clerk SDK for Chrome extensions",
   "keywords": [
     "auth",

diff --git a/packages/clerk-js/CHANGELOG.md b/packages/clerk-js/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Change Log
 
+## 5.69.2
+
+### Patch Changes
+
+- Fixes stale `SignIn` object on `authenticateWithRedirect` for `saml` and `enterprise_sso` custom flows ([#6160](https://github.com/clerk/javascript/pull/6160)) by [@LauraBeatris](https://github.com/LauraBeatris)
+
+  Previously, the same connection identifier would be used on every `authenticateWithRedirect` call leading to redirecting to the wrong identity provider
+
+- Fix SVG masking cross-browser compatibility in checkout complete component ([#6190](https://github.com/clerk/javascript/pull/6190)) by [@panteliselef](https://github.com/panteliselef)
+
+- Use hooks exported from `@clerk/shared` to query commerce data. ([#6159](https://github.com/clerk/javascript/pull/6159)) by [@panteliselef](https://github.com/panteliselef)
+
+- Do not display create organization form after accepting organization invitation on after-auth flow ([#6191](https://github.com/clerk/javascript/pull/6191)) by [@LauraBeatris](https://github.com/LauraBeatris)
+
+- Updated dependencies [[`65ca8f5`](https://github.com/clerk/javascript/commit/65ca8f5f6665597fc03f9f5e0bdb99fcab3d056c), [`f1be1fe`](https://github.com/clerk/javascript/commit/f1be1fe3d575c11acd04fc7aadcdec8f89829894), [`bffb42a`](https://github.com/clerk/javascript/commit/bffb42aaf266a188b9ae7d16ace3024d468a3bd4)]:
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+  - @clerk/[email protected]
+
 ## 5.69.1
 
 ### Patch Changes

diff --git a/packages/clerk-js/package.json b/packages/clerk-js/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@clerk/clerk-js",
-  "version": "5.69.1",
+  "version": "5.69.2",
   "description": "Clerk JS library",
   "keywords": [
     "clerk",

diff --git a/packages/dev-cli/CHANGELOG.md b/packages/dev-cli/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @clerk/dev-cli
 
+## 0.0.12
+
+### Patch Changes
+
+- Add warning regarding Turbopack usage. ([#6189](https://github.com/clerk/javascript/pull/6189)) by [@dstaley](https://github.com/dstaley)
+
 ## 0.0.11
 
 ### Patch Changes