Skip to content

fix(clerk-js): Backport using JWT iat for token cache timing#8987

Open
thazhemadam wants to merge 1 commit into
clerk:release/core-2from
thazhemadam:at/backport-token-createdat-fix
Open

fix(clerk-js): Backport using JWT iat for token cache timing#8987
thazhemadam wants to merge 1 commit into
clerk:release/core-2from
thazhemadam:at/backport-token-createdat-fix

Conversation

@thazhemadam

@thazhemadam thazhemadam commented Jun 25, 2026

Copy link
Copy Markdown

Description

Backports using JWT iat for token cache timing from d5075a7 in #7317 to the Core 2 release line.

SessionTokenCache used cache insertion time as the start of a token’s lifetime, even though the lifetime itself comes from exp - iat. Tokens added to the cache after issuance could therefore stay in the fresh/stale windows too long and be returned after expiry.

Record the JWT iat as the cache start time once the token resolves, so stale-while-revalidate and expiry thresholds follow the token’s actual lifetime.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

@changeset-bot

changeset-bot Bot commented Jun 25, 2026
edited
Loading

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 2453740

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel

vercel Bot commented Jun 25, 2026

Copy link
Copy Markdown

@jacekradko is attempting to deploy a commit to the Clerk Production Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 25, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6b0cfa13-a39c-4935-9e50-03c09af2c483

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@jacekradko @thazhemadam
fix(clerk-js): use JWT iat for token cache timing
2453740 
`SessionTokenCache` used cache insertion time as the start of a token’s
lifetime, even though the lifetime itself comes from `exp - iat`.
Tokens added to the cache after issuance could therefore stay in the
fresh/stale windows too long and be returned after expiry.

Record the JWT iat as the cache start time once the token resolves, so
stale-while-revalidate and expiry thresholds follow the token’s actual
lifetime.

(cherry picked from commit d5075a7
which was squashed and merged in
3ff86c4).
@thazhemadam thazhemadam force-pushed the at/backport-token-createdat-fix branch from c7767c2 to 2453740 Compare June 25, 2026 04:10
@thazhemadam thazhemadam reopened this Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thazhemadam @jacekradko