Merge branch 'main' into jacek/improve-auth-middleware-error-message

Author: jacekradko

.changeset/backend-proxy-forwarded-headers.md

@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Fix `clerkFrontendApiProxy` to derive the `Clerk-Proxy-Url` header and Location rewrites from `x-forwarded-proto`/`x-forwarded-host` headers instead of the raw `request.url`. Behind a reverse proxy, `request.url` resolves to localhost, causing FAPI to receive an incorrect proxy URL. The fix uses the same forwarded-header resolution pattern as `ClerkRequest`.

.changeset/fastify-proxy-support.md

@@ -0,0 +1,5 @@
+---
+'@clerk/fastify': minor
+---
+
+Add Frontend API proxy support to `@clerk/fastify` via the `frontendApiProxy` option on `clerkPlugin`. When enabled, requests matching the proxy path (default `/__clerk`) are forwarded to Clerk's Frontend API, allowing Clerk to work in environments where direct API access is blocked by ad blockers or firewalls. The `proxyUrl` for auth handshake is automatically derived from the request when `frontendApiProxy` is configured.

.changeset/fix-429-unauthenticated.md

@@ -0,0 +1,6 @@
+---
+'@clerk/clerk-js': patch
+'@clerk/shared': patch
+---
+
+Narrow the error conditions that trigger the unauthenticated flow (sign-out) to only high-confidence authentication failures (401, 422). Previously, all 4xx errors — including 429 rate limits — were treated as auth failures, which could sign users out during transient rate limiting. Non-auth errors from `setActive` now propagate to the caller instead of being silently swallowed.

.changeset/fix-express-proxy-path-guard.md

@@ -0,0 +1,5 @@
+---
+'@clerk/express': patch
+---
+
+Fix empty path fallback for `frontendApiProxy` to prevent intercepting all requests when `path` resolves to an empty string

.changeset/hono-proxy-support.md

@@ -0,0 +1,5 @@
+---
+'@clerk/hono': minor
+---
+
+Add Frontend API proxy support to `@clerk/hono` via the `frontendApiProxy` option on `clerkMiddleware`. When enabled, requests matching the proxy path (default `/__clerk`) are forwarded to Clerk's Frontend API, allowing Clerk to work in environments where direct API access is blocked by ad blockers or firewalls. The `proxyUrl` for auth handshake is automatically derived from the request when `frontendApiProxy` is configured.

.changeset/yellow-vans-beg.md

@@ -0,0 +1,5 @@
+---
+"@clerk/expo": minor
+---
+
+Adds support for Expo SDK 55

.github/workflows/ci.yml

@@ -305,6 +305,7 @@ jobs:
             "nuxt",
             "react-router",
             "custom",
+            "hono",
           ]
         test-project: ["chrome"]
         include:

integration/presets/envs.ts

@@ -136,6 +136,11 @@ const withWaitlistMode = withEmailCodes
   .setEnvVariable('private', 'CLERK_SECRET_KEY', instanceKeys.get('with-waitlist-mode').sk)
   .setEnvVariable('public', 'CLERK_PUBLISHABLE_KEY', instanceKeys.get('with-waitlist-mode').pk);
 
+const withEmailCodesProxy = withEmailCodes
+  .clone()
+  .setId('withEmailCodesProxy')
+  .setEnvVariable('private', 'CLERK_PROXY_ENABLED', 'true');
+
 const withSignInOrUpFlow = withEmailCodes
   .clone()
   .setId('withSignInOrUpFlow')
@@ -222,6 +227,7 @@ export const envs = {
   withDynamicKeys,
   withEmailCodes,
   withEmailCodes_destroy_client,
+  withEmailCodesProxy,
   withEmailCodesQuickstart,
   withEmailLinks,
   withKeyless,

integration/presets/longRunningApps.ts

@@ -86,6 +86,7 @@ export const createLongRunningApps = () => {
      * Hono apps
      */
     { id: 'hono.vite.withEmailCodes', config: hono.vite, env: envs.withEmailCodes },
+    { id: 'hono.vite.withEmailCodesProxy', config: hono.vite, env: envs.withEmailCodesProxy },
   ] as const;
 
   const apps = configs.map(longRunningApplication);

integration/templates/hono-vite/src/server/main.ts

@@ -8,10 +8,13 @@ import ViteExpress from 'vite-express';
 
 const app = new Hono();
 
+const proxyEnabled = process.env.CLERK_PROXY_ENABLED === 'true';
+
 app.use(
   '*',
   clerkMiddleware({
     publishableKey: process.env.VITE_CLERK_PUBLISHABLE_KEY,
+    ...(proxyEnabled ? { frontendApiProxy: { enabled: true } } : {}),
   }),
 );