fix: pass keyless keys to client

wobsoriano · wobsoriano · commit 7abc1bdf5cec · 2026-02-06T22:18:07.000-08:00
diff --git a/packages/astro/src/env.d.ts b/packages/astro/src/env.d.ts
@@ -34,6 +34,7 @@ declare namespace App {
     runtime: { env: InternalEnv };
     keylessClaimUrl?: string;
     keylessApiKeysUrl?: string;
+    keylessPublishableKey?: string;
   }
 }
 
diff --git a/packages/astro/src/server/clerk-middleware.ts b/packages/astro/src/server/clerk-middleware.ts
@@ -139,10 +139,14 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]): any => {
 
     decorateAstroLocal(clerkRequest, authObjectFn, context, requestState);
 
-    // Store keyless URLs for injection into client
+    // Store keyless data for injection into client
     if (keylessClaimUrl || keylessApiKeysUrl) {
       context.locals.keylessClaimUrl = keylessClaimUrl;
       context.locals.keylessApiKeysUrl = keylessApiKeysUrl;
+      // Also store the resolved publishable key so client can use it
+      if (keylessOptions?.publishableKey) {
+        context.locals.keylessPublishableKey = keylessOptions.publishableKey;
+      }
     }
 
     /**
diff --git a/packages/astro/src/server/get-safe-env.ts b/packages/astro/src/server/get-safe-env.ts
@@ -27,7 +27,8 @@ function getSafeEnv(context: ContextOrLocals) {
     domain: getContextEnvVar('PUBLIC_CLERK_DOMAIN', context),
     isSatellite: getContextEnvVar('PUBLIC_CLERK_IS_SATELLITE', context) === 'true',
     proxyUrl: getContextEnvVar('PUBLIC_CLERK_PROXY_URL', context),
-    pk: getContextEnvVar('PUBLIC_CLERK_PUBLISHABLE_KEY', context),
+    // Use keyless publishable key if available, otherwise read from env
+    pk: locals.keylessPublishableKey || getContextEnvVar('PUBLIC_CLERK_PUBLISHABLE_KEY', context),
     sk: getContextEnvVar('CLERK_SECRET_KEY', context),
     machineSecretKey: getContextEnvVar('CLERK_MACHINE_SECRET_KEY', context),
     signInUrl: getContextEnvVar('PUBLIC_CLERK_SIGN_IN_URL', context),
@@ -62,6 +63,8 @@ function getClientSafeEnv(context: ContextOrLocals) {
     proxyUrl: getContextEnvVar('PUBLIC_CLERK_PROXY_URL', context),
     signInUrl: getContextEnvVar('PUBLIC_CLERK_SIGN_IN_URL', context),
     signUpUrl: getContextEnvVar('PUBLIC_CLERK_SIGN_UP_URL', context),
+    // In keyless mode, pass the resolved publishable key to client
+    publishableKey: locals.keylessPublishableKey || getContextEnvVar('PUBLIC_CLERK_PUBLISHABLE_KEY', context),
     // Read from locals (set by middleware) instead of env vars
     keylessClaimUrl: locals.keylessClaimUrl,
     keylessApiKeysUrl: locals.keylessApiKeysUrl,

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ declare namespace App {`
`34`	`34`	`runtime: { env: InternalEnv };`
`35`	`35`	`keylessClaimUrl?: string;`
`36`	`36`	`keylessApiKeysUrl?: string;`
	`37`	`+ keylessPublishableKey?: string;`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`