clerk · wobsoriano · Jan 10, 2026 · Jan 8, 2026 · Jan 8, 2026 · coderabbitai
diff --git a/.changeset/weak-wombats-begin.md b/.changeset/weak-wombats-begin.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/packages/backend/src/tokens/__tests__/request.test.ts b/packages/backend/src/tokens/__tests__/request.test.ts
@@ -1393,7 +1393,7 @@ describe('tokens.authenticateRequest(options)', () => {
     });
 
     describe('Array of Accepted Token Types', () => {
-      test('accepts token when it is in the acceptsToken array', async () => {
+      test('accepts machine token when it is in the acceptsToken array', async () => {
         server.use(
           http.post(mockMachineAuthResponses.api_key.endpoint, () => {
             return HttpResponse.json(mockVerificationResults.api_key);
@@ -1409,8 +1409,83 @@ describe('tokens.authenticateRequest(options)', () => {
         expect(requestState).toBeMachineAuthenticated();
       });
 
-      test('returns unauthenticated state when token type is not in the acceptsToken array', async () => {
+      test('accepts session token in header when session_token is in the acceptsToken array', async () => {
+        server.use(
+          http.get('https://api.clerk.test/v1/jwks', () => {
+            return HttpResponse.json(mockJwks);
+          }),
+        );
+
+        const request = mockRequest({ authorization: `Bearer ${mockJwt}` });
+        const requestState = await authenticateRequest(
+          request,
+          mockOptions({ acceptsToken: ['session_token', 'api_key'] }),
+        );
+
+        expect(requestState).toBeSignedIn();
+        expect(requestState.toAuth()).toBeSignedInToAuth();
+      });
+
+      test('accepts session token in cookie when session_token is in the acceptsToken array', async () => {
+        server.use(
+          http.get('https://api.clerk.test/v1/jwks', () => {
+            return HttpResponse.json(mockJwks);
+          }),
+        );
+
+        const requestState = await authenticateRequest(
+          mockRequestWithCookies(
+            {},
+            {
+              __session: mockJwt,
+              __client_uat: '12345',
+            },
+          ),
+          mockOptions({ acceptsToken: ['session_token', 'api_key'] }),
+        );
+
+        // The key assertion: session token is accepted (not rejected as invalid token)
+        // Cookie-based auth may trigger handshake flow, but should not return TokenTypeMismatch
+        expect(requestState.tokenType).not.toBeNull();
+        expect(requestState.reason).not.toBe(AuthErrorReason.TokenTypeMismatch);
+      });
+
+      test('accepts machine token when acceptsToken array contains mixed token types', async () => {
+        server.use(
+          http.post(mockMachineAuthResponses.m2m_token.endpoint, () => {
+            return HttpResponse.json(mockVerificationResults.m2m_token);
+          }),
+        );
+
         const request = mockRequest({ authorization: `Bearer ${mockTokens.m2m_token}` });
+        const requestState = await authenticateRequest(
+          request,
+          mockOptions({ acceptsToken: ['session_token', 'm2m_token'] }),
+        );
+
+        expect(requestState).toBeMachineAuthenticated();
+      });
+
+      test('returns unauthenticated state when machine token type is not in the acceptsToken array', async () => {
+        const request = mockRequest({ authorization: `Bearer ${mockTokens.m2m_token}` });
+        const requestState = await authenticateRequest(
+          request,
+          mockOptions({ acceptsToken: ['api_key', 'oauth_token'] }),
+        );
+
+        expect(requestState).toBeMachineUnauthenticated({
+          tokenType: null,
+          reason: AuthErrorReason.TokenTypeMismatch,
+          message: '',
+        });
+        expect(requestState.toAuth()).toBeMachineUnauthenticatedToAuth({
+          tokenType: null,
+          isAuthenticated: false,
+        });
+      });
+
+      test('returns unauthenticated state when session token is provided but not in the acceptsToken array', async () => {
+        const request = mockRequest({ authorization: `Bearer ${mockJwt}` });
         const requestState = await authenticateRequest(
           request,
           mockOptions({ acceptsToken: ['api_key', 'oauth_token'] }),
@@ -1426,6 +1501,25 @@ describe('tokens.authenticateRequest(options)', () => {
           isAuthenticated: false,
         });
       });
+
+      test('returns unauthenticated state when no token is provided and acceptsToken array contains only machine tokens', async () => {
+        const requestState = await authenticateRequest(
+          mockRequestWithCookies(
+            {},
+            {
+              __session: mockJwt,
+              __client_uat: '12345',
+            },
+          ),
+          mockOptions({ acceptsToken: ['api_key', 'm2m_token'] }),
+        );
+
+        expect(requestState).toBeMachineUnauthenticated({
+          tokenType: null,
+          reason: AuthErrorReason.TokenTypeMismatch,
+          message: '',
+        });
+      });
     });
 
     describe('Token Location Validation', () => {

diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -782,7 +782,7 @@ export const authenticateRequest: AuthenticateRequest = (async (
   }
 
   if (authenticateContext.tokenInHeader) {
-    if (acceptsToken === 'any') {
+    if (acceptsToken === 'any' || Array.isArray(acceptsToken)) {
       return authenticateAnyRequestWithTokenInHeader();
     }
     if (acceptsToken === TokenType.SessionToken) {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		---
		---
Comment on lines +1 to +2 Copy link Contributor coderabbitai bot Jan 8, 2026 • edited Loading Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. ⚠️ Potential issue \| 🟡 Minor Empty changeset content. The changeset file contains only YAML delimiters with no content describing the changes. Changeset files typically include the package name and a description of the change for version tracking and changelog generation. Verify whether this is intentional (e.g., auto-populated by tooling) or if content needs to be added manually. 🤖 Prompt for AI Agents `In @.changeset/weak-wombats-begin.md around lines 1 - 2, The changeset file is empty (only YAML delimiters); replace the empty content with a valid changeset YAML that names the affected package(s), specifies the release type (patch/minor/major), and includes a short descriptive summary of the change (and optionally author/PR) so changelog/version tooling can parse it; ensure the YAML is syntactically correct and not just '---' delimiters.` Copy link Member jacekradko Jan 8, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. @wobsoriano We should have a changeset for the backend pacakge Copy link Contributor coderabbitai bot Jan 8, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out! Copy link Member Author wobsoriano Jan 8, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. This was released in core 2 as well. Do we still need it here? Copy link Member jacekradko Jan 9, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. That's fair. We haven't really split the changesets this way for many of the core-2 + core-3 features so it feels odd to have this empty. All good though wobsoriano reacted with thumbs up emoji