fix(backend): handle multiple token types in acceptsToken array

[Ayush2k02]

Fixes token-type-mismatch error when using multiple acceptsToken values in authenticateRequest.

Problem

When acceptsToken is an array containing both session and machine token types (e.g., ['session_token', 'api_key']), the function would always route to the machine token authentication handler, causing session tokens to fail with token-type-mismatch errors.

Root Cause

In request.ts:784-792, the routing logic checked:

if (authenticateContext.tokenInHeader) {
  if (acceptsToken === 'any') {
    return authenticateAnyRequestWithTokenInHeader();
  }
  if (acceptsToken === TokenType.SessionToken) {  // ❌ FALSE when acceptsToken is an array
    return authenticateRequestWithTokenInHeader();
  }
  return authenticateMachineRequestWithTokenInHeader();  // ❌ Always executed for arrays
}

When acceptsToken is ['session_token', 'api_key'], the condition acceptsToken === TokenType.SessionToken evaluates to false (array !== string), causing all tokens to be routed to authenticateMachineRequestWithTokenInHeader().

Solution

Added routing logic that checks the actual token type when acceptsToken is an array:

// When acceptsToken is an array, route based on the actual token type
if (Array.isArray(acceptsToken)) {
  if (isMachineToken(authenticateContext.tokenInHeader)) {
    return authenticateMachineRequestWithTokenInHeader();
  }
  return authenticateRequestWithTokenInHeader();
}

Now:

• If the token is a machine token (api_key, m2m_token, oauth_token) → routes to machine handler
• Otherwise → routes to session token handler

Changes

• Modified authenticateRequest in packages/backend/src/tokens/request.ts to handle array routing correctly
• Added test for session_token in array with machine tokens
• Added test for api_key in array with session_token
• Added changeset for patch release

Testing

Added two new test cases:

1. ✅ session_token is accepted when in array with api_key
2. ✅ api_key is accepted when in array with session_token

Both scenarios now work correctly without token-type-mismatch errors.

Fixes #7520

Summary by CodeRabbit

Bug Fixes

• Fixed authentication routing to properly handle multiple accepted token types (e.g., session tokens and API keys), ensuring the appropriate authentication handler is correctly selected based on the actual token type in use.

Tests

• Added test coverage for multi-token authentication scenarios, verifying proper token type handling and routing behavior in various combinations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: a90fad5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages

Name	Type
@clerk/backend	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

@Ayush2k02 is attempting to deploy a commit to the Clerk Production Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request fixes authentication request routing when acceptsToken is configured as an array containing multiple token types. Previously, requests would fail with a token-type-mismatch error when using a valid token type that wasn't processed first. The fix introduces routing logic to inspect the actual token type in the request header and delegate to the appropriate authentication handler (machine token or session token verifier) based on what was actually sent, while preserving existing behavior for non-array acceptsToken configurations. Two test cases validate the fix for session and API key token scenarios.

Pre-merge checks

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: handling multiple token types in the acceptsToken array parameter, which is the core fix addressed by the PR.
Linked Issues check	✅ Passed	The code changes successfully address issue #7520: they implement routing logic to distinguish between session and machine tokens when acceptsToken is an array, include tests validating both token types are now accepted, and resolve the token-type-mismatch error previously occurring with session tokens in mixed arrays.
Out of Scope Changes check	✅ Passed	All changes remain focused on the stated objective: fixing token routing in the authenticateRequest function, adding corresponding tests, and creating a changeset. No unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Ayush2k02]

Hey, any updates on this !

[wobsoriano]

Hi there! We're back from vacation now. We should be able to check your pull request soon.

Thanks for your patience!