feat(expo): add hosted auth flow

[mikepitre]

Summary

Adds the Expo client SDK surface for hosted auth through Account Portal.

Expo apps can now start a hosted sign-in or sign-up flow in the system browser, return through a native callback, and activate the single Clerk session that ClerkGo attaches to the native client.

What Changed

• Adds useHostedAuth() through the opt-in @clerk/expo/hosted-auth subpath.
• Opens Account Portal with expo-web-browser / expo-auth-session.
• Generates and validates state for callback correlation.
• Generates a PKCE verifier/challenge pair and sends only the challenge when creating the hosted-auth attempt.
• Redeems the returned rotating token nonce from the Expo hosted-auth helper.
• Applies the returned /client payload to the existing Clerk client and activates the created native session.

Developer Experience

import { useHostedAuth } from '@clerk/expo/hosted-auth';

const { startHostedAuth } = useHostedAuth();

await startHostedAuth();
await startHostedAuth({ mode: 'sign-up' });

Apps may pass mode: 'sign-in' | 'sign-up', a custom redirectUrl, or authSessionOptions. The default Expo redirect URI is enough for the simulator/local flow.

Flow

1. The hook creates a redirect URL, random state, and PKCE verifier/challenge.
2. It asks ClerkGo to create a hosted-auth Account Portal URL.
3. It opens that URL with openAuthSessionAsync.
4. On callback, it validates the redirect URL and state.
5. It redeems the returned rotating_token_nonce with the original PKCE verifier.
6. It updates the current Clerk client instance and calls setActive with the created native session.

Security

• Uses a random state and verifies it on callback so the app only accepts the browser result for the auth attempt it initiated.
• Uses PKCE so ClerkGo stores the challenge at creation time and requires the matching verifier at redemption time.
• Sends the PKCE verifier in the FAPI request body, not in the URL.
• Validates callback protocol, host, and path against the initiated redirect URL before redeeming anything.
• Does not create or keep a web session in the SDK; the browser only drives Account Portal and the completed session is attached to the native client.
• Leaves production redirect-url allowlisting enforced by ClerkGo.

Implementation Notes

Hosted auth is exposed from @clerk/expo/hosted-auth so apps that import the default @clerk/expo package do not need to resolve optional Expo auth/browser/crypto peer dependencies unless they opt into this flow.

The completion request is a physical POST /v1/client with _method=GET in the form body. That lets the backend route to the existing /client read/rotation path while keeping the PKCE verifier out of query strings and logs.

The verifier-bound completion stays scoped to packages/expo/src/utils/hostedAuth.ts. Generic Client.reload() remains the normal GET reload path, so ClerkJS core does not gain hosted-auth-specific branches.

Screen Recording

Simulator.Screen.Recording.-.iPhone.Air.+.Watch.-.2026-06-24.at.14.08.05.mov

Related PRs

• ClerkGo: https://github.com/clerk/clerk_go/pull/19852
• Accounts: https://github.com/clerk/accounts/pull/1429

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 25, 2026 5:18am
swingset	Ready	Preview, Comment	Jun 25, 2026 5:18am

[changeset-bot]

🦋 Changeset detected

Latest commit: 63f5baa

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 23 packages

Name	Type
@clerk/expo	Patch
@clerk/clerk-js	Patch
@clerk/shared	Patch
@clerk/chrome-extension	Patch
@clerk/electron	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/headless	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/react	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch
@clerk/swingset	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds hosted auth support for native Expo apps, with new hook and utility APIs, shared PKCE/codeVerifier plumbing, public re-exports, and tests.

Changes

Hosted Auth Flow for Expo

Layer / File(s)	Summary
Shared reload and FAPI params packages/shared/src/types/resource.ts, packages/clerk-js/src/core/resources/Client.ts, packages/clerk-js/src/core/__tests__/fapiClient.test.ts, packages/clerk-js/src/core/resources/__tests__/Client.test.ts	ClerkResourceReloadParams gains codeVerifier, Client.reload redeems hosted-auth callbacks with nonce and verifier, and the related FAPI/client tests cover the new request shape and query parameter.
Hosted auth utility packages/expo/src/utils/hostedAuth.ts	createHostedAuth resolves an FAPI client, POSTs /client/hosted_auth, validates the response payload, and surfaces API errors with retry-after data.
Hosted auth hook and exports packages/expo/src/hooks/useHostedAuth.ts, packages/expo/src/hooks/index.ts, packages/expo/src/types/index.ts, .changeset/hosted-auth-expo.md	useHostedAuth adds PKCE/state generation, callback validation, client reload and session activation, and the Expo hook/type re-exports and changeset entry expose the new API.
Hosted auth tests packages/expo/src/hooks/__tests__/useHostedAuth.test.ts	Vitest coverage exercises the hook’s success path, state and session fallback behavior, callback validation, and hosted-auth error cases with mocked Expo and Clerk modules.

Sequence Diagram(s)

sequenceDiagram
  participant useHostedAuth
  participant createHostedAuth
  participant expoWebBrowser
  participant Client
  participant clerk

  useHostedAuth->>createHostedAuth: create hosted-auth URL
  createHostedAuth->>clerk: POST /client/hosted_auth
  createHostedAuth-->>useHostedAuth: hosted-auth URL
  useHostedAuth->>expoWebBrowser: openAuthSessionAsync(hosted-auth URL, redirectUrl)
  expoWebBrowser-->>useHostedAuth: callback URL
  useHostedAuth->>Client: reload({ rotatingTokenNonce, codeVerifier })
  Client-->>useHostedAuth: updated client
  useHostedAuth->>clerk: setActive(created_session_id)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

• wobsoriano

Poem

A bunny hopped through PKCE light,
With hosted auth all snug and right.
A nonce, a state, a code verifier too,
Then sessions clicked in, bright and new.
🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: adding Expo hosted auth flow support.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8960

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8960

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8960

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8960

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8960

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8960

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8960

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8960

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8960

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8960

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8960

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8960

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8960

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8960

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8960

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8960

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8960

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8960

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8960

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8960

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8960

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8960

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8960

commit: 63f5baa

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-25T05:19:37.359Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	1
🔴 Breaking changes	0
🟡 Non-breaking changes	0
🟢 Additions	1

---

@clerk/expo

Current version: 3.5.4
Recommended bump: MINOR → 3.6.0

Subpath ./hosted-auth

🟢 Additions (1)

Added: ./hosted-auth

New subpath export ./hosted-auth (4 exported members)

---

Report generated by Break Check

_{Last ran on 63f5baa.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/clerk-js/src/core/resources/Base.ts (1)

204-210: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Don't send the PKCE verifier through _baseGet.

Line 209 forwards codeVerifier on a hard-coded GET, and packages/clerk-js/src/core/fapiClient.ts serializes that field into the URL as code_verifier. That puts the PKCE secret in request URLs, which are routinely captured by logs, proxies, and request instrumentation. This redemption should go through a body-bearing request instead of the _baseGet path.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/clerk-js/src/core/resources/Base.ts` around lines 204 - 210, The
_baseGet method in BaseResource is forwarding codeVerifier into a hard-coded GET
request, which causes fapiClient serialization to place the PKCE secret in the
URL. Update BaseResource._baseGet so it no longer passes codeVerifier through
the GET path; instead, route this redemption through a body-bearing request flow
or another non-URL transport, and keep the existing path/rotatingTokenNonce
behavior intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/expo/src/hooks/useHostedAuth.ts`:
- Around line 10-30: Add customer-facing JSDoc for the new public hosted-auth
exports so generated docs are populated and reviewable. Document HostedAuthMode,
StartHostedAuthParams, and StartHostedAuthReturnType with concise descriptions
of their purpose and fields, and add JSDoc on useHostedAuth explaining what the
hook provides. Also give useHostedAuth an explicit return type instead of
relying on inference, matching the repo’s public API guidelines and keeping the
exported surface in line with other SDK APIs.
- Around line 12-23: The public types in useHostedAuth are leaking optional Expo
browser dependencies into the `@clerk/expo` API surface. Update
StartHostedAuthParams and StartHostedAuthReturnType so they no longer reference
WebBrowser.AuthSessionOpenOptions, WebBrowser.WebBrowserAuthSessionResult, or
ClientResource directly in the exported declarations; instead, hide those behind
local/internal interfaces or move the hosted-auth-specific types into a separate
entrypoint. Ensure the exposed .d.ts for useHostedAuth only contains
dependency-agnostic types so consumers who do not install expo-auth-session or
expo-web-browser are not forced to resolve them.
- Around line 189-205: The callback URL validation in
callbackUrlMatchesRedirectUrl currently skips authority checking when the
redirect URL has an empty host, which allows unexpected authorities like
attacker-controlled hosts to pass for triple-slashed deep links. Update the
matching logic in useHostedAuth.ts to compare the callbackUrl host/authority and
pathname exactly against the parsed redirectUrl for hosted-auth callbacks,
instead of treating an empty expected host as a wildcard. Add a regression test
covering a redirectUrl such as myapp:///hosted-auth-callback and a mismatched
callbackUrl like myapp://attacker/hosted-auth-callback to ensure the authority
is rejected.

---

Outside diff comments:
In `@packages/clerk-js/src/core/resources/Base.ts`:
- Around line 204-210: The _baseGet method in BaseResource is forwarding
codeVerifier into a hard-coded GET request, which causes fapiClient
serialization to place the PKCE secret in the URL. Update BaseResource._baseGet
so it no longer passes codeVerifier through the GET path; instead, route this
redemption through a body-bearing request flow or another non-URL transport, and
keep the existing path/rotatingTokenNonce behavior intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 9713ccce-5bc5-4f09-bb0b-c9275074bbd5

📥 Commits

Reviewing files that changed from the base of the PR and between 52d310c and 4d734f0.

📒 Files selected for processing (10)

• .changeset/hosted-auth-expo.md
• packages/clerk-js/src/core/__tests__/fapiClient.test.ts
• packages/clerk-js/src/core/fapiClient.ts
• packages/clerk-js/src/core/resources/Base.ts
• packages/expo/src/hooks/__tests__/useHostedAuth.test.ts
• packages/expo/src/hooks/index.ts
• packages/expo/src/hooks/useHostedAuth.ts
• packages/expo/src/types/index.ts
• packages/expo/src/utils/hostedAuth.ts
• packages/shared/src/types/resource.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4d734f0d8b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5dfea68732

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/clerk-js/src/core/resources/Client.ts (1)

81-100: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Clarify docs for the new reload hosted-auth path.

This changes a public method’s behavior when rotatingTokenNonce and codeVerifier are paired, but there’s still no method-level JSDoc explaining when callers should use that path or that the verifier is redeemed from the request body. If Client.reload is reference-facing, please document it and loop in Docs. As per path instructions, "If a PR adds or changes public/reference-facing API surface area, check whether the corresponding JSDoc is present, accurate, and aligned with the implementation."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/clerk-js/src/core/resources/Client.ts` around lines 81 - 100,
`Client.reload` now has a hosted-auth branch when `rotatingTokenNonce` and
`codeVerifier` are present, but the public API lacks JSDoc describing when to
use it and that the verifier is sent in the request body. Add method-level
documentation on `Client.reload` explaining the two reload paths, the required
pairing of `rotatingTokenNonce` with `codeVerifier`, and that this path redeems
the verifier via the POST body; keep the docs aligned with the implementation
and note that Docs should be looped in for this reference-facing change.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/clerk-js/src/core/__tests__/fapiClient.test.ts`:
- Line 154: The test in fapiClient should cover both rotating token nonce
behavior and the security edge case that codeVerifier is never included in the
generated URL. Update the existing `adds rotating token nonce when provided`
test around `buildUrl()` to assert the nonce is present while also verifying
`code_verifier` is not emitted, using the same `FapiClient` URL-building path so
the regression is caught if PKCE data ever leaks.

---

Nitpick comments:
In `@packages/clerk-js/src/core/resources/Client.ts`:
- Around line 81-100: `Client.reload` now has a hosted-auth branch when
`rotatingTokenNonce` and `codeVerifier` are present, but the public API lacks
JSDoc describing when to use it and that the verifier is sent in the request
body. Add method-level documentation on `Client.reload` explaining the two
reload paths, the required pairing of `rotatingTokenNonce` with `codeVerifier`,
and that this path redeems the verifier via the POST body; keep the docs aligned
with the implementation and note that Docs should be looped in for this
reference-facing change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 745841d4-8924-4910-bab0-04c9e597e775

📥 Commits

Reviewing files that changed from the base of the PR and between 5dfea68 and 9b96d7f.

📒 Files selected for processing (6)

• packages/clerk-js/src/core/__tests__/fapiClient.test.ts
• packages/clerk-js/src/core/resources/Client.ts
• packages/clerk-js/src/core/resources/__tests__/Client.test.ts
• packages/expo/src/hooks/__tests__/useHostedAuth.test.ts
• packages/expo/src/hooks/useHostedAuth.ts
• packages/expo/src/utils/hostedAuth.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/expo/src/utils/hostedAuth.ts
• packages/expo/src/hooks/useHostedAuth.ts
• packages/expo/src/hooks/tests/useHostedAuth.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 585a66c643

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d0e5c32c92

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".