Improve key missing error handling with custom hooks

[thiskevinwang]

Description

This PR updates the Clerk Next.js SDK to provide more flexible handling for missing PUBLISHABLE_KEY and SECRET_KEY environment variables. Previously, the SDK would throw disruptive runtime errors, blocking Next.js app rendering.

Changes introduced:

1. New Hooks in clerkMiddleware:
   • Introduces onMissingPublishableKey and onMissingSecretKey options to ClerkMiddlewareOptions.
   • If a key is missing and a corresponding hook is provided:
     • If the hook returns a NextResponse, it is used as the middleware result.
     • If the hook returns void, the middleware proceeds by returning NextResponse.next() and setting x-clerk-auth-status: signed-out, allowing the app to render without crashing.
   • If no hook is provided for a missing key, the SDK retains its previous behavior of throwing an error.
2. Non-throwing Keyless Actions:
   • The unconditional error throw in packages/nextjs/src/app-router/keyless-actions.ts for a missing publishable key during keyless operations has been removed. It now returns null, allowing the application to continue gracefully.

How to test:

Configure the new hooks in your clerkMiddleware to observe the custom behavior when NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY or CLERK_SECRET_KEY are missing from your environment.

// pages/_middleware.ts or middleware.ts
import { clerkMiddleware } from '@clerk/nextjs/server';
import { NextResponse } from 'next/server';

export default clerkMiddleware((auth, req) => {
  // your existing middleware logic
}, {
  onMissingPublishableKey: (req) => {
    console.warn('Clerk: NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY is missing. Continuing unauthenticated.');
    // Example: redirect to a setup page or return a custom response
    // return NextResponse.redirect('/clerk-setup');
    // Returning void (or nothing) will continue the request with an unauthenticated state.
  },
  onMissingSecretKey: (req) => {
    console.error('Clerk: CLERK_SECRET_KEY is missing. This is a critical error.');
    // Example: return a 500 error page or a maintenance page
    return new NextResponse('Internal Server Error: Clerk configuration missing.', { status: 500 });
  },
});

If these hooks are not provided, the existing throwing behavior will remain.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

---

Slack Thread

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Project	Status	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready	Visit Preview	💬 Add feedback	Aug 11, 2025 8:20pm

[panteliselef]

@thiskevinwang can you share here or in private what is the intention with these new hooks and what do they unlock ? Are they aimed for "internal" aka Clerk usage or for developers/customers ?

In this supposed to be a recovery mechanism when Keyless fails to work, or is it overriding Keyless ? Does it unlock a new way to create keys ?

[panteliselef]

If I understand the usage correctly those should only be executed in DEV. Also if we are thinking these hooks as something that will enable extra Clerk functionality we should prefix them with __internal_.

[panteliselef]

was this autogenerated ?

[panteliselef]

❓ Why is Keyless being affected by these changes ?

[panteliselef]

Can you clarify how this operates on the client ?

@clerk/clerk-react will throw if the publishable key is missing, since to the url encoded withing the PK is required to hotload clerk-js.