chore(nextjs)!: Throw when missing encryption key (#7360)

brkalow · web-flow · commit f56b6b9c7c87 · 2025-12-04T10:28:19.000+02:00
diff --git a/.changeset/moody-peaches-stare.md b/.changeset/moody-peaches-stare.md
@@ -0,0 +1,5 @@
+---
+'@clerk/nextjs': major
+---
+
+Throw an error when an encryption key is missing when passing a secret key at runtime `clerkMiddleware()`. To migrate, ensure your application specifies a `CLERK_ENCRYPTION_KEY` environment variable when passing `secretKey` as a runtime option.
diff --git a/packages/nextjs/src/server/errors.ts b/packages/nextjs/src/server/errors.ts
@@ -34,3 +34,5 @@ export const authSignatureInvalid = `Clerk: Unable to verify request, this usual
 export const encryptionKeyInvalid = `Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/reference/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`;
 
 export const encryptionKeyInvalidDev = `Clerk: Unable to decrypt request data.\n\nRefresh the page if your .env file was just updated. If the issue persists, ensure the encryption key is valid and properly set.\n\nFor more information, see: https://clerk.com/docs/reference/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)`;
+export const encryptionKeyMissing =
+  'Clerk: Missing `CLERK_ENCRYPTION_KEY`. Required for propagating `secretKey` middleware option. See docs: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_missing)';
diff --git a/packages/nextjs/src/server/utils.ts b/packages/nextjs/src/server/utils.ts
@@ -2,7 +2,6 @@ import type { AuthObject } from '@clerk/backend';
 import type { AuthenticateRequestOptions, ClerkRequest, RequestState } from '@clerk/backend/internal';
 import { constants } from '@clerk/backend/internal';
 import { isDevelopmentFromSecretKey } from '@clerk/shared/keys';
-import { logger } from '@clerk/shared/logger';
 import { isHttpOrHttps } from '@clerk/shared/proxy';
 import { handleValueOrFn, isProductionEnvironment } from '@clerk/shared/utils';
 import { NextResponse } from 'next/server';
@@ -15,6 +14,7 @@ import {
   authSignatureInvalid,
   encryptionKeyInvalid,
   encryptionKeyInvalidDev,
+  encryptionKeyMissing,
   missingDomainAndProxy,
   missingSignInUrlInDev,
 } from './errors';
@@ -200,12 +200,7 @@ export function encryptClerkRequestData(
   }
 
   if (requestData.secretKey && !ENCRYPTION_KEY) {
-    // TODO SDK-1833: change this to an error in the next major version of `@clerk/nextjs`
-    logger.warnOnce(
-      'Clerk: Missing `CLERK_ENCRYPTION_KEY`. Required for propagating `secretKey` middleware option. See docs: https://clerk.com/docs/reference/nextjs/clerk-middleware#dynamic-keys',
-    );
-
-    return;
+    throw new Error(encryptionKeyMissing);
   }
 
   const maybeKeylessEncryptionKey = isProductionEnvironment()

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/nextjs': major
 +---
++
 +Throw an error when an encryption key is missing when passing a secret key at runtime `clerkMiddleware()`. To migrate, ensure your application specifies a `CLERK_ENCRYPTION_KEY` environment variable when passing `secretKey` as a runtime option.