From 05d6c8ee056189cbe95530d518c8b6a1f0750d5d Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Mon, 30 Jun 2025 21:04:49 -0700
Subject: [PATCH 01/11] chore(backend): Introduce machine token secrets as
 authorization header

---
 .../src/api/endpoints/MachineTokensApi.ts     | 85 +++++++++++++++++++
 packages/backend/src/api/request.ts           |  2 +-
 2 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/packages/backend/src/api/endpoints/MachineTokensApi.ts b/packages/backend/src/api/endpoints/MachineTokensApi.ts
index 4c61f35d235..75887a5841b 100644
--- a/packages/backend/src/api/endpoints/MachineTokensApi.ts
+++ b/packages/backend/src/api/endpoints/MachineTokensApi.ts
@@ -1,10 +1,95 @@
 import { joinPaths } from '../../util/path';
+import type { ClerkBackendApiRequestOptions } from '../request';
 import type { MachineToken } from '../resources/MachineToken';
 import { AbstractAPI } from './AbstractApi';
 
 const basePath = '/m2m_tokens';
 
+type WithMachineTokenSecret<T> = T & { machineTokenSecret?: string | null };
+
+type CreateMachineTokenParams = WithMachineTokenSecret<{
+  name: string;
+  subject: string;
+  claims?: Record<string, any> | null;
+  scopes?: string[];
+  createdBy?: string | null;
+  secondsUntilExpiration?: number | null;
+}>;
+
+type UpdateMachineTokenParams = WithMachineTokenSecret<
+  {
+    m2mTokenId: string;
+    revoked?: boolean;
+  } & Pick<CreateMachineTokenParams, 'secondsUntilExpiration' | 'claims' | 'scopes'>
+>;
+
+type RevokeMachineTokenParams = WithMachineTokenSecret<{
+  m2mTokenId: string;
+  revocationReason?: string | null;
+}>;
+
 export class MachineTokensApi extends AbstractAPI {
+  /**
+   * Attaches the machine token secret as an Authorization header if present.
+   */
+  #withMachineTokenSecretHeader<T extends WithMachineTokenSecret<unknown>>(
+    options: ClerkBackendApiRequestOptions,
+    params: T,
+  ): ClerkBackendApiRequestOptions {
+    if (params.machineTokenSecret) {
+      return {
+        ...options,
+        headerParams: {
+          Authorization: `Bearer ${params.machineTokenSecret}`,
+        },
+      };
+    }
+    return options;
+  }
+
+  async create(params: CreateMachineTokenParams) {
+    return this.request<MachineToken>(
+      this.#withMachineTokenSecretHeader(
+        {
+          method: 'POST',
+          path: basePath,
+          bodyParams: params,
+        },
+        params,
+      ),
+    );
+  }
+
+  async update(params: UpdateMachineTokenParams) {
+    const { m2mTokenId, ...bodyParams } = params;
+    this.requireId(m2mTokenId);
+    return this.request<MachineToken>(
+      this.#withMachineTokenSecretHeader(
+        {
+          method: 'PATCH',
+          path: joinPaths(basePath, m2mTokenId),
+          bodyParams,
+        },
+        params,
+      ),
+    );
+  }
+
+  async revoke(params: RevokeMachineTokenParams) {
+    const { m2mTokenId, ...bodyParams } = params;
+    this.requireId(m2mTokenId);
+    return this.request<MachineToken>(
+      this.#withMachineTokenSecretHeader(
+        {
+          method: 'POST',
+          path: joinPaths(basePath, m2mTokenId, 'revoke'),
+          bodyParams,
+        },
+        params,
+      ),
+    );
+  }
+
   async verifySecret(secret: string) {
     return this.request<MachineToken>({
       method: 'POST',
diff --git a/packages/backend/src/api/request.ts b/packages/backend/src/api/request.ts
index 59eacf4fd0d..8ab4a80df9a 100644
--- a/packages/backend/src/api/request.ts
+++ b/packages/backend/src/api/request.ts
@@ -108,7 +108,7 @@ export function buildRequest(options: BuildRequestOptions) {
       ...headerParams,
     };
 
-    if (secretKey) {
+    if (secretKey && !headers.Authorization) {
       headers.Authorization = `Bearer ${secretKey}`;
     }
 

From ca7a8be3f4c8af1561dd87c29923d44db8a7d65b Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Mon, 30 Jun 2025 21:36:21 -0700
Subject: [PATCH 02/11] chore: clean up

---
 .../src/api/endpoints/MachineTokensApi.ts     | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/packages/backend/src/api/endpoints/MachineTokensApi.ts b/packages/backend/src/api/endpoints/MachineTokensApi.ts
index 75887a5841b..0484bd43dd3 100644
--- a/packages/backend/src/api/endpoints/MachineTokensApi.ts
+++ b/packages/backend/src/api/endpoints/MachineTokensApi.ts
@@ -29,18 +29,15 @@ type RevokeMachineTokenParams = WithMachineTokenSecret<{
 }>;
 
 export class MachineTokensApi extends AbstractAPI {
-  /**
-   * Attaches the machine token secret as an Authorization header if present.
-   */
-  #withMachineTokenSecretHeader<T extends WithMachineTokenSecret<unknown>>(
+  #withMachineTokenSecretHeader(
     options: ClerkBackendApiRequestOptions,
-    params: T,
+    machineTokenSecret?: string | null,
   ): ClerkBackendApiRequestOptions {
-    if (params.machineTokenSecret) {
+    if (machineTokenSecret) {
       return {
         ...options,
         headerParams: {
-          Authorization: `Bearer ${params.machineTokenSecret}`,
+          Authorization: `Bearer ${machineTokenSecret}`,
         },
       };
     }
@@ -48,20 +45,21 @@ export class MachineTokensApi extends AbstractAPI {
   }
 
   async create(params: CreateMachineTokenParams) {
+    const { machineTokenSecret, ...bodyParams } = params;
     return this.request<MachineToken>(
       this.#withMachineTokenSecretHeader(
         {
           method: 'POST',
           path: basePath,
-          bodyParams: params,
+          bodyParams,
         },
-        params,
+        machineTokenSecret,
       ),
     );
   }
 
   async update(params: UpdateMachineTokenParams) {
-    const { m2mTokenId, ...bodyParams } = params;
+    const { m2mTokenId, machineTokenSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
     return this.request<MachineToken>(
       this.#withMachineTokenSecretHeader(
@@ -70,13 +68,13 @@ export class MachineTokensApi extends AbstractAPI {
           path: joinPaths(basePath, m2mTokenId),
           bodyParams,
         },
-        params,
+        machineTokenSecret,
       ),
     );
   }
 
   async revoke(params: RevokeMachineTokenParams) {
-    const { m2mTokenId, ...bodyParams } = params;
+    const { m2mTokenId, machineTokenSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
     return this.request<MachineToken>(
       this.#withMachineTokenSecretHeader(
@@ -85,7 +83,7 @@ export class MachineTokensApi extends AbstractAPI {
           path: joinPaths(basePath, m2mTokenId, 'revoke'),
           bodyParams,
         },
-        params,
+        machineTokenSecret,
       ),
     );
   }

From af6a27b1aaae8491b7148fb503f1f94f2d03845b Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 07:27:25 -0700
Subject: [PATCH 03/11] chore: use a more readable option for bapi proxy
 methods

---
 packages/backend/src/api/factory.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/backend/src/api/factory.ts b/packages/backend/src/api/factory.ts
index ce83dac4328..5283aafbc09 100644
--- a/packages/backend/src/api/factory.ts
+++ b/packages/backend/src/api/factory.ts
@@ -68,6 +68,7 @@ export function createBackendApiClient(options: CreateBackendApiOptions) {
       buildRequest({
         ...options,
         skipApiVersionInUrl: true,
+        requireSecretKey: false,
       }),
     ),
     oauthApplications: new OAuthApplicationsApi(request),

From fa942278dbdc71cc1b40ddee67e30a9b4e5cb408 Mon Sep 17 00:00:00 2001
From: Robert Soriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 08:13:09 -0700
Subject: [PATCH 04/11] chore: add initial changeset

---
 .changeset/hot-tables-worry.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/hot-tables-worry.md

diff --git a/.changeset/hot-tables-worry.md b/.changeset/hot-tables-worry.md
new file mode 100644
index 00000000000..2637253987a
--- /dev/null
+++ b/.changeset/hot-tables-worry.md
@@ -0,0 +1,5 @@
+---
+"@clerk/backend": minor
+---
+
+WIP M2M Tokens

From 8dcd6076c7850c5e6955f174c83ac88e277ba825 Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 11:43:40 -0700
Subject: [PATCH 05/11] chore: add machine_secret_key type to api keys api

---
 packages/backend/src/api/endpoints/APIKeysApi.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/backend/src/api/endpoints/APIKeysApi.ts b/packages/backend/src/api/endpoints/APIKeysApi.ts
index bf0767d3a16..7e7d706a7a7 100644
--- a/packages/backend/src/api/endpoints/APIKeysApi.ts
+++ b/packages/backend/src/api/endpoints/APIKeysApi.ts
@@ -5,7 +5,7 @@ import { AbstractAPI } from './AbstractApi';
 const basePath = '/api_keys';
 
 type CreateAPIKeyParams = {
-  type?: 'api_key';
+  type?: 'api_key' | 'machine_secret_key';
   /**
    * API key name
    */

From 7bb3eb81f28a4913e5410f98cf353d7d0d282d9e Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 14:31:07 -0700
Subject: [PATCH 06/11] chore: reuse header consts

---
 packages/backend/src/api/request.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/backend/src/api/request.ts b/packages/backend/src/api/request.ts
index a5c89e19212..29c5d1b3dcb 100644
--- a/packages/backend/src/api/request.ts
+++ b/packages/backend/src/api/request.ts
@@ -104,12 +104,12 @@ export function buildRequest(options: BuildRequestOptions) {
     // Build headers
     const headers = new Headers({
       'Clerk-API-Version': SUPPORTED_BAPI_VERSION,
-      'User-Agent': userAgent,
+      [constants.Headers.UserAgent]: userAgent,
       ...headerParams,
     });
 
-    if (secretKey && !headers.has('Authorization')) {
-      headers.set('Authorization', `Bearer ${secretKey}`);
+    if (secretKey && !headers.has(constants.Headers.Authorization)) {
+      headers.set(constants.Headers.Authorization, `Bearer ${secretKey}`);
     }
 
     let res: Response | undefined;

From 424a5a468c8f5e77945177fd7b33723af8021d52 Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 14:55:08 -0700
Subject: [PATCH 07/11] chore: rename to machine secret

---
 .../src/api/endpoints/MachineTokensApi.ts     | 48 +++++++++++--------
 packages/backend/src/tokens/verify.ts         |  2 +-
 2 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/packages/backend/src/api/endpoints/MachineTokensApi.ts b/packages/backend/src/api/endpoints/MachineTokensApi.ts
index 0484bd43dd3..11f038ef638 100644
--- a/packages/backend/src/api/endpoints/MachineTokensApi.ts
+++ b/packages/backend/src/api/endpoints/MachineTokensApi.ts
@@ -5,9 +5,9 @@ import { AbstractAPI } from './AbstractApi';
 
 const basePath = '/m2m_tokens';
 
-type WithMachineTokenSecret<T> = T & { machineTokenSecret?: string | null };
+type WithMachineSecret<T> = T & { machineSecret?: string | null };
 
-type CreateMachineTokenParams = WithMachineTokenSecret<{
+type CreateMachineTokenParams = WithMachineSecret<{
   name: string;
   subject: string;
   claims?: Record<string, any> | null;
@@ -16,28 +16,32 @@ type CreateMachineTokenParams = WithMachineTokenSecret<{
   secondsUntilExpiration?: number | null;
 }>;
 
-type UpdateMachineTokenParams = WithMachineTokenSecret<
+type UpdateMachineTokenParams = WithMachineSecret<
   {
     m2mTokenId: string;
     revoked?: boolean;
   } & Pick<CreateMachineTokenParams, 'secondsUntilExpiration' | 'claims' | 'scopes'>
 >;
 
-type RevokeMachineTokenParams = WithMachineTokenSecret<{
+type RevokeMachineTokenParams = WithMachineSecret<{
   m2mTokenId: string;
   revocationReason?: string | null;
 }>;
 
+type VerifyMachineTokenParams = WithMachineSecret<{
+  secret: string;
+}>;
+
 export class MachineTokensApi extends AbstractAPI {
   #withMachineTokenSecretHeader(
     options: ClerkBackendApiRequestOptions,
-    machineTokenSecret?: string | null,
+    machineSecret?: string | null,
   ): ClerkBackendApiRequestOptions {
-    if (machineTokenSecret) {
+    if (machineSecret) {
       return {
         ...options,
         headerParams: {
-          Authorization: `Bearer ${machineTokenSecret}`,
+          Authorization: `Bearer ${machineSecret}`,
         },
       };
     }
@@ -45,7 +49,7 @@ export class MachineTokensApi extends AbstractAPI {
   }
 
   async create(params: CreateMachineTokenParams) {
-    const { machineTokenSecret, ...bodyParams } = params;
+    const { machineSecret, ...bodyParams } = params;
     return this.request<MachineToken>(
       this.#withMachineTokenSecretHeader(
         {
@@ -53,13 +57,13 @@ export class MachineTokensApi extends AbstractAPI {
           path: basePath,
           bodyParams,
         },
-        machineTokenSecret,
+        machineSecret,
       ),
     );
   }
 
   async update(params: UpdateMachineTokenParams) {
-    const { m2mTokenId, machineTokenSecret, ...bodyParams } = params;
+    const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
     return this.request<MachineToken>(
       this.#withMachineTokenSecretHeader(
@@ -68,13 +72,13 @@ export class MachineTokensApi extends AbstractAPI {
           path: joinPaths(basePath, m2mTokenId),
           bodyParams,
         },
-        machineTokenSecret,
+        machineSecret,
       ),
     );
   }
 
   async revoke(params: RevokeMachineTokenParams) {
-    const { m2mTokenId, machineTokenSecret, ...bodyParams } = params;
+    const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
     return this.request<MachineToken>(
       this.#withMachineTokenSecretHeader(
@@ -83,16 +87,22 @@ export class MachineTokensApi extends AbstractAPI {
           path: joinPaths(basePath, m2mTokenId, 'revoke'),
           bodyParams,
         },
-        machineTokenSecret,
+        machineSecret,
       ),
     );
   }
 
-  async verifySecret(secret: string) {
-    return this.request<MachineToken>({
-      method: 'POST',
-      path: joinPaths(basePath, 'verify'),
-      bodyParams: { secret },
-    });
+  async verifySecret(params: VerifyMachineTokenParams) {
+    const { secret, machineSecret } = params;
+    return this.request<MachineToken>(
+      this.#withMachineTokenSecretHeader(
+        {
+          method: 'POST',
+          path: joinPaths(basePath, 'verify'),
+          bodyParams: { secret },
+        },
+        machineSecret,
+      ),
+    );
   }
 }
diff --git a/packages/backend/src/tokens/verify.ts b/packages/backend/src/tokens/verify.ts
index ad76138290b..79cc31e9176 100644
--- a/packages/backend/src/tokens/verify.ts
+++ b/packages/backend/src/tokens/verify.ts
@@ -206,7 +206,7 @@ async function verifyMachineToken(
 ): Promise<MachineTokenReturnType<MachineToken, MachineTokenVerificationError>> {
   try {
     const client = createBackendApiClient(options);
-    const verifiedToken = await client.machineTokens.verifySecret(secret);
+    const verifiedToken = await client.machineTokens.verifySecret({ secret });
     return { data: verifiedToken, tokenType: TokenType.MachineToken, errors: undefined };
   } catch (err: any) {
     return handleClerkAPIError(TokenType.MachineToken, err, 'Machine token not found');

From 1dbd41b5b92f46d59a56a82c1b5c1172eb5bd13d Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 15:00:40 -0700
Subject: [PATCH 08/11] chore: clean up

---
 .../backend/src/api/endpoints/MachineTokensApi.ts   | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/packages/backend/src/api/endpoints/MachineTokensApi.ts b/packages/backend/src/api/endpoints/MachineTokensApi.ts
index 11f038ef638..eb5a70d3b62 100644
--- a/packages/backend/src/api/endpoints/MachineTokensApi.ts
+++ b/packages/backend/src/api/endpoints/MachineTokensApi.ts
@@ -33,7 +33,10 @@ type VerifyMachineTokenParams = WithMachineSecret<{
 }>;
 
 export class MachineTokensApi extends AbstractAPI {
-  #withMachineTokenSecretHeader(
+  /**
+   * Overrides the instance secret with the machine secret.
+   */
+  #withMachineSecretHeader(
     options: ClerkBackendApiRequestOptions,
     machineSecret?: string | null,
   ): ClerkBackendApiRequestOptions {
@@ -51,7 +54,7 @@ export class MachineTokensApi extends AbstractAPI {
   async create(params: CreateMachineTokenParams) {
     const { machineSecret, ...bodyParams } = params;
     return this.request<MachineToken>(
-      this.#withMachineTokenSecretHeader(
+      this.#withMachineSecretHeader(
         {
           method: 'POST',
           path: basePath,
@@ -66,7 +69,7 @@ export class MachineTokensApi extends AbstractAPI {
     const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
     return this.request<MachineToken>(
-      this.#withMachineTokenSecretHeader(
+      this.#withMachineSecretHeader(
         {
           method: 'PATCH',
           path: joinPaths(basePath, m2mTokenId),
@@ -81,7 +84,7 @@ export class MachineTokensApi extends AbstractAPI {
     const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
     return this.request<MachineToken>(
-      this.#withMachineTokenSecretHeader(
+      this.#withMachineSecretHeader(
         {
           method: 'POST',
           path: joinPaths(basePath, m2mTokenId, 'revoke'),
@@ -95,7 +98,7 @@ export class MachineTokensApi extends AbstractAPI {
   async verifySecret(params: VerifyMachineTokenParams) {
     const { secret, machineSecret } = params;
     return this.request<MachineToken>(
-      this.#withMachineTokenSecretHeader(
+      this.#withMachineSecretHeader(
         {
           method: 'POST',
           path: joinPaths(basePath, 'verify'),

From 7c3063c4cbceeb699dd3937f03dd50c2e3104b6a Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 15:55:30 -0700
Subject: [PATCH 09/11] chore: add secret property to create method

---
 packages/backend/src/api/endpoints/MachineTokensApi.ts | 8 +++++---
 packages/backend/src/api/resources/JSON.ts             | 1 +
 packages/backend/src/api/resources/MachineToken.ts     | 4 +++-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/api/endpoints/MachineTokensApi.ts b/packages/backend/src/api/endpoints/MachineTokensApi.ts
index eb5a70d3b62..aa4fb2bbc33 100644
--- a/packages/backend/src/api/endpoints/MachineTokensApi.ts
+++ b/packages/backend/src/api/endpoints/MachineTokensApi.ts
@@ -32,6 +32,8 @@ type VerifyMachineTokenParams = WithMachineSecret<{
   secret: string;
 }>;
 
+type MachineTokenWithoutSecret = Omit<MachineToken, 'secret'>;
+
 export class MachineTokensApi extends AbstractAPI {
   /**
    * Overrides the instance secret with the machine secret.
@@ -68,7 +70,7 @@ export class MachineTokensApi extends AbstractAPI {
   async update(params: UpdateMachineTokenParams) {
     const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
-    return this.request<MachineToken>(
+    return this.request<MachineTokenWithoutSecret>(
       this.#withMachineSecretHeader(
         {
           method: 'PATCH',
@@ -83,7 +85,7 @@ export class MachineTokensApi extends AbstractAPI {
   async revoke(params: RevokeMachineTokenParams) {
     const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
-    return this.request<MachineToken>(
+    return this.request<MachineTokenWithoutSecret>(
       this.#withMachineSecretHeader(
         {
           method: 'POST',
@@ -97,7 +99,7 @@ export class MachineTokensApi extends AbstractAPI {
 
   async verifySecret(params: VerifyMachineTokenParams) {
     const { secret, machineSecret } = params;
-    return this.request<MachineToken>(
+    return this.request<MachineTokenWithoutSecret>(
       this.#withMachineSecretHeader(
         {
           method: 'POST',
diff --git a/packages/backend/src/api/resources/JSON.ts b/packages/backend/src/api/resources/JSON.ts
index faea4ed7424..cb697a720ba 100644
--- a/packages/backend/src/api/resources/JSON.ts
+++ b/packages/backend/src/api/resources/JSON.ts
@@ -701,6 +701,7 @@ export interface SamlAccountConnectionJSON extends ClerkResourceJSON {
 export interface MachineTokenJSON extends ClerkResourceJSON {
   object: typeof ObjectType.MachineToken;
   name: string;
+  secret: string;
   subject: string;
   scopes: string[];
   claims: Record<string, any> | null;
diff --git a/packages/backend/src/api/resources/MachineToken.ts b/packages/backend/src/api/resources/MachineToken.ts
index 1d19837bcdf..40cb3ae65fc 100644
--- a/packages/backend/src/api/resources/MachineToken.ts
+++ b/packages/backend/src/api/resources/MachineToken.ts
@@ -4,6 +4,7 @@ export class MachineToken {
   constructor(
     readonly id: string,
     readonly name: string,
+    readonly secret: string,
     readonly subject: string,
     readonly scopes: string[],
     readonly claims: Record<string, any> | null,
@@ -17,10 +18,11 @@ export class MachineToken {
     readonly updatedAt: number,
   ) {}
 
-  static fromJSON(data: MachineTokenJSON) {
+  static fromJSON(data: MachineTokenJSON): MachineToken {
     return new MachineToken(
       data.id,
       data.name,
+      data.secret,
       data.subject,
       data.scopes,
       data.claims,

From db38ca5bd8714bd780ebe009ed46d084713345d4 Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Tue, 1 Jul 2025 16:22:29 -0700
Subject: [PATCH 10/11] chore: remove machine secret type from api key creation

---
 packages/backend/src/api/endpoints/APIKeysApi.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/backend/src/api/endpoints/APIKeysApi.ts b/packages/backend/src/api/endpoints/APIKeysApi.ts
index 7e7d706a7a7..bf0767d3a16 100644
--- a/packages/backend/src/api/endpoints/APIKeysApi.ts
+++ b/packages/backend/src/api/endpoints/APIKeysApi.ts
@@ -5,7 +5,7 @@ import { AbstractAPI } from './AbstractApi';
 const basePath = '/api_keys';
 
 type CreateAPIKeyParams = {
-  type?: 'api_key' | 'machine_secret_key';
+  type?: 'api_key';
   /**
    * API key name
    */

From 5ce88eece43a498006680ec2f3655136740b2702 Mon Sep 17 00:00:00 2001
From: wobsoriano <sorianorobertc@gmail.com>
Date: Wed, 2 Jul 2025 13:47:04 -0700
Subject: [PATCH 11/11] chore: make secret property optional

---
 packages/backend/src/api/endpoints/MachineTokensApi.ts | 8 +++-----
 packages/backend/src/api/resources/JSON.ts             | 2 +-
 packages/backend/src/api/resources/MachineToken.ts     | 4 ++--
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/packages/backend/src/api/endpoints/MachineTokensApi.ts b/packages/backend/src/api/endpoints/MachineTokensApi.ts
index aa4fb2bbc33..eb5a70d3b62 100644
--- a/packages/backend/src/api/endpoints/MachineTokensApi.ts
+++ b/packages/backend/src/api/endpoints/MachineTokensApi.ts
@@ -32,8 +32,6 @@ type VerifyMachineTokenParams = WithMachineSecret<{
   secret: string;
 }>;
 
-type MachineTokenWithoutSecret = Omit<MachineToken, 'secret'>;
-
 export class MachineTokensApi extends AbstractAPI {
   /**
    * Overrides the instance secret with the machine secret.
@@ -70,7 +68,7 @@ export class MachineTokensApi extends AbstractAPI {
   async update(params: UpdateMachineTokenParams) {
     const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
-    return this.request<MachineTokenWithoutSecret>(
+    return this.request<MachineToken>(
       this.#withMachineSecretHeader(
         {
           method: 'PATCH',
@@ -85,7 +83,7 @@ export class MachineTokensApi extends AbstractAPI {
   async revoke(params: RevokeMachineTokenParams) {
     const { m2mTokenId, machineSecret, ...bodyParams } = params;
     this.requireId(m2mTokenId);
-    return this.request<MachineTokenWithoutSecret>(
+    return this.request<MachineToken>(
       this.#withMachineSecretHeader(
         {
           method: 'POST',
@@ -99,7 +97,7 @@ export class MachineTokensApi extends AbstractAPI {
 
   async verifySecret(params: VerifyMachineTokenParams) {
     const { secret, machineSecret } = params;
-    return this.request<MachineTokenWithoutSecret>(
+    return this.request<MachineToken>(
       this.#withMachineSecretHeader(
         {
           method: 'POST',
diff --git a/packages/backend/src/api/resources/JSON.ts b/packages/backend/src/api/resources/JSON.ts
index cb697a720ba..3d000941ef3 100644
--- a/packages/backend/src/api/resources/JSON.ts
+++ b/packages/backend/src/api/resources/JSON.ts
@@ -701,7 +701,7 @@ export interface SamlAccountConnectionJSON extends ClerkResourceJSON {
 export interface MachineTokenJSON extends ClerkResourceJSON {
   object: typeof ObjectType.MachineToken;
   name: string;
-  secret: string;
+  secret?: string;
   subject: string;
   scopes: string[];
   claims: Record<string, any> | null;
diff --git a/packages/backend/src/api/resources/MachineToken.ts b/packages/backend/src/api/resources/MachineToken.ts
index 40cb3ae65fc..3b9340c09dc 100644
--- a/packages/backend/src/api/resources/MachineToken.ts
+++ b/packages/backend/src/api/resources/MachineToken.ts
@@ -4,7 +4,6 @@ export class MachineToken {
   constructor(
     readonly id: string,
     readonly name: string,
-    readonly secret: string,
     readonly subject: string,
     readonly scopes: string[],
     readonly claims: Record<string, any> | null,
@@ -16,13 +15,13 @@ export class MachineToken {
     readonly creationReason: string | null,
     readonly createdAt: number,
     readonly updatedAt: number,
+    readonly secret?: string,
   ) {}
 
   static fromJSON(data: MachineTokenJSON): MachineToken {
     return new MachineToken(
       data.id,
       data.name,
-      data.secret,
       data.subject,
       data.scopes,
       data.claims,
@@ -34,6 +33,7 @@ export class MachineToken {
       data.creation_reason,
       data.created_at,
       data.updated_at,
+      data.secret,
     );
   }
 }