feat(backend): Add TypeDoc comments to OAuth Application endpoints #6378

SarahSoutoul · 2025-07-23T17:17:24Z

Description

What does this solve?

Linear: https://linear.app/clerk/issue/DOCS-10504/document-oauth-applications-js-backend-sdk-endpoints

Currently, the clerk docs don't have any information around the OAuth applications JS Backend SDK endpoints. This PR adds documentation for the backend OAuthApplication object type. This PR works in conjunction with this one here: clerk/clerk-docs#2447.

Used the following links for information:

What changed?

Added JSdoc comments to the Backend OAuthApplication object type to be used in clerk-docs
Added new properties that appear in the BAPI docs
Updated the OAuthApplicationJSON with new properties

Checklist

pnpm test runs as expected.
pnpm build runs as expected.
(If applicable) JSDoc comments have been added or updated for any package exports
(If applicable) Documentation has been updated

Type of change

Summary by CodeRabbit

New Features
- OAuth applications now expose additional metadata: client website URL and logo/image.
- New indicators show whether an app was dynamically registered, requires a consent screen, and enforces PKCE.
- These fields are available in API responses and can be surfaced in relevant views.

changeset-bot · 2025-07-23T17:17:28Z

⚠️ No Changeset found

Latest commit: 93eb1a4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

vercel · 2025-07-23T17:17:29Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Aug 22, 2025 10:19pm

coderabbitai · 2025-08-18T18:04:56Z

📝 Walkthrough

Walkthrough

Adds five new OAuth application fields across the backend SDK: JSON contract (OAuthApplicationJSON) gains client_uri, client_image_url, dynamically_registered, consent_screen_enabled, and pkce_required. The OAuthApplication class’s constructor is extended to include corresponding readonly properties (clientUri, clientImageUrl, dynamicallyRegistered, consentScreenEnabled, pkceRequired). The fromJSON factory maps the new JSON fields into the constructor before the existing public flag. No other files or logic paths are modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Document OAuth applications js backend sdk endpoints (DOCS-10504)	❌	No documentation changes; only type/model updates in code.

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Add new properties to OAuthApplicationJSON: client_uri, client_image_url, dynamically_registered, consent_screen_enabled, pkce_required (packages/backend/src/api/resources/JSON.ts)	The linked issue requests documentation work, not schema/type additions.
Extend OAuthApplication constructor and fromJSON mapping with new fields (packages/backend/src/api/resources/OAuthApplication.ts)	Implements runtime/model changes unrelated to documenting existing endpoints.

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 0

🔭 Outside diff range comments (1)

packages/backend/src/api/resources/OAuthApplication.ts (1)
90-90: Add explicit return type to public static factory

Project guidelines require explicit return types for public APIs.
-static fromJSON(data: OAuthApplicationJSON) {
+static fromJSON(data: OAuthApplicationJSON): OAuthApplication {

🧹 Nitpick comments (6)

packages/backend/src/api/resources/JSON.ts (1)
323-327: Add TSDoc for the newly added OAuthApplicationJSON fields

These types are exported and part of the public API surface. Adding brief comments will improve generated docs and keep parity with the class docs added in OAuthApplication.ts.

Apply something along these lines:
   client_id: string;
-  client_uri: string | null;
-  client_image_url: string | null;
-  dynamically_registered: boolean;
-  consent_screen_enabled: boolean;
-  pkce_required: boolean;
+  /** The public-facing URL of the OAuth application, often shown on consent screens. */
+  client_uri: string | null;
+  /** URL to the application's icon/logo. */
+  client_image_url: string | null;
+  /** Whether this application was created via dynamic client registration (RFC 7591). */
+  dynamically_registered: boolean;
+  /** Whether a consent screen is shown in the auth flow. Cannot be disabled for dynamically registered apps. */
+  consent_screen_enabled: boolean;
+  /** Whether PKCE is required for this application. */
+  pkce_required: boolean;
packages/backend/src/api/resources/OAuthApplication.ts (5)
3-5: Good addition of the class-level docs

Nice, concise overview. Consider linking to the BAPI reference for discoverability.

Example tweak:
 /**
- * The Backend `OAuthApplication` object holds information about an OAuth application.
+ * The Backend `OAuthApplication` object holds information about an OAuth application.
+ * See: https://clerk.com/docs/reference/backend-api/tag/oauth-applications
 */
16-18: Remove “new” from property descriptions

These properties describe an OAuth application resource in any state, not just right after creation. The “new” qualifier is misleading.
- * The name of the new OAuth application.
+ * The name of the OAuth application.
@@
- * Scopes for the new OAuth application.
+ * Scopes configured for the OAuth application.
@@
- * An array of redirect URIs of the new OAuth application.
+ * The list of redirect URIs configured for the OAuth application.
Also applies to: 48-51, 52-55

44-47: Clarify relationship between public clients and PKCE

The current text suggests PKCE can be used if the client is public, which is true but underspecified given the new pkceRequired flag. Tighten the language to avoid confusion.
- * Indicates whether the client is public. If true, the Proof Key of Code Exchange (PKCE) flow can be used.
+ * Indicates whether the client is public (cannot safely keep a client secret).
+ * Public clients must use PKCE; confidential clients may also use PKCE.
96-101: Defensive defaults for newly added fields (back-compat with older backends)

If any existing installations don’t yet return these properties, the runtime values would be undefined. Default them to safe values.
-      data.client_uri,
-      data.client_image_url,
-      data.dynamically_registered,
-      data.consent_screen_enabled,
-      data.pkce_required,
+      data.client_uri ?? null,
+      data.client_image_url ?? null,
+      data.dynamically_registered ?? false,
+      data.consent_screen_enabled ?? false,
+      data.pkce_required ?? false,
If the BAPI guarantees they’re always present, keeping the current mapping is fine. Otherwise, these defaults prevent undefined from leaking into the public API at runtime.

90-113: Add unit tests for JSON mapping of new fields

No tests in this PR. Add a test that feeds an OAuthApplicationJSON with the new fields and asserts the resulting instance properties, plus a test where the new fields are omitted (if you adopt defensive defaults).

I can scaffold a Jest test like:

constructs a minimal OAuthApplicationJSON,

calls OAuthApplication.fromJSON,

asserts clientUri/clientImageUrl/dynamicallyRegistered/consentScreenEnabled/pkceRequired mapping.
Would you like me to draft it?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

MCP integration is disabled by default for public repositories
Jira integration is disabled
Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8e66e73 and c65c5d1.

📒 Files selected for processing (2)

packages/backend/src/api/resources/JSON.ts (1 hunks)
packages/backend/src/api/resources/OAuthApplication.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (7)

**/*.{js,jsx,ts,tsx}