chore(backend): Add M2M token list method

[wobsoriano]

Description

This PR adds a new method in the M2M token API to list all M2M tokens by a machine (BAPI proxy doc).

Also fixes incorrect mock IDs in unit tests

Resolves USER-4822

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

Release Notes

New Features

• Added M2M token listing functionality with advanced filtering capabilities, including filtering by subject, revoked status, and expiration status.
• Included pagination support with configurable limit and offset parameters for efficient retrieval of large token sets.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Feb 26, 2026 7:08pm

[changeset-bot]

🦋 Changeset detected

Latest commit: b55941c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@clerk/backend	Minor
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/remix	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch rob/get-m2m-tokens

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7939

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7939

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7939

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7939

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7939

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7939

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7939

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7939

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7939

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7939

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7939

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7939

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7939

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7939

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7939

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7939

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7939

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7939

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7939

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7939

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7939

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7939

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7939

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7939

commit: b55941c

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

packages/backend/src/api/endpoints/M2MTokenApi.ts (1)

83-89: Add JSDoc and an explicit return type to the new public list API.

This keeps the public surface consistent and clearer for SDK consumers.

Proposed update

+  /**
+   * Retrieves machine-to-machine tokens for a specific machine.
+   */
-  async list(queryParams: GetM2MTokenListParams) {
+  async list(queryParams: GetM2MTokenListParams): Promise<PaginatedResourceResponse<M2MToken[]>> {
     return this.request<PaginatedResourceResponse<M2MToken[]>>({
       method: 'GET',
       path: basePath,
       queryParams,
     });
   }

Based on learnings: "enforce explicit return type annotations for exported functions and public APIs," and as per coding guidelines: "All public APIs must be documented with JSDoc."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/backend/src/api/endpoints/M2MTokenApi.ts` around lines 83 - 89, The
exported async method list lacks an explicit return type and JSDoc; update the
public API by adding a JSDoc block describing the method, its parameter
(queryParams: GetM2MTokenListParams) and its return value, and annotate the
function signature with an explicit return type
Promise<PaginatedResourceResponse<M2MToken[]>> (the function named list that
calls this.request should be updated accordingly).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/backend/src/api/endpoints/M2MTokenApi.ts`:
- Around line 83-89: The list method in M2MTokenApi does not validate the
required machine identifier (subject) from GetM2MTokenListParams before making
the request; add input validation in the list(queryParams:
GetM2MTokenListParams) function to check that queryParams.subject exists, is a
non-empty string (trimmed) and meets any expected format, throw a clear Error
(or return a rejected Promise) for invalid values, and sanitize/trim the subject
before passing queryParams to this.request so only validated data is sent.

In `@packages/backend/src/api/resources/Deserializer.ts`:
- Around line 80-85: The M2M branch can return totalCount as undefined and uses
any[]; tighten the isM2MTokenResponse type guard so it asserts payload has a
numeric total_count and an array m2m_tokens of unknown (not any), update the
guard implementation (the one defined around lines 117-123) to check typeof
payload.total_count === 'number' and Array.isArray(payload.m2m_tokens'), then
change the mapping in the branch that uses jsonToObject to treat items as
unknown (e.g. map(item => jsonToObject(item) as U)) and set totalCount =
payload.total_count as number so the returned PaginatedResourceResponse<U>
always has a number totalCount.

---

Nitpick comments:
In `@packages/backend/src/api/endpoints/M2MTokenApi.ts`:
- Around line 83-89: The exported async method list lacks an explicit return
type and JSDoc; update the public API by adding a JSDoc block describing the
method, its parameter (queryParams: GetM2MTokenListParams) and its return value,
and annotate the function signature with an explicit return type
Promise<PaginatedResourceResponse<M2MToken[]>> (the function named list that
calls this.request should be updated accordingly).

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8a0c404 and 6663583.

📒 Files selected for processing (4)

• .changeset/shiny-apples-travel.md
• packages/backend/src/api/__tests__/M2MTokenApi.test.ts
• packages/backend/src/api/endpoints/M2MTokenApi.ts
• packages/backend/src/api/resources/Deserializer.ts