feat(clerk-js,shared): Remove expired_token retry flow

[nikosdouvlis]

Why

The previous session token is now always sent in the /tokens POST body (via the token param in #8105), so the backend no longer needs to request it via a 422 missing_expired_token error and a retry with ?expired_token=<jwt> in the query string.

This also removes JWT leakage from query strings. The old flow sent the full JWT as a URL search param, which is visible in access logs, proxies, and referrer headers. The new token body param avoids this.

What

• Remove MissingExpiredTokenError class from @clerk/shared
• Remove the catch-and-retry logic in Session.#createTokenResolver
• Remove 4 related tests

Note: isUnauthenticatedError still treats 422 as unauthenticated. This is left as-is for now since other 422 error codes may still indicate invalid session state.

Test plan

• Existing token refresh flows still work
• 422 errors are no longer retried with expired_token
• No regression in sign-in/sign-out flows

[changeset-bot]

🦋 Changeset detected

Latest commit: 3eb6e94

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages

Name	Type
@clerk/shared	Patch
@clerk/clerk-js	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/chrome-extension	Patch
@clerk/expo-passkeys	Patch
@clerk/expo	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/react	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 18, 2026 1:50pm