fix(js,ui,shared): Handle unsafeMetadata in transfer flows

[tmilewski]

Description

Port of Core 2 changes: #7646

Summary

• Fixes unsafeMetadata being lost when users are transferred between sign-in and sign-up flows during OAuth/SSO authentication
• Adds unsafeMetadata to HandleOAuthCallbackParams type and propagates it through transfer flows
• Ensures metadata provided to <SignIn> or <SignUp> components is preserved when OAuth transfers occur

Problem

When unsafeMetadata is passed to <SignIn unsafeMetadata={{ foo: 'bar' }} /> or <SignUp unsafeMetadata={{ foo: 'bar' }} />, the metadata was lost in two scenarios:

1. OAuth/SSO Callback Transfer: When a user signs in via OAuth but no account exists, the system transfers to sign-up by calling signUp.create({ transfer: true }) without passing unsafeMetadata

2. Combined Flow Transfer: When the combined sign-in/sign-up flow detects a non-existent identifier and transfers to sign-up, signUp.create() was called without unsafeMetadata

Solution

• Added unsafeMetadata field to HandleOAuthCallbackParams type
• Pass unsafeMetadata from params to signUp.create() during OAuth transfer in clerk.ts
• Added unsafeMetadata to HandleCombinedFlowTransferProps and pass it to signUp.create() in handleCombinedFlowTransfer.ts
• Pass unsafeMetadata from context to SSO callback components in both SignIn and SignUp routes

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Propagates additional sign-up metadata (unsafeMetadata) through OAuth/combined-flow transfers and sign-in/sign-up callbacks.

• Tests

  • Added tests verifying unsafeMetadata is passed through (including explicit undefined handling) during transfer flows.

• Chores

  • Added a changeset entry for this update.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: de66595

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jan 23, 2026 6:02pm

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7661

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7661

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7661

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7661

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7661

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7661

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7661

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7661

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7661

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7661

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7661

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7661

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7661

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7661

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7661

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7661

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7661

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7661

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7661

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7661

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7661

commit: de66595

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR propagates an optional unsafeMetadata field through OAuth transfer and combined sign-up flows. Changes: add unsafeMetadata?: SignUpUnsafeMetadata to HandleOAuthCallbackParams; include unsafeMetadata when calling signUp.create in clerk-js and in the combined-flow transfer handler; pass unsafeMetadata through relevant UI components and callbacks; add tests asserting unsafeMetadata is forwarded to signUp.create. A new changeset file with two YAML document separators (---) was added under .changeset.

Possibly related PRs

• clerk/javascript PR 7647: Makes the same code-level changes to propagate unsafeMetadata through HandleOAuthCallbackParams, combined-flow transfer props, signUp.create invocations, and test expectations.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding support for unsafeMetadata during transfer flows across js, ui, and shared packages.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jacekradko]

Just a changeset update