@clerk/nextjs encryption error on next@15 after upgrading to version 6.10.1

[Gavin-Hofer]

Preliminary Checks

• I have reviewed the documentation: https://clerk.com/docs

• I have searched for existing issues: https://github.com/clerk/javascript/issues

• I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)

• This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.

Reproduction

https://github.com/Gavin-Hofer/clerk-server-action-encryption-error

Publishable key

pk_test_YnVyc3RpbmctdGljay05Ni5jbGVyay5hY2NvdW50cy5kZXYk

Description

Description of Error

After upgrading @clerk/nextjs from version 6.9.15 to 6.10.1, server actions started failing on await currentUser() with the following error:

 ⨯ Error: Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)
    at v (.next/server/chunks/85.js:33:677)
    at y (.next/server/chunks/85.js:33:639)
    at l (.next/server/chunks/85.js:17:32492)
    at <unknown> (.next/server/chunks/85.js:15:30598)
    at <unknown> (.next/server/chunks/85.js:15:30225)
    at k (.next/server/chunks/85.js:15:31759)
    at async m (.next/server/app/page.js:1:32973)
    at async h (.next/server/app/page.js:1:33057) {
  digest: '689539690'
}

Implementation-specific Details

• Instead of using NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY, I have an environment variable called CLERK_PUBLISHABLE_KEY that I pass to <ClerkProvider> and clerkMiddleware at runtime (this is so I can use the same docker image with both test and live keys).
• This error did not happen when using the default environment variables instead of passing them at runtime as described above.

Replication Instructions

1. Add your clerk keys to .env.local. Note: the publishable key should be called CLERK_PUBLISHABLE_KEY not NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY.

CLERK_PUBLISHABLE_KEY=pk_***
CLERK_SECRET_KEY=sk_***

2. Generate a CLERK_ENCRYPTION_KEY and add it to .env.local:

echo CLERK_ENCRYPTION_KEY=$(openssl rand -base64 32) >> .env.local

3. Create a production build (error not seen in development mode)

npm run build

4. Run and try to load the page

npm run start

Expected Error

When I attempt to load the page I get an error in the server component render. It errors out on the line:

const user = await currentUser();

With the following error message (on the server):

 ⨯ Error: Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)
    at v (.next/server/chunks/85.js:33:677)
    at y (.next/server/chunks/85.js:33:639)
    at l (.next/server/chunks/85.js:17:32492)
    at <unknown> (.next/server/chunks/85.js:15:30598)
    at <unknown> (.next/server/chunks/85.js:15:30225)
    at k (.next/server/chunks/85.js:15:31759)
    at async m (.next/server/app/page.js:1:32973)
    at async h (.next/server/app/page.js:1:33057) {
  digest: '689539690'
}

This happens whether or not you are logged in.

Environment

System:
    OS: macOS 15.2
    CPU: (16) arm64 Apple M3 Max
    Memory: 8.69 GB / 64.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.13.1 - ~/.nvm/versions/node/v22.13.1/bin/node
    npm: 10.9.2 - ~/.nvm/versions/node/v22.13.1/bin/npm
    pnpm: 9.14.4 - ~/Library/pnpm/pnpm
  Browsers:
    Chrome: 131.0.6778.267
    Safari: 18.2
  npmPackages:
    @clerk/nextjs: ^6.10.1 => 6.10.1 
    @eslint/eslintrc: ^3 => 3.2.0 
    @types/node: ^20 => 20.17.16 
    @types/react: ^19 => 19.0.8 
    @types/react-dom: ^19 => 19.0.3 
    eslint: ^9 => 9.18.0 
    eslint-config-next: 15.1.6 => 15.1.6 
    next: 15.1.6 => 15.1.6 
    postcss: ^8 => 8.5.1 
    react: ^19.0.0 => 19.0.0 
    react-dom: ^19.0.0 => 19.0.0 
    tailwindcss: ^3.4.1 => 3.4.17 
    typescript: ^5 => 5.7.3

[Gavin-Hofer]

Notes:

• When I originally noticed this issue, it was not affecting server-rendered pages like it is (for me) in the attached example, but it was affecting server actions.
• I tried adding around the ClerkProvider and a loading.tsx but neither made any change to the behavior.

[panteliselef]

Hey @Gavin-Hofer, thanks for opening an issue. I followed your steps and make sure that i was not using the NEXT_PUBLIC_ prefix, but I couldn't reproduce.

I tried with other versions of @clerk/nextjs, tried on development and production (pnpm start), and signed in or signed out.

Also you are mentioning server actions here, but there are none in the reproduction you provided.

[Gavin-Hofer]

Thanks for looking into this @panteliselef. I just pushed an update to add a page to test calling a server action from the client under the /test-server-action path. But today it mysteriously started working on my end too so I can no longer reproduce. I'll post an update if I manage to reproduce it again.

[Gavin-Hofer]

So I found I am still able to reproduce if I switch back to my previous commit (without the /test-server-action page). The only difference between these two is adding the page.tsx under /test-server-action and actions.ts. Somehow after adding these files the original error doesn't occur and the error doesn't occur when hitting the server action either.

Also, I get the same behavior even in a fresh private browsing session. I'll see if I can replicate it in a docker container.

[Gavin-Hofer]

Update: I removed the /test-server-action path because that made the original error go away.
I built a docker image (ARM64) to replicate the error in and pushed it to dockerhub:

Here's the replication instructions with the docker image (assuming you already have CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, and CLERK_ENCRYPTION_KEY in .env.local):

1. Run the docker container:

docker run -p 3000:3000 --env-file .env.local gavinhofer302/clerk-server-action-encryption-error:latest

2. Go to http://localhost:3000/, and you should see a page like this if the error happened:

If this doesn't work, the only other differences I can think of are:
a) Maybe it only happens on ARM chips? I originally saw it on a T4G EC2 instance, and since then only tested on my Mac.
b) Maybe something with my specific Clerk account or keys? (when it happened before I observed it with both the test and live keys so this seems unlikely)

[Gavin-Hofer]

Update

I managed to replicate the issue with server actions on my side, and added a new page /test-server-actions.

It was pretty particular about whether the error would show up, for example the error wouldn't show up if I had any client components anywhere in the app or if I had any static pages. These were different conditions than I originally saw so I think it's just super finicky (when I originally observed the issue, it was calling the server action from a client component, which I couldn't replicate here).

To rule out it being something specific to building on my machine I set up a github actions pipeline to build a multiplatform image for both linux/amd64 and linux/arm64, and I get the error with both. Here's how I'm running:

# Arm64 version
docker run -p 3000:3000 --env-file .env.local gavinhofer302/clerk-server-action-encryption-error:latest

# Amd64 version (emulated)
docker run -p 3000:3000 --env-file .env.local --platform linux/amd64 gavinhofer302/clerk-server-action-encryption-error:latest

Here's a link to the build log: https://github.com/Gavin-Hofer/clerk-server-action-encryption-error/actions/runs/12968289689

[panteliselef]

Hello @Gavin-Hofer, we were able to reproduce, and we are working on a fix.

[OllieJennings]

I am also seeing this issue on cloudflare-workers using opennextjs-cloudflare.

It might be an opennextjs issue, however part of me thinks its related to the crypto-js stuff as its all on the decrypting it fails, because if l run opennextjs locally it works.