feat(expo): Chris/mobile 405 react native components release

[chriscanin]

Description

These changes can be tested by using the snapshot that will be commented in this PR discussion, and installing that into the expo quickstart repo on the branch: chris/mobile-343-bridge-android-to-a-native-module-that-is-available-in-the
(same branch name as here).

https://linear.app/clerk/issue/MOBILE-342/bridge-ios-to-a-native-module-that-is-available-in-the-expo-sdk
MOBILE-289
https://linear.app/clerk/issue/MOBILE-289/expo-google-universal-sign-in

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Native Expo UI: AuthView, InlineAuthView, UserButton, UserProfileView (modal & inline) and native plugin support
  • Native auth flows: Google Sign‑In and Apple Sign‑In; new native session/events hooks and client token access

• Bug Fixes

  • More reliable native↔JS session sync, improved lifecycle/unmount guards, and clearer error handling

• Documentation

  • Native iOS setup guide and native components README

• Chores

  • Expo plugin, packaging, podspec and package version updates

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 4, 2026 9:54pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 21933a6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@clerk/expo	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[brkalow]

ditto, is the order important here to warrant the disables?

[brkalow]

consider using existing TokenCache if possible, or make it clear why we can't

[brkalow]

Do we need to diverge from the other SDKs here and continue exporting these?

[brkalow]

why the need for type casting now?

[brkalow]

What integration testing tools are available for react native / expo? Would be great to start seeing those get built out.

Maestro seems popular? https://docs.expo.dev/eas/workflows/examples/e2e-tests/

[jacekradko]

I think this should be split up into its own changeset so we don't have contaminate changelogs

[jacekradko]

Code review

Found 5 issues:

1. Changeset set-minimum-expo-53.md lists packages with no code changes as major bumps. @clerk/shared, @clerk/localizations, and @clerk/expo-passkeys are declared as major but have zero file changes in this PR. The changeset body describes "Removed legacy subpath exports" for these packages, but no such removals exist in the diff. This will cause incorrect major version releases for unchanged packages when changesets runs.

javascript/.changeset/set-minimum-expo-53.md

Lines 1 to 6 in 5f3be94

	---
	'@clerk/expo': major
	'@clerk/shared': major
	'@clerk/react': major
	'@clerk/localizations': major
	'@clerk/expo-passkeys': major

2. Manual version bump in packages/expo/package.json conflicts with changeset automation. The version was manually set to 2.19.24 (from 2.19.10 on main), skipping 14 patch versions. This repo uses changesets to manage versions; manual bumps in package.json will conflict with the automated release pipeline.

javascript/packages/expo/package.json

Lines 2 to 4 in 5f3be94

	"name": "@clerk/expo",
	"version": "2.19.24",
	"description": "Clerk React Native/Expo library",

3. app.plugin.js is now 581 lines of standalone JavaScript, diverging from the TypeScript source. Previously this was a one-line shim (module.exports = require('./dist/plugin/withClerkExpo')). It now contains a full standalone implementation of withClerkExpo, withClerkIOS, withClerkAndroid, and withClerkGoogleSignIn while src/plugin/withClerkExpo.ts also exists and is modified. This creates two diverging implementations -- one type-checked and tested, one not.

javascript/packages/expo/app.plugin.js

Lines 1 to 10 in 5f3be94

	/**
	* Expo config plugin for @clerk/clerk-expo
	* Automatically configures iOS and Android to work with Clerk native components
	*
	* When this plugin is used:
	* 1. iOS is configured with Swift Package Manager dependency for clerk-ios
	* 2. Android is configured with packaging exclusions for dependencies
	*
	* Native modules are registered via react-native.config.js and standard
	* React Native autolinking (RCTViewManager / ReactPackage).

4. Generated build artifacts committed to source control. app.plugin.d.ts and app.plugin.d.ts.map are generated TypeScript declaration files that should not be in source control. These are non-standard for this repo where build output goes to dist/.

javascript/packages/expo/app.plugin.d.ts

Lines 1 to 6 in 5f3be94

	export = withClerkExpo;
	/**
	* Combined Clerk Expo plugin
	*/
	declare function withClerkExpo(config: any): any;
	//# sourceMappingURL=app.plugin.d.ts.map

5. fraudProtection.ts React Native bypass creates an infinite retry loop. When document is undefined, managedChallenge returns { captchaError: 'modal_component_not_ready' }. In execute(), this causes __internal_sendCaptchaToken to be skipped (line 72), but captchaRetryCount is only incremented in the inner catch (line 77) -- which is never hit since managedChallenge resolves successfully. The code then calls return await cb() (line 85) which re-throws requires_captcha, re-enters the outer catch, and the cycle repeats indefinitely. The captchaAttemptsExceeded() guard at line 30 is only checked on fresh execute() calls, not within the loop.

javascript/packages/clerk-js/src/core/fraudProtection.ts

Lines 69 to 95 in 5f3be94

	try {
	const captchaParams: any = await this.managedChallenge(clerk);
	if (captchaParams?.captchaError !== 'modal_component_not_ready') {
	await this.client.getOrCreateInstance().__internal_sendCaptchaToken(captchaParams);
	this.captchaRetryCount = 0; // Reset the retry count on success
	}
	} catch (err) {
	this.captchaRetryCount++;
	throw err;
	} finally {
	// Resolve the exception placeholder promise so that other exceptions can be handled
	resolve();
	this.inflightException = null;
	}
	return await cb();
	}
	}
	public managedChallenge(clerk: Clerk) {
	// In React Native environments, DOM-based captcha challenges are not supported.
	// Return a no-op result to avoid hanging on DOM APIs that don't exist.
	if (typeof document === 'undefined') {
	return Promise.resolve({ captchaError: 'modal_component_not_ready' });
	}
	return new this.CaptchaChallengeImpl(clerk).managedInModal({ action: 'verify' });

---

Additionally, several issues scored just below the threshold (75/100) that may warrant attention: initStartedRef not reset on unmount blocking StrictMode re-initialization, waitForLoad calling addOnLoaded which only exists on IsomorphicClerk (not the HeadlessBrowserClerk returned by createClerkInstance), static import of optional expo-secure-store, TurboModuleRegistry.getEnforcing crashing at import time for optional Google Sign-In, sessionSyncedRef set before setActive succeeds permanently blocking retries, silent error swallowing in useUserProfileModal/UserButton, and unconditional console.log calls in production code (useNativeAuthEvents.ts).

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}