[BUG] Clerk: Error: Clerk: Unable to decrypt request data, this usually means the encryption key is invalid.

[jenslys]

Describe the bug

Been having issue trying to setup a NextJS 15 app with Opennextjs.
It seems to work fine locally when using NextJS 14.2.23 but i get the following error from the middleware when trying to access a protected page on NextJS 15:

✘ [ERROR] ⨯ Error: Clerk: Unable to decrypt request data, this usually means the encryption key is invalid. Ensure the encryption key is properly set. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware#dynamic-keys. (code=encryption_key_invalid)

      at T (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:85:338)
      at C (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:85:295)
      at j (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:85:988)
      at <unknown> (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:89:804)
      at <unknown> (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:89:417)
      at en (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:89:2041)
      at async eo (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-X1f6pQ/worker.js:89:2650) {
    digest: '509120350'
  }

Steps to reproduce

Replication of bug:
https://github.com/jenslys/clerk-opennext-bug

1. Fill in .env.local -> cp .env.example .env.local
1. create dev.vars -> echo "NEXTJS_ENV=development" > .dev.vars
1. bun install
1. bun run preview
1. Login with clerk and try to navigate to /protected

Expected behavior

Clerk should be able to decrypt key middleware should work

@opennextjs/cloudflare version

0.3.9

Wrangler version

3.105.0

next info output

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.2.0: Fri Dec  6 19:02:41 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6030
  Available memory (MB): 36864
  Available CPU cores: 12
Binaries:
  Node: 20.11.1
  npm: 10.2.4
  Yarn: 1.22.22
  pnpm: 10.0.0
Relevant Packages:
  next: 15.1.5 // There is a newer version (15.1.6) available, upgrade recommended! 
  eslint-config-next: 15.1.5
  react: 19.0.0
  react-dom: 19.0.0
  typescript: 5.7.3
Next.js Config:
  output: N/A
 ⚠ There is a newer version (15.1.6) available, upgrade recommended! 
   Please try the latest canary version (`npm install next@canary`) to confirm the issue still exists before creating a new issue.
   Read more - https://nextjs.org/docs/messages/opening-an-issue

Additional context

I have also posted a ticket regarding this in the Clerk discord, linked here, since i am unsure if this is a Clerk issue or Opennextjs issue:
https://discord.com/channels/856971667393609759/1329736080962097162

[jenslys]

Update (25.05.2025)

Manually setting the keys in the middleware produces a different error output:

	export default clerkMiddleware(
	  async (auth, req) => {
	    if (isProtectedRoute(req)) await auth.protect();
	  },
	  {
	    debug: true,
+	    secretKey: "mykeyhere",
+	    publishableKey: "mykeyhere"
	  }
	);

✘ [ERROR] ⨯ Error: Clerk: Unable to verify request, this usually means the Clerk middleware did not run. Ensure Clerk's middleware is properly integrated and matches the current route. For more information, see: https://clerk.com/docs/references/nextjs/clerk-middleware. (code=auth_signature_invalid)

      at <unknown> (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-IvWaFv/worker.js:463:1331)
      at j (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-IvWaFv/worker.js:463:1623)
      at <unknown> (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-IvWaFv/worker.js:467:804)
      at <unknown> (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-IvWaFv/worker.js:467:417)
      at en (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-IvWaFv/worker.js:467:2041)
      at async ei (Users/jenslys/Code/my-next-app/.wrangler/tmp/dev-IvWaFv/worker.js:467:2781) {
    digest: '2618587694'
  }

[jenslys]

Update 29.1.2025 from Clerk support

[vicb]

because it's jsonc :)

process.env will only be populated after the first requests comes in - meaning that using process.env at top level will not always work: when the isolate (~server) first fires up, process.env will be empty. It only gets populated after the first request comes in.

[OllieJennings]

@vicb & @jenslys i am having this issue.

The middleware seems to be fine once you supply the dynamic keys. So initial load it seems to work, but when requesting data via route handlers, this is where it struggles and l also get the:

Clerk: Unable to decrypt request data, this usually means the encryption key is invalid.

I am on NextJS v15, and the latest opennextjs-cloudflare.

So deploying on Vercel and other places work, so now I am pretty sure it's a bug in opennextjs.

It seems like route handlers cannot use the clerk functions.

[vicb]

I'm not sure how to reproduce:

$ next build
   ▲ Next.js 15.1.5
   - Environments: .env

   Creating an optimized production build ...
 ✓ Compiled successfully
 ✓ Linting and checking validity of types    
 ✓ Collecting page data    
Error occurred prerendering page "/protected". Read more: https://nextjs.org/docs/messages/prerender-error
Error: @clerk/clerk-react: The publishableKey passed to Clerk is invalid. You can get your Publishable key at https://dashboard.clerk.com/last-active?path=api-keys. (key=pk_KEY)

Please add more instructions.

[jenslys]

I'm not sure how to reproduce:

$ next build
   ▲ Next.js 15.1.5
   - Environments: .env

   Creating an optimized production build ...
 ✓ Compiled successfully
 ✓ Linting and checking validity of types    
 ✓ Collecting page data    
Error occurred prerendering page "/protected". Read more: https://nextjs.org/docs/messages/prerender-error
Error: @clerk/clerk-react: The publishableKey passed to Clerk is invalid. You can get your Publishable key at https://dashboard.clerk.com/last-active?path=api-keys. (key=pk_KEY)

Please add more instructions.

Did you populate the env with your clerk credentials?

[vicb]

Did you populate the env with your clerk credentials?

Please include all required steps in the repro. This will save us time.

I think that the issue is in that clerk code:

https://github.com/clerk/javascript/blob/db6e05341db28fb1f7aeeec14fc7e3e6c33afd21/packages/nextjs/src/server/utils.ts#L259-L263

function decryptData(data: string, key: string) {
  const decryptedBytes = AES.decrypt(data, key);
  const encoded = decryptedBytes.toString(encUtf8);
  return JSON.parse(encoded);
}

AES.decrypt(data, key); seems to come from crypto-js.

It returns an object:

{
  words: [ -532749996, 950152586, 1494648915, 110546737 ],
  sigBytes: -33
}

So decryptedBytes.toString(encUtf8) is an empty string ("")

edit: The parameters to decrypt when this fails are:

{ data: 'U2FsdGVkX19c08J8gVACpKeovMuGqb+LJdB9l18zW8c=', key: '' }

[jenslys]

Linking as this might be related then:
clerk/javascript#4989
clerk/javascript#5024

[jenslys]

Testing with the referenced clerk PR did not yield any better results:
jenslys/clerk-opennext-bug#2