fix(ui): Add Forgot password? option to the SignInStart screen

[Ephem]

Description

When strict user enumeration protection is enabled, we use a combined error for missing identifier and password. When someone uses the hidden instant password field on SignInStart (through password managers), but that password is wrong, this means they stay on the SignInStart screen and see the error there, instead of being redirected to /factor-one which is the normal path.

SignInStart has not previously had the "Forgot password?" option, so the only way to recover has been to remove the password and click continue, which is not great UX.

This PR adds a "Forgot password?" to the password field on SignInStart. It makes this happen by retrying the signIn create with just the identifier first to set things up, and then navigating to the /factor-one screen with a query param (__clerk_reset_password=true, gets reset on exit)

Trying to click forgot password when identifier field is empty will result in the same validation error as when clicking continue.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[changeset-bot]

🦋 Changeset detected

Latest commit: 0dae904

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@clerk/ui	Patch
@clerk/chrome-extension	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 4, 2026 9:38am

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8733

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8733

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8733

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8733

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8733

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8733

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8733

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8733

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8733

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8733

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8733

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8733

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8733

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8733

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8733

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8733

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8733

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8733

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8733

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8733

commit: 0dae904

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements a "Forgot password?" action on the sign-in start page to improve account recovery under strict user enumeration protection. The changes introduce a new URL parameter constant (SIGN_IN_RESET_PASSWORD_INTENT_PARAM) to coordinate state between SignInStart and SignInFactorOne. SignInStart now renders a forgot-password action on the password field and handles the click by validating required fields and navigating to factor-one with the reset-intent parameter. SignInFactorOne detects this parameter and displays the appropriate screen (reset password or alternative methods), cleaning up the parameter on exit. Tests verify the end-to-end flow, and supporting infrastructure updates enable proper test fixture setup with query parameters.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding a 'Forgot password?' option to the SignInStart screen, which is the primary objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description clearly explains the UX issue, the implemented solution, and includes screenshots demonstrating the feature.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-04T09:43:42.094Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	1
🔴 Breaking changes	0
🟡 Non-breaking changes	1
🟢 Additions	0

🤖 This report was reviewed by claude-sonnet-4-6.

Note
Break Check could not snapshot 3 subpaths; the diff below excludes them.

• @clerk/astro ./env: Internal Error: Unable to determine module for: /home/runner/_work/javascript/javascript/packages/astro/env.d.ts You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
• @clerk/shared ./cookie: Internal Error: Unable to follow symbol for "Cookies" You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
• @clerk/testing ./cypress: Symbol not found for identifier: Cypress

---

@clerk/shared

Version: 4.15.0 → 4.14.0
Recommended bump: MINOR

Subpath ./apiUrlFromPublishableKey

🟡 Non-breaking Changes (1)

Modified: apiUrlFromPublishableKey

- apiUrlFromPublishableKey: (publishableKey: string) => "https://api.lclclerk.com" | "https://api.clerkstage.dev" | "https://api.clerk.com"
+ apiUrlFromPublishableKey: (publishableKey: string) => "https://api.clerk.com" | "https://api.lclclerk.com" | "https://api.clerkstage.dev"

Static analyzer: Breaking change in function apiUrlFromPublishableKey: Return type changed: "https://api.lclclerk.com"|"https://api.clerkstage.dev"|"https://api.clerk.com" → "https://api.clerk.com"|"https://api.lclclerk.com"|"https://api.clerkstage.dev"

🤖 AI review (reclassified as non-breaking) (99%): The union members are identical; only their order changed, and TypeScript union types are order-independent — no well-typed consumer code is affected.

---

Report generated by Break Check

_{Last ran on 0dae904. Pushes that change no tracked declarations (no API surface change vs. base) are skipped and don't update this comment.}