clerk · octoper · Dec 17, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 17, 2025
diff --git a/.changeset/evil-points-fly.md b/.changeset/evil-points-fly.md
@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Renaming `__experimental_passwordCompromised` to `__experimental_setPasswordCompromised` and introducing `__experimental_unsetPasswordCompromised`
diff --git a/integration/testUtils/usersService.ts b/integration/testUtils/usersService.ts
@@ -89,7 +89,7 @@ export type UserService = {
   createFakeOrganization: (userId: string) => Promise<FakeOrganization>;
   getUser: (opts: { id?: string; email?: string }) => Promise<User | undefined>;
   createFakeAPIKey: (userId: string) => Promise<FakeAPIKey>;
-  passwordCompromised: (userId: string) => Promise<void>;
+  setPasswordCompromised: (userId: string) => Promise<void>;
 };
 
 /**
@@ -236,8 +236,8 @@ export const createUserService = (clerkClient: ClerkClient) => {
           clerkClient.apiKeys.revoke({ apiKeyId: apiKey.id, revocationReason: reason }),
       } satisfies FakeAPIKey;
     },
-    passwordCompromised: async (userId: string) => {
-      await withErrorLogging('passwordCompromised', () => clerkClient.users.__experimental_passwordCompromised(userId));
+    setPasswordCompromised: async (userId: string) => {
+      await clerkClient.users.__experimental_setPasswordCompromised(userId);
     },
   };
 

diff --git a/integration/tests/session-tasks-sign-in-reset-password.test.ts b/integration/tests/session-tasks-sign-in-reset-password.test.ts
@@ -19,7 +19,7 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasksResetPassword
       const user = u.services.users.createFakeUser();
       const createdUser = await u.services.users.createBapiUser(user);
 
-      await u.services.users.passwordCompromised(createdUser.id);
+      await u.services.users.setPasswordCompromised(createdUser.id);
 
       // Performs sign-in
       await u.po.signIn.goTo();
@@ -66,7 +66,7 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasksResetPassword
       const user = u.services.users.createFakeUser();
       const createdUser = await u.services.users.createBapiUser(user);
 
-      await u.services.users.passwordCompromised(createdUser.id);
+      await u.services.users.setPasswordCompromised(createdUser.id);
       const fakeOrganization = u.services.organizations.createFakeOrganization();
       await u.services.organizations.createBapiOrganization({
         name: fakeOrganization.name,

diff --git a/packages/backend/src/api/endpoints/UserApi.ts b/packages/backend/src/api/endpoints/UserApi.ts
@@ -199,6 +199,10 @@ type DeleteUserExternalAccountParams = {
   externalAccountId: string;
 };
 
+type SetPasswordCompromisedParams = {
+  revokeAllSessions?: boolean;
+};
+
 type UserID = {
   userId: string;
 };
@@ -448,14 +452,25 @@ export class UserAPI extends AbstractAPI {
     });
   }
 
-  public async __experimental_passwordCompromised(userId: string) {
+  public async __experimental_setPasswordCompromised(
+    userId: string,
+    params: SetPasswordCompromisedParams = {
+      revokeAllSessions: false,
+    },
+  ) {
+    this.requireId(userId);
+    return this.request<User>({
+      method: 'POST',
+      path: joinPaths(basePath, userId, 'password', 'set_compromised'),
+      bodyParams: params,
+    });
+  }
+
+  public async __experimental_unsetPasswordCompromised(userId: string) {
     this.requireId(userId);
     return this.request<User>({
       method: 'POST',
-      path: joinPaths(basePath, userId, 'password_compromised'),
-      bodyParams: {
-        revokeAllSessions: false,
-      },
+      path: joinPaths(basePath, userId, 'password', 'unset_compromised'),
     });
   }
 }