# Uncaught Error: InvalidSecret


ashen mason BOT

Hi @grand furnace. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:


It looks like you're encountering an "InvalidSecret" error when trying to sign in with Convex Auth. This typically means the password provided doesn't match the stored password for the account.

In development environments, these error messages are more descriptive, but in production, they're intentionally stripped of details for security reasons. This is why you're seeing the generic "Server Error" message along with the error code.

## How to handle auth errors properly

The current recommended approach for handling specific auth errors like "InvalidSecret" is to create a custom provider. This is because Convex Auth intentionally strips detailed error messages in production to prevent information leakage.

There's ongoing work to improve error handling in Convex Auth. The team is considering approaches like:

  1. Using ConvexErrors for expected auth failures
  2. Creating custom error types that can be checked with TypeScript
  3. Providing better error handling patterns for common scenarios

For now, you can implement a custom HTTP action to handle authentication and return appropriate error messages:

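```ts
import { httpRouter } from "convex/server";
import { httpAction } from "./_generated/server";
import { api } from "./_generated/api";

const http = httpRouter();

http.route({
  path: '/sign-in',
  method: 'POST',
  handler: httpAction(async (ctx, request) => {
    const { provider, params } = await request.json();

    try {
      // useAuthActions() is a React hook and cannot run inside an HTTP action;
      // call the signIn action instead (assumes convex/auth.ts exports
      // `signIn` from convexAuth(...)).
      const signinResult = await ctx.runAction(api.auth.signIn, { provider, params })

      return new Response(JSON.stringify(signinResult), {
        status: 200,
        headers: {
          "Content-Type": "application/json",
          // Wildcard origin: any site may call this endpoint from a browser.
          "Access-Control-Allow-Origin": "*",
          "Access-Control-Allow-Methods": "POST, OPTIONS",
          "Access-Control-Allow-Headers": "Content-Type",
        }
      })
    } catch (error: any) {
      // Return the error text to the caller with a 400 status.
      return new Response(String(error), { status: 400 })
    }
  })
})

export default http;
```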

Common auth errors you might want to handle include:

  • InvalidSecret (wrong password)
  • InvalidAccountId (account not found)
  • TooManyFailedAttempts (login rate limit exceeded)

The Convex team is aware of this limitation and is working on improving the error handling experience for auth flows.

The Discord support thread contains more discussion about this issue and potential solutions.

Note: you can ask me a follow-up question by @ mentioning me again :speech_balloon:
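
An added example, not part of the bot's reply and not Convex Auth code: one way to turn the three error codes listed above into client-facing responses without revealing whether an account exists. The function names, status codes and response wording are assumptions made for illustration.

```typescript
// Added example. The three codes come from the reply above; everything else
// (names, status codes, messages) is assumed for illustration.
type ClientAuthError = { status: number; code: string; message: string };

const KNOWN_CODES = ["InvalidSecret", "InvalidAccountId", "TooManyFailedAttempts"] as const;
type KnownCode = (typeof KNOWN_CODES)[number];

// Find a known code anywhere in the thrown value's text, since server errors
// often arrive wrapped, e.g. "Uncaught Error: InvalidSecret".
function extractAuthCode(error: unknown): KnownCode | null {
  const text = error instanceof Error ? error.message : String(error);
  for (const code of KNOWN_CODES) {
    if (new RegExp(`\\b${code}\\b`).test(text)) return code;
  }
  return null;
}

function toClientAuthError(error: unknown): ClientAuthError {
  switch (extractAuthCode(error)) {
    // Wrong password and unknown account get the identical response, so the
    // endpoint cannot be used to test which accounts exist.
    case "InvalidSecret":
    case "InvalidAccountId":
      return { status: 401, code: "INVALID_CREDENTIALS", message: "Invalid credentials." };
    case "TooManyFailedAttempts":
      return { status: 429, code: "RATE_LIMITED", message: "Too many attempts. Try again later." };
    default:
      // Unrecognised errors stay opaque to the client; log the original
      // server-side rather than echoing it.
      return { status: 500, code: "AUTH_FAILED", message: "Sign-in failed." };
  }
}
```

In the HTTP action's `catch` block, the returned `status` and a JSON body built from `code` and `message` would replace the raw error text.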