#noauthprovider

Error from middleware:

✓ Compiled middleware in 2ms
 ✓ Compiled in 68ms
Returning false from isAuthenticated because Error: {"code":"NoAuthProvider","message":"No auth provider found matching the given token"}
    at async isAuthenticated (../../../src/nextjs/server/index.tsx:321:11)
    at async (middleware.ts:11:12)
    at async (../../../src/nextjs/server/index.tsx:239:8)
   9 | export default convexAuthNextjsMiddleware(async (request, { convexAuth }) => {
  10 |     if (isSignInPage(request)) {
> 11 |         if (await convexAuth.isAuthenticated()) {
     |            ^
  12 |             return nextjsMiddlewareRedirect(request, "/");
  13 |         }
  14 |     } else { {
  
}

The auth.config.ts:

export default {
    providers: [
        {
            domain: process.env.CONVEX_SITE_URL,
            applicationID: "convex",
        },
    ],
};

The auth.ts:

import { convexAuth } from "@convex-dev/auth/server";
import Authentik from '@auth/core/providers/authentik';

export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({
    providers: [
        Authentik({
            clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
            clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
            issuer: process.env.AUTH_AUTHENTIK_ISSUER,
            profile(profile) {
                return {
                    id: profile.sub,
                    name: profile.name,
                    email: profile.email,
                    groups: profile.groups
                }
            }
        }),
    ],
    callbacks: {
        async createOrUpdateUser(
            ctx,
            { existingUserId, profile, provider, type, shouldLink },
        ) {
            ...
        },
    }
});

Hi @untold spade. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

The error message:

Returning false from isAuthenticated because Error: {"code":"NoAuthProvider","message":"No auth provider found matching the given token"}

indicates that Convex Auth cannot find a matching authentication provider for the token being presented in your Next.js middleware.

Common Causes & Solutions

1. Provider Configuration Mismatch

• The auth.config.ts file and the convex/auth.ts file must both correctly list your authentication providers.
• The domain in your auth.config.ts provider should match the domain expected by your authentication provider and Convex backend. If you are using a custom provider (like Authentik), ensure that the domain and applicationID are set correctly and that environment variables are being loaded as expected.

2. Environment Variables

• Double-check that process.env.CONVEX_SITE_URL is set to the correct value and is available at build and runtime. If this is undefined or incorrect, Convex Auth will not be able to match the provider.
• Similarly, ensure all Authentik-related environment variables (AUTH_AUTHENTIK_CLIENT_ID, etc.) are set and available.

3. Syncing Configuration

• After updating your auth.config.ts, you must run npx convex dev or npx convex deploy to sync the configuration to your backend. If you skip this step, the backend will not recognize your new or updated provider configuration [Convex & Auth0: Debugging authentication].

4. Token Source

• If you have previously run your app with a different provider or on a different domain/port, you may have stale cookies or tokens in your browser. Try clearing your browser cookies and local storage for your app's domain [Discord: Are we sure this is working?].

5. Provider Export in auth.ts

• You are correctly exporting isAuthenticated from convexAuth, which is required for recent versions of Convex Auth [Discord: Middleware Issue on our Nextjs project].

Next Steps

1. Check that all environment variables are set and available.
2. Ensure the domain in auth.config.ts matches what your provider expects.
3. Run npx convex dev or npx convex deploy after any config changes.
4. Clear cookies/local storage in your browser.
5. Restart your Next.js and Convex dev servers.

If after these steps you still see the NoAuthProvider error, double-check that the provider configuration in both auth.config.ts and auth.ts is consistent and that the environment variables are not undefined at runtime.

If you continue to have issues, please provide the actual value of process.env.CONVEX_SITE_URL and confirm that it matches the expected domain for your Convex deployment and Authentik provider.

References:

• Convex & Auth0: Debugging authentication
• Discord: Middleware Issue on our Nextjs project
• Discord: Are we sure this is working?

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@fierce parcel
the following env variables are set in the scope of convex
AUTH_AUTHENTIK_CLIENT_ID=
AUTH_AUTHENTIK_CLIENT_SECRET=
AUTH_AUTHENTIK_ISSUER=
AUTH_LOG_LEVEL=debug
JWKS=
JWT_PRIVATE_KEY=
SITE_URL=http://localhost:3001

and printing the site url in a convex function yields:
CONVEX_SITE_URL=http://127.0.0.1:3211

the env variables on nextjs application side (.env.local)
CONVEX_SELF_HOSTED_URL='http://127.0.0.1:3210'
CONVEX_SELF_HOSTED_ADMIN_KEY='convex-self-hosted|...'
NEXT_PUBLIC_CONVEX_URL=http://127.0.0.1:3210

Let me check the knowledge base for you again. One moment! :books:

Based on your environment variable setup, there is a key mismatch between the SITE_URL (used for OAuth redirects and provider configuration) and the CONVEX_SITE_URL (used internally by Convex for HTTP Actions and as the backend's public URL).

Key points from the knowledge sources:

• The Convex backend uses CONVEX_SITE_URL as the origin for OAuth callback URLs and as the domain for provider configuration. This value should match the public HTTP Actions URL of your Convex deployment, which is typically something like http://127.0.0.1:3211 for self-hosted local development [General OAuth Setup].
• SITE_URL is used for redirecting back to your site after sign-in, but the provider domain in your Convex config should match CONVEX_SITE_URL, not SITE_URL [Manual Auth Setup].
• Your Next.js frontend should use NEXT_PUBLIC_CONVEX_URL to point to the Convex backend (http://127.0.0.1:3210), which is correct for the client [Configuring Deployment URL].

What this means for your setup:

• In your Convex backend, CONVEX_SITE_URL is set to http://127.0.0.1:3211, but SITE_URL is set to http://localhost:3001. This mismatch can cause issues with provider discovery and token validation, as Convex expects the provider domain to match CONVEX_SITE_URL.
• Your provider configuration in auth.config.ts should use process.env.CONVEX_SITE_URL for the domain, and you must ensure that your OAuth provider (Authentik) is configured to use http://127.0.0.1:3211 as the callback URL, not http://localhost:3001.

Actionable steps:

1. Set SITE_URL to match CONVEX_SITE_URL in your Convex backend environment variables:

   SITE_URL=<http://127.0.0.1:3211>
   

   This ensures that all redirects and provider domain checks are consistent.

2. Update your OAuth provider (Authentik) configuration to use http://127.0.0.1:3211/api/auth/callback/authentik as the callback URL.

3. Restart your Convex backend after updating environment variables.

4. Verify that your auth.config.ts uses process.env.CONVEX_SITE_URL for the provider domain:

   export default {
     providers: [
       {
         domain: process.env.CONVEX_SITE_URL,
         applicationID: "convex",
       },
     ],
   };
   

If you follow these steps, the "NoAuthProvider" error should be resolved, as Convex will be able to match the incoming token's issuer with the configured provider domain [General OAuth Setup].

If you continue to have issues, double-check that all environment variables are being loaded correctly and that there are no typos in your callback URLs or provider configuration.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@fierce parcel
no. 1 causes a redirect to http://localhost:3211/?code=73081763 which errors with no actionable routes

no. 2 is already set
no. 3 has no effect
no. 4 is the current configuration

Let me check the knowledge base for you again. One moment! :books:

Thank you for the clarification. Based on your description:

• When you set SITE_URL to match CONVEX_SITE_URL (e.g., <http://127.0.0.1:3211>), the OAuth flow redirects to <http://localhost:3211/?code=...> and you see a "no actionable routes" error.

From the knowledge sources, this error typically means that the redirect is going to the root of your Convex HTTP Actions server, but there is no route defined there to handle the request. For OAuth, the redirect/callback URL must include the /api/auth/callback/<provider> path, not just the root URL.

What to check:

1. Callback URL Configuration:
   Your OAuth provider (Authentik) must be configured to redirect to:

   <http://127.0.0.1:3211/api/auth/callback/authentik>
   

   not just <http://127.0.0.1:3211/.>
   This is explicitly required in the Convex Auth documentation for all OAuth providers [General OAuth Setup].

2. SITE_URL vs. CONVEX_SITE_URL:

   • SITE_URL is used for redirecting users back to your frontend after authentication.
   • CONVEX_SITE_URL is used for the backend's HTTP Actions and should match the domain used in your OAuth provider's callback URL.

3. No Actionable Routes:
   If you see "no actionable routes," it means the request is hitting a URL that Convex does not have a handler for. Only /api/auth/callback/<provider> and other defined HTTP routes will work [Manual Setup].

Summary of what to do:

• Double-check your Authentik OAuth app's callback URL. It must be:

  <http://127.0.0.1:3211/api/auth/callback/authentik>
  

• Do not use the root URL (/) as a callback.
• After updating, retry the OAuth flow.

If you have already set the callback URL correctly and still see this error, the knowledge sources do not provide further troubleshooting steps for this specific scenario. In that case, please provide the exact callback URL being used and any additional error messages for further assistance.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@fierce parcel is there any issue with the payload of the jwt?

{
  "sub": "jx786b6cfmxpmbcx62y9z3dv0x7gv0kn|jh79bb4vjpv7qbprg375rftk6h7gvnpj",
  "iat": 1748535080,
  "iss": "http://127.0.0.1:3211",
  "aud": "convex",
  "exp": 1748538680
}

given prior context?

Let me check the knowledge base for you again. One moment! :books:

Based on the knowledge sources, your JWT payload appears to have the required fields for Convex custom authentication:

{
  "sub": "jx786b6cfmxpmbcx62y9z3dv0x7gv0kn|jh79bb4vjpv7qbprg375rftk6h7gvnpj",
  "iat": 1748535080,
  "iss": "<http://127.0.0.1:3211",>
  "aud": "convex",
  "exp": 1748538680
}

Required fields for Convex custom JWT/OIDC:

• sub: Subject (user identifier)
• iat: Issued at
• iss: Issuer (must match the domain or issuer in your auth.config.ts)
• aud: Audience (must match the applicationID in your auth.config.ts)
• exp: Expiration

Your payload matches these requirements. The iss field is "<http://127.0.0.1:3211",> which should match the domain or issuer in your Convex auth.config.ts. The aud is "convex", which should match your applicationID [Custom JWT Provider].

Potential issues to check (based on knowledge sources):

• The iss and aud fields must match exactly (including protocol and port) with your Convex backend configuration [Debugging Authentication].
• The JWT must be signed with the correct algorithm (RS256 or ES256 are supported) and the Convex backend must be able to fetch and verify the public key from your JWKS endpoint if using asymmetric signing [Custom JWT Provider].
• If you are still seeing NoAuthProvider errors, double-check that the auth.config.ts is deployed and that the environment variables are loaded as expected.

Summary:
There is no obvious issue with the payload itself, assuming your Convex backend configuration matches the iss and aud values and the JWT is properly signed. If you are still encountering errors, the problem is likely elsewhere (e.g., configuration mismatch, signing key, or JWKS endpoint), not with the payload fields themselves.

If you need to debug further, follow the step-by-step guide in the Convex docs to ensure all configuration matches [Debugging Authentication].

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@fierce parcel lets circle back round to the original error

Returning false from isAuthenticated because Error: {"code":"NoAuthProvider","message":"No auth provider found matching the given token"}
    at async isAuthenticated (../../../src/nextjs/server/index.tsx:321:11)
    at async (middleware.ts:12:12)
    at async (../../../src/nextjs/server/index.tsx:239:8)
  10 |     console.info('begin middleware', await convexAuth.getToken());
  11 |     if (isSignInPage(request)) {
> 12 |         if (await convexAuth.isAuthenticated()) {
     |            ^
  13 |             return nextjsMiddlewareRedirect(request, "/");
  14 |         }
  15 |     } else { {
  
}

Let me check the knowledge base for you again. One moment! :books:

The error message:

Returning false from isAuthenticated because Error: {"code":"NoAuthProvider","message":"No auth provider found matching the given token"}

means that Convex Auth is unable to find a provider configuration that matches the iss (issuer) and aud (audience) fields in the JWT token being presented. This is a common issue when there is a mismatch between the provider configuration in your Convex backend and the values in the JWT.

Based on the knowledge sources, here are the most likely causes and solutions:

1. Provider Configuration Mismatch

Your auth.config.ts should have a provider with a domain that matches the iss field in your JWT, and an applicationID that matches the aud field. For example:

export default {
  providers: [
    {
      domain: process.env.CONVEX_SITE_URL, // should match "iss" in JWT
      applicationID: "convex",             // should match "aud" in JWT
    },
  ],
};

If process.env.CONVEX_SITE_URL is not exactly "<http://127.0.0.1:3211"> (including protocol and port), Convex will not recognize the token and will return NoAuthProvider [Stack: NextAuth Adapter].

2. Environment Variable Consistency

The value of CONVEX_SITE_URL must be set and available in your Convex backend environment, and it must match the iss in the JWT. If there is any mismatch (e.g., localhost vs 127.0.0.1, or a different port), the provider will not be found [Discord: Are we sure this is working?].

3. Deploying Configuration

After changing auth.config.ts or environment variables, you must restart your Convex backend (e.g., npx convex dev or npx convex deploy) so the new configuration is loaded [Discord: Middleware Issue on our Nextjs project].

4. Stale or Incorrect Tokens

If you previously authenticated with a different provider or domain, your browser may have a stale token. Clear your cookies and local storage before testing again [Discord: Are we sure this is working?].

5. Provider Export in auth.ts

For recent versions of Convex Auth, you must export isAuthenticated from your convex/auth.ts file:

export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({
  // ...
});

If this is missing, you may see related errors, but your code already includes this [Discord: Middleware Issue on our Nextjs project].

Summary:
The error is almost always caused by a mismatch between the domain in your Convex provider config and the iss in your JWT, or between the applicationID and the aud. Double-check that these values match exactly, including protocol and port, and that your environment variables are set and loaded correctly in the Convex backend. Restart your backend after making changes, and clear your browser's cookies and local storage before testing again.

If you have verified all of the above and the error persists, the knowledge sources do not provide further troubleshooting steps for this specific error.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@fierce parcel no indication any of these things are wrong

Let me check the knowledge base for you again. One moment! :books:

Thank you for your patience and for clarifying that you have already checked the typical causes (provider config, environment variables, deployment, and token freshness) and found no indication that any of these are wrong.

Based on the knowledge sources, the error:

Returning false from isAuthenticated because Error: {"code":"NoAuthProvider","message":"No auth provider found matching the given token"}

always points to a mismatch between the JWT's iss/aud and the provider configuration in Convex. However, if you have verified that:

• The iss in your JWT exactly matches the domain in your auth.config.ts
• The aud in your JWT exactly matches the applicationID in your auth.config.ts
• All environment variables are set and loaded correctly
• You have restarted your Convex backend after changes
• You have cleared cookies/local storage

and you are still seeing this error, the knowledge sources do not provide any further troubleshooting steps or alternative causes for this specific error. The documentation and support threads consistently point to configuration mismatches as the root cause, and do not mention any other underlying issues that could result in a NoAuthProvider error.

If all configuration is correct and the error persists, the knowledge sources do not contain enough information to explain or resolve the issue beyond what has already been discussed. In this case, you may need to seek direct support from the Convex team or community for deeper investigation, as the available documentation does not cover additional edge cases for this error.

If you have any new symptoms or error messages, please share them, as that may help narrow down the issue further based on the knowledge sources.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@fierce parcel why is the isAuthenticated call not appearing in convex logs?

Let me check the knowledge base for you again. One moment! :books:

I'm sorry, but the knowledge sources do not explicitly mention why the isAuthenticated call in Next.js middleware would not appear in the Convex logs. The available documentation and support threads focus on configuration, debugging authentication, and common error messages, but do not detail the internal logging behavior of the isAuthenticated function or its interaction with Convex logs.

If you are expecting to see log output from isAuthenticated in the Convex dashboard or server logs and do not, this specific scenario is not addressed in the provided sources. If you need to debug authentication issues, the recommended approach is to add explicit logging in your Convex functions (such as logging the result of ctx.auth.getUserIdentity()), as described in the debugging guides, but there is no mention of automatic logging for isAuthenticated calls in middleware or elsewhere [Debugging Authentication].

If you need more detailed tracing, you may want to enable verbose logging as described in the debugging documentation, but again, the sources do not guarantee that every isAuthenticated call will be logged by default [Debugging].

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: