#getting this error in console with using convex auth

Hi @dreamy mica. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

The error you're seeing:

Failed to insert or update a document in table "users" because it does not match the schema: Object is missing the required field password. Consider wrapping the field validator in v.optional(...) if this is expected.

means that your Convex schema for the users table requires a password field (password: v.string()), but when a user signs up (in this case, via Google OAuth), no password is provided—only fields like email, name, and image are present.

OAuth providers like Google do not supply a password, so the password field will always be missing for those users. To fix this, you should make the password field optional in your schema:

users: defineTable({
  email: v.string(),
  name: v.string(),
  password: v.optional(v.string()), // Make password optional
  // ...other fields
})

This change allows users created via OAuth (who won't have a password) to be inserted into the table without violating the schema. Only require the password field if you are certain all authentication flows (including OAuth) will provide it, which is not the case for most setups.

For more on customizing the users table schema and handling required/optional fields, see the official documentation: Customizing Schema.

If you want to keep the password field required for password-based signups but optional for OAuth, you must ensure your schema and authentication flows are aligned, or handle user creation logic accordingly in your provider's profile callback or a custom createOrUpdateUser callback. But for most cases, making the field optional is the correct solution when supporting multiple auth methods.

If you have further issues, check your schema and the data being inserted, and ensure all required fields are present for each signup method you support.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin getting this error now
'Uncaught Error: Failed to insert or update a document in table "users" because it does not match the schema: Object contains extra field emailVerificationTime that is not in the validator.\n\nObject: {email: "[email protected]", emailVerificationTime: 1751151694425.0, image: "https://lh3.googleusercontent.com/a/ACg8ocJQ-qJHwtfp5Z1_x9FTWV1IB1vOBvCGusjnVtS0VIKiRRFMRQ=s96-c", name: "David Benavidez"}\nValidator: v.object({email: v.string(), name: v.string()})\n\n'

this is my schema
users: defineTable({
name: v.string(),
email: v.string(),
}).index("email", ["email"]),

Let me check the knowledge base for you again. One moment! :books:

The error occurs because your schema for the users table only allows the fields name and email, but Convex Auth is trying to insert a user document that also includes the field emailVerificationTime. By default, Convex enforces strict schema validation: any extra fields not defined in the schema will cause an error like the one you’re seeing.

To resolve this, you need to add all fields that Convex Auth may insert into the users table to your schema. For Google OAuth and other providers, fields like emailVerificationTime, image, and possibly others are included by default.

Update your schema to include these fields, marking them as optional if they may not always be present:

users: defineTable({
  name: v.string(),
  email: v.string(),
  emailVerificationTime: v.optional(v.number()),
  image: v.optional(v.string()),
  // Add any other fields you expect
}).index("email", ["email"]),

This will allow documents with those extra fields to be inserted without schema validation errors. For more details, see the Convex Auth schema customization docs: Customizing Schema.

If you want to see all fields that might be inserted, you can temporarily disable schema validation to inspect the inserted documents, as suggested in the community discussions. But in general, you should align your schema with the fields provided by your authentication providers to avoid these errors Customizing Schema.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin getting this error now
6/28/2025, 456 PM [CONVEX M(auth:store)] Uncaught Error: Missing environment variable JWT_PRIVATE_KEY

6/28/2025, 456 PM [CONVEX A(auth:signIn)] Uncaught Error: Uncaught Error: Missing environment variable JWT_PRIVATE_KEY

however I set this already
npx convex env set AUTH_GOOGLE_SECRET

Let me check the knowledge base for you again. One moment! :books:

The error message:

Missing environment variable JWT_PRIVATE_KEY

indicates that your Convex backend is expecting the environment variable JWT_PRIVATE_KEY to be set, but it is not found. Setting AUTH_GOOGLE_SECRET is not sufficient—these are two different environment variables for different purposes.

• AUTH_GOOGLE_SECRET is used for Google OAuth.
• JWT_PRIVATE_KEY is required by Convex Auth for signing JWTs.

To resolve this, you need to generate a private key and set it as JWT_PRIVATE_KEY in your Convex environment variables. Here’s how you can do it:

1. Generate the private key
   Use the provided script to generate the key:

   import { exportJWK, exportPKCS8, generateKeyPair } from "jose";
   
   const keys = await generateKeyPair("RS256", { extractable: true });
   const privateKey = await exportPKCS8(keys.privateKey);
   const publicKey = await exportJWK(keys.publicKey);
   const jwks = JSON.stringify({ keys: [{ use: "sig", ...publicKey }] });
   
   process.stdout.write(
     `JWT_PRIVATE_KEY="${privateKey.trimEnd().replace(/\n/g, " ")}"`,
   );
   process.stdout.write("\n");
   process.stdout.write(`JWKS=${jwks}`);
   process.stdout.write("\n");
   

   (Manual Setup Guide)

2. Set the environment variable
   Copy the output for JWT_PRIVATE_KEY and set it in your Convex deployment:

   npx convex env set JWT_PRIVATE_KEY "<your-private-key>"
   

   Make sure you do this for the correct environment (dev or prod) as needed.

3. Set the JWKS variable as well
   The public key (JWKS) should also be set in your Convex environment variables.

If you only set AUTH_GOOGLE_SECRET and not JWT_PRIVATE_KEY, Convex Auth will not work and you will see this error. Make sure both are set as described above Manual Setup Guide.

If you continue to see the error after setting the variable, double-check that you set it in the correct deployment (dev or prod) and that there are no typos in the variable name.

For more details, see the Convex Auth setup documentation: Manual Setup.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin I need to set a private and public key?

howis this releated to Oauth

Let me check the knowledge base for you again. One moment! :books:

Yes, you need to set both a private and public key when using Convex Auth, even with OAuth providers like Google.

Why?
Convex Auth uses JWTs (JSON Web Tokens) to represent authenticated users. When a user signs in (via OAuth or other methods), Convex Auth issues a JWT signed with your private key. The Convex backend then verifies this JWT using the corresponding public key. This process ensures that only tokens issued by your backend are trusted, and it is a standard part of implementing secure authentication flows, including OAuth.

How is this related to OAuth?
OAuth providers (like Google) authenticate the user and provide your backend with user information. Your backend then creates a session for the user and issues a JWT (signed with your private key) that Convex uses to identify the user in subsequent requests. The public key is used by Convex to verify the authenticity of these JWTs.

This is why, as part of the Convex Auth setup, you are required to generate a private/public key pair and set them as environment variables (JWT_PRIVATE_KEY and JWKS) in your Convex deployment Manual Setup Guide.

If you skip this step, Convex Auth cannot issue or verify JWTs, and authentication will fail—even if you have configured OAuth providers like Google.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin
6/28/2025, 4:20:32 PM [CONVEX M(auth:store)] Uncaught TypeError: "pkcs8" must be PKCS#8 formatted string

6/28/2025, 4:20:32 PM [CONVEX A(auth:signIn)] Uncaught Error: Uncaught TypeError: "pkcs8" must be PKCS#8 formatted string

Let me check the knowledge base for you again. One moment! :books:

The error:

Uncaught TypeError: "pkcs8" must be PKCS#8 formatted string

means that the value you set for the JWT_PRIVATE_KEY environment variable is not in the correct PKCS#8 format, or it was not set properly.

What to check:

1. Correct Key Format:
   The private key must be a valid PKCS#8 PEM string (it should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----). If you generated the key using the script from the Convex docs, make sure you copied the entire output exactly as shown, including all header/footer lines and no extra spaces or line breaks in the wrong places Manual Setup Guide.

2. Setting the Variable:
   When setting the environment variable, ensure you use the correct command and paste the value exactly as output by the script. For example:

   npx convex env set JWT_PRIVATE_KEY "-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----"
   

   If you see \n in the string, make sure it matches the format expected by Convex (the script in the docs replaces newlines with spaces for compatibility).

3. No Typos or Truncation:
   Double-check that the key was not accidentally truncated or altered when copying/pasting.

If you follow the steps in the Convex Auth manual setup guide to generate and set the key, this error should be resolved Manual Setup Guide.

If you continue to have issues, try regenerating the key using the script provided in the docs and carefully set the environment variable again.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin where can I get Authenticated and UnAuthenticated wrappers

Let me check the knowledge base for you again. One moment! :books:

You can get the Authenticated and Unauthenticated wrappers from the convex/react package. These are React components provided by Convex to help you conditionally render UI based on the user's authentication state.

Example usage:

import { Authenticated, Unauthenticated, AuthLoading } from "convex/react";

function App() {
  return (
    <div>
      <Authenticated>
        {/* Content for authenticated users */}
      </Authenticated>
      <Unauthenticated>
        {/* Content for unauthenticated users */}
      </Unauthenticated>
      <AuthLoading>
        {/* Content while authentication state is loading */}
      </AuthLoading>
    </div>
  );
}

These components use the authentication state from Convex and will render their children only when the user is in the corresponding state. You can find more details and usage examples in the Convex documentation Module: react and in the Convex Auth guides Convex & Clerk: React.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin I can see my convex auth jwt token and refresh token but Authenticated wrapper is not working, my logic in still showing from my unauthenticated wrapper

Let me check the knowledge base for you again. One moment! :books:

If you can see your Convex Auth JWT token and refresh token, but the <Authenticated> wrapper is not rendering its content (and your UI is still showing the <Unauthenticated> content), there are a few common causes based on the knowledge sources:

1. Convex Auth State vs. Provider Auth State:
   It's important to use Convex's own auth state, not just the state from your auth provider (like Clerk or Auth0). There is a short window where your provider may show you as authenticated, but Convex has not yet received or validated the token. Always use the useConvexAuth() hook or the <Authenticated>/<Unauthenticated> wrappers from convex/react to check authentication state, not the provider's hooks (Convex & Clerk: React, Convex & Auth0).

2. Token Propagation Delay:
   After signing in, there is a brief period where the JWT is available on the client, but Convex has not yet received and validated it over the WebSocket connection. During this time, <Authenticated> will not render its children, and <AuthLoading> or <Unauthenticated> may be shown. This is a known race condition, and adding a delay after sign-in (not recommended for production) can "fix" it, but the real solution is to ensure you only redirect or show protected content after Convex's auth state is fully updated (Discord: Redirecting to a protected route after a successful sign-in not working properly).

3. Component Tree Placement:
   Make sure that the components using Convex queries or the <Authenticated> wrapper are children of the Convex auth provider and, if using Clerk, are not relying on Clerk's <SignedIn>/<SignedOut> wrappers. Only the Convex wrappers will reflect the backend's authenticated state (Convex & Clerk: React, Discord: Migrating from Clerk components - Expo).

4. Missing HTTP Route Setup:
   If you are using Convex Auth, make sure you have added the required HTTP routes in your Convex backend setup. Missing this step can cause the Convex auth state to never update, even if you see tokens on the client. See the note from a user who fixed this by adding auth.addHttpRoutes(http); to their http.ts (Discord: Authentication not updating).

Summary of what to check:

• Use only Convex's <Authenticated>, <Unauthenticated>, and <AuthLoading> wrappers for auth state.
• Wait for Convex's auth state to update before redirecting or showing protected content.
• Ensure your backend is set up with the required HTTP routes for Convex Auth.
• Make sure your component tree is correct and not mixing provider and Convex auth state.

If you have done all of the above and the issue persists, double-check your Convex backend logs for errors and ensure your environment variables and schema are set up correctly.

For more details, see:

• Convex & Clerk: React
• Convex & Auth0: Logged-in and logged-out views
• Discord: Authentication not updating
• Discord: Redirecting to a protected route after a successful sign-in not working properly

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin Failed to authenticate: "Auth provider discovery of https://adorable-robin-86.convex.site failed", check your server auth config

Let me check the knowledge base for you again. One moment! :books:

The error message:

Failed to authenticate: "Auth provider discovery of https://adorable-robin-86.convex.site failed", check your server auth config

means that Convex is unable to discover or validate the authentication provider at the specified URL. This typically happens when the Convex backend tries to fetch the OpenID Connect discovery document (usually at /.well-known/openid-configuration) from the given domain and either receives an error (like 404 Not Found) or the response is not in the expected format.

Common causes and solutions based on the knowledge sources:

1. Incorrect or Incomplete Auth Provider Configuration:
   Double-check your auth.config.ts (or equivalent) to ensure the domain field for your provider is set correctly. The domain should point to a valid OpenID Connect provider, not your Convex deployment URL, unless you are running your own OIDC provider at that URL. If you are using a third-party provider (like Clerk, Auth0, or Google), the domain should match their issuer URL, not your Convex site URL (Discord: Auth Provider Discovery Failed).

2. Self-Hosting or Custom Providers:
   If you are self-hosting or using a custom provider, ensure that the provider exposes a valid OpenID Connect discovery document at the expected endpoint. If the endpoint returns a 404 or is misconfigured, you will see this error. Also, make sure your Convex deployment and environment variables are up to date and match your provider's configuration (Discord: Auth Provider Discovery Failed).

3. Provider Discovery Document Issues:
   If the discovery document exists but contains invalid fields (such as an empty or malformed registration_endpoint), Convex may fail to parse it. Removing or correcting problematic fields in the provider's metadata can resolve the issue (Discord: Custom Auth Error: "Auth provider discovery ... failed").

What to do:

• Verify that your auth.config.ts is pointing to the correct OIDC provider domain.
• If you are not running an OIDC provider at <https://adorable-robin-86.convex.site,> update your config to use the correct provider domain.
• If you are running your own provider, ensure the discovery document is accessible and correctly formatted.
• After making changes, redeploy your Convex backend (npx convex dev or npx convex deploy).

If you continue to have issues, review the Convex auth debug guide for more troubleshooting steps.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin
export default {
providers: [
{
domain: process.env.CONVEX_SITE_URL,
applicationID: "convex",
},
],
};

Let me check the knowledge base for you again. One moment! :books:

Your auth.config.ts:

export default {
  providers: [
    {
      domain: process.env.CONVEX_SITE_URL,
      applicationID: "convex",
    },
  ],
};

What this does:
This configuration sets up a custom authentication provider for Convex Auth, where:

• domain is set to the value of the CONVEX_SITE_URL environment variable.
• applicationID is set to "convex".

When to use this:
This pattern is used when you are running your own OpenID Connect (OIDC) or custom JWT provider at your Convex deployment URL. It is commonly seen in advanced or self-hosted setups, or when using Convex Auth as your authentication provider. The domain must match the iss (issuer) field in the JWTs your provider issues, and the applicationID must match the aud (audience) field in those JWTs (Manual Setup Guide, NextAuth Adapter Guide).

Important notes:

• If you are using a third-party provider (like Clerk, Auth0, or Google), you should set domain to the provider's issuer URL, not your Convex site URL (Custom OIDC Provider).
• If you are not running an OIDC provider at your Convex deployment URL, this config will cause provider discovery to fail, resulting in errors like "Auth provider discovery ... failed" (Discord: Auth Provider Discovery Failed).
• Make sure your environment variable CONVEX_SITE_URL is set correctly and matches the expected issuer URL.

If you are following the Convex Auth manual setup or integrating with NextAuth, this config is correct. Otherwise, for third-party providers, use their issuer domain instead.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin I'm not seeing the error anymore, but useConvexAuth isAuthenticated returns false but I can see my tokens in localstorage

this my is main tsx
import { StrictMode } from "react";
import { createRoot } from "react-dom/client";
import "./index.css";
import { ConvexAuthProvider } from "@convex-dev/auth/react";
import { ConvexReactClient } from "convex/react";
import { ConvexQueryClient } from "@convex-dev/react-query";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { RouterProvider, createRouter } from "@tanstack/react-router";
import { routeTree } from "./routeTree.gen";
import "@mantine/core/styles.css";
import { MantineProvider } from "@mantine/core";

const convex = new ConvexReactClient(import.meta.env.VITE_CONVEX_URL);
const convexQueryClient = new ConvexQueryClient(convex);

const queryClient = new QueryClient({
defaultOptions: {
queries: {
queryKeyHashFn: convexQueryClient.hashFn(),
queryFn: convexQueryClient.queryFn(),
},
},
});

convexQueryClient.connect(queryClient);

// Create the router with context
const router = createRouter({
routeTree,
defaultPreload: "intent",
context: {
queryClient,
},
});

// Register the router instance for type safety
declare module "@tanstack/react-router" {
interface Register {
router: typeof router;
}
}

createRoot(document.getElementById("root")!).render(
<StrictMode>
<MantineProvider>
<ConvexAuthProvider client={convex}>
<QueryClientProvider client={queryClient}>
<RouterProvider router={router} />
</QueryClientProvider>
</ConvexAuthProvider>
</MantineProvider>
</StrictMode>
);

Let me check the knowledge base for you again. One moment! :books:

If you can see your Convex Auth tokens in localStorage but useConvexAuth().isAuthenticated is returning false, this usually means that the Convex backend has not accepted or validated the token yet, or there is a mismatch between the client and server authentication state.

Based on the knowledge sources, here are the most common causes and solutions:

1. Token Propagation Delay:
   There is often a short delay after sign-in where the token is present in localStorage, but the Convex client has not yet sent it to the backend or the backend has not validated it. During this time, isAuthenticated will remain false. This is a known race condition, especially right after sign-in or page reload. You should always use the Convex auth state (useConvexAuth or <Authenticated>) and not the provider's state for gating access, and wait for isAuthenticated to become true before redirecting or showing protected content (Convex & Clerk: React, Convex & Auth0: React).

2. Backend Auth Configuration:
   If your backend is not correctly configured with the right auth provider or the required HTTP routes, the Convex client will not be able to validate the token, and isAuthenticated will stay false. Double-check your auth.config.ts and ensure you have run npx convex dev or npx convex deploy after making changes. Also, make sure you have added the required HTTP routes for Convex Auth in your backend setup (Convex & Clerk: Debugging authentication, Convex & Auth0: Debugging authentication).

3. Schema or Environment Variable Issues:
   If there are schema mismatches or missing environment variables (like JWT_PRIVATE_KEY), authentication may silently fail. Check your Convex logs for any errors related to auth or schema validation (Manual Setup Guide).

4. Component Tree Placement:
   Make sure that all components using Convex queries or useConvexAuth are children of the ConvexAuthProvider. In your code, this appears to be correct.

5. Debugging Steps:

   • Try clearing localStorage and cookies, or running in an incognito window, to rule out stale state (Debugging).
   • Enable verbose logging on the client by passing { verbose: true } to your ConvexReactClient constructor to get more insight into what is happening (Debugging).

If you have checked all of the above and the issue persists, there may be a deeper configuration or propagation issue. The knowledge sources do not provide a more specific solution for this scenario, but these are the recommended steps based on similar issues reported by other users.

If you see any errors in your Convex backend logs, those can provide more clues as to what is going wrong.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin retrieved tokens, is null: false
eauthentication failed, could not fetch a new token [v4]
auth state to {"state":"noAuth"} [v4]
attempting to reauthenticate: Auth provider discovery of failed [v2]

Let me check the knowledge base for you again. One moment! :books:

Your logs indicate several key issues:

• retrieved tokens, is null: false
  This means your client is retrieving tokens from storage, and they are not null.

• authentication failed, could not fetch a new token [v4]
  The client attempted to refresh or fetch a new token and failed.

• auth state to {"state":"noAuth"} [v4]
  The Convex client has set its authentication state to "noAuth", meaning it considers the user unauthenticated.

• attempting to reauthenticate: Auth provider discovery of failed [v2]
  The client tried to reauthenticate, but failed to discover the auth provider. The error message is incomplete, but typically it would say something like "Auth provider discovery of [URL] failed".

What this means

Based on the knowledge sources, this pattern of errors usually means:

1. Auth Provider Discovery Failure:
   The Convex client is unable to discover or validate the authentication provider. This often happens if the domain in your auth.config.ts is not set to a valid OpenID Connect provider, or if the URL is missing or incorrect. If the domain is empty or not reachable, provider discovery will fail and authentication cannot proceed (Discord: Auth Provider Discovery Failed).

2. Token Fetch/Refresh Failure:
   Even though tokens are present in storage, if the backend cannot validate them (due to provider discovery failure or misconfiguration), the client will not be able to fetch or refresh tokens, and will set the auth state to unauthenticated.

What to check

• Check your auth.config.ts:
  Ensure the domain field is set to a valid OpenID Connect provider URL. If you are not running an OIDC provider at your Convex deployment URL, do not set the domain to your Convex site URL. For third-party providers, use their issuer URL.

• Check environment variables:
  Make sure all required environment variables are set, and that the domain is not empty or undefined.

• Redeploy after changes:
  After updating your config, run npx convex dev or npx convex deploy to sync changes.

• Review backend logs:
  Check your Convex backend logs for more detailed error messages about provider discovery or token validation.

If you continue to see "Auth provider discovery of [URL] failed", it means the Convex backend cannot reach or validate the provider at the specified domain. Double-check your configuration and ensure the provider is accessible and correctly set up (Discord: Auth Provider Discovery Failed).

If the knowledge sources do not cover your exact setup or you are still stuck, please provide the full error message and your current auth.config.ts for more targeted help.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin if im using convex auth, what would my openid connect provider url be

Let me check the knowledge base for you again. One moment! :books:

If you are using Convex Auth as your authentication provider, your OpenID Connect (OIDC) provider URL (the "issuer" or domain in your auth.config.ts) should be set to your Convex deployment URL, which is the value of your CONVEX_SITE_URL environment variable. For example, it might look like:

<https://adorable-robin-86.convex.site>

This is because Convex Auth acts as the OIDC provider in this setup, and your Convex deployment exposes the necessary OIDC endpoints (such as /.well-known/openid-configuration and /.well-known/jwks.json) at this URL, as described in the setup guides:

Because domain is set to the value of the built-in CONVEX_SITE_URL environment variable, you’re telling your Convex backend to check with itself for the public key it should use to validate JWTs. The applicationID value must match the “audience” set on the JWT.
Convex Adapter for Auth.js (NextAuth) Setup Guide

and

Add these to your convex/auth.config.js file:

export default {  
  providers: [  
    {  
      domain: "<https://your.issuer.url.com",>  
      applicationID: "your-application-id",  
    },  
  ],  
};  

The applicationID property must exactly match the aud field of your JWT and the domain property must exactly match the iss field of the JWT.
Custom OIDC Provider

So, your OIDC provider URL is your Convex deployment URL (e.g., <https://adorable-robin-86.convex.site>) when using Convex Auth.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin I've set that as my domain but still getting the same error

Let me check the knowledge base for you again. One moment! :books:

If you have set your Convex deployment URL (e.g., <https://adorable-robin-86.convex.site>) as the domain in your auth.config.ts and are still seeing the "Auth provider discovery of ... failed" error, here are the most likely causes and troubleshooting steps based on the knowledge sources:

1. Missing or Incorrect OIDC Endpoints
   Convex Auth expects your deployment to expose the OpenID Connect discovery document at /.well-known/openid-configuration and the JWKS at /.well-known/jwks.json. If these endpoints are not available or not correctly configured, provider discovery will fail.

   • Make sure you have added the required HTTP routes in your Convex backend. Specifically, your http.ts should include routes for these endpoints, as shown in the NextAuth Adapter Guide.

2. Environment Variables Not Set
   The endpoints above rely on environment variables like JWKS (for the public key) and CONVEX_SITE_URL. If these are missing or misconfigured, the endpoints may not work, causing discovery to fail.

   • Double-check that you have set JWKS and any other required variables in your Convex deployment settings (Manual Setup Guide).

3. Backend Not Redeployed
   After making changes to your configuration or environment variables, you must redeploy your Convex backend using npx convex dev or npx convex deploy to apply the changes (Debugging Authentication).

4. Self-Hosting or Version Issues
   If you are self-hosting Convex, ensure you are running a recent version that supports Convex Auth and OIDC endpoints. Some users have reported issues with older versions or with self-hosted setups missing required endpoints (Discord: Auth Provider Discovery Failed).

5. Check Endpoint Accessibility
   Try visiting <https://adorable-robin-86.convex.site/.well-known/openid-configuration> in your browser. You should see a JSON document describing your OIDC provider. If you get a 404 or an error, your backend is not exposing the required endpoints.

If you have verified all of the above and the error persists, please check your Convex backend logs for more detailed error messages, as they may provide additional clues.

If you are still stuck, please share your http.ts configuration and confirm that the OIDC endpoints are accessible in your deployment. The knowledge sources do not provide further troubleshooting steps beyond these points.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin I went to check endpoint accessibilty and I can see json document

here is my https.ts
import { httpRouter } from "convex/server";
import { auth } from "./auth";

const http = httpRouter();

auth.addHttpRoutes(http);

export default http;

Let me check the knowledge base for you again. One moment! :books:

Given your setup:

• You have set your Convex deployment URL as the domain in your auth.config.ts.
• Your http.ts correctly includes auth.addHttpRoutes(http);.
• You can access the OIDC discovery document at /.well-known/openid-configuration.

But you are still seeing "Auth provider discovery of ... failed".

Based on the knowledge sources, here are the most relevant checks and next steps:

1. Environment Variables:
   Double-check that all required environment variables are set, especially JWKS (the public key set) and JWT_PRIVATE_KEY (the private key). Missing or misconfigured environment variables are a common cause of discovery or validation failures, even if the endpoints are accessible (Manual Setup Guide).

2. Redeploy After Changes:
   After setting or updating environment variables, make sure you have redeployed your Convex backend using npx convex dev or npx convex deploy so the changes take effect (Debugging Authentication).

3. Check for Backend Errors:
   Review your Convex backend logs for any errors related to authentication, environment variables, or schema issues. Sometimes, the logs will provide more specific information about what is failing during provider discovery (Debugging Authentication).

4. OIDC Document Content:
   Even if the OIDC discovery document is accessible, ensure its content is valid and does not contain problematic fields (such as an empty or malformed registration_endpoint). Invalid fields in the discovery document can cause Convex to fail parsing it (Discord: Custom Auth Error).

If all of the above are correct and you still see the error, the knowledge sources do not provide further troubleshooting steps for this scenario. At this point, the most likely issues are with environment variables or subtle misconfigurations in the OIDC document content.

If you can share the actual content of your OIDC discovery document (with sensitive info redacted), that may help further diagnose the issue.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin it is working now, it was because of my public key was incorrect. Now how would I set up a pathless authenticated route?

Let me check the knowledge base for you again. One moment! :books:

Great to hear your authentication is working!

For pathless authenticated routes (i.e., layouts or wrappers that enforce authentication for all nested routes, without being tied to a specific path), the recommended approach with Convex (and TanStack Router/Start) is to use a layout component that checks authentication state and conditionally renders its children. This is demonstrated in the Discord support threads:

You can create a layout route (e.g., _authenticated) that wraps all protected routes. Inside this layout, use the useConvexAuth() hook to check authentication and redirect or render accordingly:

// Example: app/routes/_authenticated/route.tsx
import { useConvexAuth } from "@convex-dev/react-query";
import { Navigate, Outlet } from "@tanstack/react-router";
import { LoadingSpinner } from "@/components/ui/loading-spinner";

function AuthenticatedLayout() {
  const { isLoading, isAuthenticated } = useConvexAuth();

  if (isLoading) {
    return <LoadingSpinner fullScreen />;
  }

  if (!isAuthenticated) {
    return <Navigate to="/login" />;
  }

  return <Outlet />; // Renders nested protected routes
}

This pattern ensures that all child routes of _authenticated are protected, without needing to specify authentication logic on every individual route. The layout itself is "pathless" in the sense that it doesn't correspond to a user-facing page, but acts as a guard for its children (Discord: Setting up protected routes in TanStack Start).

Summary:

• Create a layout route (e.g., _authenticated) that wraps protected routes.
• Use useConvexAuth() in the layout to enforce authentication.
• Render <Outlet /> for authenticated users, or redirect otherwise.

This is the recommended and community-validated approach for pathless authenticated layouts with Convex and modern React routers.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin do I need a index.tsx under _authenticated

Let me check the knowledge base for you again. One moment! :books:

You do not strictly need an index.tsx under your _authenticated layout route for authentication to work. The _authenticated layout itself (e.g., app/routes/_authenticated/route.tsx) acts as a guard and will protect all its nested routes by wrapping them with the authentication logic.

However, if you want to have a default page that loads when a user navigates directly to /authenticated (or whatever your layout path is), you can add an index.tsx as the default child route. Otherwise, only the nested routes will be accessible, and navigating directly to the layout path may result in a blank page or a 404, depending on your router setup.

This pattern is shown in community examples, where the layout route handles authentication and the nested routes provide the actual content (Discord: Setting up protected routes in TanStack Start).

Summary:

• You do not need an index.tsx for authentication to work.
• Add index.tsx if you want a default page for the layout route.
• The authentication guard should be in the layout route (e.g., _authenticated/route.tsx).

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin what about retrieving user info, can you show me query and how I can access it from my UI, should I add this data in context?

Let me check the knowledge base for you again. One moment! :books:

To retrieve user info in Convex, you typically create a query on the backend that fetches the current user's document, and then call this query from your UI using useQuery. You do not need to add this data to a custom React context—Convex's React hooks handle reactivity and caching for you.

1. Backend: User Query Example

Here’s a common pattern for a query that returns the current user's info:

import { query } from "./_generated/server";
import { getAuthUserId } from "@convex-dev/auth/server";

export const currentUser = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (userId === null) {
      return null;
    }
    return await ctx.db.get(userId);
  },
});

This query uses getAuthUserId to get the authenticated user's ID and then fetches the user document from the database. If the user is not authenticated, it returns null (Authorization: Get currently signed-in user ID).

2. Frontend: Accessing User Info in the UI

You can access this query in your UI with Convex's useQuery hook:

import { useQuery } from "convex/react";
import { api } from "../convex/_generated/api";

function UserProfile() {
  const user = useQuery(api.users.currentUser);

if (user === undefined) {
return <div>Loading...</div>;
}
if (user === null) {
return <div>Not authenticated</div>;
}
return (
<div>
<h2>Welcome, {user.name}</h2>
<p>Email: {user.email}</p>
</div>
);
}

This will automatically re-render if the user info changes or if the authentication state changes ([Discord: Supabase Auth and Convex](<https://discord.com/channels/1019350475847499849/1377346967189066010>), [Stack: Real-Time User Profiles](<https://stack.convex.dev/build-real-time-user-profiles-with-convex-and-clerk#3-fetching-user-information>)).

### 3. **Should You Add User Data to Context?**

**No, you do not need to add user data to a custom React context.**  
Convex's `useQuery` hook already provides reactive, cached access to your backend data. If you need user info in multiple places, simply call `useQuery(api.users.currentUser)` wherever you need it. Convex will deduplicate and cache the query automatically.

---

**Summary:**  
- Write a backend query to fetch the current user.
- Use `useQuery` in your UI to access user info.
- No need for a custom context; use Convex's hooks for reactivity and caching.

For more details and examples, see the [Convex Auth documentation](<https://labs.convex.dev/auth/authz#use-authentication-state-in-backend-functions>) and [community discussions](<https://discord.com/channels/1019350475847499849/1377346967189066010>).
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------

@dapper basin should I refresh page when signing in a user\

Let me check the knowledge base for you again. One moment! :books:

You should not need to refresh the page when signing in a user with Convex Auth. The recommended approach is to rely on Convex's authentication state hooks (useConvexAuth, <Authenticated>, <Unauthenticated>, <AuthLoading>) to reactively update your UI when the authentication state changes.

However, some users have reported a short delay or race condition after sign-in, where the UI does not immediately reflect the authenticated state. This is because there is a brief period where the token is available on the client, but Convex has not yet validated it over the WebSocket connection. During this time, isAuthenticated may still be false, and <Authenticated> will not render its children. Adding a manual page refresh is not recommended as a solution; instead, you should wait for the Convex auth state to update before redirecting or showing protected content (Discord: Redirecting to a protected route after a successful sign-in not working properly).

Summary:

• Do not refresh the page on sign-in.
• Use Convex's auth state hooks/components and wait for isAuthenticated to become true before redirecting or rendering protected content.
• If you experience delays, this is a known race condition, and the recommended solution is to wait for the Convex auth state to update, not to refresh the page.

If you are experiencing persistent issues where the state does not update, double-check your Convex Auth setup and backend configuration.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin what about when signing out a user

Let me check the knowledge base for you again. One moment! :books:

When signing out a user with Convex Auth, you do not need to refresh the page. The recommended approach is to use the provided sign-out function (such as signOut from useAuthActions or your auth provider), and then rely on Convex's authentication state hooks or wrapper components to update your UI reactively.

For example, with Convex Auth:

import { useAuthActions } from "@convex-dev/auth/react";

export function SignOut() {
  const { signOut } = useAuthActions();
  return <button onClick={() => void signOut()}>Sign out</button>;
}

After calling signOut, Convex's auth state (useConvexAuth, <Authenticated>, <Unauthenticated>) will update automatically, and your UI will re-render to reflect the signed-out state. There is no need for a manual page refresh (Convex Auth: Authorization).

If you experience a delay or see errors after signing out, ensure your queries and UI handle the unauthenticated state gracefully, as unauthenticated state can occur at any time and queries should not assume a user is always present (Discord: How to correctly signOut with clerk).

Summary:

• Do not refresh the page on sign-out.
• Use Convex's auth state hooks/components to update your UI.
• Ensure your queries and UI handle unauthenticated state properly.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin what is I want the user to go back to homepage after logging out

Let me check the knowledge base for you again. One moment! :books:

If you want the user to go back to the homepage after logging out, you should perform a redirect after the sign-out action completes. With Convex Auth, the signOut function does not automatically redirect the user, so you need to handle this in your UI logic.

For example, after calling signOut, you can use your router to navigate to the homepage. Here’s a typical pattern:

import { useAuthActions } from "@convex-dev/auth/react";
import { useRouter } from "your-router-library"; // e.g., react-router, next/router, etc.

export function SignOutButton() {
  const { signOut } = useAuthActions();
  const router = useRouter();

  const handleSignOut = async () => {
    await signOut();
    router.push("/"); // Redirect to homepage
  };

  return <button onClick={handleSignOut}>Sign out</button>;
}

This approach is consistent with the Convex Auth documentation, which shows that sign-out only invalidates the session and does not perform navigation for you (Convex Auth: Authorization).

If you are using a framework like Next.js, you can also pass a redirectTo parameter to the sign-out function if your setup supports it, as shown in the NextAuth integration:

await signOut({ redirectTo: "/" });

(Convex with Auth.js (NextAuth) Tips)

Summary:

• Call signOut to log the user out.
• After sign-out, use your router to redirect the user to the homepage.
• The redirect is not automatic; you must handle it in your UI logic.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin what about dealing with user roles, should I do that with claims on token or fetch that from user db.

How would I do that for each one

Let me check the knowledge base for you again. One moment! :books:

When dealing with user roles in Convex, you have two main options: storing roles as claims in the authentication token (JWT) or fetching them from the user database. Each approach has trade-offs, and the best choice depends on your application's needs.

1. Roles as Claims in the Token

• How it works:
  The user's roles are included as custom claims in the JWT issued by your authentication provider. When you call ctx.auth.getUserIdentity(), these roles are available directly in the identity object.

• Example:
  With Auth0, roles can be present in the identity object:

  const identity = await ctx.auth.getUserIdentity();
  const roles = identity.roles;
  

  Discord: Auth0 custom claims

• Pros:

  • Fast access to roles (no extra DB query).
  • Roles are cryptographically signed and tamper-proof.

• Cons:

  • Roles are only updated when a new token is issued. If a user's roles change, the change won't be reflected until the token is refreshed.
  • Not all providers or setups support custom claims easily.

2. Roles in the User Database

• How it works:
  Roles are stored in your Convex database, typically in the user document or a related table. You fetch the user's roles as part of your authorization logic in Convex functions.

• Example:
  You might have a helper like:

  async function getCurrentUser(ctx) {
    const identity = await ctx.auth.getUserIdentity();
    if (!identity) return null;
    return await ctx.db
      .query('users')
      .withIndex('by_token', (q) => q.eq('tokenIdentifier', identity.tokenIdentifier))
      .unique();
  }
  // Then check user.roles or similar
  

  Authentication Best Practices: Convex, Clerk and Next.js

• Pros:

  • Always up-to-date, as changes in the DB are reflected immediately.
  • More flexible for complex role/permission models.

• Cons:

  • Requires a DB query for each authorization check (though Convex queries are efficient and reactive).

Which Should You Use?

• Use token claims if you want fast, stateless access and roles don't change often.
• Use the database if you need real-time updates to roles or have complex access logic.

In practice, many Convex users store roles in the database for flexibility and up-to-date access control. You can also combine both: put basic roles in the token for quick checks, and fetch from the DB for sensitive or complex permissions.

Summary:

• Token claims: Fast, but not always up-to-date.
• Database: Always current, more flexible, but requires a query.

Both approaches are supported in Convex, and you can choose based on your needs (Discord: Auth0 custom claims, Authentication Best Practices: Convex, Clerk and Next.js).

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin I'm using Google Oauth, how can I add claims to token

Let me check the knowledge base for you again. One moment! :books:

When using Google OAuth with Convex Auth, you cannot directly add custom claims to the token issued by Google—Google controls the contents of its ID tokens, and only standard OpenID claims (like email, name, etc.) are included. You cannot inject arbitrary custom claims into these tokens.

Convex Auth will expose the standard fields provided by Google in the user identity object you get from ctx.auth.getUserIdentity(). The fields available depend on the scopes you request from Google and the user's profile, but custom claims are not supported in this flow (Auth in Functions).

If you need to associate additional data (like roles or organization) with a user authenticated via Google OAuth, the recommended approach is to store that data in your Convex database (e.g., in the users table) and fetch it as needed in your backend functions. This is a common pattern discussed in the Convex community and documentation.

Summary:

• You cannot add custom claims to Google OAuth tokens.
• Store extra user data in your Convex database and fetch it as needed in your backend logic.

If you need more advanced control over token claims, you would need to use a custom authentication provider or issue your own JWTs, which is not possible with standard Google OAuth integration in Convex (Auth in Functions).

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin so in this case, I should have the roles for my user in db

Let me check the knowledge base for you again. One moment! :books:

Yes, if you are using Google OAuth with Convex Auth, you should store the roles for your user in your Convex database. Since Google OAuth tokens do not support adding custom claims, the recommended approach is to keep any additional user information—such as roles—in your own database and fetch it as needed in your backend functions. This pattern is supported and described in the Convex documentation and community discussions Authentication Best Practices: Convex, Clerk and Next.js, Storing Users in the Convex Database.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin can you give an example of how this would work? For example if user is trying to make a mutation or query but user must be a paid user

Let me check the knowledge base for you again. One moment! :books:

Certainly! Here’s how you can enforce that only users with a specific role (e.g., "paid") can perform a mutation or query in Convex, storing the role in your users table (since Google OAuth tokens cannot have custom claims):

1. Store the Role in the Users Table

Your users table might look like this:

users: defineTable({
  name: v.string(),
  email: v.string(),
  role: v.string(), // e.g., "free", "paid", "admin"
}).index("by_token", ["tokenIdentifier"]),

(Storing Users in the Convex Database)

2. Helper to Fetch the Current User

Create a helper function to fetch the current user from the database using their token identifier:

export async function getCurrentUser(ctx) {
  const identity = await ctx.auth.getUserIdentity();
  if (!identity) return null;
  return await ctx.db
    .query("users")
    .withIndex("by_token", (q) => q.eq("tokenIdentifier", identity.tokenIdentifier))
    .unique();
}

(Authentication Best Practices: Convex, Clerk and Next.js)

3. Enforce Role in a Mutation

In your mutation, check the user's role before proceeding:

import { mutation } from "./_generated/server";
import { getCurrentUser } from "./users"; // path to your helper

export const paidOnlyMutation = mutation({
args: { /* your args here */ },
handler: async (ctx, args) => {
const user = await getCurrentUser(ctx);
if (!user || user.role !== "paid") {
throw new Error("You must be a paid user to perform this action.");
}
// ...rest of your mutation logic
},
});

([Authentication Best Practices: Convex, Clerk and Next.js](<https://stack.convex.dev/authentication-best-practices-convex-clerk-and-nextjs#securing-your-convex-backend>))

---

**Summary:**  
- Store the user's role in your Convex database.
- Fetch the user in your backend function.
- Check the role before allowing the action.

This is the recommended and secure way to enforce role-based access with Google OAuth and Convex.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------

@dapper basin what about if checking if a user can update their own post, should I use get user identity? Or fetch the entire user from db

Let me check the knowledge base for you again. One moment! :books:

To check if a user can update their own post, you should use ctx.auth.getUserIdentity() to get the authenticated user's identity, and then compare their unique identifier (such as tokenIdentifier or subject) to the owner field on the post. This approach is recommended in the Convex documentation and best practices, as it avoids relying on spoofable fields like email and ensures the check is based on authenticated, non-spoofable data.

You do not need to fetch the entire user document from the database just to check ownership, unless you need additional user information for your logic. The key is to use the unique, non-spoofable identifier from the identity object.

Example pattern:

const identity = await ctx.auth.getUserIdentity();
if (identity === null) {
  throw new Error("Unauthorized");
}
const post = await ctx.db.get(postId);
if (!post || post.authorTokenIdentifier !== identity.tokenIdentifier) {
  throw new Error("Unauthorized");
}
// Proceed with update...

This pattern is highlighted in the best practices documentation, which states:

Access control checks should either use ctx.auth.getUserIdentity() or a function argument that is unguessable (e.g. a UUID, or a Convex ID, provided that this ID is never exposed to any client but the one user). In particular, don't use a function argument which could be spoofed (e.g. email) for access control checks.

— Best Practices: Use some form of access control for all public functions

So, for ownership checks, use the identity from ctx.auth.getUserIdentity() and compare it to the post's owner field. Only fetch the user from the database if you need more user details for your logic.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin so what unique values can I use, what about userID

Let me check the knowledge base for you again. One moment! :books:

The unique values you can use for identifying users in Convex are:

• tokenIdentifier: This is a stable and globally unique string for the user, combining the subject (user ID from the provider) and issuer (the provider's domain). It is always present in the identity object and is recommended for uniquely identifying users, especially when supporting multiple auth providers.

  "A stable and globally unique string for this identity (i.e. no other user, even from a different identity provider, will have the same string.) JWT claims: sub + iss"
  UserIdentity Properties

• subject: This is the user’s unique ID from the identity provider. It is always present, but may not be globally unique if you support multiple providers.

  "Identifier for the end-user from the identity provider, not necessarily unique across different providers."
  UserIdentity Properties

• userId: If you store users in your Convex database, you can use the Convex document _id for the user. This is a good choice if you want to use Convex’s internal IDs as foreign keys in other tables.

  "Similarly to the store user mutation, you can retrieve the current user's ID, or throw an error if the user hasn't been stored."
  Using the current user's document ID

Best Practice:

• For access control and ownership checks, use tokenIdentifier or the Convex user document _id (if you store users in your database).
• Do not use spoofable fields like email for access control (Best Practices).

Example:
When creating a post, store the user's tokenIdentifier or user document _id as the author. When checking permissions, compare the current user's tokenIdentifier or _id to the post's author field.

This ensures your access control is secure and not vulnerable to spoofing.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin#2237 so when making a post for a user, I should use tokenIdentiier and add that to post table

Let me check the knowledge base for you again. One moment! :books:

Yes, when creating a post for a user in Convex, you should use the user's tokenIdentifier and store it in the post's author (or equivalent) field. This is a stable and globally unique identifier for the user, and is recommended for access control and ownership checks. The Convex documentation specifically recommends using tokenIdentifier or the Convex user document _id for these purposes, and not using spoofable fields like email Best Practices: Use some form of access control for all public functions.

Example:

const identity = await ctx.auth.getUserIdentity();
if (!identity) throw new Error("Unauthorized");

await ctx.db.insert("posts", {
  body: args.body,
  authorTokenIdentifier: identity.tokenIdentifier,
});

Later, when checking if a user can update or delete a post, compare the current user's tokenIdentifier to the one stored on the post. This ensures secure and non-spoofable access control.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin can I webscrape with convex?

Let me check the knowledge base for you again. One moment! :books:

Yes, you can perform web scraping with Convex, but it must be done inside an action (not a query or mutation), since only actions are allowed to make external network requests such as fetch. There are several examples in the knowledge sources where Convex actions are used to scrape data from websites.

For example, you can use libraries like cheerio to parse HTML after fetching it in an action:

import * as cheerio from "cheerio";
import { action } from "./_generated/server";

export const scrapeWebsite = action({
  args: { url: v.string() },
  handler: async (ctx, { url }) => {
    const html = await fetch(url).then(res => res.text());
    const $ = cheerio.load(html);
    // Extract data using cheerio selectors
    const title = $("title").text();
    return { title };
  },
});

This pattern is used in community projects, such as scraping GitHub repo pages to extract contributor and dependent counts Scraping data from a website.

Important notes:

• Scraping must be done in an action, not a query or mutation, because only actions can make network requests Functions.
• There are memory and execution time limits for actions (e.g., 10 minutes timeout, 512MB for Node.js actions) Actions: Limits.
• If you need to use Node.js-specific packages (like Puppeteer), you must use "use node"; actions, but be aware of bundle size and runtime limitations Discord: Puppeteer and external packages.

In summary: Yes, you can webscrape with Convex by using actions and libraries like cheerio, but be mindful of Convex's action limitations and only perform network requests in actions.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin can I use puppeteer?

Let me check the knowledge base for you again. One moment! :books:

You can attempt to use Puppeteer with Convex actions, but there are significant limitations and challenges:

• Bundle Size Limits: Puppeteer and its dependencies are very large. Convex has strict limits on the total size of your source code bundle and external packages (45MB zipped, 240MB unzipped). Puppeteer often exceeds these limits, especially because it requires a browser binary (Discord: Puppeteer and external packages, Bundling: External packages).
• Known Issues: The Convex documentation explicitly states that Puppeteer is known not to work at this time because the browser binary installation exceeds the size limit (Bundling: External packages).
• Community Experience: Users have tried marking Puppeteer and related packages as external dependencies, but still hit the size limits or run into other issues. Even if you manage to get under the size limit, launching the browser in the Convex environment may fail (Discord: Puppeteer and external packages).

Summary:
Puppeteer is not currently supported in Convex actions due to bundle size and environment limitations. If you need to scrape websites, consider using lighter-weight solutions (like cheerio with fetch), or run Puppeteer in a separate service outside of Convex and call it from a Convex action.

For more details, see the official documentation: Bundling: External packages.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin what about cheerio

Let me check the knowledge base for you again. One moment! :books:

Yes, you can use cheerio with Convex actions for web scraping. Cheerio is a lightweight library for parsing and querying HTML, and it works well in Convex actions because it does not require a browser environment or large binaries.

The recommended approach is to use an action to fetch the HTML content and then parse it with cheerio. Here’s an example from the knowledge sources:

import * as cheerio from "cheerio";
import { action } from "./_generated/server";

export const scrapeWebsite = action({
  args: { url: v.string() },
  handler: async (ctx, { url }) => {
    const html = await fetch(url).then(res => res.text());
    const $ = cheerio.load(html);
    // Extract data using cheerio selectors
    const title = $("title").text();
    return { title };
  },
});

This pattern is used in community projects, such as scraping GitHub repo pages to extract contributor and dependent counts Scraping data from a website.

Key points:

• Scraping must be done in an action, not a query or mutation, because only actions can make network requests.
• Cheerio is supported and works well for HTML parsing in Convex actions.

So, cheerio is a good choice for web scraping in Convex.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin is it possible to sync data between deployments? I have a team with 2 devs and we want to have a shared convex db

Let me check the knowledge base for you again. One moment! :books:

Yes, it is possible for a team to have a shared Convex database, but the standard workflow is that each developer has their own personal development deployment, and there is one shared production deployment per project. This allows each developer to work independently without interfering with others, but all team members can deploy to and share the production deployment.

If you want to share data between deployments (for example, to populate a dev deployment with data from production or another dev deployment), you can use the Backup / Restore or Data Import / Export features. This allows you to back up data from one deployment and restore or import it into another, effectively syncing data between deployments. However, there is no built-in real-time sync between separate deployments; data sharing is done via these manual processes (Typical team development workflow).

"Backup / Restore can be used to populate a dev deployment with data from a prod deployment. Data import can be used to populate a dev deployment with synthetic seed data."
— Typical team development workflow

If your goal is for both developers to work on the same data in real time, you should both use the same deployment (typically the production deployment for shared work, or a shared dev deployment if you set it up that way). By default, personal dev deployments are isolated per user.

Summary:

• Each developer has their own dev deployment by default.
• The team shares a single production deployment.
• You can manually sync data between deployments using backup/restore or import/export.
• For real-time shared data, work in the same deployment.

There is no built-in automatic real-time sync between separate deployments according to the current knowledge sources.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin we both don't need to work on the data in real time, it's just for reading

Let me check the knowledge base for you again. One moment! :books:

If you and your teammate only need to read the same data (not write or collaborate in real time), you can periodically export data from one deployment and import it into another. Convex provides tools for this:

• Export data from one deployment using the dashboard or the CLI (npx convex export).
• Import data into another deployment using the CLI (npx convex import).

This process allows you to sync data for read-only purposes between deployments, but it is a manual process and not automatic or real-time. This approach is recommended for scenarios like seeding dev deployments with production data or sharing a snapshot of data for development or testing Data Import & Export, Typical team development workflow.

If you want to experiment with big changes and then revert, you can also use snapshot export/import as described in the Convex Stack guide Use snapshot export to experiment with big changes.

Summary:

• Use export/import or backup/restore to manually sync data for read-only access between deployments.
• There is no built-in automatic or real-time sync between deployments for this use case.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@dapper basin so what if I have a team of 10 devs? we would need to have the same shared data in each of our instances

Let me check the knowledge base for you again. One moment! :books:

If you have a team of 10 developers and want each of your dev instances to have the same shared data, the recommended approach is to manually sync data using Convex’s import/export or backup/restore features. There is no built-in automatic or real-time sync between dev deployments; each developer’s dev deployment is isolated by default.

Here’s how you can keep data in sync across all dev instances:

1. Export data from a source deployment (e.g., production or a “master” dev instance) using npx convex export or the dashboard.
2. Import data into each developer’s dev deployment using npx convex import (with the appropriate options for your data and tables).

This process can be repeated whenever you want to refresh everyone’s data. It is manual, but it’s the supported way to share data snapshots across multiple dev environments Data Import & Export, Typical team development workflow.

"Backup / Restore can be used to populate a dev deployment with data from a prod deployment. Data import can be used to populate a dev deployment with synthetic seed data."
— Typical team development workflow

There is no built-in feature for automatic or real-time data sync between dev deployments. If you need everyone to always see the same data, you would need to coordinate these manual syncs or have everyone work in the same shared deployment (which is not the default dev workflow).

Summary:

• Use export/import or backup/restore to manually sync data across dev deployments.
• There is no automatic or real-time sync between dev deployments in Convex.
• Each developer’s dev deployment is isolated by default.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: