# The "Runtimes" document says

rustic storm

Query and mutation functions are further restricted by the runtime to be deterministic. This allows Convex to automatically retry them by the system as necessary.
However, it also appears to include the "Web Crypto APIs" (crypto, SubtleCrypto) in the supported libraries.

What does this mean for the use of cryptographic APIs which require non-deterministic behavior to ensure security properties?

raven pier BOT

Hi @rustic storm. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Convex enforces determinism in query and mutation functions to guarantee safe retries and consistent results. This means that any use of cryptographic APIs within these functions must also be deterministic. The documentation clarifies that while the Web Crypto APIs (such as crypto and SubtleCrypto) are available in the default Convex runtime, their use in queries and mutations is subject to these determinism constraints.

For example, Convex provides a "seeded" pseudo-random number generator for Math.random() and ensures that Date.now() is fixed for the duration of a function execution, so that repeated runs with the same arguments yield the same results. This approach is necessary to maintain the transactional and retry guarantees of Convex's sync engine. The documentation does not explicitly detail how non-deterministic cryptographic operations (like key generation or random IV creation) are handled, but it is implied that only deterministic uses of the Web Crypto APIs are permitted in queries and mutations. If you attempt to use non-deterministic features, Convex will provide helpful error messages to prevent accidental violations of determinism (Functions: Runtimes – Restrictions on queries and mutations).

If you need to perform cryptographic operations that require true randomness or non-determinism (such as secure key generation), you should use an action function instead. Actions are not subject to the same determinism requirements and can safely use non-deterministic cryptographic APIs (Functions: Runtimes – Actions).

In summary:

  • Deterministic cryptographic operations (e.g., HMAC, hashing with fixed inputs) can be used in queries and mutations.
  • Non-deterministic cryptographic operations (e.g., key generation, random IVs) should be performed in actions, not in queries or mutations.

If you need more details about which specific Web Crypto features are supported or how determinism is enforced for cryptographic APIs, the knowledge sources do not provide further specifics.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
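
The distinction drawn in the summary above, as an added example that is not part of the thread and is not Convex code: it runs under Node.js's Web Crypto rather than the Convex runtime, and shows that HMAC is a pure function of its inputs while AES-GCM output depends on the IV. The key bytes, message, and function names are constructed for illustration.

```javascript
// Added example: Node.js Web Crypto, not the Convex runtime.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const hex = (buf) => Buffer.from(buf).toString("hex");

// Constructed sample values, not real secrets.
const HMAC_KEY = enc.encode("constructed-demo-hmac-key");
const AES_KEY = new Uint8Array(32).fill(7);
const MESSAGE = enc.encode("order:1234:paid");

// Deterministic: the tag depends only on the key and the message.
async function hmacTag(keyBytes, msg) {
  const key = await wc.subtle.importKey(
    "raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
  return hex(await wc.subtle.sign("HMAC", key, msg));
}

// AES-GCM: the output depends on the IV as well as the key and plaintext.
async function gcmEncrypt(keyBytes, iv, msg) {
  const key = await wc.subtle.importKey(
    "raw", keyBytes, { name: "AES-GCM" }, false, ["encrypt"]);
  return hex(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, msg));
}

// Run each operation twice, as a retried function would.
async function compareRuns() {
  const tags = [await hmacTag(HMAC_KEY, MESSAGE), await hmacTag(HMAC_KEY, MESSAGE)];

  // A fresh random 96-bit IV per run: ciphertexts differ between runs.
  const randomIv = () => wc.getRandomValues(new Uint8Array(12));
  const fresh = [await gcmEncrypt(AES_KEY, randomIv(), MESSAGE),
                 await gcmEncrypt(AES_KEY, randomIv(), MESSAGE)];

  // A fixed IV makes the call repeatable, but equal plaintexts then give
  // equal ciphertexts, and reusing an IV under one key breaks AES-GCM's
  // security guarantees. Shown only to make the trade-off visible.
  const fixedIv = new Uint8Array(12);
  const fixed = [await gcmEncrypt(AES_KEY, fixedIv, MESSAGE),
                 await gcmEncrypt(AES_KEY, fixedIv, MESSAGE)];

  return {
    hmacStable: tags[0] === tags[1],
    freshIvDiffers: fresh[0] !== fresh[1],
    fixedIvRepeats: fixed[0] === fixed[1],
  };
}

compareRuns().then(console.log);
```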