I am developing an app with Expo React Native and using Convex Auth as my authentication provider. I'm trying to sign up with Google but the backend fails with this response:
```
8/9/2025, 4:25:38 PM [CONVEX H(GET /api/auth/callback/google)] [ERROR] 'server responded with an error in the response body\n at checkOAuthBodyError (../../node_modules/oauth4webapi/src/index.ts:2781:15)\n at async processGenericAccessTokenResponse (../../node_modules/oauth4webapi/src/index.ts:3457:2)\n at async processAuthorizationCodeOpenIDResponse (../../node_modules/oauth4webapi/src/index.ts:3961:22)\n at async handleOAuth (../../node_modules/@convex-dev/auth/src/server/oauth/callback.ts:163:21)\n at async <anonymous> (../../node_modules/@convex-dev/auth/src/server/implementation/index.ts:326:72)\n at async invokeFunction (../../node_modules/convex/src/server/impl/registration_impl.ts:80:2)\n at async invokeHttpAction (../../node_modules/convex/src/server/impl/registration_impl.ts:453:0)\n at async <anonymous> (../../node_modules/convex/src/server/router.ts:322:16)'
```
The browser shows "This Convex deployment is running."
#Configure Convex Auth on local machine with Expo
Hi @next badger. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
Based on your error and the provided knowledge sources, here are the key steps and troubleshooting tips for configuring Convex Auth with Google OAuth in a local Expo React Native environment:
1. Callback URL and Google OAuth Setup
- The Authorized redirect URI for Google OAuth must match your Convex deployment’s HTTP Actions URL, ending with `/api/auth/callback/google`. For local development, this will look like:
  `https://<your-deployment-name>.convex.site/api/auth/callback/google`
  You can find your HTTP Actions URL in the Convex dashboard under Settings → URL & Deploy Key. Note that it ends in `.site`, not `.cloud` (General OAuth Setup, Google OAuth Instructions).
- In your Google Cloud project, set:
  - Authorized JavaScript origins: e.g., `http://localhost:8081` (or whatever your Expo dev server uses)
  - Authorized redirect URIs: as above
2. Environment Variables
- Set the following environment variables in your Convex backend (either via the dashboard or CLI):
  ```
  npx convex env set AUTH_GOOGLE_ID <your-google-client-id>
  npx convex env set AUTH_GOOGLE_SECRET <your-google-client-secret>
  ```
- Also, set the `SITE_URL` environment variable to your local dev URL (e.g., `http://localhost:8081` for Expo web, or your custom scheme for mobile). For example:
  ```
  npx convex env set SITE_URL http://localhost:8081
  ```
  (Manual Setup)
3. Common Pitfalls
- SITE_URL mismatch: If `SITE_URL` does not match the domain you are using for redirects, you will get errors. For Expo, you may need to adjust this depending on whether you are running on web or mobile. If you need to support both, see the workaround for custom redirect handling (Discord: SITE_URL can't be set for both web and mobile).
- Import issues: Make sure your Expo app only imports from `convex/_generated` and not server-side code, or you may run into module resolution errors (Discord: Error(s) in expo).
4. Debugging
- Enable verbose logging in Convex Auth to get more details about the error. Instructions are here: Debugging Convex Auth.
- The error you’re seeing (`server responded with an error in the response body`) often means the OAuth flow is misconfigured—typically a mismatch in redirect URIs, client ID/secret, or environment variables.
5. Expo-Specific Notes
- For local development, Expo typically uses `http://localhost:8081` as the origin. Make sure this is reflected in both your Google OAuth settings and your Convex `SITE_URL`.
- If you are running both web and native, you may need to set up custom redirect logic as described above.
Summary:
Double-check your Google OAuth client settings, Convex environment variables (especially SITE_URL), and ensure your callback URL matches exactly. Enable verbose logging for more details. If you continue to see the error, it is almost always due to a misconfiguration in one of these areas Google OAuth Instructions, General OAuth Setup, Manual Setup.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@next badger Kapa.ai is still learning and improving, please let me know how I did by reacting below.
@coarse ice I configured the Expo app correctly, now I am getting this server error:
```
8/9/2025, 11:26:06 PM [CONVEX M(auth:store)] [DEBUG] 'verifyCodeAndSignInImpl args:' {
  params: {
    email: undefined,
    phone: undefined
  },
  provider: undefined,
  verifier: 'kh7czfnfxr0sszwvrhgj1n1nh97nbhrs',
  generateTokens: true,
  allowExtraProviders: false
}
8/9/2025, 11:26:06 PM [CONVEX M(auth:store)] Uncaught TypeError: Cannot read properties of null (reading 'toString')
    at sha256 (../../node_modules/@convex-dev/auth/src/server/implementation/utils.ts:16:0)
    at verifyCodeOnly (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:123:27)
    at verifyCodeAndSignInImpl (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:60:23)
8/9/2025, 11:26:06 PM [CONVEX A(auth:signIn)] Uncaught Error: Uncaught TypeError: Cannot read properties of null (reading 'toString')
```
Let me check the knowledge base for you again. One moment! :books:
The error you are seeing:
```
Uncaught TypeError: Cannot read properties of null (reading 'toString')
    at sha256 (../../node_modules/@convex-dev/auth/src/server/implementation/utils.ts:16:0)
    at verifyCodeOnly (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:123:27)
    at verifyCodeAndSignInImpl (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:60:23)
```
is caused by the fact that both `email` and `phone` are undefined in the `params` object passed to `verifyCodeAndSignInImpl`. This means that when the code tries to operate on these values (likely calling `.toString()`), it encounters null or undefined, resulting in the error.
This typically happens if the form or function that triggers the sign-in is not passing the required email (or phone) parameter. In the context of Convex Auth with Expo, this is often due to:
- The form data not being correctly constructed or passed to the `signIn` function.
- The field names in your form not matching what Convex Auth expects (e.g., `email` or `phone`).
- A missing or incorrect step in your sign-in flow where the user’s email or phone should be collected and sent.
What to check:
- Ensure you are passing the correct parameters:
  When calling `signIn`, make sure you are including the `email` (or `phone`) field in the parameters. For example:
  ```
  const formData = new FormData();
  formData.append("email", email);
  formData.append("code", code);
  await signIn("otp", formData);
  ```
  If you are using a custom function, double-check that the `email` or `phone` is being set and not left as `undefined`.
- Check your form field names:
  Make sure your input fields are named correctly and their values are being captured and sent to the backend.
- Review the sign-in flow:
  If you are using a multi-step flow (e.g., first sending the email, then the code), ensure that the email is preserved and passed along with the code in the final step.
This issue has been seen before when the code parameter is submitted without the corresponding email or phone, leading to a backend error when Convex Auth tries to process the sign-in (see similar issue and solution).
Summary:
You need to ensure that the email (or phone) parameter is present and not undefined when calling the sign-in function. Double-check your form handling and the parameters you pass to Convex Auth.
If you continue to have issues, please share the relevant code snippet where you call signIn and construct your form data, as this will help pinpoint the problem more precisely.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@next badger Kapa.ai is still learning and improving, please let me know how I did by reacting below.
@coarse ice I am trying to sign in with Google
Let me check the knowledge base for you again. One moment! :books:
Based on your error and the fact that you are trying to sign in with Google using Convex Auth in an Expo app, it appears that the backend is receiving a request to verify a code (likely for OTP or email sign-in), but the required parameters (email or phone) are missing. This is not expected for a Google OAuth flow.
For Google sign-in, the flow should not involve verifyCodeAndSignInImpl with email or phone parameters. Instead, it should redirect the user to Google, handle the OAuth callback, and create a session based on the returned tokens.
Possible causes and troubleshooting steps:
- Incorrect Provider Used:
  Make sure you are calling the sign-in function with the `"google"` provider, not `"otp"` or another provider that expects an email or phone parameter.
- Expo Redirect Handling:
  If you are using Expo, ensure that your redirect URI is correctly set up in both your Google Cloud Console and your Convex Auth configuration. The redirect URI should match exactly, and you should be using the Google OAuth flow, not an OTP/email flow (Google OAuth Instructions).
- Convex Auth Configuration:
  Your `convex/auth.ts` should look like this:
  ```
  import Google from "@auth/core/providers/google";
  import { convexAuth } from "@convex-dev/auth/server";

  export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({
    providers: [Google],
  });
  ```
  Make sure you have set the required environment variables (`AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET`) as described in the docs (Provider configuration in auth.ts).
- Frontend Call:
  When triggering Google sign-in from your Expo app, ensure you are calling:
  ```
  await signIn("google");
  ```
  and not passing parameters intended for OTP or email sign-in.
- Check for Expo/React Native Limitations:
  Convex Auth’s Google OAuth flow is designed for web, and using it in Expo/React Native may require additional handling for redirects. The knowledge sources indicate that native Google sign-in (using `@react-native-google-signin/google-signin`) is not directly supported by Convex Auth out of the box, and the recommended approach is to use the in-app web browser for the OAuth flow (Discord: Convex Auth with Expo and Native Apple and Google Sign In).
Summary:
Your error suggests the backend is receiving a request for a code-based sign-in, not a Google OAuth sign-in. Double-check that you are calling signIn("google") and that your OAuth configuration and redirect URIs are correct. If you are trying to use native Google sign-in, be aware that Convex Auth currently expects the web-based OAuth flow, not the native token exchange.
If you continue to see this error, please provide the code snippet where you trigger the Google sign-in in your Expo app, as this will help clarify if the correct provider and flow are being used.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@next badger Kapa.ai is still learning and improving, please let me know how I did by reacting below.
@coarse ice The URL I get back from the call to Google doesn't give me a code
```
const result = await openAuthSessionAsync(redirect.toString(), redirectTo);
if (result.type === 'success') {
  const { url } = result;
```
Let me check the knowledge base for you again. One moment! :books:
When using Convex Auth with Google OAuth in an Expo React Native app, the expected flow is:
- You call `signIn("google")` (or similar), which returns a `redirect` URL.
- You open this URL in a browser session (e.g., with `openAuthSessionAsync`).
- After the user completes the Google sign-in, they are redirected to the Convex callback URL (e.g., `https://your-deployment.convex.site/api/auth/callback/google`).
- Convex Auth handles the callback, processes the code with Google, and then redirects the user back to your app (e.g., to your `redirectTo` URL).
Key Point:
The URL you receive in your app after the OAuth flow should not contain the original Google code parameter. Instead, Convex Auth handles the code exchange server-side and then redirects the user back to your app with a session established. This is by design—Convex Auth abstracts away the OAuth code exchange for you (General OAuth Setup, Google OAuth Instructions).
If you are expecting to see a code parameter from Google in the URL returned to your app, that will not happen with Convex Auth. The code is only present in the redirect from Google to Convex, not from Convex back to your app.
If you need the Google authorization code for direct API access (e.g., Google Calendar):
- This is not supported by Convex Auth’s standard flow. Convex Auth is designed to handle authentication, not to expose the raw Google OAuth code to the client. This limitation is confirmed by Convex support staff:
"The code param should be present here ... but it’s not actually used for the auth flow as Convex Auth isn’t accessing Google API’s, so I believe it’s just not being referenced at all. ... The recommended approach is to sign up and then request additional scopes."
Discord: Getting Authorization Code from redirect URI (using Convex Auth w/ Google Provider)
Summary:
- The URL you get back after `openAuthSessionAsync` will not contain a Google `code` parameter.
- Convex Auth handles the code exchange internally and does not expose the code to your client.
- If you need the raw Google code for further API access, Convex Auth does not currently support this use case.
If you need to access Google APIs on behalf of the user, you may need to implement a custom OAuth flow outside of Convex Auth or use a different authentication provider that supports exposing the authorization code.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@next badger Kapa.ai is still learning and improving, please let me know how I did by reacting below.
@coarse ice This is the entire error
```
8/10/2025, 7:11:38 AM [CONVEX M(auth:store)] [INFO] '`auth:store` type: verifyCodeAndSignIn'
8/10/2025, 7:11:38 AM [CONVEX M(auth:store)] [DEBUG] 'verifyCodeAndSignInImpl args:' {
  params: {
    email: undefined,
    phone: undefined
  },
  provider: undefined,
  verifier: 'kh76bakenq9vemaegs5zt6kxj57ndp1a',
  generateTokens: true,
  allowExtraProviders: false
}
8/10/2025, 7:11:39 AM [CONVEX M(auth:store)] Uncaught TypeError: Cannot read properties of null (reading 'toString')
    at sha256 (../../node_modules/@convex-dev/auth/src/server/implementation/utils.ts:12:0)
    at verifyCodeOnly (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:123:27)
    at verifyCodeAndSignInImpl (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:60:23)
8/10/2025, 7:11:39 AM [CONVEX A(auth:signIn)] Uncaught Error: Uncaught TypeError: Cannot read properties of null (reading 'toString')
    at sha256 (../../node_modules/@convex-dev/auth/src/server/implementation/utils.ts:12:0)
    at verifyCodeOnly (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:123:27)
    at verifyCodeAndSignInImpl (../../node_modules/@convex-dev/auth/src/server/implementation/mutations/verifyCodeAndSignIn.ts:60:23)
    at async handleOAuthProvider (../../node_modules/@convex-dev/auth/src/server/implementation/signIn.ts:226:14)
    at async handler (../../node_modules/@convex-dev/auth/src/server/implementation/index.ts:416:26)
```
Let me check the knowledge base for you again. One moment! :books:
Your error log shows that the Convex Auth backend is attempting to run the verifyCodeAndSignIn flow, but both email and phone parameters are undefined, and the provider is also undefined. This leads to a TypeError when the backend tries to process these values:
```
Uncaught TypeError: Cannot read properties of null (reading 'toString')
    at sha256 ...
```
This error typically occurs when the sign-in flow is expecting an OTP or email/phone-based authentication, but the required parameters are missing. However, you mentioned you are trying to sign in with Google, which should not trigger this code path.
Based on the knowledge sources:
- For Google OAuth, the flow should not involve `verifyCodeAndSignInImpl` with `email` or `phone` parameters. Instead, it should redirect the user to Google, handle the OAuth callback, and create a session based on the returned tokens. If you see this error, it usually means the frontend is not correctly initiating the Google OAuth flow, or the provider is not being specified when calling `signIn` (Discord: Similar error context, Discord: Similar error context).
- Make sure you are calling the sign-in function with the `"google"` provider, like this:
  ```
  await signIn("google");
  ```
  and not with `"otp"` or without specifying a provider.
- If you are using Expo, ensure that your redirect handling is correct and that you are not accidentally triggering an OTP/email sign-in flow.
- This issue has been seen before when the code parameter is submitted without the corresponding email or phone, leading to a backend error when Convex Auth tries to process the sign-in (Discord: Similar error context).
Summary:
This error indicates that the backend is receiving a request for a code-based sign-in (OTP/email), not a Google OAuth sign-in. Double-check that you are calling signIn("google") and that your OAuth configuration and redirect URIs are correct. If you are still seeing this error, please review your frontend code to ensure the correct provider is being used and that the Google OAuth flow is being properly initiated.
If you need more specific help, please share the code snippet where you trigger the Google sign-in in your Expo app.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@next badger Kapa.ai is still learning and improving, please let me know how I did by reacting below.
@coarse ice Before that error there is another log
```
8/10/2025, 7:11:38 AM [CONVEX H(GET /api/auth/callback/google)] [DEBUG] 'USE_PKCECODEVERIFIER' { value: undefined }
8/10/2025, 7:11:38 AM [CONVEX H(GET /api/auth/callback/google)] [DEBUG] 'CLEAR_PKCECODEVERIFIER' { cookie: { name: 'googleOAuthpkce', options: { httpOnly: true, sameSite: 'none', secure: true, path: '/', partitioned: true } } }
8/10/2025, 7:11:38 AM [CONVEX H(GET /api/auth/callback/google)] [ERROR] 'server responded with an error in the response body\n at checkOAuthBodyError (../../node_modules/oauth4webapi/src/index.ts:2781:15)\n at async processGenericAccessTokenResponse (../../node_modules/oauth4webapi/src/index.ts:3457:2)\n at async processAuthorizationCodeOpenIDResponse (../../node_modules/oauth4webapi/src/index.ts:3961:22)\n at async handleOAuth (../../node_modules/@convex-dev/auth/src/server/oauth/callback.ts:163:21)\n at async <anonymous> (../../node_modules/@convex-dev/auth/src/server/implementation/index.ts:326:72)\n at async invokeFunction (../../node_modules/convex/src/server/impl/registration_impl.ts:80:2)\n at async invokeHttpAction (../../node_modules/convex/src/server/impl/registration_impl.ts:453:0)\n at async <anonymous> (../../node_modules/convex/src/server/router.ts:322:16)'
```
Let me check the knowledge base for you again. One moment! :books:
Your new log provides a crucial clue:
```
[CONVEX H(GET /api/auth/callback/google)] [DEBUG] 'USE_PKCECODEVERIFIER' { value: undefined }
```
This means that when Convex Auth is handling the Google OAuth callback, the PKCE code verifier is missing (undefined). The PKCE code verifier is required to securely complete the OAuth flow. Without it, the backend cannot exchange the authorization code for tokens, which leads to the error you see:
```
[ERROR] 'server responded with an error in the response body ...'
```
Why is this happening?
- The PKCE code verifier is typically stored in a secure, HTTP-only cookie during the initial OAuth request and then read during the callback.
- If the cookie is missing, not set, or not sent back to the server (often due to browser, platform, or configuration issues), Convex Auth cannot complete the OAuth flow.
Relevant knowledge source:
There should be a `__Host-<provider id>OAuthpkce` cookie set. Can you check the network tab for whether it is being set? Any warnings in the response headers from the initial redirect to your backend? ... Ok, so the pkce cookie is missing.
— Discord: Convex Auth Error with Microsoft Entra
Common causes in Expo/React Native:
- Some browsers or in-app browsers (like those used by Expo) do not persist or send cookies as expected, especially with `SameSite=None; Secure` cookies.
- This is a known issue with PKCE-based OAuth flows in mobile environments, and has been reported by other Convex users as well (Discord: PKCE Error in Safari).
What can you do?
- Make sure you are using the latest version of `@convex-dev/auth`, as there have been recent fixes for OAuth and PKCE handling in mobile and Expo environments (Discord: React Native Expo 53 + convex auth).
- If you are still seeing this issue, it is likely due to limitations in how Expo/React Native handle cookies and redirects. This is a known challenge and may not have a complete workaround in Convex Auth at this time.
- If you need to support Google OAuth in Expo, you may need to consider alternative approaches or monitor for updates from the Convex team.
Summary:
The error is caused by the missing PKCE code verifier, which is likely due to cookie handling issues in the Expo/React Native environment. This is a known limitation, and there is not currently a documented workaround in the knowledge sources for Convex Auth in this scenario. If you are on the latest version and still see this, you may need to follow up with the Convex team for further support or consider alternative authentication flows.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
@next badger Kapa.ai is still learning and improving, please let me know how I did by reacting below.