#Invalid origin on convex auth signin

8 messages · Page 1 of 1 (latest)

wind jackal Aug 29, 2025, 5:36 AM

I’m trying to sign in to Convex from my Next.js app hosted on an ec2 instance and I keep getting an Invalid origin response. I already tried using corsRouter with debug: true, but still see the same error. Am I missing something in the CORS setup, or is this error actually coming from somewhere else (e.g. wrong NEXT_PUBLIC_CONVEX_URL / deployment mismatch)?”

twin cometBOT Aug 29, 2025, 5:36 AM

Hi @wind jackal. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

This error is almost always about allowed origins, not generic CORS headers on your own routes.

Checklist to fix:

Confirm your frontend is talking to the correct Convex deployment URL.
- In Next.js, NEXT_PUBLIC_CONVEX_URL must be your Convex deployment URL (the .cloud URL, or your self-hosted deployment URL), not your website’s URL. A mismatch can cause auth to hit the wrong host and fail (e.g. trying Next.js /api/auth instead of Convex’s) (Configuring Deployment URL).
If using Next.js + Convex Auth, ensure the middleware is set up and running in production so Next.js /api/auth is proxied to Convex correctly. Add verbose logs to confirm it’s executing (Self Hosted Auth, Convex Auth + Next.js headers error).
If you’re calling Convex HTTP actions directly from the browser, you must return proper CORS headers from those actions (and handle preflight). Example patterns are in the docs; you may need to echo the specific origin instead of “*” if you use credentials (HTTP Actions: CORS, Guide to CORS).
If you enabled tools that add request headers (e.g. Sentry), ensure those headers are allowed by your CORS handling. We’ve seen failures when a new header (like sentry-trace) isn’t whitelisted, leading to CORS-like errors during auth flows (Clerk installation failing with convex).

For custom domains, make sure your production domain(s) are added to allowed origins for your deployment; otherwise requests from your EC2-hosted domain can be rejected. Pro customers can request changes via support if needed (CORS/allowed origins for custom domain).
If using OAuth providers, ensure the callback URL matches your Convex Site URL (the .site host, or self-hosted site origin/port), not the cloud URL or your Next.js domain (Discord OAuth callback URL).

If you share:

Your NEXT_PUBLIC_CONVEX_URL
Whether you’re using Next.js middleware with Convex Auth
The exact domain you’re loading the app on
Whether Sentry or other middleware is adding headers

…I can help pinpoint which of the above is causing the “Invalid origin.”

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@wind jackal Kapa.ai is still learning and improving, please let me know how I did by reacting below.

wind jackal Aug 29, 2025, 5:38 AM

domain is my own custom domain from aws, no middleware aside from the one from convex auth docs