#WorkOS Authkit with Next.js

marble maple

I'm getting this error:

No auth provider found matching the given token. Check that your JWT's issuer and audience match one of your configured providers: [CustomJWT(issuer=https://api.workos

Code:

// page.tsx (Next.js)
const { accessToken } = await withAuth();

await preloadQuery(api.runs.list, {}, { token: accessToken });

// convex/runs.ts
export const list = query({
  handler: async (ctx) => {

    const identity = await ctx.auth.getIdentity();

    return await ctx.db
      .query("items")
      .take(10);
  },
});

// auth.config.ts
const clientId = process.env.WORKOS_CLIENT_ID;

const authConfig = {
  providers: [
    {
      type: "customJwt",
      issuer: `https://api.workos.com/`,
      algorithm: "RS256",
      applicationID: clientId,
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
    },
    {
      type: "customJwt",
      issuer: `https://api.workos.com/user_management/${clientId}`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
  ],
};

export default authConfig;

unborn iceBOT

Hi @marble maple. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

The error message:

No auth provider found matching the given token. Check that your JWT's issuer and audience match one of your configured providers: [CustomJWT(issuer=https://api.workos

indicates that the JWT being sent to Convex does not have an issuer (iss) or audience (aud) claim that matches any of the providers configured in your auth.config.ts.

Troubleshooting Steps

1. Check the JWT Claims

  • Issuer (iss): Decode your JWT (e.g., at jwt.io) and check the value of the iss claim. It must exactly match one of the issuer fields in your auth.config.ts.
  • Audience (aud): The aud claim in your JWT must match the applicationID field in your provider config.

For example, if your JWT has:

{
  "iss": "https://api.workos.com",
  "aud": "client_01XXXXXXXXXXXXXXX"
}

Then your provider config should have:

{
  type: "customJwt",
  issuer: "https://api.workos.com",
  applicationID: "client_01XXXXXXXXXXXXXXX",
  ...
}

Note: The trailing slash in the issuer can cause mismatches. If your JWT has iss: "https://api.workos.com" (no trailing slash), your config should also use issuer: "https://api.workos.com" (no trailing slash); see this discussion.

2. Remove Trailing Slash if Needed

Your current config uses issuer: "https://api.workos.com/" (with a trailing slash). If your JWT's iss claim does not have the trailing slash, update your config to:

issuer: "https://api.workos.com"

This has been a common source of issues and was specifically called out as a fix by the community and Convex support staff; see here.

3. Ensure the aud Claim is Set

If your JWT is missing the aud claim, you need to configure your WorkOS JWT template to include it, and set its value to match your applicationID in Convex. This is required for Convex to validate the token; see docs.

4. Sync Your Config

After making changes to auth.config.ts, run:

npx convex dev

or

npx convex deploy

to sync your configuration to the backend; see docs.


Summary

  • Match the issuer exactly (no trailing slash if not present in JWT).
  • Set the aud claim in your JWT to match applicationID.
  • Sync your config after changes.

If you follow these steps, the error should be resolved. If you continue to have issues, double-check the actual JWT claims and your provider config for any mismatches.

For more details and examples, see the official Convex & WorkOS AuthKit guide and the related Discord threads here.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
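
Added example, not part of the thread or of Convex's or WorkOS's own code: a Node.js check that decodes the token locally (so a live access token never has to be pasted into a web decoder) and compares its iss and aud claims against each provider entry using the exact-match rule described in the answer above. The helper names, the placeholder client ID and the unsigned sample token are constructed for illustration.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature,
// so never use the result for an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// aud may be a single string or an array of strings (RFC 7519, section 4.1.3).
function audiences(claims) {
  if (claims.aud === undefined) return [];
  return Array.isArray(claims.aud) ? claims.aud : [claims.aud];
}

const stripSlash = (s) => s.replace(/\/+$/, "");

// Compare the token's claims with each provider entry using exact string
// equality, and name the reason for every provider that does not match.
function diagnose(claims, providers) {
  const auds = audiences(claims);
  return providers.map((p) => {
    const problems = [];
    if (claims.iss !== p.issuer) {
      problems.push(
        stripSlash(String(claims.iss)) === stripSlash(p.issuer)
          ? "issuer differs only by trailing slash"
          : "issuer mismatch"
      );
    }
    if (auds.length === 0) problems.push("aud claim missing");
    else if (!auds.includes(p.applicationID)) problems.push("aud does not match applicationID");
    return { issuer: p.issuer, ok: problems.length === 0, problems };
  });
}

// Constructed sample data (placeholder client ID, unsigned dummy token).
const clientId = "client_01XXXXXXXXXXXXXXX";
const providers = [
  { issuer: "https://api.workos.com/", applicationID: clientId },
  { issuer: `https://api.workos.com/user_management/${clientId}`, applicationID: clientId },
];
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const sampleToken = [b64({ alg: "RS256", typ: "JWT" }), b64({ iss: "https://api.workos.com", aud: clientId }), "sig"].join(".");

console.log(JSON.stringify(diagnose(decodeJwtPayload(sampleToken), providers), null, 2));
```

To check a real token, pass the accessToken string to decodeJwtPayload in a local script and replace the providers array with the issuer and applicationID values from auth.config.ts.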