#Convex self hosted

8 messages · Page 1 of 1 (latest)

dire joltBOT Nov 10, 2025, 3:27 PM

Hi @chrome parrot. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Based on the knowledge sources provided, I can offer some guidance on your Convex Self-Hosted + Better Auth setup, though there are some limitations in the available information.

Key Findings

The knowledge sources indicate that Convex Auth (the authentication library) does not fully support self-hosted deployments yet. According to the self-hosted deployment documentation:

"If you're using Convex Auth, follow the manual instructions to set up. The CLI does not support self-hosted deployments yet."

Middleware Considerations

While the knowledge sources show several examples of Next.js middleware with Convex Auth, these examples are primarily for Convex Cloud deployments. The middleware pattern typically looks like this (from the Next.js server-side authentication guide):

import {
  convexAuthNextjsMiddleware,
  createRouteMatcher,
  nextjsMiddlewareRedirect,
} from "@convex-dev/auth/nextjs/server";
 
const isProtectedRoute = createRouteMatcher(["/product(.*)"]);
 
export default convexAuthNextjsMiddleware(async (request, { convexAuth }) => {
  if (isProtectedRoute(request) && !(await convexAuth.isAuthenticated())) {
    return nextjsMiddlewareRedirect(request, "/signin");
  }
});

However, this is specifically for @convex-dev/auth, not Better Auth with self-hosted Convex.

Recommended Approach

Based on the authentication best practices documentation, the knowledge sources emphasize that:

Convex is a public API by default - authentication must be enforced at multiple layers
Server-side (Convex) protection is essential - Always validate authentication within your Convex functions using authComponent.getAuthUser(ctx) and role checks

The knowledge sources suggest that for production deployments, you should:

Protect routes with client-side checks (using hooks like useSession())
Most importantly, always validate authentication and authorization in your Convex mutations/queries themselves

Limitations

I'm sorry, but the knowledge sources do not contain specific information about:

Better Auth middleware configuration with Convex Self-Hosted
Debugging session detection issues between development and production environments
Specific environment variable configurations for Better Auth with self-hosted Convex

For your specific issue with middleware not detecting the logged-in user in production, I'd recommend focusing on ensuring your Convex functions themselves properly validate the user's authentication and role, as this is the most reliable security layer according to the documentation.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@chrome parrot Kapa.ai is still learning and improving, please let me know how I did by reacting below.

chrome parrot Nov 10, 2025, 3:29 PM

but i am using better-auth, no convex auth @dire jolt

dire joltBOT Nov 10, 2025, 3:29 PM

Let me check the knowledge base for you again. One moment! :books:

You're absolutely right, and I apologize for the confusion in my previous response. Let me clarify based on the knowledge sources about Better Auth with Convex.

Better Auth with Convex

The knowledge sources do contain information about using Better Auth with Convex. According to the Better Auth Next.js guide, Better Auth is a supported authentication solution that integrates with Convex through the @convex-dev/better-auth component.

Middleware and Server-Side Authentication

However, I need to be transparent: the knowledge sources do not contain specific documentation about Next.js middleware configuration for Better Auth with Convex.

The available documentation shows:

How to set up Better Auth with Convex in Next.js
How to create route handlers that proxy auth requests
How to use server-side authentication with convexAuthNextjsToken() for fetching data

From a Discord discussion about Better Auth + Convex, there's mention of JWT tokens being stored in cookies (better-auth.session_token and better-auth.convex_jwt), which suggests that server-side authentication should work through these cookies.

Your Specific Issue

For your production issue where the middleware doesn't detect the logged-in user, the knowledge sources don't provide specific troubleshooting steps for Better Auth middleware with self-hosted Convex.

The most relevant guidance from the knowledge sources is to ensure that:

Your Convex functions validate authentication using authComponent.getAuthUser(ctx) (as shown in the Better Auth setup)
You're using the correct environment variables for your self-hosted deployment

I'm sorry, but the knowledge sources do not contain enough information about debugging Better Auth middleware issues specifically with Convex Self-Hosted in production environments. You may need to reach out to the Convex community or support for more specific guidance on this configuration.