#Dev Wrokdlow With Previews

I would like you to help me figure out what is a good and safe workflow with Vercel, WorkOS and Convex using Previews.

Should each developer use their own "dev" deployment when working on a feature or should they connect to the generated "preview" deployment?

How to best manage users in each environment? WorkOS seems to have fixed environments so it doesn't seem possible to create users per preview deployment, all preview deployments will need to share the WorkOS preview environment.

Hi @ebon gulch. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Here’s what the docs and support threads support, and where they’re silent.

1. Dev vs preview: who should use what?

Per‑developer dev deployments are still the primary workflow.

• Convex is designed so each team member gets their own dev deployment when they run npx convex dev. [Typical workflow]
• Support explicitly recommends not sharing a single dev deployment because code and schema are hot‑reloaded; two people would constantly overwrite each other’s changes. [Understanding dev deployments]

So for day‑to‑day feature work:

• Each developer should:
  • Run against their own dev deployment.
  • Optionally import data from prod/staging into their dev deployment when needed. [Understanding dev deployments]

Preview deployments are for PR / branch review, not for local dev.

• Convex preview deployments are created per Git branch via npx convex deploy in Vercel/Netlify, using a preview deploy key. [Preview deployments; Vercel previews]
• They are:
  • Fresh backends with their own data and config.
  • Short‑lived (auto‑cleaned after 5–14 days). [Preview deployments]

So the safe pattern is:

• Local work: each dev uses their own dev deployment.
• Code review / QA: CI deploys to a preview deployment for that branch.
• Production: a single prod deployment. [Deploying to production]

2. Staging vs preview

If you need a permanent shared environment (e.g. for beta testers):

• Use a separate Convex project whose prod deployment acts as “staging”. [Production staging env]
• This is also the recommended workaround for stricter access control / isolation. [Key management thread]

So you might have:

• Project A: dev deployments per dev + “prod” = staging.
• Project B: “prod” = real production. [Key management thread]

3. WorkOS / AuthKit environments across dev, preview, prod

The docs distinguish:

• Dev deployments: Convex can auto‑provision and configure a WorkOS AuthKit environment per dev deployment using authKit.dev in convex.json, and write credentials into .env.local. [Automatic AuthKit; Project config]
• Preview deployments: You typically use project‑level AuthKit environments shared across all previews, because build‑time env vars on Vercel/Netlify are hard to vary per preview. [Project vs deployment AuthKit]
• Prod deployment: Has its own WorkOS production environment and credentials. [Config dev/prod instances; Automatic AuthKit]

The docs explicitly say:

• Deployment‑specific AuthKit environments are possible but “difficult to set up automatically,” and shared project‑level environments are generally a better fit for preview/prod. [Project vs deployment AuthKit]

So for your question:

WorkOS seems to have fixed environments so it doesn't seem possible to create users per preview deployment, all preview deployments will need to share the WorkOS preview environment.

The docs confirm the recommended setup is:

• One WorkOS “preview” environment shared by all Convex preview deployments in that project.
• Each preview Convex deployment has its own DB, but they all authenticate against the same WorkOS environment. [Project vs deployment AuthKit; Automatic AuthKit]

They do not document a pattern where each preview deployment gets its own separate WorkOS environment, and they suggest that’s not the intended path.

4. Putting it together: a safe workflow

Based on the docs:

1. Local dev
   • Each dev runs npx convex dev → gets their own Convex dev deployment. [Typical workflow]
   • Auth:
     • Use authKit.dev in convex.json so Convex auto‑provisions/configures a WorkOS environment and writes WORKOS_* into .env.local. [Automatic AuthKit; Recommended config]

2. Preview / PRs (Vercel)

   • Configure a preview deploy key as CONVEX_DEPLOY_KEY for Vercel Preview env. [Vercel previews]
   • Configure project‑level AuthKit preview environment in Convex and copy its WORKOS_* vars into Vercel Preview env. [Automatic AuthKit; Project vs deployment AuthKit]
   • Each PR → Vercel Preview + Convex preview deployment with its own DB, but shared WorkOS preview environment.

3. Staging (optional but often useful)

   • Separate Convex project whose prod deployment is “staging”; Vercel “Preview” or “Production” env can point to it depending on your branching model. [Production staging env; Key management thread]

4. Production

   • Single Convex prod deployment.
   • Separate WorkOS production environment and WORKOS_* vars in Vercel Production env. [Config dev/prod instances; Recommended config]

5. User management per environment

From the docs:

• Convex data is fully isolated per deployment (dev, preview, prod, staging). [Deployments; Preview deployments]
• WorkOS users:
  • Dev: can be per‑dev environment (via auto‑provisioning).
  • Preview: shared project‑level environment across all previews.
  • Prod: separate production environment.

The docs do not describe a supported way to have per‑preview WorkOS environments automatically; they explicitly steer you toward shared project‑level environments for preview/prod. [Project vs deployment AuthKit]

If you want to explore patterns beyond that (e.g. manual per‑preview WorkOS envs), that’s outside what the current docs cover.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@worn path the linked documentation on how to get the auto-provisioning working is a bit sparce.

I have an existing WorkOS account. It is not clear to me how to proceed from there.

Let me check the knowledge base for you again. One moment! :books:

You’re right that it’s a bit split across pages. Here’s the flow that is documented for using an existing WorkOS account with Convex’s AuthKit integration.

1. Set up AuthKit in your existing WorkOS account

From your existing WorkOS dashboard:

1. Go to Authentication → AuthKit and click Set up AuthKit if you haven’t already. [Convex & AuthKit]
2. Go through the setup wizard until step 4: Add default redirect endpoint URI.
   • Set the Redirect URI to your app’s /callback route, e.g.
     <http://localhost:3000/callback> for local dev. [Convex & AuthKit]
3. Finish the AuthKit setup.

Then:

4. From the Get started page in WorkOS, copy:
   • WORKOS_CLIENT_ID
   • WORKOS_API_KEY [Convex & AuthKit]

2. Configure Convex backend to validate WorkOS tokens

In your Convex project, create convex/auth.config.ts and wire it to your WorkOS Client ID.

The docs show this pattern (same for React and Next.js): [Client configuration; Next.js config]

// convex/auth.config.ts
const clientId = process.env.WORKOS_CLIENT_ID;

const authConfig = {
  providers: [
    {
      type: "customJwt",
      issuer: `<https://api.workos.com/`,>
      algorithm: "RS256",
      applicationID: clientId,
      jwks: `<https://api.workos.com/sso/jwks/${clientId}`,>
    },
    {
      type: "customJwt",
      issuer: `<https://api.workos.com/user_management/${clientId}`,>
      algorithm: "RS256",
      jwks: `<https://api.workos.com/sso/jwks/${clientId}`,>
    },
  ],
};

export default authConfig;

Then:

1. Add WORKOS_CLIENT_ID to your local .env (no NEXT_PUBLIC_): [Config dev/prod instances]

   WORKOS_CLIENT_ID=client_01XXXXXXXXXXXXXXXXXXXXXXXX
   

2. In the Convex dashboard, set WORKOS_CLIENT_ID for your dev deployment to the same value. [Config dev/prod instances]

3. Run:

   npx convex dev
   

   This syncs auth.config.ts to the backend. If WORKOS_CLIENT_ID is missing, Convex will show an error with a link to set it in the dashboard. [Client configuration]

3. Configure WorkOS AuthKit client‑side (React or Next.js)

You now need the AuthKit SDK in your app and to point it at Convex.

Environment variables (dev)

For dev, the docs recommend: [Config dev/prod instances]

WORKOS_CLIENT_ID="client_01XXXXXXXXXXXXXXXXXXXXXXXX"
WORKOS_API_KEY="sk_test_..."                # server-side only
WORKOS_COOKIE_PASSWORD="at_least_32_chars"  # for Next.js AuthKit
NEXT_PUBLIC_WORKOS_REDIRECT_URI="<http://localhost:3000/callback">

(For React/Vite, use VITE_WORKOS_CLIENT_ID / VITE_WORKOS_REDIRECT_URI instead.) [Client configuration]

Install the SDK

• React:

  npm install @workos-inc/authkit-react @convex-dev/workos
  ``` [[Client configuration](<https://docs.convex.dev/auth/authkit/#client-configuration>)]
  
  

• Next.js:

  npm install @workos-inc/authkit-nextjs @convex-dev/workos
  ``` [[Next.js config](<https://docs.convex.dev/auth/authkit/#nextjs>)]
  
  

Then follow the framework‑specific section:

• React: wrap your app with AuthKitProvider and ConvexProviderWithAuthKit, passing WorkOS’s useAuth() hook. [Client configuration]
• Next.js:
  • Add middleware.ts using authkitMiddleware. [Next.js config]
  • Add routes:
    • app/callback/route.ts with handleAuth()
    • app/sign-in/route.ts using getSignInUrl()
    • (and similarly for sign‑up, etc.) [Next.js config]

4. (Optional) Use Convex’s auto‑provisioning with an existing WorkOS account

Auto‑provisioning is driven by convex.json and doesn’t require Convex to own your WorkOS account; it just needs WORKOS_CLIENT_ID and WORKOS_API_KEY to be present. [Automatic AuthKit]

A typical config: [Recommended configuration]

{
  "authKit": {
    "dev": {
      "configure": {
        "redirectUris": ["<http://localhost:3000/callback"],>
        "appHomepageUrl": "<http://localhost:3000",>
        "corsOrigins": ["<http://localhost:3000"]>
      },
      "localEnvVars": {
        "WORKOS_CLIENT_ID": "${authEnv.WORKOS_CLIENT_ID}",
        "WORKOS_API_KEY": "${authEnv.WORKOS_API_KEY}",
        "NEXT_PUBLIC_WORKOS_REDIRECT_URI": "<http://localhost:3000/callback">
      }
    },
    "preview": {
      "configure": {
        "redirectUris": ["<https://${buildEnv.VERCEL_BRANCH_URL}/callback"],>
        "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
        "corsOrigins": ["<https://${buildEnv.VERCEL_BRANCH_URL}"]>
      }
    },
    "prod": {
      "environmentType": "production",
      "configure": {
        "redirectUris": [
          "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}/callback">
        ],
        "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
        "corsOrigins": ["<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}"]>
      }
    }
  }
}

What this does (per docs): [Automatic AuthKit]

• On npx convex dev / deploy:
  • Finds WORKOS_CLIENT_ID / WORKOS_API_KEY (from your existing WorkOS account) in env or Convex dashboard.
  • Uses WORKOS_API_KEY to configure that WorkOS environment (redirect URIs, CORS, etc.).
  • For dev, writes localEnvVars into .env.local.

For preview/prod, the docs recommend using project‑level AuthKit environments and copying their credentials into your hosting provider’s env vars (e.g. Vercel). [Project vs deployment AuthKit]

5. Debugging if it “works” but Convex says unauthenticated

If users can sign in via WorkOS but useConvexAuth() shows isAuthenticated: false, the docs list common causes: [Debugging authentication]

• WORKOS_CLIENT_ID mismatch between Convex and WorkOS.
• Missing env vars in Convex dashboard.
• Redirect URI mismatch.
• Missing aud claim in the WorkOS JWT (Convex requires aud to match your applicationID / client ID).

If you tell me whether you’re on React or Next.js and whether you want auto‑provisioning or just manual wiring, I can map these steps to a very concrete checklist for that setup using only what’s in the docs.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@worn path how do I provision a WorkOS environment for each preview environment? How do I provision a WorkOS environment for each developer?

Let me check the knowledge base for you again. One moment! :books:

There isn’t a fully documented way to provision a separate WorkOS environment per Convex preview deployment or per developer. The docs describe what is supported and recommended, and it’s more limited than what you’re asking for.

1. What Convex + WorkOS AuthKit do support

Convex’s AuthKit integration can:

• Provision and configure AuthKit environments automatically for dev deployments when you use authKit.dev in convex.json. [Automatic AuthKit]
• Configure existing AuthKit environments (dev, preview, prod) when WORKOS_CLIENT_ID and WORKOS_API_KEY are present. [Automatic AuthKit]

The recommended pattern is:

• Dev: per‑developer Convex dev deployments, each with its own AuthKit environment (auto‑provisioned) or shared ones, depending on how you configure authKit.dev. [Automatic AuthKit; Recommended config]
• Preview + Prod: use project‑level AuthKit environments, shared across all preview deployments and across all prod deployments, because build‑time env vars on Vercel/Netlify are hard to vary per deployment. [Project vs deployment AuthKit]

The docs explicitly say:

Deployment-specific AuthKit environments can be created for any deployment are difficult set up automatically so shared project-level environments are generally a better fit. [Project vs deployment AuthKit]

So:

• Per‑developer environments: supported and automated for dev.
• Per‑preview environments: technically possible in WorkOS, but not supported/automated by Convex; docs recommend shared project‑level environments instead.

2. Per‑developer WorkOS environments (dev)

For dev, Convex can provision/configure AuthKit environments automatically when you have authKit.dev in convex.json. [Automatic AuthKit]

Example config: [Recommended config]

{
  "authKit": {
    "dev": {
      "configure": {
        "redirectUris": ["<http://localhost:3000/callback"],>
        "appHomepageUrl": "<http://localhost:3000",>
        "corsOrigins": ["<http://localhost:3000"]>
      },
      "localEnvVars": {
        "WORKOS_CLIENT_ID": "${authEnv.WORKOS_CLIENT_ID}",
        "WORKOS_API_KEY": "${authEnv.WORKOS_API_KEY}",
        "NEXT_PUBLIC_WORKOS_REDIRECT_URI": "<http://localhost:3000/callback">
      }
    }
  }
}

How this works, per docs: [Automatic AuthKit]

• When a dev runs npx convex dev:
  • Convex looks for WORKOS_CLIENT_ID / WORKOS_API_KEY in the environment or in the Convex deployment.
  • For dev deployments, Convex can create an AuthKit environment (if using a Convex‑managed WorkOS account) and then configure it using the configure block.
  • It writes the localEnvVars into .env.local for that developer.

This is the documented mechanism for “per‑developer” WorkOS environments: each dev’s Convex dev deployment can have its own associated AuthKit environment, and Convex manages the wiring. [Automatic AuthKit]

3. Per‑preview WorkOS environments

For preview deployments (e.g. Vercel Preview):

• Convex supports configuring an AuthKit environment via authKit.preview in convex.json, but not provisioning a new WorkOS environment per preview deployment. [Automatic AuthKit; Project vs deployment AuthKit]

The recommended setup is:

• Create a project‑level AuthKit environment for previews in the Convex dashboard.
• Copy its WORKOS_CLIENT_ID, WORKOS_API_KEY, etc. into your hosting provider’s Preview env vars (e.g. Vercel). [Automatic AuthKit; Project vs deployment AuthKit]

Then use something like:

{
  "authKit": {
    "preview": {
      "configure": {
        "redirectUris": ["<https://${buildEnv.VERCEL_BRANCH_URL}/callback"],>
        "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
        "corsOrigins": ["<https://${buildEnv.VERCEL_BRANCH_URL}"]>
      }
    }
  }
}

This means:

• All preview Convex deployments share the same WorkOS “preview” environment.
• Each preview Convex deployment still has its own database and config, but authentication goes through the shared WorkOS environment. [Project vs deployment AuthKit]

The docs explicitly note that deployment‑specific AuthKit environments are “difficult to set up automatically” and recommend shared project‑level environments instead; they do not document a supported way to auto‑provision a new WorkOS environment per preview deployment. [Project vs deployment AuthKit]

4. Summary

• Per developer (dev): Use Convex dev deployments with authKit.dev in convex.json. Convex can provision/configure a WorkOS AuthKit environment and write WORKOS_* into each dev’s .env.local. This is the documented way to get per‑developer environments. [Automatic AuthKit; Recommended config]
• Per preview deployment: The docs do not describe a way to provision a unique WorkOS environment per preview deployment. Instead, they recommend a shared project‑level AuthKit environment for all previews, configured via authKit.preview and env vars in your hosting provider. [Project vs deployment AuthKit]

Anything beyond that (e.g. scripting WorkOS API calls yourself to create an environment per preview) is not covered in the Convex docs, so I can’t give a documented, supported procedure for it.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@worn path okay so

1. prod has a project level (shared) environment
   2.1) preview has a project level (shared) environment
   2.2) each preview deployment can however configure their own redirect URL etc to make preview deployments on Vercel work with the shared secrets
   3.1) Convex can manage WorkOS and create a dev environment for each developer
   3.2) first time one runs npx convex dev convex can set up this environment if it manages WorkOS

How do I allow Convex to Manage WorkOS? Where are the settings for that?

Let me check the knowledge base for you again. One moment! :books:

You’ve summarized the model correctly, and your questions line up with how Convex’s AuthKit auto‑provisioning is intended to work.

The missing piece is: “letting Convex manage WorkOS” is done via the Convex dashboard integration + convex.json, not via a local config toggle.

1. Where you “allow Convex to manage WorkOS”

Convex manages WorkOS AuthKit via:

1. The WorkOS / AuthKit integration in the Convex dashboard, and
2. The authKit section in convex.json in your repo. [Automatic AuthKit; Project config]

The docs describe it like this:

• Convex can create AuthKit environments in a WorkOS account made on your behalf and then configure them, driven by convex.json. [Automatic AuthKit]
• In the Convex dashboard, under Settings → Integrations → WorkOS Authentication, you create AuthKit environments (dev / preview / prod) and Convex stores the corresponding WORKOS_CLIENT_ID / WORKOS_API_KEY as AuthKit credentials for that project. Those are what ${authEnv.WORKOS_CLIENT_ID} / ${authEnv.WORKOS_API_KEY} refer to in convex.json. [Automatic AuthKit; Recommended configuration]

Once that integration is set up, Convex has permission (via the stored WORKOS_API_KEY) to call the WorkOS API and configure environments.

2. How Convex uses that to auto‑provision / configure

Auto‑provisioning is triggered purely by convex.json + a code push (npx convex dev / npx convex deploy):

{
  "authKit": {
    "dev": {
      "configure": {
        "redirectUris": ["<http://localhost:3000/callback"],>
        "appHomepageUrl": "<http://localhost:3000",>
        "corsOrigins": ["<http://localhost:3000"]>
      },
      "localEnvVars": {
        "WORKOS_CLIENT_ID": "${authEnv.WORKOS_CLIENT_ID}",
        "WORKOS_API_KEY": "${authEnv.WORKOS_API_KEY}",
        "NEXT_PUBLIC_WORKOS_REDIRECT_URI": "<http://localhost:3000/callback">
      }
    },
    "preview": {
      "configure": {
        "redirectUris": ["<https://${buildEnv.VERCEL_BRANCH_URL}/callback"],>
        "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
        "corsOrigins": ["<https://${buildEnv.VERCEL_BRANCH_URL}"]>
      }
    },
    "prod": {
      "environmentType": "production",
      "configure": {
        "redirectUris": [
          "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}/callback">
        ],
        "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
        "corsOrigins": ["<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}"]>
      }
    }
  }
}

[Recommended configuration]

Mechanics (from the docs): [Automatic AuthKit]

• On npx convex dev / deploy, the CLI:
  1. Looks for WORKOS_CLIENT_ID / WORKOS_API_KEY:
     • First in the build environment / .env.local.
     • Then in the Convex deployment’s env vars.
  2. If it finds AuthKit credentials (from the dashboard integration), it:
     • For dev:
       • May create an AuthKit environment (if needed) and
       • Writes localEnvVars into .env.local for that developer.
     • For dev / preview / prod:
       • Uses WORKOS_API_KEY to configure that WorkOS environment according to the configure block (redirect URIs, CORS, etc.).

The “Convex manages WorkOS” part is exactly this: Convex holds the WorkOS API key (via the integration) and uses it automatically when it sees authKit in convex.json. [Automatic AuthKit]

3. Per‑developer dev environments (your 3.1 / 3.2)

For dev:

• Each developer runs npx convex dev → Convex creates a dev deployment.
• With authKit.dev present and the WorkOS integration configured, Convex:
  • Ensures there is an AuthKit environment for that dev deployment.
  • Writes WORKOS_CLIENT_ID / WORKOS_API_KEY / redirect URI into that dev’s .env.local according to localEnvVars. [Automatic AuthKit; Project vs deployment AuthKit]

That’s how you get “Convex creates a dev environment for each developer” without any extra manual step beyond:

1. Enabling the WorkOS AuthKit integration in the Convex dashboard for the project.
2. Having an authKit.dev block in convex.json.

4. Per‑preview & prod (your 1 / 2.1 / 2.2)

The docs confirm your understanding:

• Prod: one project‑level AuthKit environment, configured via authKit.prod and used by the production deployment. [Automatic AuthKit; Config dev/prod instances]
• Preview:
  • One project‑level AuthKit environment shared by all preview deployments. [Project vs deployment AuthKit]
  • Each preview deployment can still have its own redirect URI / CORS via authKit.preview.configure using buildEnv.VERCEL_BRANCH_URL, etc., so Vercel previews work with the shared secrets. [Recommended configuration]

The docs explicitly say deployment‑specific AuthKit environments are “difficult to set up automatically” and recommend these shared project‑level environments for preview/prod. [Project vs deployment AuthKit]

So, concretely:

1. In the Convex dashboard, under your project’s settings, enable the WorkOS Authentication / AuthKit integration and create the dev/preview/prod AuthKit environments there (this is where Convex stores authEnv.WORKOS_CLIENT_ID / authEnv.WORKOS_API_KEY). [Automatic AuthKit]
2. In your repo, add an authKit section to convex.json (like the example above).
3. Run npx convex dev:
   • For each dev, Convex will now be able to create/configure a WorkOS AuthKit environment and write the right WORKOS_* values into .env.local. [Automatic AuthKit]

If you’d like, paste your current convex.json (with secrets redacted) and I can point out exactly what to add/change to align with this flow.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@worn path I receive an error that "A WorkOS team already exists with <email>. Please select a different email address."

How can I connect the integration with an existing WorkOS project?

Let me check the knowledge base for you again. One moment! :books:

That specific error isn’t described in the docs, but there is a closely related limitation documented for the WorkOS integration: a single email address can only be associated with one WorkOS workspace. [Platform not authorized]

From the troubleshooting section:

You'll need to use a different email address to create your new WorkOS Workspace as an email address can only be associated with a single WorkOS workspace. [Platform not authorized]

So, based on what is documented:

• When Convex’s integration flow tries to create or link a WorkOS team/workspace and sees that your email is already tied to another WorkOS workspace, you get an error like the one you’re seeing.
• The docs do not describe a way to “attach” Convex’s integration to an arbitrary existing WorkOS project/workspace from that state.

They do document two supported paths when the integration is in a bad state:

1. Ask WorkOS to restore permissions if Convex was previously connected and then removed:

   • Contact WorkOS support and ask them to restore your platform API key’s access to the team. [Platform not authorized]

2. Disconnect and re‑provision the WorkOS integration from Convex’s side (this creates a new WorkOS workspace/team, not reuse an existing one):

   npx convex integration workos disconnect-team
   npx convex integration workos provision-team
   

   [Platform not authorized]

However, the docs do not explain a flow like:

“I already have a WorkOS project X; please point this Convex project at that exact WorkOS project X instead of creating a new one.”

So I can’t give you a documented, step‑by‑step way to do that. The only clearly documented options are:

• Use a different email to create a new WorkOS workspace for Convex to manage. [Platform not authorized]
• Or, if you previously had Convex linked to a WorkOS workspace and it broke, use the disconnect/provision commands or contact WorkOS support to restore access. [Platform not authorized]

If you need to reuse a specific existing WorkOS project, that’s not covered in the current Convex docs; you’d likely need to coordinate with WorkOS support and/or Convex support to have them wired up manually.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Hi @worn path , I set things up and things are mostly working, but it seems to me that there is only one single preview environment? How can multiple people work in parallel in this setup? The convex.json does configure WorkOS on each preview deploy, but it does so with the latest preview deploy. Meaning if there are 2 people working in parallel, whoever pushed latest will overwrite the configurations of the preview environment.

Let me check the knowledge base for you again. One moment! :books:

You’ve understood the current behavior correctly, and the limitation you’re seeing is real given how AuthKit auto‑configuration works today.

What the docs say about preview AuthKit environments

For previews, Convex explicitly recommends project‑level (shared) AuthKit environments, not one per preview deployment:

Deployment-specific AuthKit environments can be created for any deployment are difficult set up automatically so shared project-level environments are generally a better fit. [Project vs deployment AuthKit]

And the recommended convex.json example shows a single authKit.preview block that uses Vercel build env vars to set redirect URIs / CORS for “preview” in general, not per‑deployment: [Recommended configuration]

"preview": {
  "configure": {
    "redirectUris": ["<https://${buildEnv.VERCEL_BRANCH_URL}/callback"],>
    "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
    "corsOrigins": ["<https://${buildEnv.VERCEL_BRANCH_URL}"]>
  }
}

The auto‑provisioning flow is:

• On each preview deploy, Convex finds the same preview AuthKit environment (project‑level) and configures it using that configure block. [Automatic AuthKit]

So if two branches deploy in parallel, they are both configuring the same WorkOS preview environment; the last deploy “wins” in terms of redirect URIs / CORS.

The docs do not describe any mechanism to:

• Create a separate WorkOS environment per preview deployment, or
• Keep multiple different redirect URI / CORS configurations in one WorkOS environment simultaneously.

They explicitly say that deployment‑specific AuthKit environments are “difficult to set up automatically” and recommend shared project‑level ones instead. [Project vs deployment AuthKit]

How to work in parallel given this

Based on the docs, the intended parallel‑work story is:

• Per‑developer Convex dev deployments (each with its own AuthKit environment) for day‑to‑day work. [Automatic AuthKit; Recommended configuration]
• Shared preview AuthKit environment for all preview deployments, accepting that its configuration is global and updated on each deploy. [Project vs deployment AuthKit]

The docs don’t offer a way around the “last deploy overwrites preview AuthKit config” issue; they just recommend this shared‑environment model for previews and per‑developer isolation at the dev‑deployment level.

So:

• Multiple people can work in parallel, but:
  • Their local dev environments are fully isolated (separate Convex + AuthKit envs).
  • Their preview environments share one WorkOS preview environment whose redirect URIs / CORS are updated on each deploy.

If you need truly isolated auth configuration per preview deployment, that’s beyond what the current Convex + AuthKit docs describe as supported or automated.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@worn path "Their preview environments share one WorkOS preview environment whose redirect URIs / CORS are updated on each deploy."

In practice this means that only one preview branch can be active, so the entire team can only work on one feature at a time. Otherwise the Vercel preview deployments will be overwritten by eachother. If the CORS and callback URI settings don't work per Vercel preview deploy, then how can people share their work with QA for example?

<@&1228088700710293556> "Their preview environments share one WorkOS preview environment whose redirect URIs / CORS are updated on each deploy."

In practice this means that only one preview branch can be active, so the entire team can only work on one feature at a time. Otherwise the Vercel preview deployments will be overwritten by eachother. If the CORS and callback URI settings don't work per Vercel preview deploy, then how can people share their work with QA for example?

@worn path "Their preview environments share one WorkOS preview environment whose redirect URIs / CORS are updated on each deploy."

In practice this means that only one preview branch can be active, so the entire team can only work on one feature at a time. Otherwise the Vercel preview deployments will be overwritten by eachother. If the CORS and callback URI settings don't work per Vercel preview deploy, then how can people share their work with QA for example?

Let me check the knowledge base for you again. One moment! :books:

You’re right to call out this tension. The current docs describe the shared‑preview‑AuthKit model, but they don’t go on to explain “how to do QA on multiple branches at once” with it, and they don’t document a clean, fully isolated per‑preview‑branch AuthKit setup.

What is documented:

• For preview deployments, Convex recommends project‑level (shared) AuthKit environments, not one per preview deployment:

  Deployment-specific AuthKit environments can be created for any deployment are difficult set up automatically so shared project-level environments are generally a better fit. [Project vs deployment AuthKit]

• The recommended authKit.preview config uses Vercel build env vars to set redirect URIs and CORS, but it still targets a single WorkOS preview environment: [Recommended configuration]

  "preview": {
    "configure": {
      "redirectUris": ["<https://${buildEnv.VERCEL_BRANCH_URL}/callback"],>
      "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
      "corsOrigins": ["<https://${buildEnv.VERCEL_BRANCH_URL}"]>
    }
  }
  

• On each preview deploy, the CLI:

  1. Finds the AuthKit environment using WORKOS_CLIENT_ID / WORKOS_API_KEY.
  2. Uses WORKOS_API_KEY to configure that environment according to the configure block. [Automatic AuthKit]

  There’s no mention of keeping multiple redirect/CORS configs in parallel for different preview URLs.

So, based on the docs alone:

• Yes, all preview branches share one WorkOS preview environment, and its redirect URIs / CORS are updated on each deploy.
• The docs do not describe a way to:
  • Have WorkOS maintain separate redirect/CORS settings per Vercel preview deployment, or
  • Automatically provision a distinct WorkOS environment per preview deployment.

They explicitly say that deployment‑specific AuthKit environments are “difficult to set up automatically” and recommend shared project‑level environments instead. [Project vs deployment AuthKit]

Because of that, the documentation does not give a clear, supported pattern that guarantees “any number of preview branches can all be QA’d simultaneously with independent AuthKit config.” It also doesn’t explicitly say “only one preview can be active,” but the behavior you’re describing (last deploy wins) is consistent with what’s written.

The only clearly documented ways to get isolation today are:

• Per‑developer dev deployments with their own AuthKit environments, for day‑to‑day work. [Automatic AuthKit]
• Separate Convex projects (e.g. a dedicated staging project) if you need a long‑lived environment distinct from production. [Project vs deployment AuthKit]

But the docs do not go further to describe a robust multi‑preview‑branch QA story with AuthKit; they stop at the shared preview environment recommendation. So I can’t point you to a documented configuration that fully solves the “multiple QA previews at once” problem with WorkOS AuthKit auto‑provisioning.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Is it possible to point these developer environments in the preview build of vercel?

@worn path Is it possible to point these developer environments in the preview build of vercel?

So wh

Let me check the knowledge base for you again. One moment! :books:

I’m not seeing anything in the docs that describes a supported way to have a Vercel preview build automatically point at each developer’s personal dev deployment.

What is documented for Vercel previews is:

• Preview builds are meant to point at Convex preview deployments, created via npx convex deploy with a preview deploy key. [Vercel previews]
• npx convex deploy will:
  • Create (or update) a Convex preview deployment for the branch.
  • Set CONVEX_URL (or a similar env var) in the build environment so your frontend points at that preview deployment. [Vercel previews]
• If you need extra Convex env vars per preview deployment (e.g. Vercel URLs), you can set them with npx convex env set --preview-name $VERCEL_GIT_COMMIT_REF ... in your build script. [Vercel URL env]

The documented model is:

• Local dev: each developer uses their own dev deployment via npx convex dev. [Understanding dev deployments]
• Vercel preview builds: each branch gets its own Convex preview deployment, not a dev deployment. [Preview deployments; Vercel previews]

There’s no mention of wiring Vercel previews to personal dev deployments, and the CLI options around previews (--preview-create, --preview-run, --preview-name for env set) all operate on preview deployments, not dev ones. [CLI deploy; Vercel URL env]

So, based on the docs:

• Supported / documented: Vercel preview → Convex preview deployment.
• Not documented: Vercel preview → Convex dev deployment (per developer).

If you want QA to see exactly what’s on a dev’s personal backend, that wiring isn’t covered in the current Convex + Vercel docs.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

@worn path maybe I am misunderstanding, is it possible that in the shared preview WorkOS environment the integration sets multiple redirect URL-s up, and thus each active Vercel preview deployment can work with the shared data?

Let me check the knowledge base for you again. One moment! :books:

The knowledge sources don’t say this explicitly, but they strongly suggest the opposite: the current Convex+AuthKit integration assumes one WorkOS preview environment whose redirect/CORS config is overwritten on each preview deploy, not accumulated.

What we do know from the docs:

• For previews, Convex recommends a shared, project‑level AuthKit environment, not one per preview deployment. [Project vs deployment AuthKit]

• On each code push, the CLI:

  uses WORKOS_API_KEY to configure the environment based on the configure section of the relevant authKit object. [Automatic AuthKit]

• The recommended authKit.preview config is:

  "preview": {
    "configure": {
      "redirectUris": ["<https://${buildEnv.VERCEL_BRANCH_URL}/callback"],>
      "appHomepageUrl": "<https://${buildEnv.VERCEL_PROJECT_PRODUCTION_URL}",>
      "corsOrigins": ["<https://${buildEnv.VERCEL_BRANCH_URL}"]>
    }
  }
  

  [Recommended configuration]

There is no mention of Convex appending to an existing list of redirect URIs / CORS origins in WorkOS, or of keeping multiple preview URLs active at once. The wording “configure the environment based on the configure section” reads as “set it to this,” not “merge with what’s already there,” and nothing in the docs describes multi‑preview coexistence.

So:

• It is possible in raw WorkOS to have multiple redirect URIs configured, but
• The Convex AuthKit auto‑configuration flow is only documented as “set the config to what’s in convex.json for this deploy,” and
• There is no documented behavior that would guarantee “each active Vercel preview deployment adds its URL to the shared WorkOS preview environment without removing the others.”

Because of that, I can’t confidently say that “yes, the integration will maintain multiple redirect URLs so all previews work at once.” The docs simply don’t state that, and the described mechanism (re‑configuring the environment on each deploy) points toward the “last deploy wins” behavior you’re already observing.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: