What is needed to start with convex-workos?

Install the WorkOS AuthKit and Convex packages, configure two provider entries in convex/auth.config.ts, set the required environment variables, and wrap your app with the AuthKitProvider and ConvexProviderWithAuthKit.

Why are there two provider entries in auth.config.ts?

WorkOS requires two JWT issuers: one for the standard issuer and another for user management; both must be configured.

How do I manage client IDs and redirects for different frameworks?

Use framework-specific env vars: VITE_WORKOS_CLIENT_ID and VITE_WORKOS_REDIRECT_URI for Vite/React, NEXT_PUBLIC_WORKOS_REDIRECT_URI for Next.js, and mirror the WORKOS_CLIENT_ID in the Convex dashboard environment.

convex-workos

Use Caution

npx machina-cli add skill PolarCoding85/convex-agent-skillz/convex-workos-skill --openclaw

Files (1)

SKILL.md

7.5 KB

Convex + WorkOS AuthKit

Provider-specific patterns for integrating WorkOS AuthKit with Convex.

Required Configuration

1. auth.config.ts

// convex/auth.config.ts
const clientId = process.env.WORKOS_CLIENT_ID;

export default {
  providers: [
    {
      type: 'customJwt',
      issuer: 'https://api.workos.com/',
      algorithm: 'RS256',
      applicationID: clientId,
      jwks: `https://api.workos.com/sso/jwks/${clientId}`
    },
    {
      type: 'customJwt',
      issuer: `https://api.workos.com/user_management/${clientId}`,
      algorithm: 'RS256',
      jwks: `https://api.workos.com/sso/jwks/${clientId}`
    }
  ]
};

Note: WorkOS requires TWO provider entries for different JWT issuers.

2. Environment Variables

# .env.local (Vite/React)
VITE_WORKOS_CLIENT_ID=client_01...
VITE_WORKOS_REDIRECT_URI=http://localhost:5173/callback

# .env.local (Next.js)
WORKOS_CLIENT_ID=client_01...
WORKOS_API_KEY=sk_test_...
WORKOS_COOKIE_PASSWORD=your_32_char_minimum_password_here
NEXT_PUBLIC_WORKOS_REDIRECT_URI=http://localhost:3000/callback

# Convex Dashboard Environment Variables
WORKOS_CLIENT_ID=client_01...

Client Setup

React (Vite)

// src/main.tsx
import { AuthKitProvider, useAuth } from "@workos-inc/authkit-react";
import { ConvexProviderWithAuthKit } from "@convex-dev/workos";
import { ConvexReactClient } from "convex/react";

const convex = new ConvexReactClient(import.meta.env.VITE_CONVEX_URL);

ReactDOM.createRoot(document.getElementById("root")!).render(
  <AuthKitProvider
    clientId={import.meta.env.VITE_WORKOS_CLIENT_ID}
    redirectUri={import.meta.env.VITE_WORKOS_REDIRECT_URI}
  >
    <ConvexProviderWithAuthKit client={convex} useAuth={useAuth}>
      <App />
    </ConvexProviderWithAuthKit>
  </AuthKitProvider>
);

Install: npm install @workos-inc/authkit-react @convex-dev/workos

Next.js App Router

// components/ConvexClientProvider.tsx
'use client';

import { ReactNode, useCallback, useRef } from 'react';
import { ConvexReactClient, ConvexProviderWithAuth } from 'convex/react';
import { AuthKitProvider, useAuth, useAccessToken } from '@workos-inc/authkit-nextjs/components';

const convex = new ConvexReactClient(process.env.NEXT_PUBLIC_CONVEX_URL!);

export function ConvexClientProvider({ children }: { children: ReactNode }) {
  return (
    <AuthKitProvider>
      <ConvexProviderWithAuth client={convex} useAuth={useAuthFromAuthKit}>
        {children}
      </ConvexProviderWithAuth>
    </AuthKitProvider>
  );
}

function useAuthFromAuthKit() {
  const { user, loading: isLoading } = useAuth();
  const { accessToken, loading: tokenLoading, error: tokenError } = useAccessToken();

  const loading = (isLoading ?? false) || (tokenLoading ?? false);
  const authenticated = !!user && !!accessToken && !loading;

  const stableAccessToken = useRef<string | null>(null);
  if (accessToken && !tokenError) {
    stableAccessToken.current = accessToken;
  }

  const fetchAccessToken = useCallback(async () => {
    if (stableAccessToken.current && !tokenError) {
      return stableAccessToken.current;
    }
    return null;
  }, [tokenError]);

  return {
    isLoading: loading,
    isAuthenticated: authenticated,
    fetchAccessToken,
  };
}

Install: npm install @workos-inc/authkit-nextjs @convex-dev/workos

Next.js Middleware

// middleware.ts
import { authkitMiddleware } from '@workos-inc/authkit-nextjs';

export default authkitMiddleware({
  middlewareAuth: {
    enabled: true,
    unauthenticatedPaths: ['/', '/sign-in', '/sign-up']
  }
});

export const config = {
  matcher: ['/((?!.*\\..*|_next).*)', '/', '/(api|trpc)(.*)']
};

Next.js Auth Routes

// app/callback/route.ts
import { handleAuth } from '@workos-inc/authkit-nextjs';
export const GET = handleAuth();

// app/sign-in/route.ts
import { redirect } from 'next/navigation';
import { getSignInUrl } from '@workos-inc/authkit-nextjs';
export async function GET() {
  return redirect(await getSignInUrl());
}

// app/sign-up/route.ts
import { redirect } from 'next/navigation';
import { getSignUpUrl } from '@workos-inc/authkit-nextjs';
export async function GET() {
  return redirect(await getSignUpUrl());
}

CORS Configuration (React/Vite only)

For React apps, configure CORS in WorkOS Dashboard:

Authentication > Sessions > Cross-Origin Resource Sharing (CORS)
Click Manage
Add your dev domain: http://localhost:5173
Add your prod domain when deploying

UI Components

import { useAuth } from "@workos-inc/authkit-react"; // or authkit-nextjs/components
import { Authenticated, Unauthenticated } from "convex/react";

function App() {
  const { user, signIn, signOut } = useAuth();

  return (
    <>
      <Authenticated>
        <button onClick={() => signOut()}>Sign out</button>
        <Content />
      </Authenticated>
      <Unauthenticated>
        <button onClick={() => signIn()}>Sign in</button>
      </Unauthenticated>
    </>
  );
}

Auto-Provisioning (Development)

Convex can auto-create WorkOS environments for development:

Run template: npm create convex@latest -- -t react-vite-authkit
Follow prompts to link Convex team with WorkOS
Dev deployments auto-provision WorkOS environments

Configured automatically:

Redirect URI
CORS origin
Local environment variables in .env.local

Limitations:

Only works for dev deployments
Production must be manually configured

Dev vs Prod Configuration

Environment	API Key	Redirect URI
Development	`sk_test_...`	`http://localhost:3000/callback`
Production	`sk_live_...`	`https://your-domain.com/callback`

Set different WORKOS_CLIENT_ID in Convex Dashboard for dev vs prod deployments.

WorkOS-Specific Troubleshooting

Issue	Cause	Fix
CORS error	Domain not added	Add domain in WorkOS Dashboard > Sessions > CORS
Token validation fails	Wrong issuer	Check BOTH providers in auth.config.ts
Missing `aud` claim	JWT config	Check WorkOS JWT configuration
"Platform not authorized"	Workspace unlinked	Run `npx convex integration workos disconnect-team` then `provision-team`

"Platform not authorized" Error

npx convex integration workos disconnect-team
npx convex integration workos provision-team

Note: Use a different email if creating new WorkOS workspace.

DO ✅

Include BOTH provider entries in auth.config.ts (different issuers)
Configure CORS for React/Vite apps
Use useConvexAuth() not WorkOS's useAuth() for auth state
Set WORKOS_CLIENT_ID in Convex Dashboard
Use 32+ char WORKOS_COOKIE_PASSWORD for Next.js

DON'T ❌

Forget the second provider entry (user_management issuer)
Skip CORS configuration for browser-based apps
Use WorkOS auth hooks to gate Convex queries
Hardcode the client ID (use env var)
Use same WorkOS env for dev and prod

Source

git clone https://github.com/PolarCoding85/convex-agent-skillz/blob/main/.claude/skills/convex-workos-skill/SKILL.mdView on GitHub

Overview

This skill provides provider-specific patterns for integrating WorkOS AuthKit with Convex. It covers configuring ConvexProviderWithAuthKit, handling auto-provisioning, and troubleshooting WorkOS authentication issues.

How This Skill Works

Configure auth.config.ts with two customJwt providers for the distinct WorkOS JWT issuers. Then wrap your app with AuthKitProvider and ConvexProviderWithAuthKit (React/Vite) or ConvexProviderWithAuth in Next.js, wiring in the appropriate clientId and redirectUri. Environment variables and install steps are provided to support both React and Next.js setups.

When to Use It

Setting up WorkOS AuthKit for a Convex app (React/Vite or Next.js).
Configuring ConvexProviderWithAuthKit to enable authenticated Convex calls.
Enabling auto-provisioning of users via WorkOS.
Troubleshooting WorkOS-specific authentication issues (JWT issuers, JWKS, etc.).
Migrating an existing Convex app to WorkOS-based authentication.

Quick Start

Step 1: Install the required WorkOS AuthKit and Convex packages for your framework.
Step 2: Create auth.config.ts with two customJwt providers using the WorkOS issuers and JWKS endpoints.
Step 3: Wrap your app with AuthKitProvider and ConvexProviderWithAuthKit (or ConvexProviderWithAuth for Next.js) and set clientId/redirectUri from your env vars.

Best Practices

Provide two provider entries for different JWT issuers as required by WorkOS.
Store client IDs and URIs in framework-specific env vars (Vite/Next).
Keep JWKS URLs stable and aligned with the corresponding issuer in auth.config.ts.
Wrap the app at the root with AuthKitProvider and ConvexProviderWithAuthKit to ensure tokens are available globally.
Test across React/Vite and Next.js setups, including middleware, to verify token loading and auth flow.

Example Use Cases

React/Vite app wrapped with AuthKitProvider and ConvexProviderWithAuthKit around the root.
Next.js App Router: ConvexClientProvider.tsx uses ConvexProviderWithAuth together with AuthKitProvider.
Next.js Middleware configured with authkitMiddleware to protect routes and define unauthenticated paths.
auth.config.ts includes two provider entries for WorkOS issuer and user_management issuer.
Environment variables configured per framework (VITE_WORKOS_CLIENT_ID and NEXT_PUBLIC_WORKOS_REDIRECT_URI).

Frequently Asked Questions

Add this skill to your agents