workos-convex-debug

Debug and troubleshoot WorkOS AuthKit authentication issues with Convex. Use when authentication fails, JWT validation errors occur, user identity returns null, email claims are missing, admin access checks fail, or sign in button does not work. Supports Netlify deployment.

6 stars

byget-convex

View on GitHub Installation ↓

Best use case

workos-convex-debug is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using workos-convex-debug should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/workos-convex-debug/SKILL.md --create-dirs "https://raw.githubusercontent.com/get-convex/components-submissions-directory/main/.cursor/skills/workos-convex-debug/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/workos-convex-debug/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How workos-convex-debug Compares

Feature / Agent	workos-convex-debug	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# WorkOS Convex Debug Skill

> **Always check official docs for the latest information:**
> - Troubleshooting: https://docs.convex.dev/auth/authkit/troubleshooting
> - Convex Debugging Auth: https://docs.convex.dev/auth/debug
> - WorkOS AuthKit: https://workos.com/docs/authkit
> - Netlify Docs: https://docs.netlify.com/

## When to use this skill

Use this skill when you encounter:

- Sign in button does nothing
- User is authenticated but `useConvexAuth()` returns `isAuthenticated: false`
- `ctx.auth.getUserIdentity()` returns `null`
- Email or name fields are undefined in identity
- Admin access check returns false for valid admin users
- JWT validation errors
- OAuth callback redirect issues
- Environment variable configuration problems

## Diagnostic checklist

Run through these checks in order:

### 1. Verify environment variables are set

**Frontend (.env.local):**

```bash
VITE_CONVEX_URL=https://your-deployment.convex.cloud
VITE_WORKOS_CLIENT_ID=client_01XXXXXXXXXXXXXXXXXX
VITE_WORKOS_REDIRECT_URI=http://localhost:5173/callback
```

**Convex Dashboard:**

- Navigate to Settings > Environment Variables
- Verify `WORKOS_CLIENT_ID` is set

### 2. Verify auth config is deployed

Run `npx convex dev` and look for "Convex functions ready!" message.

If you see an error about `WORKOS_CLIENT_ID`:
1. Follow the link in the error message
2. Paste your WorkOS Client ID
3. Save and wait for deployment

### 3. Check WorkOS Dashboard configuration

**Redirect URIs:**
- Must include `http://localhost:5173/callback` for local dev
- Must include production callback URL

**CORS Origins:**
- Must include `http://localhost:5173` for local dev
- Must include production origin

**JWT Template:**
- Must include `email` claim (see Problem 2 below)

## Common problems and solutions

### Problem 1: Sign in button does nothing

**Symptom:** Clicking Sign In has no effect. No redirect to WorkOS.

**Root cause:** Using deprecated `getSignInUrl()` or incorrect event handler.

**Solution:** Use `signIn()` directly from the AuthKit hook:

```typescript
import { useAuth } from "@workos-inc/authkit-react";

function SignInButton() {
  const { signIn } = useAuth();
  
  return (
    <button
      onClick={() => {
        localStorage.setItem("authReturnPath", window.location.pathname);
        signIn();
      }}
    >
      Sign In
    </button>
  );
}
```

**Do not use:**
- `getSignInUrl()` (deprecated)
- Manual URL construction
- Direct navigation to WorkOS URLs

### Problem 2: Email is undefined in identity

**Symptom:** `ctx.auth.getUserIdentity()` returns user but `identity.email` is undefined.

**Root cause:** WorkOS JWT templates do not include email claim by default.

**Solution:** Configure JWT template in WorkOS Dashboard:

1. Go to WorkOS Dashboard > Authentication > JWT Templates
2. Edit the default template
3. Add claims:

```json
{
  "email": "{{user.email}}",
  "name": "{{user.first_name}} {{user.last_name}}",
  "picture": "{{user.profile_picture_url}}"
}
```

4. Save and redeploy

**Verification:** After fix, identity should include:

```typescript
{
  tokenIdentifier: "https://api.workos.com/user_management/client_xxx|user_yyy",
  subject: "user_yyy",
  issuer: "https://api.workos.com/user_management/client_xxx",
  email: "user@example.com",
  name: "User Name",
  pictureUrl: "https://..."
}
```

### Problem 3: JWT validation fails intermittently

**Symptom:** Authentication works for some users but not others. "Invalid token" errors.

**Root cause:** Only one JWT provider configured. WorkOS issues JWTs from two issuers:
1. SSO: `https://api.workos.com/`
2. User Management: `https://api.workos.com/user_management/{clientId}`

**Solution:** Configure both providers in `convex/auth.config.ts`:

```typescript
const clientId = process.env.WORKOS_CLIENT_ID;

export default {
  providers: [
    {
      type: "customJwt",
      issuer: "https://api.workos.com/",
      algorithm: "RS256",
      applicationID: clientId,
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
    },
    {
      type: "customJwt",
      issuer: `https://api.workos.com/user_management/${clientId}`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
    },
  ],
};
```

Run `npx convex dev` after changing this file.

### Problem 4: Callback redirects before auth completes

**Symptom:** After login, user lands on page showing "not authenticated" briefly.

**Root cause:** Callback component redirects before AuthKit finishes token exchange.

**Solution:** Wait for AuthKit loading state:

```typescript
function AuthCallback() {
  const { isLoading, user, signIn } = useAuth();
  const [authFailed, setAuthFailed] = useState(false);
  const hasAuthCode = useMemo(
    () => new URLSearchParams(window.location.search).has("code"),
    []
  );

  useEffect(() => {
    // Wait for AuthKit to finish
    if (isLoading) {
      return;
    }

    // Only redirect after session established
    if (user) {
      window.location.replace(returnPath);
      return;
    }

    // Auth code present but no user = exchange failed
    if (hasAuthCode) {
      setAuthFailed(true);
      return;
    }

    window.location.replace(returnPath);
  }, [hasAuthCode, isLoading, returnPath, user]);

  return (
    <div>
      {authFailed ? (
        <button onClick={() => signIn()}>Try Again</button>
      ) : (
        <div>Finishing sign in...</div>
      )}
    </div>
  );
}
```

### Problem 5: useConvexAuth returns false after login

**Symptom:** User successfully logs in via WorkOS, but `useConvexAuth()` returns `isAuthenticated: false`.

**Root cause:** Backend not correctly configured to validate tokens.

**Diagnostic steps:**

1. Check `convex/auth.config.ts` exists and has both providers
2. Verify `WORKOS_CLIENT_ID` is set in Convex Dashboard
3. Run `npx convex dev` to deploy config
4. Check browser console for JWT validation errors

**Common causes:**
- Missing `WORKOS_CLIENT_ID` environment variable
- Only one JWT provider configured
- Auth config not deployed after changes

### Problem 6: Admin check returns false for valid admin

**Symptom:** User with `@yourdomain.com` email shows as non-admin.

**Root cause:** Usually Problem 2 (email not in JWT claims).

**Debugging:**

```typescript
// Add logging in your admin check
export const isAdmin = query({
  args: {},
  returns: v.boolean(),
  handler: async (ctx) => {
    const identity = await ctx.auth.getUserIdentity();
    console.log("Identity:", JSON.stringify(identity, null, 2));
    
    if (!identity) {
      console.log("No identity");
      return false;
    }
    
    const email = identity.email;
    console.log("Email:", email);
    
    if (!email) {
      console.log("No email in identity");
      return false;
    }
    
    return email.endsWith("@yourdomain.com");
  },
});
```

Check Convex Dashboard Logs for output.

### Problem 7: Platform not authorized error

**Symptom:**

```
WorkOSPlatformNotAuthorized: Your WorkOS platform API key is not authorized 
to access this team.
```

**Root cause:** WorkOS workspace has been disconnected from Convex.

**Solution:** Reconnect or create new workspace:

```bash
npx convex integration workos disconnect-team
npx convex integration workos provision-team
```

Note: You may need a different email for the new WorkOS workspace.

### Problem 8: Missing aud claim error

**Symptom:** Token validation fails with audience claim error.

**Root cause:** WorkOS JWTs may not include `aud` (audience) claim by default.

**Solution:** Check WorkOS Dashboard JWT configuration:
- Ensure audience claim is set to your Client ID
- Or configure Convex to not require audience validation

## Debug logging

### Frontend logging

```typescript
function DebugAuth() {
  const { user, isLoading } = useAuth();
  const { isAuthenticated, isLoading: convexLoading } = useConvexAuth();
  
  console.log("AuthKit state:", { user, isLoading });
  console.log("Convex state:", { isAuthenticated, convexLoading });
  
  return null;
}
```

### Backend logging

```typescript
export const debugIdentity = query({
  args: {},
  returns: v.any(),
  handler: async (ctx) => {
    const identity = await ctx.auth.getUserIdentity();
    console.log("Full identity:", JSON.stringify(identity, null, 2));
    return identity;
  },
});
```

View logs in Convex Dashboard > Logs.

## Environment variable troubleshooting

### Verify Vite picks up env vars

```typescript
// In your app, temporarily add:
console.log("VITE_WORKOS_CLIENT_ID:", import.meta.env.VITE_WORKOS_CLIENT_ID);
console.log("VITE_WORKOS_REDIRECT_URI:", import.meta.env.VITE_WORKOS_REDIRECT_URI);
```

If undefined:
1. Ensure variables start with `VITE_`
2. Restart dev server after changing `.env.local`
3. Verify `.env.local` is in project root

### Verify Convex picks up env vars

Check Convex Dashboard > Settings > Environment Variables

If `WORKOS_CLIENT_ID` shows error in logs:
1. Click the link in the error
2. Set the value
3. Wait for redeployment

## Production vs development

### Different callback URLs

**Development:**
```
VITE_WORKOS_REDIRECT_URI=http://localhost:5173/callback
```

**Netlify Production:**
```
VITE_WORKOS_REDIRECT_URI=https://yourdomain.netlify.app/components/callback
```

**Custom Domain Production:**
```
VITE_WORKOS_REDIRECT_URI=https://yourdomain.com/callback
```

All callback URLs must be added to WorkOS Dashboard > Redirect URIs.

### Different CORS origins

Add all to WorkOS Dashboard > Sessions > CORS:
- `http://localhost:5173`
- `https://yourdomain.netlify.app`
- `https://yourdomain.com` (if using custom domain)

### Different Convex deployments

Set `WORKOS_CLIENT_ID` separately for:
- Development deployment
- Production deployment

### Netlify specific issues

**MIME type error on Netlify:**

If you see `Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html"`:

1. Ensure `netlify.toml` exists with SPA redirect:
```toml
[[redirects]]
  from = "/*"
  to = "/index.html"
  status = 200
```

2. Ensure `vite.config.ts` uses `base: "/"` for Netlify hosting
3. Clear Netlify cache and redeploy

**Callback not working on Netlify:**

1. Verify redirect URI in `.env.production` matches what's in WorkOS Dashboard
2. Ensure the callback path includes any base path (e.g., `/components/callback`)
3. Check Netlify Functions logs for any errors

## Quick fixes reference

| Symptom | Quick fix |
|---------|-----------|
| Sign in does nothing | Use `signIn()` not `getSignInUrl()` |
| Email undefined | Configure JWT template in WorkOS |
| Intermittent failures | Add both JWT providers |
| Callback timing | Wait for `isLoading` to be false |
| Admin check fails | Check email claim in JWT template |
| Platform error | Reconnect WorkOS workspace |

## When to escalate

If none of these solutions work:

1. Check Convex Discord for similar issues
2. Check WorkOS documentation updates
3. Review recent changes to auth config
4. Test with minimal reproduction

## Source links

- Troubleshooting guide: https://docs.convex.dev/auth/authkit/troubleshooting
- Convex debugging auth: https://docs.convex.dev/auth/debug
- WorkOS JWT templates: https://workos.com/docs/authentication/jwt-templates
- Convex auth functions: https://docs.convex.dev/auth/functions-auth
- WorkOS API reference: https://workos.com/docs/reference

Related Skills

workos-convex-auth

from get-convex/components-submissions-directory

Set up and configure WorkOS AuthKit authentication with Convex backend. Use when integrating AuthKit, configuring JWT providers, setting up environment variables, or implementing sign in and sign out flows with React and Vite. Supports Netlify deployment.

convex-scale-optimization

from get-convex/components-submissions-directory

Patterns for scaling read-heavy Convex apps to millions of users. Use when optimizing bandwidth, reducing query costs, fixing slow queries, creating digest tables, replacing reactive subscriptions with one-shot fetches, adding compound indexes, debouncing writes, rate-controlling backfills, or running npx convex insights. Trigger when users mention "scale", "bandwidth", "performance", "optimize", "slow queries", "expensive queries", "digest table", "denormalize", or "thundering herd" in the context of Convex.

convex-design-system

from get-convex/components-submissions-directory

Convex UI component patterns from the live Storybook preview. Use when building React components, forms, modals, navigation, feedback states, or app layouts that should match the current Convex design system. Applies to both shared primitives and dashboard style product UI.

convex-self-hosting

from get-convex/components-submissions-directory

Integrate Convex static self hosting into existing apps using the latest upstream instructions from get-convex/self-hosting every time. Use when setting up upload APIs, HTTP routes, deployment scripts, migration from external hosting, or troubleshooting static deploy issues across React, Vite, Next.js, and other frontends.

convex-return-validators

from get-convex/components-submissions-directory

Guide for when to use and when not to use return validators in Convex functions. Use this skill whenever the user is writing Convex queries, mutations, or actions and needs guidance on return value validation. Also trigger when the user asks about Convex type safety, runtime validation, AI-generated Convex code, Convex AI rules, Convex security best practices, or when they're debugging return type issues in Convex functions. Trigger this skill when users mention "validators", "returns", "return type", or "exact types" in the context of Convex development. Also trigger when writing or reviewing Convex AI rules or prompts that instruct LLMs how to write Convex code.

convex-doctor

from get-convex/components-submissions-directory

Static analysis checklist for Convex backends covering 72 rules across security, performance, correctness, schema, architecture, configuration, and client-side patterns. Use when writing, reviewing, or auditing Convex code. Trigger on mentions of "convex-doctor", "health score", "static analysis", "anti-patterns", "audit convex", or before shipping backend changes.

convex

from get-convex/components-submissions-directory

Routes general Convex requests to the right project skill. Use when the user asks which Convex skill to use or gives an underspecified Convex app task.

convex-setup-auth

from get-convex/components-submissions-directory

Sets up Convex auth, identity mapping, and access control. Use for login, auth providers, users tables, protected functions, or roles in a Convex app.

convex-quickstart

from get-convex/components-submissions-directory

Creates or adds Convex to an app. Use for new Convex projects, npm create convex@latest, frontend setup, env vars, or the first npx convex dev run.

convex-performance-audit

from get-convex/components-submissions-directory

Audits Convex performance for reads, subscriptions, write contention, and function limits. Use for slow features, insights findings, OCC conflicts, or read amplification.

convex-migration-helper

from get-convex/components-submissions-directory

Plans Convex schema and data migrations with widen-migrate-narrow and @convex-dev/migrations. Use for breaking schema changes, backfills, table reshaping, or zero-downtime rollouts.

convex-create-component

from get-convex/components-submissions-directory

Builds reusable Convex components with isolated tables and app-facing APIs. Use for new components, reusable backend modules, integrations, or component boundary work.