convex-setup-auth
get-convex/agent-skills
Set up secure authentication in Convex with user management and access control.
What is convex-setup-auth?
Implements authentication, identity mapping, and access control for Convex apps. Use this when setting up login, auth providers, user management, protected functions, or roles. Supports Convex Auth, Clerk, WorkOS AuthKit, Auth0, and custom JWT providers.
- Guides selection of the right auth provider for your Convex app
- Sets up authentication in Convex functions using ctx.auth.getUserIdentity()
- Implements user management and identity mapping in the Convex database
- Creates protected backend functions with proper server-side identity verification
- Configures auth providers (Convex Auth, Clerk, WorkOS AuthKit, Auth0, custom JWT)
- Establishes authorization patterns for ownership, roles, and team access
How to install convex-setup-auth
npx skills add https://github.com/get-convex/agent-skills --skill convex-setup-auth- A Convex project already initialized
- Decision on which auth provider to use (Convex Auth, Clerk, WorkOS AuthKit, Auth0, or custom JWT)
How to use convex-setup-auth
- 1.Determine which auth provider your app needs or already uses
- 2.Read the official docs for your chosen provider and the matching local reference file (convex-auth.md, clerk.md, workos-authkit.md, or auth0.md)
- 3.Follow the provider's setup instructions for package installation and environment variables
- 4.Configure convex/auth.config.ts according to your provider's reference guide
- 5.Wire up the auth provider on the client side for your framework (React, Vite, Next.js)
- 6.Implement authentication checks in protected backend functions using ctx.auth.getUserIdentity()
- 7.Add app-level user storage (users table) only if your app actually requires it
- 8.Test login, logout, and protected function access to verify the setup
Use cases
- Setting up authentication for a new Convex app from scratch
- Implementing a users table and identity mapping for user management
- Creating protected queries and mutations that verify the caller's identity
- Integrating an existing auth provider (Clerk, Auth0, etc.) with Convex backend
- Adding role-based or team-based access control to backend functions
- Full-stack developers building Convex apps with authentication
- Backend engineers implementing secure user identity verification
- Teams migrating to Convex from other backends with existing auth systems
- Developers integrating third-party auth providers with Convex
convex-setup-auth FAQ
Check your repo for existing dependencies (@clerk/*, @workos-inc/*, @auth0/*) or auth files. If none exist, Convex Auth is a good default. Clerk is best if you want hosted auth features. WorkOS AuthKit and Auth0 are for existing integrations. Ask the user if the repo doesn't make it obvious.
Only if your app actually needs to store user documents in Convex. Not every app requires a users table. For Convex Auth, follow the official docs which manage user records internally. For third-party providers, add app-level user storage only if your app requirements call for it.
Use ctx.auth.getUserIdentity() to verify the caller's identity server-side. Never trust client-provided user IDs. Check that identity exists and matches the resource being accessed before returning data.
If the provider is fully set up and you only need a one-line fix, this skill may not be necessary. This skill is for initial setup, user management, or significant auth changes. For minor fixes, consult the provider's documentation directly.
After local setup, follow your provider's production configuration steps (API keys, domain setup, etc.). Verify environment variables are set correctly in your production deployment. Test the real sign-up and sign-in flow in production before going live.
Full instructions (SKILL.md)
Source of truth, from get-convex/agent-skills.
name: convex-setup-auth description: Sets up Convex auth, identity mapping, and access control. Use for login, auth providers, users tables, protected functions, or roles in a Convex app.
Convex Authentication Setup
Implement secure authentication in Convex with user management and access control.
When to Use
- Setting up authentication for the first time
- Implementing user management (users table, identity mapping)
- Creating authentication helper functions
- Setting up auth providers (Convex Auth, Clerk, WorkOS AuthKit, Auth0, custom JWT)
When Not to Use
- Auth for a non-Convex backend
- Pure OAuth/OIDC documentation without a Convex implementation
- Debugging unrelated bugs that happen to surface near auth code
- The auth provider is already fully configured and the user only needs a one-line fix
First Step: Choose the Auth Provider
Convex supports multiple authentication approaches. Do not assume a provider.
Before writing setup code:
- Ask the user which auth solution they want, unless the repository already makes it obvious
- If the repo already uses a provider, continue with that provider unless the user wants to switch
- If the user has not chosen a provider and the repo does not make it obvious, ask before proceeding
Common options:
- Convex Auth - good default when the user wants auth handled directly in Convex
- Clerk - use when the app already uses Clerk or the user wants Clerk's hosted auth features
- WorkOS AuthKit - use when the app already uses WorkOS or the user wants AuthKit specifically
- Auth0 - use when the app already uses Auth0
- Custom JWT provider - use when integrating an existing auth system not covered above
Look for signals in the repo before asking:
- Dependencies such as
@clerk/*,@workos-inc/*,@auth0/*, or Convex Auth packages - Existing files such as
convex/auth.config.ts, auth middleware, provider wrappers, or login components - Environment variables that clearly point at a provider
After Choosing a Provider
Read the provider's official guide and the matching local reference file:
- Convex Auth: official docs, then
references/convex-auth.md - Clerk: official docs, then
references/clerk.md - WorkOS AuthKit: official docs, then
references/workos-authkit.md - Auth0: official docs, then
references/auth0.md
The local reference files contain the concrete workflow, expected files and env vars, gotchas, and validation checks.
Use those sources for:
- package installation
- client provider wiring
- environment variables
convex/auth.config.tssetup- login and logout UI patterns
- framework-specific setup for React, Vite, or Next.js
For shared auth behavior, use the official Convex docs as the source of truth:
- Auth in Functions for
ctx.auth.getUserIdentity() - Storing Users in the Convex Database for optional app-level user storage
- Authentication for general auth and authorization guidance
- Convex Auth Authorization when the provider is Convex Auth
Prefer official docs over recalled steps, because provider CLIs and Convex Auth
internals change between versions. Inventing setup from memory risks outdated
patterns. For third-party providers, only add app-level user storage if the app
actually needs user documents in Convex. Not every app needs a users table.
For Convex Auth, follow the Convex Auth docs and built-in auth tables rather
than adding a parallel users table plus storeUser flow, because Convex Auth
already manages user records internally. After running provider initialization
commands, verify generated files and complete the post-init wiring steps the
provider reference calls out. Initialization commands rarely finish the entire
integration.
Core Pattern: Protecting Backend Functions
The most common auth task is checking identity in Convex functions.
// Bad: trusting a client-provided userId
export const getMyProfile = query({
args: { userId: v.id("users") },
handler: async (ctx, args) => {
return await ctx.db.get(args.userId);
},
});
// Good: verifying identity server-side
export const getMyProfile = query({
args: {},
handler: async (ctx) => {
const identity = await ctx.auth.getUserIdentity();
if (!identity) throw new Error("Not authenticated");
return await ctx.db
.query("users")
.withIndex("by_tokenIdentifier", (q) =>
q.eq("tokenIdentifier", identity.tokenIdentifier),
)
.unique();
},
});
Workflow
- Determine the provider, either by asking the user or inferring from the repo
- Ask whether the user wants local-only setup or production-ready setup now
- Read the matching provider reference file
- Follow the official provider docs for current setup details
- Follow the official Convex docs for shared backend auth behavior, user storage, and authorization patterns
- Only add app-level user storage if the docs and app requirements call for it
- Add authorization checks for ownership, roles, or team access only where the app needs them
- Verify login state, protected queries, environment variables, and production configuration if requested
If the flow blocks on interactive provider or deployment setup, ask the user explicitly for the exact human step needed, then continue after they complete it. For UI-facing auth flows, offer to validate the real sign-up or sign-in flow after setup is done. If the environment has browser automation tools, you can use them. If it does not, give the user a short manual validation checklist instead.
Reference Files
Provider References
references/convex-auth.mdreferences/clerk.mdreferences/workos-authkit.mdreferences/auth0.md
Checklist
- Chosen the correct auth provider before writing setup code
- Read the relevant provider reference file
- Asked whether the user wants local-only setup or production-ready setup
- Used the official provider docs for provider-specific wiring
- Used the official Convex docs for shared auth behavior and authorization patterns
- Only added app-level user storage if the app actually needs it
- Did not invent a cross-provider
userstable orstoreUserflow for Convex Auth - Added authentication checks in protected backend functions
- Added authorization checks where the app actually needs them
- Clear error messages ("Not authenticated", "Unauthorized")
- Client auth provider configured for the chosen provider
- If requested, production auth setup is covered too
Related skills
More from get-convex/agent-skills and the wider catalog.
convex-quickstart
Set up a working Convex backend and frontend in minutes, from scratch or in an existing app.
convex-performance-audit
Diagnose and fix Convex performance issues: reads, subscriptions, write contention, and function limits.
convex-migration-helper
Plan and execute safe Convex schema migrations with widen-migrate-narrow pattern and batched data backfills.
convex-create-component
Create reusable Convex components with isolated tables and app-facing APIs.
convex
Routes Convex requests to the right specialized skill or guidance.