Authentication
Authentication allows you to identify users and restrict what data they can see and edit.
Convex is compatible with most authentication providers because it uses OpenID Connect (based on OAuth) ID tokens in the form of JWTs to authenticate WebSocket connections or RPCs. These JWTs can be provided by any service implementing the appropriate OAuth endpoints to verify them, including your own Convex backend.
Third-party authentication platforms
Leveraging a Convex integration with a third-party auth provider provides the most comprehensive authentication solutions. Integrating another service provides a ton of functionality like passkeys, two-factor auth, spam protection, and more on top of the authentication basics.
- Clerk is newer and has better Next.js and React Native support
- Auth0 is more established with more bells and whistles
- Custom Auth Integration allow any OpenID Connect-compatible identity provider to be used for authentication
After you integrate one of these, learn more about accessing authentication information in Functions and storing user information in the Database.
Convex Auth
For client-side React and React Native mobile apps you can implement auth directly in Convex with the Convex Auth library. This npm package runs on your Convex deployment and helps you build a custom sign-up/sign-in flow via social identity providers, one-time email or SMS access codes, or via passwords.
Convex Auth is in beta (it isn't complete and may change in backward-incompatible ways) and doesn't provide as many features as third party auth integrations. Since it doesn't require signing up for another service it's the quickest way to get auth up and running.
Convex Auth is currently a beta feature. If you have feedback or feature requests, let us know on Discord!
Support for Next.js is under active development. If you'd like to help test this experimental support please give it a try!
Debugging
If you run into issues consult the Debugging guide.
Service Authentication
Servers you control or third party services can call Convex functions but may not be able to obtain OpenID JWTs and often do not represent the actions of a specific user.
Say you're running some inference on a Modal server written in Python. When that server subscribes to a Convex query it doesn't do so with credentials of a particular end-user, rather it's looking for relevant tasks for any users that need that inference task, say summarizing and translating a conversation, completed.
To provide access to Convex queries, mutations, and actions to an external service you can write public functions accessible to the internet that check a shared secret, for example from an environment variable, before doing anything else.
