WorkOS AuthKit + Convex Playbook
Canonical Doc
Primary reference: references/playbook.md.
If you are working inside this repo, the same content is mirrored at docs/workos-convex-authkit-playbook.md for humans.
Workflow (Fast Triage)
- •Repro in the browser.
- •Prefer lower envs (dev/preview) with real AuthKit accounts instead of any auth bypass.
- •Open
/admin/auth-debug.- •Goal: disambiguate WorkOS session vs WorkOS token vs Convex token acceptance.
- •Map the symptom to the known failure modes below.
- •Validate with real CLI signals (Convex logs + a
convex run) before calling it fixed.
Decision Tree
- •If WorkOS
userisnull:- •Check
apps/web/src/proxy.tsroute protection/redirects and that/callbackmatches the configured redirect URI. - •Confirm
WORKOS_COOKIE_PASSWORDis set and sufficiently long.
- •Check
- •If WorkOS
userexists but token hook errors / token loading flaps:- •Inspect
/admin/auth-debugtoken hookerror. - •Check Vercel logs for WorkOS refresh errors (429 /
invalid_grant). - •Audit
apps/web/src/components/providers.tsx: do not force refresh in a retry loop; prefergetAccessToken().
- •Inspect
- •If WorkOS token fetch succeeds but Convex is
authenticated: false:- •Decode JWT claims (Auth Debug page shows them).
- •Verify
issandaudalign withpackages/backend/convex/auth.config.ts. - •Confirm
WORKOS_CLIENT_IDis set for the Convex deployment env (JWKS URL depends on it).
- •If preview login fails with
redirect-uri-invalid:- •WorkOS redirect URIs are exact-match.
- •Ensure preview config uses the canonical deployment domain:
- •
packages/backend/convex.jsonpreview usesbuildEnv.VERCEL_URL. - •
apps/web/src/proxy.tsuseshttps://${VERCEL_URL}for previews.
- •
- •If users are “randomly” logged out:
- •Look for background
GET /sign-outin HAR/network. - •If present, fix UI to avoid prefetch-triggered side effects:
- •
apps/web/src/components/header.tsxsetsprefetch={false}on the sign-out link.
- •
- •Look for background
Commands (Copy/Paste)
bash
# Local web
cd apps/web
bun run dev
# Local convex
cd packages/backend
bun run dev:setup
# Prod debugging
npx convex logs --prod --tail
npx convex run --prod tpwdAdmin:listPlans '{}'
Test Accounts (Lower Envs)
- •Preferred: create AuthKit email+password users in dev/preview using throwaway inboxes.
- •Use
tmp/authkit_test_accounts.json(gitignored) as the repeatable source for the current machine’s test credentials. - •For inboxing, use Maildrop or plus-addressing (see
docs/workos-convex-authkit-playbook.md).