Description
The auth.config.ts provided in this template does not seem to work with @workos/authkit-tanstack-react-start version 0.4.x. The JWT tokens issued by the newer version of the WorkOS AuthKit library have a different format than what the Convex auth config expects.
Environment
- @workos/authkit-tanstack-react-start: 0.4.1 (template uses 0.1.0)
- Convex: latest
- TanStack Start: v1.x
Steps to Reproduce
- Clone the template
- Update @workos/authkit-tanstack-react-start to 0.4.1 (or install fresh with latest)
- Configure WorkOS credentials
- Attempt to access an authenticated Convex query
Expected Behavior
Convex should validate the JWT token from WorkOS and ctx.auth.getUserIdentity() should return the user identity.
Actual Behavior
Convex returns null for ctx.auth.getUserIdentity() and the following error appears:
{
  "code": "NoAuthProvider",
  "message": "No auth provider found matching the given token. Check that your JWT's issuer and audience match one of your configured providers: [CustomJWT(issuer=https://api.workos.com/user_management/client_XXXX, app_id=none), CustomJWT(issuer=https://api.workos.com/, app_id=client_XXXX)]"
}
Root Cause Analysis
I decoded the JWT token issued by WorkOS AuthKit v0.4.1 and found:
{
  "iss": "https://api.workos.com",
  "sub": "user_XXXX",
  "sid": "session_XXXX",
  "jti": "XXXX",
  "exp": 1768067540,
  "iat": 1768067240
}
Key observations:
- The iss claim is https://api.workos.com (NO trailing slash)
- There is NO aud claim in the token
The template's auth.config.ts expects:
providers: [
  {
    type: 'customJwt',
    issuer: 'https://api.workos.com/', // WITH trailing slash
    applicationID: clientId, // Expects 'aud' claim
    // ...
  },
  {
    type: 'customJwt',
    issuer: `https://api.workos.com/user_management/${clientId}`, // Different path
    // ...
  },
]
Neither provider matches because:
- First provider: Issuer has trailing slash (https://api.workos.com/ vs https://api.workos.com) AND expects an aud claim which doesn't exist
- Second provider: Issuer path is completely different (/user_management/... vs root)
Attempted Fixes
- Removing the trailing slash from issuer: Convex rejects the config with error:
  This auth configuration appears potentially insecure: Provider at index 0 has an issuer that is shared among many applications, so must specify an ApplicationID to check against an 'aud' field of a JWT.
- Removing applicationID: Same security error as above.
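A diagnostic for the mismatch reported above, added here as an example and not part of the original issue, the template, Convex, or WorkOS. It assumes a provider matches only when `issuer` equals the token's `iss` exactly and, when `applicationID` is set, that value appears in `aud`; the helper names, the token header, and the placeholder signature are constructed for illustration.

```javascript
// Added diagnostic example; not code from the template, Convex, or WorkOS.
// Assumption: a provider matches only when `issuer` equals the token's `iss`
// exactly and, if `applicationID` is set, that value appears in `aud`.

// Decode the payload segment WITHOUT verifying the signature (diagnostics only).
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Return, per provider, the reasons it would not match the given claims.
function explainProviderMatch(claims, providers) {
  return providers.map((p, index) => {
    const reasons = [];
    if (claims.iss !== p.issuer) {
      const slashOnly =
        typeof claims.iss === 'string' &&
        claims.iss.replace(/\/+$/, '') === p.issuer.replace(/\/+$/, '');
      reasons.push(slashOnly ? 'issuer differs only by trailing slash' : 'issuer differs');
    }
    if (p.applicationID !== undefined) {
      const aud = claims.aud === undefined ? [] : [].concat(claims.aud);
      if (aud.length === 0) reasons.push('token has no aud claim');
      else if (!aud.includes(p.applicationID)) reasons.push('aud does not include applicationID');
    }
    return { index, issuer: p.issuer, matches: reasons.length === 0, reasons };
  });
}

// Constructed sample: claims copied from the issue, placeholder header and signature.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleToken = [
  b64({ alg: 'RS256', typ: 'JWT' }),
  b64({ iss: 'https://api.workos.com', sub: 'user_XXXX', sid: 'session_XXXX',
        jti: 'XXXX', exp: 1768067540, iat: 1768067240 }),
  'signature-placeholder',
].join('.');

const clientId = 'client_XXXX'; // placeholder, as redacted in the issue
const providers = [
  { type: 'customJwt', issuer: 'https://api.workos.com/', applicationID: clientId },
  { type: 'customJwt', issuer: `https://api.workos.com/user_management/${clientId}` },
];

const report = explainProviderMatch(decodeJwtClaims(sampleToken), providers);
console.log(JSON.stringify(report, null, 2));
```

The decoder skips signature verification, so use it only to inspect claims while debugging, never to make an authorization decision.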