DiscordSign up
SKILLS.SH

convex-setup-auth

Set up Convex authentication with the right provider, user management, and access control patterns. Supports multiple auth providers: Convex Auth, Clerk, WorkOS AuthKit, Auth0, and custom JWT, with provider detection from repo signals Guides you through choosing a provider, configuring client and backend wiring, environment variables, and convex/auth.config.ts setup Covers authentication checks in protected functions, optional app-level user storage, and authorization patterns for ownership and roles Includes reference files for each provider with concrete workflows, expected files, gotchas, and validation steps

INSTALLATION
npx skills add https://github.com/get-convex/agent-skills --skill convex-setup-auth
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Convex Authentication Setup

Implement secure authentication in Convex with user management and access

control.

When to Use

  • Setting up authentication for the first time
  • Implementing user management (users table, identity mapping)
  • Creating authentication helper functions
  • Setting up auth providers (Convex Auth, Clerk, WorkOS AuthKit, Auth0, custom

JWT)

When Not to Use

  • Auth for a non-Convex backend
  • Pure OAuth/OIDC documentation without a Convex implementation
  • Debugging unrelated bugs that happen to surface near auth code
  • The auth provider is already fully configured and the user only needs a

one-line fix

First Step: Choose the Auth Provider

Convex supports multiple authentication approaches. Do not assume a provider.

Before writing setup code:

  • Ask the user which auth solution they want, unless the repository already

makes it obvious

  • If the repo already uses a provider, continue with that provider unless the

user wants to switch

  • If the user has not chosen a provider and the repo does not make it obvious,

ask before proceeding

Common options:

the user wants auth handled directly in Convex

  • Clerk - use when the app already uses

Clerk or the user wants Clerk's hosted auth features

already uses WorkOS or the user wants AuthKit specifically

  • Auth0 - use when the app already uses

Auth0

  • Custom JWT provider - use when integrating an existing auth system not covered

above

Look for signals in the repo before asking:

  • Dependencies such as @clerk/*, @workos-inc/*, @auth0/*, or Convex Auth

packages

  • Existing files such as convex/auth.config.ts, auth middleware, provider

wrappers, or login components

  • Environment variables that clearly point at a provider

After Choosing a Provider

Read the provider's official guide and the matching local reference file:

references/convex-auth.md

references/clerk.md

references/workos-authkit.md

references/auth0.md

The local reference files contain the concrete workflow, expected files and env

vars, gotchas, and validation checks.

Use those sources for:

  • package installation
  • client provider wiring
  • environment variables
  • convex/auth.config.ts setup
  • login and logout UI patterns
  • framework-specific setup for React, Vite, or Next.js

For shared auth behavior, use the official Convex docs as the source of truth:

ctx.auth.getUserIdentity()

for optional app-level user storage

authorization guidance

provider is Convex Auth

Prefer official docs over recalled steps, because provider CLIs and Convex Auth

internals change between versions. Inventing setup from memory risks outdated

patterns. For third-party providers, only add app-level user storage if the app

actually needs user documents in Convex. Not every app needs a users table.

For Convex Auth, follow the Convex Auth docs and built-in auth tables rather

than adding a parallel users table plus storeUser flow, because Convex Auth

already manages user records internally. After running provider initialization

commands, verify generated files and complete the post-init wiring steps the

provider reference calls out. Initialization commands rarely finish the entire

integration.

Core Pattern: Protecting Backend Functions

The most common auth task is checking identity in Convex functions.

// Bad: trusting a client-provided userId

export const getMyProfile = query({

  args: { userId: v.id("users") },

  handler: async (ctx, args) => {

    return await ctx.db.get(args.userId);

  },

});
// Good: verifying identity server-side

export const getMyProfile = query({

  args: {},

  handler: async (ctx) => {

    const identity = await ctx.auth.getUserIdentity();

    if (!identity) throw new Error("Not authenticated");

    return await ctx.db

      .query("users")

      .withIndex("by_tokenIdentifier", (q) =>

        q.eq("tokenIdentifier", identity.tokenIdentifier),

      )

      .unique();

  },

});

Workflow

  • Determine the provider, either by asking the user or inferring from the repo
  • Ask whether the user wants local-only setup or production-ready setup now
  • Read the matching provider reference file
  • Follow the official provider docs for current setup details
  • Follow the official Convex docs for shared backend auth behavior, user

storage, and authorization patterns

  • Only add app-level user storage if the docs and app requirements call for it
  • Add authorization checks for ownership, roles, or team access only where the

app needs them

  • Verify login state, protected queries, environment variables, and production

configuration if requested

If the flow blocks on interactive provider or deployment setup, ask the user

explicitly for the exact human step needed, then continue after they complete

it. For UI-facing auth flows, offer to validate the real sign-up or sign-in flow

after setup is done. If the environment has browser automation tools, you can

use them. If it does not, give the user a short manual validation checklist

instead.

Reference Files

Provider References

  • references/convex-auth.md
  • references/clerk.md
  • references/workos-authkit.md
  • references/auth0.md

Checklist

  • Chosen the correct auth provider before writing setup code
  • Read the relevant provider reference file
  • Asked whether the user wants local-only setup or production-ready setup
  • Used the official provider docs for provider-specific wiring
  • Used the official Convex docs for shared auth behavior and authorization

patterns

  • Only added app-level user storage if the app actually needs it
  • Did not invent a cross-provider users table or storeUser flow for

Convex Auth

  • Added authentication checks in protected backend functions
  • Added authorization checks where the app actually needs them
  • Clear error messages ("Not authenticated", "Unauthorized")
  • Client auth provider configured for the chosen provider
  • If requested, production auth setup is covered too
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card