Authorization header in HTTP endpoints
We are using Convex for the backend, and we are exposing a couple of http endpoints. We need to be able to support sending the Authorization header (in the format of Authorization: Bearer <api token>) to our backend. We did not have any success with sending/extracting the <api token> header in our backend. Please see the below code snippet; the authHeader is null.
Is there any way to enable sending the auth header in a request?
14 Replies
What you're describing sounds like it should work, and nothing jumps out to me from looking at the code snippets. We support setting Authorization: Bearer <token>, where <token> is a JWT-encoded OpenID Connect identity token. This should populate auth.getUserIdentity() in the httpEndpoint with the appropriate user (and also the header should not be null).
Is this what you're trying to do? Are you able to set and read other headers from your HTTP endpoints?
The API token is something that we manage; they are the API keys that we generate and give to the end user to access our application.
@samira.barouti are you able to get the User-Agent header, for example?
That I am able to get:
On a side note: we are using clerk for auth for actions/mutations/etc.
Can you print the request as it is sent from your Python script using requests, to confirm the Authorization header is there?
I think currently we only support sending something like a Clerk token in the Authorization header for an HTTP endpoint. As a workaround, using another header name for this API token should hopefully unblock you?
@ballingt to follow up on this. If I make a request like:
curl -X POST https://hearty-crocodile-ABC.convex.site/test -d '{"name": "bob"}' -H "Content-Type: application/json" -H "X-API-key: apikeyvalue"
my http endpoint gets the request and I can process it. If I call:
curl -X POST https://hearty-crocodile-ABC.convex.site/test -d '{"name": "bob"}' -H "Content-Type: application/json" -H "Authorization: Bearer apikeyvalue"
I get:
{"code":"InvalidHeader","message":"Invalid Authorization header"}%
and my http endpoint never gets the request
Ah ok, that makes sense
@sshader unfortunately this does not unblock us since some of our users are using clients that can only set the bearer token (we don't always control the client library, just the api endpoint)
there might have been some misunderstanding during an earlier conversation that led us to believe that if we used an http endpoint we could be in control of the authorization but I don't think we explicitly said we'd need to use bearer tokens.
Yeah -- Convex is currently special casing the Authorization header, which means we're not supporting your use case of passing the api key in the Authorization header (but would allow any other header name as your example demonstrates).
Your use case seems pretty reasonable, so we're brainstorming on our end some ways to support this.
thanks, makes sense. Auth is always a challenge!
After discussing internally, we are confident we can make this work, and that allowing the Authorization header to pass through is the right behavior. Will follow up when it's live.
ok, thanks!
@tylerkohn @samira.barouti you should be able to pass Authorization: Bearer blah in the header and have it pass through. Thanks for your patience!
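
An added example, not part of the thread and not Convex's own code: once the Authorization header reaches the endpoint, the handler still has to parse the Bearer value and check it against the API keys the application issued. The function names and the sample key table are assumptions; the header value is assumed to come from request.headers.get("Authorization") on the request object the endpoint receives.

```javascript
// Added example: not code from this thread or from Convex.
// Constructed sample data: API key -> owner. The key value is the placeholder
// used in the curl commands above; real keys would come from storage.
const SAMPLE_API_KEYS = new Map([["apikeyvalue", "customer-123"]]);

// Pull the credential out of an "Authorization: Bearer <token>" header value.
// Returns null if the header is missing, uses another scheme, or is malformed.
function parseBearer(authHeader) {
  if (typeof authHeader !== "string") return null;
  // Scheme names are case-insensitive; the token uses the RFC 6750 b64token charset.
  const match = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(authHeader.trim());
  return match ? match[1] : null;
}

// Compare two strings without exiting at the first differing character,
// so the loop length does not depend on how much of a guessed key matched.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Decide what the endpoint should do with a request's Authorization value.
function authenticate(authHeader, keys = SAMPLE_API_KEYS) {
  const token = parseBearer(authHeader);
  if (token === null) {
    return { status: 401, owner: null, error: "missing_or_malformed_header" };
  }
  let owner = null;
  for (const [key, who] of keys) {
    // Check every key rather than returning on the first match.
    if (constantTimeEqual(token, key)) owner = who;
  }
  return owner === null
    ? { status: 401, owner: null, error: "invalid_token" }
    : { status: 200, owner, error: null };
}
```

Storing only a hash of each issued key and comparing hashes would avoid keeping the raw keys server-side; the plain-text table here keeps the example short.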