alizaraket 3mo ago

Authenticating HTTP API

Calling mutations and queries created on a Convex project using the HTTP API (mydomain.convex.cloud/api/query). I want to secure this endpoint on my Convex project using CORS to allow only my main application to talk with Convex. Right now, if I called this endpoint and specified a query or mutation name in the body, I would be able to call it and get back results. I already checked the authentication part of the Convex docs, but what I need is for only my app to call this API. So adding a constant bearer token on my main app is kinda useless. Can anyone please help with this?
2 Replies
Convex Bot 3mo ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!
sshader 3mo ago
convex.cloud/api/query will always be public from all domains (think of it as Convex's public HTTP API for interacting with your functions).

If you want an HTTP API with CORS headers that are scoped to just your application (like your own public API), you can create HTTP actions (https://docs.convex.dev/functions/http-actions).

If you want to define functions that are only callable by other Convex functions, you want internal functions (https://docs.convex.dev/functions/internal-functions).

If you're looking to just generally lock down public functions, you probably want to put them behind some form of auth (https://docs.convex.dev/auth) and rely on that to prevent potentially malicious traffic vs. restricting it just to requests originating from your frontend domain.

If you want to share more about what your end goal is with securing your endpoints, happy to help more.
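The difference between origin-scoped CORS headers and auth in the reply above, as an added example that is not part of the thread and is not Convex's own code. It assumes plain-object request/response shapes in place of the Fetch API objects an HTTP action receives, and uses a constructed origin and a constructed token table in place of a real auth provider.

```typescript
// Added example. Req/Res are hypothetical stand-ins for Request/Response;
// header names are assumed to be lowercased by the caller.
type Req = { method: string; headers: Record<string, string> };
type Res = { status: number; headers: Record<string, string>; body: string };

const ALLOWED_ORIGIN = "https://app.example.com"; // constructed value

// Constructed stand-in for per-user token validation by an auth provider.
const SESSIONS = new Map<string, string>([["tok-alice", "alice"]]);

function identityFromRequest(req: Req): string | null {
  const auth = req.headers["authorization"] ?? "";
  if (!auth.startsWith("Bearer ")) return null;
  return SESSIONS.get(auth.slice("Bearer ".length)) ?? null;
}

function corsHeaders(req: Req): Record<string, string> {
  // Exact match only: never reflect the caller's Origin and never use "*".
  const h: Record<string, string> = { Vary: "Origin" };
  if (req.headers["origin"] === ALLOWED_ORIGIN) {
    h["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN;
    h["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
  }
  return h;
}

function handle(req: Req): Res {
  const headers = corsHeaders(req);
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" }; // preflight

  // CORS only tells a browser whether page script may read the response.
  // The handler still runs for any client, and the Origin header is supplied
  // by the client, so the access decision rests on the caller's identity.
  const user = identityFromRequest(req);
  if (user === null) return { status: 401, headers, body: "unauthenticated" };
  return { status: 200, headers, body: `messages for ${user}` };
}
```

Inside a Convex function the identity check would come from the configured auth provider via `ctx.auth.getUserIdentity()` instead of the token table used here.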
