sbkl
sbklโ€ข10mo ago

convex auth session across subdomains

Is there a way to make a convex auth session valid across subdomains of a same domain like it is for clerk by default?
12 Replies
Convex Bot
Convex Botโ€ข10mo ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets. - Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.) - Use search.convex.dev to search Docs, Stack, and Discord all at once. - Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI. - Avoid tagging staff unless specifically instructed. Thank you!
ballingt
ballingtโ€ข10mo ago
Could you file this as an issue at https://github.com/get-convex/convex-auth? Sure it's possible, it's just about what domain is used on the cookie in cookie situat cookie is written to. Or for localstorage, this gets more complicated. Would be helpful to hear more about your use case. Also @sbkl consider using Clerk instead, they do a great job! Convex Auth is convenient because it's one less thing to sign up for but Clerk is hard to beat for all these features.
sbkl
sbklOPโ€ข10mo ago
The use case is to provide a custom subdomain or domain feature in a multi-tenant app. Using vercel for this. Created an issue. Clerk is definitely a great product but I am at the beginning of the project and want to keep it simple. So if I can do it with convex-auth, I've got the current need pretty well covered.
ari
ariโ€ข5mo ago
@ballingt did this ever get resolved, I'm attempting to do the same thing and running into trickiness... Architecture: - Main marketing app at website.com handles unified authentication - 8 separate Next.js apps on subdomains: app.website.com, admin.website.com, work.website.com, etc. - All apps share the same Convex backend instance - Users authenticate once on main domain, should access all subdomains without re-auth Current Flow: 1. User visits app.website.com/dashboard 2. Consumer app middleware redirects to website.com/login 3. User authenticates with Google OAuth via Convex Auth 4. Marketing app redirects to app.website.com/dashboard 5. Problem: Consumer app middleware shows isAuthenticated: false and redirects back to login (infinite loop) Investigation Results: - Cookie convex-auth exists with domain .website.com โœ… - Cookie is accessible on subdomain โœ… - BUT cookie has no value when read on subdomain โŒ - Logs show: allCookies: [ { name: 'convex-auth', hasValue: false } ] Code Setup: // Both apps use convexAuthNextjsMiddleware const isAuthenticated = await convexAuth.isAuthenticated(); // false on subdomain Question: Is there a way to make Convex Auth sessions work across subdomains? I found issue #162 where @thomasballinger mentioned "wouldn't be hard to make work for cookies" but no solution was provided. Environment: - Next.js 14 - @convex-dev/auth latest - Production deployment on Vercel - Verified all apps use same NEXT_PUBLIC_CONVEX_URL Any guidance on subdomain auth or workarounds would be greatly appreciated!
Luke ๐Ÿ‡ฌ๐Ÿ‡ง
Luke ๐Ÿ‡ฌ๐Ÿ‡งโ€ข2mo ago
@ballingt Also jumping in here to ask for a follow-up. Some guidance in the docs regarding setting the cookie for domain wide sharing would be great. @laudu @ari @sbkl @ballingt Disclaimer: I'm NOT Convex Staff but I think I have found a potential solution... The Problem Convex Auth uses localStorage by default to store authentication tokens. This doesn't work across subdomains because each subdomain has isolated localStorage: - Logging in at app.example.com stores tokens in that origin's localStorage - Navigating to tenant1.example.com can't access those tokens - Result: Users appear logged out on subdomains The Solution Convex Auth's ConvexAuthProvider accepts a custom storage prop that implements the TokenStorage interface. By creating a cookie-based storage adapter with the domain set to .yourDomain.com (note the leading dot), authentication tokens become accessible across all subdomains. Implementation 1. Create a cookie storage adapter (src/utils/cookieStorage.ts): 
import { TokenStorage } from "@convex-dev/auth/react";

function getRootDomain(): string {
  const hostname = window.location.hostname;
  const parts = hostname.split('.');
  if (parts.length >= 2) {
    return `.${parts.slice(-2).join('.')}`; // Returns ".example.com"
  }
  return hostname;
}

export const cookieStorage: TokenStorage = {
  getItem: (key) => getCookie(key),
  setItem: (key, value) => setCookie(key, value, domain: getRootDomain()),
  removeItem: (key) => deleteCookie(key, domain: getRootDomain()),
};
import { TokenStorage } from "@convex-dev/auth/react";

function getRootDomain(): string {
  const hostname = window.location.hostname;
  const parts = hostname.split('.');
  if (parts.length >= 2) {
    return `.${parts.slice(-2).join('.')}`; // Returns ".example.com"
  }
  return hostname;
}

export const cookieStorage: TokenStorage = {
  getItem: (key) => getCookie(key),
  setItem: (key, value) => setCookie(key, value, domain: getRootDomain()),
  removeItem: (key) => deleteCookie(key, domain: getRootDomain()),
};
2. Pass the storage adapter to ConvexAuthProvider: 
import { cookieStorage } from "@/utils/cookieStorage";

<ConvexAuthProvider client={convex} storage={cookieStorage}>
  {children}
</ConvexAuthProvider>
import { cookieStorage } from "@/utils/cookieStorage";

<ConvexAuthProvider client={convex} storage={cookieStorage}>
  {children}
</ConvexAuthProvider>
Luke ๐Ÿ‡ฌ๐Ÿ‡ง
Luke ๐Ÿ‡ฌ๐Ÿ‡งโ€ข2mo ago
Result โœ… Users stay authenticated across all subdomains โœ… Works in both development (.localhost) and production (.example.com) โœ… No changes needed to auth logic or backend configuration Reference OP's GitHub Issue: convex-auth #162 ConvexAuth TokenStorage docs: React: TokenStorage
GitHub
convex auth session across subdomains ยท Issue #162 ยท get-convex/c...
Is there a way to make a convex auth session valid across subdomains of a same domain like it is for clerk by default?
react - Convex Auth
Authentication library for your Convex backend
Luke ๐Ÿ‡ฌ๐Ÿ‡ง
Luke ๐Ÿ‡ฌ๐Ÿ‡งโ€ข2mo ago
Does that help?
laudu
lauduโ€ข2mo ago
im looking for a solution for workos rather than convex auth but thank you for the reply anyways, will try to see how i can use it for my use case
Luke ๐Ÿ‡ฌ๐Ÿ‡ง
Luke ๐Ÿ‡ฌ๐Ÿ‡งโ€ข2mo ago
np, good luck
laudu
lauduโ€ข2mo ago
i decided to shift to better-auth ๐Ÿ’€
Luke ๐Ÿ‡ฌ๐Ÿ‡ง
Luke ๐Ÿ‡ฌ๐Ÿ‡งโ€ข2mo ago
What's your use-case? I found Convex Auth really simple to impliment and seems reliable so far
laudu
lauduโ€ข2mo ago
hope convex adds first party support via cli ye it is really simple i want to have a forum on a diff domain and the main app on another the main reason for using other auth implementation over convex auth is that want to have the ability to have enterprise auth and other things like 2fa

Did you find this page helpful?