AmohPrince
AmohPrince2w ago

How to properly authenticate convex functions called via fetchAction and fetchMutation.

So in a user context I have found that you can pass the users token to object on the third arguement of a fetch action call as below 
  const mythings = await fetchQuery(
    api.yadiyadiyada.getSomeX,
    {
      a: b,
    },
    { token: token }
  );
  const mythings = await fetchQuery(
    api.yadiyadiyada.getSomeX,
    {
      a: b,
    },
    { token: token }
  );
Now this is all nice and cozy but what happens if I want to authenticate a function call in a non user context. what token will i pass. In my research I have heard that I can create an api key and pass it to convex on the same field but I dont fully grasp the concept. Thanks foryour time
2 Replies
Convex Bot
Convex Bot2w ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets. - Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.) - Use search.convex.dev to search Docs, Stack, and Discord all at once. - Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI. - Avoid tagging staff unless specifically instructed. Thank you!
ballingt
ballingt2w ago
That's right, you use a shared secret of some kind. Generate a secret (a password) and store it as an environment variable in Convex and also on whatever server you're maing the request from. Add an argument to the queries, mutations, and actions that you want to protect, and on the first line of those functions check that the secret argument and the environment variable match. Throw if not.

Did you find this page helpful?