SkyguyS
Convex Community5mo ago
2 replies
Skyguy

`ctx.auth.getUserIdentity()` returns `null` — missing aud claim despite using AuthKit & Convex

I’m integrating WorkOS AuthKit with Convex in a Next.js app.

My setup:
- I use 
AuthKitProvider
 and 
ConvexProviderWithAuthKit

- I use 
useAccessToken()
 from AuthKit and feed that token to Convex
- In 
convex/auth.config.ts
, I set:

const clientId = process.env.WORKOS_CLIENT_ID;

const authConfig = {
  providers: [
    {
      type: "customJwt",
      issuer: `https://api.workos.com/`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
    {
      type: "customJwt",
      issuer: `https://api.workos.com/user_management/${clientId}`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
  ],
};

export default authConfig;


- Redirect URI, env vars, etc. are set per docs

Problem: when I call 
await ctx.auth.getUserIdentity()
 inside Convex functions, it returns 
null
.
The Convex docs say this happens if the ID token is missing an aud claim, and yes AuthKit’s access token doesn’t include aud.

What I’ve tried:
- Switching to 
ConvexProviderWithAuth

- Ensuring redirect URIs match
- Looking at starter kits (e.g. WorkOS + Convex example projects)

Question:
- Is there a configuration (in WorkOS or Convex) I’m missing so that AuthKit will issue an ID token with aud that Convex accepts?
- Has anyone else solved this so that 
ctx.auth.getUserIdentity()
 works out of the box with AuthKit + Convex?
- Am I supposed to use a different token than accessToken(), or is there a version mismatch / bug?

Any pointers or examples appreciated.

Workarounds:

Remove 
applicationID: clientId
 on the second provider in the config.
Was this page helpful?