JWT Configuration

Convex auth.config.ts

issuer: https://convex.kevisual.cn
applicationID: convex-app

issuer必须与JWT中的iss字段匹配，applicationID必须与aud字段匹配。

import { AuthConfig } from 'convex/server';

export default {
  providers: [
    {
      type: 'customJwt',
      applicationID: 'convex-app',
      issuer: 'https://convex.kevisual.cn',
      jwks: 'https://api-convex.kevisual.cn/root/convex/jwks.json',
      algorithm: 'RS256',
    },
  ],
};

Payload 例子

header必须包含kid字段以匹配jwks中的密钥ID。

import * as jose from "jose";
// 加载测试私钥
const keys = JSON.parse(await Bun.file("./jwt/privateKey.json").text());
const privateKey = await jose.importJWK(keys, "RS256");

// 生成 RS256 JWT
const payload = {
  iss: "https://convex.kevisual.cn",
  sub: "user:8fa2be73c2229e85",
  aud: "convex-app",
  exp: Math.floor(Date.now() / 1000) + 3600,
  name: "Test User AA",
  email: "test@example.com",
};
const token = await new jose.SignJWT(payload)
  .setProtectedHeader({
    "alg": "RS256",
    "typ": "JWT",
    "kid": "kid-key-1"
  })
  .setIssuedAt()
  .sign(privateKey);