Export an AuthConfig TypeScript type (#41609)

Nicolapps · Convex, Inc. · commit ceb3abacded9 · 2025-10-06T20:13:13.000Z
GitOrigin-RevId: d27f59744282518bcae108fe9ed6e9cd32e7edb2
diff --git a/src/server/authentication.ts b/src/server/authentication.ts
@@ -1,5 +1,74 @@
 import { JSONValue } from "../values/index.js";
 
+/**
+ * The value exported by your Convex project in `auth.config.ts`.
+ *
+ * ```ts
+ * import { AuthConfig } from "convex/server";
+ *
+ * export default {
+ *   providers: [
+ *     {
+ *       domain: "https://your.issuer.url.com",
+ *       applicationID: "your-application-id",
+ *     },
+ *   ],
+ * } satisfies AuthConfig;
+ * ```
+ */
+export type AuthConfig = {
+  providers: AuthProvider[];
+};
+
+/**
+ * An authentication provider allowed to issue JWTs for your app.
+ *
+ * See: https://docs.convex.dev/auth/advanced/custom-auth and https://docs.convex.dev/auth/advanced/custom-jwt
+ */
+export type AuthProvider =
+  // OIDC provider
+  | {
+      /**
+       * Tokens issued by the auth provider must have this application ID
+       * in their audiences.
+       */
+      applicationID: string;
+
+      /**
+       * The domain of the OIDC auth provider.
+       */
+      domain: string;
+    }
+  // Custom JWT provider (see https://docs.convex.dev/auth/advanced/custom-jwt)
+  | {
+      type: "customJwt";
+
+      /**
+       * Tokens issued by the auth provider must have this application ID
+       * in their audiences.
+       *
+       * Warning: omitting applicationID is often insecure
+       * (see https://docs.convex.dev/auth/advanced/custom-jwt#warning-omitting-applicationid-is-often-insecure).
+       */
+      applicationID?: string;
+
+      /**
+       * The issuer of the JWT auth provider (e.g. `https://auth.example.com`)
+       */
+      issuer: string;
+
+      /**
+       * The URL to fetch the JWKS (e.g. `https://auth.example.com/.well-known/jwks.json`)
+       */
+      jwks: string;
+
+      /**
+       * The algorithm used to sign the JWT tokens. Convex currently only
+       * supports RS256 and ES256.
+       */
+      algorithm: "RS256" | "ES256";
+    };
+
 /**
  * Information about an authenticated user, derived from a
  * [JWT](https://datatracker.ietf.org/doc/html/rfc7519).
diff --git a/src/server/index.ts b/src/server/index.ts
@@ -53,6 +53,8 @@
 
 export type {
   Auth,
+  AuthConfig,
+  AuthProvider,
   UserIdentity,
   UserIdentityAttributes,
 } from "./authentication.js";
