Name: Convex Http Actions
Author: Waynesutton
Install
Terminal · npx
$npx skills add https://github.com/waynesutton/convexskills --skill convex-http-actions
Works with Paperclip
How Convex Http Actions fits into a Paperclip company.

Convex Http Actions drops into any Paperclip agent that handles convex and http work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md733 linesmarkdown
Expand
1---2name: convex-http-actions3displayName: Convex HTTP Actions4description: External API integration and webhook handling including HTTP endpoint routing, request/response handling, authentication, CORS configuration, and webhook signature validation5version: 1.0.06author: Convex7tags: [convex, http, actions, webhooks, api, endpoints]8---9 10# Convex HTTP Actions11 12Build HTTP endpoints for webhooks, external API integrations, and custom routes in Convex applications.13 14## Documentation Sources15 16Before implementing, do not assume; fetch the latest documentation:17 18- Primary: https://docs.convex.dev/functions/http-actions19- Actions Overview: https://docs.convex.dev/functions/actions20- Authentication: https://docs.convex.dev/auth21- For broader context: https://docs.convex.dev/llms.txt22 23## Instructions24 25### HTTP Actions Overview26 27HTTP actions allow you to define HTTP endpoints in Convex that can:28 29- Receive webhooks from third-party services30- Create custom API routes31- Handle file uploads32- Integrate with external services33- Serve dynamic content34 35### Basic HTTP Router Setup36 37```typescript38// convex/http.ts39import { httpRouter } from "convex/server";40import { httpAction } from "./_generated/server";41 42const http = httpRouter();43 44// Simple GET endpoint45http.route({46  path: "/health",47  method: "GET",48  handler: httpAction(async (ctx, request) => {49    return new Response(JSON.stringify({ status: "ok" }), {50      status: 200,51      headers: { "Content-Type": "application/json" },52    });53  }),54});55 56export default http;57```58 59### Request Handling60 61```typescript62// convex/http.ts63import { httpRouter } from "convex/server";64import { httpAction } from "./_generated/server";65 66const http = httpRouter();67 68// Handle JSON body69http.route({70  path: "/api/data",71  method: "POST",72  handler: httpAction(async (ctx, request) => {73    // Parse JSON body74    const body = await request.json();75    76    // Access headers77    const authHeader = request.headers.get("Authorization");78    79    // Access URL parameters80    const url = new URL(request.url);81    const queryParam = url.searchParams.get("filter");82 83    return new Response(84      JSON.stringify({ received: body, filter: queryParam }),85      {86        status: 200,87        headers: { "Content-Type": "application/json" },88      }89    );90  }),91});92 93// Handle form data94http.route({95  path: "/api/form",96  method: "POST",97  handler: httpAction(async (ctx, request) => {98    const formData = await request.formData();99    const name = formData.get("name");100    const email = formData.get("email");101 102    return new Response(103      JSON.stringify({ name, email }),104      {105        status: 200,106        headers: { "Content-Type": "application/json" },107      }108    );109  }),110});111 112// Handle raw bytes113http.route({114  path: "/api/upload",115  method: "POST",116  handler: httpAction(async (ctx, request) => {117    const bytes = await request.bytes();118    const contentType = request.headers.get("Content-Type") ?? "application/octet-stream";119    120    // Store in Convex storage121    const blob = new Blob([bytes], { type: contentType });122    const storageId = await ctx.storage.store(blob);123 124    return new Response(125      JSON.stringify({ storageId }),126      {127        status: 200,128        headers: { "Content-Type": "application/json" },129      }130    );131  }),132});133 134export default http;135```136 137### Path Parameters138 139Use path prefix matching for dynamic routes:140 141```typescript142// convex/http.ts143import { httpRouter } from "convex/server";144import { httpAction } from "./_generated/server";145 146const http = httpRouter();147 148// Match /api/users/* with pathPrefix149http.route({150  pathPrefix: "/api/users/",151  method: "GET",152  handler: httpAction(async (ctx, request) => {153    const url = new URL(request.url);154    // Extract user ID from path: /api/users/123 -> "123"155    const userId = url.pathname.replace("/api/users/", "");156 157    return new Response(158      JSON.stringify({ userId }),159      {160        status: 200,161        headers: { "Content-Type": "application/json" },162      }163    );164  }),165});166 167export default http;168```169 170### CORS Configuration171 172```typescript173// convex/http.ts174import { httpRouter } from "convex/server";175import { httpAction } from "./_generated/server";176 177const http = httpRouter();178 179// CORS headers helper180const corsHeaders = {181  "Access-Control-Allow-Origin": "*",182  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",183  "Access-Control-Allow-Headers": "Content-Type, Authorization",184  "Access-Control-Max-Age": "86400",185};186 187// Handle preflight requests188http.route({189  path: "/api/data",190  method: "OPTIONS",191  handler: httpAction(async () => {192    return new Response(null, {193      status: 204,194      headers: corsHeaders,195    });196  }),197});198 199// Actual endpoint with CORS200http.route({201  path: "/api/data",202  method: "POST",203  handler: httpAction(async (ctx, request) => {204    const body = await request.json();205 206    return new Response(207      JSON.stringify({ success: true, data: body }),208      {209        status: 200,210        headers: {211          "Content-Type": "application/json",212          ...corsHeaders,213        },214      }215    );216  }),217});218 219export default http;220```221 222### Webhook Handling223 224```typescript225// convex/http.ts226import { httpRouter } from "convex/server";227import { httpAction } from "./_generated/server";228import { internal } from "./_generated/api";229 230const http = httpRouter();231 232// Stripe webhook233http.route({234  path: "/webhooks/stripe",235  method: "POST",236  handler: httpAction(async (ctx, request) => {237    const signature = request.headers.get("stripe-signature");238    if (!signature) {239      return new Response("Missing signature", { status: 400 });240    }241 242    const body = await request.text();243 244    // Verify webhook signature (in action with Node.js)245    try {246      await ctx.runAction(internal.stripe.verifyAndProcessWebhook, {247        body,248        signature,249      });250      return new Response("OK", { status: 200 });251    } catch (error) {252      console.error("Webhook error:", error);253      return new Response("Webhook error", { status: 400 });254    }255  }),256});257 258// GitHub webhook259http.route({260  path: "/webhooks/github",261  method: "POST",262  handler: httpAction(async (ctx, request) => {263    const event = request.headers.get("X-GitHub-Event");264    const signature = request.headers.get("X-Hub-Signature-256");265    266    if (!signature) {267      return new Response("Missing signature", { status: 400 });268    }269 270    const body = await request.text();271 272    await ctx.runAction(internal.github.processWebhook, {273      event: event ?? "unknown",274      body,275      signature,276    });277 278    return new Response("OK", { status: 200 });279  }),280});281 282export default http;283```284 285### Webhook Signature Verification286 287```typescript288// convex/stripe.ts289"use node";290 291import { internalAction, internalMutation } from "./_generated/server";292import { internal } from "./_generated/api";293import { v } from "convex/values";294import Stripe from "stripe";295 296const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);297 298export const verifyAndProcessWebhook = internalAction({299  args: {300    body: v.string(),301    signature: v.string(),302  },303  returns: v.null(),304  handler: async (ctx, args) => {305    const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET!;306 307    // Verify signature308    const event = stripe.webhooks.constructEvent(309      args.body,310      args.signature,311      webhookSecret312    );313 314    // Process based on event type315    switch (event.type) {316      case "checkout.session.completed":317        await ctx.runMutation(internal.payments.handleCheckoutComplete, {318          sessionId: event.data.object.id,319          customerId: event.data.object.customer as string,320        });321        break;322 323      case "customer.subscription.updated":324        await ctx.runMutation(internal.subscriptions.handleUpdate, {325          subscriptionId: event.data.object.id,326          status: event.data.object.status,327        });328        break;329    }330 331    return null;332  },333});334```335 336### Authentication in HTTP Actions337 338```typescript339// convex/http.ts340import { httpRouter } from "convex/server";341import { httpAction } from "./_generated/server";342import { internal } from "./_generated/api";343 344const http = httpRouter();345 346// API key authentication347http.route({348  path: "/api/protected",349  method: "GET",350  handler: httpAction(async (ctx, request) => {351    const apiKey = request.headers.get("X-API-Key");352    353    if (!apiKey) {354      return new Response(355        JSON.stringify({ error: "Missing API key" }),356        { status: 401, headers: { "Content-Type": "application/json" } }357      );358    }359 360    // Validate API key361    const isValid = await ctx.runQuery(internal.auth.validateApiKey, {362      apiKey,363    });364 365    if (!isValid) {366      return new Response(367        JSON.stringify({ error: "Invalid API key" }),368        { status: 403, headers: { "Content-Type": "application/json" } }369      );370    }371 372    // Process authenticated request373    const data = await ctx.runQuery(internal.data.getProtectedData, {});374 375    return new Response(376      JSON.stringify(data),377      { status: 200, headers: { "Content-Type": "application/json" } }378    );379  }),380});381 382// Bearer token authentication383http.route({384  path: "/api/user",385  method: "GET",386  handler: httpAction(async (ctx, request) => {387    const authHeader = request.headers.get("Authorization");388    389    if (!authHeader?.startsWith("Bearer ")) {390      return new Response(391        JSON.stringify({ error: "Missing or invalid Authorization header" }),392        { status: 401, headers: { "Content-Type": "application/json" } }393      );394    }395 396    const token = authHeader.slice(7);397 398    // Validate token and get user399    const user = await ctx.runQuery(internal.auth.validateToken, { token });400 401    if (!user) {402      return new Response(403        JSON.stringify({ error: "Invalid token" }),404        { status: 403, headers: { "Content-Type": "application/json" } }405      );406    }407 408    return new Response(409      JSON.stringify(user),410      { status: 200, headers: { "Content-Type": "application/json" } }411    );412  }),413});414 415export default http;416```417 418### Calling Mutations and Queries419 420```typescript421// convex/http.ts422import { httpRouter } from "convex/server";423import { httpAction } from "./_generated/server";424import { api, internal } from "./_generated/api";425 426const http = httpRouter();427 428http.route({429  path: "/api/items",430  method: "POST",431  handler: httpAction(async (ctx, request) => {432    const body = await request.json();433 434    // Call a mutation435    const itemId = await ctx.runMutation(internal.items.create, {436      name: body.name,437      description: body.description,438    });439 440    // Query the created item441    const item = await ctx.runQuery(internal.items.get, { id: itemId });442 443    return new Response(444      JSON.stringify(item),445      { status: 201, headers: { "Content-Type": "application/json" } }446    );447  }),448});449 450http.route({451  path: "/api/items",452  method: "GET",453  handler: httpAction(async (ctx, request) => {454    const url = new URL(request.url);455    const limit = parseInt(url.searchParams.get("limit") ?? "10");456 457    const items = await ctx.runQuery(internal.items.list, { limit });458 459    return new Response(460      JSON.stringify(items),461      { status: 200, headers: { "Content-Type": "application/json" } }462    );463  }),464});465 466export default http;467```468 469### Error Handling470 471```typescript472// convex/http.ts473import { httpRouter } from "convex/server";474import { httpAction } from "./_generated/server";475 476const http = httpRouter();477 478// Helper for JSON responses479function jsonResponse(data: unknown, status = 200) {480  return new Response(JSON.stringify(data), {481    status,482    headers: { "Content-Type": "application/json" },483  });484}485 486// Helper for error responses487function errorResponse(message: string, status: number) {488  return jsonResponse({ error: message }, status);489}490 491http.route({492  path: "/api/process",493  method: "POST",494  handler: httpAction(async (ctx, request) => {495    try {496      // Validate content type497      const contentType = request.headers.get("Content-Type");498      if (!contentType?.includes("application/json")) {499        return errorResponse("Content-Type must be application/json", 415);500      }501 502      // Parse body503      let body;504      try {505        body = await request.json();506      } catch {507        return errorResponse("Invalid JSON body", 400);508      }509 510      // Validate required fields511      if (!body.data) {512        return errorResponse("Missing required field: data", 400);513      }514 515      // Process request516      const result = await ctx.runMutation(internal.process.handle, {517        data: body.data,518      });519 520      return jsonResponse({ success: true, result }, 200);521    } catch (error) {522      console.error("Processing error:", error);523      return errorResponse("Internal server error", 500);524    }525  }),526});527 528export default http;529```530 531### File Downloads532 533```typescript534// convex/http.ts535import { httpRouter } from "convex/server";536import { httpAction } from "./_generated/server";537import { Id } from "./_generated/dataModel";538 539const http = httpRouter();540 541http.route({542  pathPrefix: "/files/",543  method: "GET",544  handler: httpAction(async (ctx, request) => {545    const url = new URL(request.url);546    const fileId = url.pathname.replace("/files/", "") as Id<"_storage">;547 548    // Get file URL from storage549    const fileUrl = await ctx.storage.getUrl(fileId);550 551    if (!fileUrl) {552      return new Response("File not found", { status: 404 });553    }554 555    // Redirect to the file URL556    return Response.redirect(fileUrl, 302);557  }),558});559 560export default http;561```562 563## Examples564 565### Complete Webhook Integration566 567```typescript568// convex/http.ts569import { httpRouter } from "convex/server";570import { httpAction } from "./_generated/server";571import { internal } from "./_generated/api";572 573const http = httpRouter();574 575// Clerk webhook for user sync576http.route({577  path: "/webhooks/clerk",578  method: "POST",579  handler: httpAction(async (ctx, request) => {580    const svixId = request.headers.get("svix-id");581    const svixTimestamp = request.headers.get("svix-timestamp");582    const svixSignature = request.headers.get("svix-signature");583 584    if (!svixId || !svixTimestamp || !svixSignature) {585      return new Response("Missing Svix headers", { status: 400 });586    }587 588    const body = await request.text();589 590    try {591      await ctx.runAction(internal.clerk.verifyAndProcess, {592        body,593        svixId,594        svixTimestamp,595        svixSignature,596      });597      return new Response("OK", { status: 200 });598    } catch (error) {599      console.error("Clerk webhook error:", error);600      return new Response("Webhook verification failed", { status: 400 });601    }602  }),603});604 605export default http;606```607 608```typescript609// convex/clerk.ts610"use node";611 612import { internalAction, internalMutation } from "./_generated/server";613import { internal } from "./_generated/api";614import { v } from "convex/values";615import { Webhook } from "svix";616 617export const verifyAndProcess = internalAction({618  args: {619    body: v.string(),620    svixId: v.string(),621    svixTimestamp: v.string(),622    svixSignature: v.string(),623  },624  returns: v.null(),625  handler: async (ctx, args) => {626    const webhookSecret = process.env.CLERK_WEBHOOK_SECRET!;627    const wh = new Webhook(webhookSecret);628 629    const event = wh.verify(args.body, {630      "svix-id": args.svixId,631      "svix-timestamp": args.svixTimestamp,632      "svix-signature": args.svixSignature,633    }) as { type: string; data: Record<string, unknown> };634 635    switch (event.type) {636      case "user.created":637        await ctx.runMutation(internal.users.create, {638          clerkId: event.data.id as string,639          email: (event.data.email_addresses as Array<{ email_address: string }>)[0]?.email_address,640          name: `${event.data.first_name} ${event.data.last_name}`,641        });642        break;643 644      case "user.updated":645        await ctx.runMutation(internal.users.update, {646          clerkId: event.data.id as string,647          email: (event.data.email_addresses as Array<{ email_address: string }>)[0]?.email_address,648          name: `${event.data.first_name} ${event.data.last_name}`,649        });650        break;651 652      case "user.deleted":653        await ctx.runMutation(internal.users.remove, {654          clerkId: event.data.id as string,655        });656        break;657    }658 659    return null;660  },661});662```663 664### Schema for HTTP API665 666```typescript667// convex/schema.ts668import { defineSchema, defineTable } from "convex/server";669import { v } from "convex/values";670 671export default defineSchema({672  apiKeys: defineTable({673    key: v.string(),674    userId: v.id("users"),675    name: v.string(),676    createdAt: v.number(),677    lastUsedAt: v.optional(v.number()),678    revokedAt: v.optional(v.number()),679  })680    .index("by_key", ["key"])681    .index("by_user", ["userId"]),682 683  webhookEvents: defineTable({684    source: v.string(),685    eventType: v.string(),686    payload: v.any(),687    processedAt: v.number(),688    status: v.union(689      v.literal("success"),690      v.literal("failed")691    ),692    error: v.optional(v.string()),693  })694    .index("by_source", ["source"])695    .index("by_status", ["status"]),696 697  users: defineTable({698    clerkId: v.string(),699    email: v.string(),700    name: v.string(),701  }).index("by_clerk_id", ["clerkId"]),702});703```704 705## Best Practices706 707- Never run `npx convex deploy` unless explicitly instructed708- Never run any git commands unless explicitly instructed709- Always validate and sanitize incoming request data710- Use internal functions for database operations711- Implement proper error handling with appropriate status codes712- Add CORS headers for browser-accessible endpoints713- Verify webhook signatures before processing714- Log webhook events for debugging715- Use environment variables for secrets716- Handle timeouts gracefully717 718## Common Pitfalls719 7201. **Missing CORS preflight handler** - Browsers send OPTIONS requests first7212. **Not validating webhook signatures** - Security vulnerability7223. **Exposing internal functions** - Use internal functions from HTTP actions7234. **Forgetting Content-Type headers** - Clients may not parse responses correctly7245. **Not handling request body errors** - Invalid JSON will throw7256. **Blocking on long operations** - Use scheduled functions for heavy processing726 727## References728 729- Convex Documentation: https://docs.convex.dev/730- Convex LLMs.txt: https://docs.convex.dev/llms.txt731- HTTP Actions: https://docs.convex.dev/functions/http-actions732- Actions: https://docs.convex.dev/functions/actions733- Authentication: https://docs.convex.dev/auth
Related skills
Avoid Feature Creep

Install Avoid Feature Creep skill for Claude Code from waynesutton/convexskills.
Convex

This is an umbrella skill that routes you to 11 specialized Convex development skills instead of trying to cram everything into one giant prompt. Hit `/convex-f
Convex Agents

Install Convex Agents skill for Claude Code from waynesutton/convexskills.