Hello, i am working on integrating web3auth with convex, the issue seems that when i pass the identity token generated after they login with socials/metamask
it doesnt contain any sub field and thus making the token invalid since convex
Custom JWTs are required only to have header fields kid , alg and typ , and payload fields sub , iss , and exp . An iat field is also expected by Convex clients to implement token refreshing.
Thank you for providing detailed context about your integration with Convex and Web3Auth.
Summary of Your Issue:
SDK: Web3Auth Plug and Play (React, using @web3auth/modal)
Platform: Next.js (React)
Integration Target: Convex (requires JWTs with sub, iss, exp, iat)
Problem: The identity token (idToken) generated by Web3Auth after login (socials/MetaMask) does not contain the sub field, making it invalid for Convex, which expects sub, iss, exp, and iat in the JWT payload.
The JWT returned by getIdentityToken does not have the sub claim, which Convex expects.
What Convex Requires in JWT Payload:
header: kid, alg, typ
payload: sub, iss, exp, iat
What Web3Auth Provides:
For social logins: JWT payload typically includes iat, aud, iss, email, name, verifier, verifierId, exp, wallets, etc. (see Web3Auth Docs - getIdentityToken)
For external wallets: JWT payload includes iat, issuer, audience, wallets, exp, etc.
Possible Causes & Next Steps:
The JWT from Web3Auth may use verifierId or another field instead of sub.
Some JWTs (especially from social logins) may not include sub by default.
Convex expects sub for user identification.
Proposed Solution / Next Steps:
Check the Decoded JWT:
Please decode the idToken (using jwt.io or similar) and paste the payload here (you can redact sensitive info). This will help confirm which fields are present and if sub is missing or mapped differently (e.g., verifierId).
If sub is missing:
Web3Auth currently does not provide a way to customize the JWT payload directly in Plug n Play mode.
You may need to map verifierId or another unique identifier from the JWT to sub on your backend before passing it to Convex.
Alternatively, you can submit a feature request for Web3Auth to add sub to the JWT payload for better compatibility with Convex.
Can you share a sample decoded JWT payload (with sensitive info redacted)?
Are you using only Plug n Play (no custom authentication or verifiers)?
Summary for Support Team:
User is integrating Web3Auth Plug n Play (React/Next.js) with Convex.
The JWT idToken generated after login lacks the sub field required by Convex.
User needs either a way to include sub in the JWT or guidance on mapping an existing JWT field to sub.
Let us know if you can share the JWT payload, or if you need guidance on mapping fields for Convex compatibility!
Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.
Additionally, we would recommend you to join our biweekly Office Hours to get this resolved even faster. Web3Auth Developer Office Hours