The download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows., `convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first., Treat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation., Do not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values., Keep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs., Review generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets., When actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
Privacy notes
Convex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs., Client queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records., Use synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting., Review Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data., If Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
7 safety and 5 privacy notes across 6 risk areas. Review closely: credentials & tokens, network access, third-party handling.
6 areas
SafetyNetwork accessThe download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
SafetyData retention`convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first.
SafetyGeneralTreat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation.
SafetyCredentials & tokensDo not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values.
SafetyCredentials & tokensKeep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs.
SafetyGeneralReview generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets.
SafetyCredentials & tokensWhen actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
PrivacyLocal filesConvex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs.
PrivacyData retentionClient queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records.
PrivacyGeneralUse synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting.
PrivacyThird-party handlingReview Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data.
PrivacyNetwork accessIf Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
Safety notes
The download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
`convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first.
Treat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation.
Do not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values.
Keep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs.
Review generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets.
When actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
Privacy notes
Convex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs.
Client queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records.
Use synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting.
Review Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data.
If Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
Prerequisites
Next.js App Router project or migration branch with a known package manager.
Convex account access and permission to create or use the target Convex project and deployment.
`NEXT_PUBLIC_CONVEX_URL` and any Convex deployment environment variables managed through local, preview, staging, and production secret configuration.
Data model plan for Convex tables, indexes, generated API functions, and client query/mutation usage.
Auth integration decision, such as Clerk, Auth0, custom JWT, or unauthenticated prototype.
Realtime UX plan covering loading states, optimistic UI, offline behavior, and conflict handling.
.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor
Adapter
.cursor/rules/<skill-name>.mdc
cli
Manual
AGENTS.md or tool-specific context file
Full copyable content
# Trigger
"Apply the Convex Next.js realtime apps skill to this project."
# Required output
1) Current Next.js, data model, auth, and realtime inventory
2) Convex package, deployment, provider, schema, query, and mutation plan
3) Client/server boundary and production deployment checklist
4) Safety, privacy, data import, secret, and rollback notes
About this resource
Knowledge Freshness
This skill is based on Convex's official Next.js quickstart, documentation hub,
website, and get-convex/convex-js repository reviewed on 2026-06-04. The
current Next.js quickstart installs the convex package, runs npx convex dev
to create or connect a deployment, writes backend functions in a convex/
folder, wraps App Router UI with ConvexProvider and ConvexReactClient, and
reads data from generated APIs with useQuery().
Prefer the live Convex docs and official JavaScript repository over model memory
for package names, generated API paths, provider setup, CLI behavior, auth
integration, hosting guidance, schema APIs, and production deployment steps.
Scope Note
Use this skill for Convex-backed Next.js App Router applications that need typed
backend functions and reactive data. It is not a generic database guide, not a
Supabase/Postgres/RLS workflow, and not a replacement for application-specific
authorization, data modeling, or production capacity review.
Core Workflow
Inventory the current Next.js version, router mode, package manager, /src
usage, client components, server components, route handlers, auth provider,
realtime screens, and current data layer.
Confirm whether this is a new Convex project, an existing Convex deployment,
or a migration from another backend, and record the target local, preview,
staging, and production environments.
Add convex with the project package manager and document how the team will
run or replace the interactive npx convex dev flow in local development.
Create or review the convex/ directory, generated API files, backend
function naming, schema definitions, validators, indexes, queries,
mutations, and actions.
Wire the App Router provider with a client component that creates
ConvexReactClient from NEXT_PUBLIC_CONVEX_URL and wraps the app in
ConvexProvider.
Keep client components that call useQuery() or mutations explicit, and keep
server-only logic out of client bundles.
Model read patterns first. Add indexes, pagination, and narrow query
arguments before building realtime lists, dashboards, notifications, or
collaborative UI.
Add mutations with validation, ownership checks, idempotency where needed,
and clear optimistic UI or reconciliation behavior.
If importing seed or migrated data, verify the target deployment, table,
sample data shape, and rollback plan before running convex import.
Integrate auth deliberately. Map provider identity to Convex user records,
enforce authorization in backend functions, and test unauthenticated and
wrong-tenant access.
Review actions, scheduled jobs, external APIs, file storage, webhooks, and
LLM calls for secrets, retries, rate limits, timeouts, and observability.
Produce a deployment checklist covering environment URLs, generated files,
codegen, auth config, data import state, realtime smoke tests, and rollback.
Required Inputs
Next.js version, router mode, package manager, and whether the app uses a
/src directory.
Current data layer, table/document model, realtime requirements, and migration
constraints.
Convex project, team, deployment, dashboard access, and environment names.
Auth provider and authorization model, including tenants, organizations,
roles, user ownership, anonymous access, and public data.
List of client components, server components, API routes, background jobs,
webhooks, scheduled jobs, and external integrations that will touch Convex.
Seed data, import files, backfills, or migration scripts that may mutate a
Convex deployment.
Deployment provider, preview environment policy, generated-file policy, and
rollback plan.
Production Rules
Treat convex dev, convex deploy, imports, backfills, scheduled jobs, and
data deletes as environment-specific operations. Confirm the target deployment
before running them.
Do not rely on client-side filtering for authorization. Enforce access rules
in Convex queries, mutations, actions, or shared backend helpers.
Keep public environment variables and server-only secrets separate. Only
client-safe deployment URLs belong in NEXT_PUBLIC_* configuration.
Use validators and narrow function arguments for every public query and
mutation. Avoid broad "return all documents" queries in production screens.
Add indexes and pagination before large realtime lists, activity feeds,
notifications, search screens, or multi-tenant dashboards.
Use synthetic data for examples and AI prompts. Do not paste real Convex table
exports, logs, dashboard screenshots, auth tokens, or user documents into
chat, issues, or PRs.
Record how generated Convex API files are created and validated so agents do
not hand-edit generated output.
For actions that call LLMs, payment processors, email services, or webhooks,
document outbound data, timeout behavior, retries, and failure handling.
Compatibility
Native
Claude Code / Claude: use as a reusable Agent Skill for Convex app
planning, realtime UI implementation, migration review, and production
readiness checks.
Codex/OpenAI workflows: use as SKILL.md-style instructions when editing
Next.js apps that use Convex.
Manual Adaptation
Cursor, Windsurf, Gemini, and Generic AGENTS files: adapt the trigger,
workflow, safety notes, privacy notes, and output contract into repository
rules for Convex work.
Output Contract
Source evidence: Convex docs, website, and repository URLs reviewed, with
date.
App inventory: Next.js router, current data layer, auth provider, realtime
surfaces, backend functions, imports, and deployment environments.
Safety and privacy review: deployment targeting, secrets, data imports,
generated files, broad queries, logs, prompts, external APIs, and real-user
data handling.
Validation checklist: local Convex dev connection, generated API refresh,
unauthenticated access, wrong-tenant access, realtime update, mutation, data
import dry run, preview deploy, production smoke test, and rollback.
Duplicate And Source Review
Current HeyClaude content includes a Supabase realtime database skill, but that
entry is Postgres/RLS/Supabase-specific. There is no dedicated Convex,
convex-js, ConvexReactClient, ConvexProvider, or docs.convex.dev content
entry. This skill is specifically scoped to Convex's official Next.js App
Router workflow and source-backed by current Convex docs, website, and the
official JavaScript SDK repository.
Troubleshooting
Issue: The app cannot connect to Convex from the browser
Fix: Confirm NEXT_PUBLIC_CONVEX_URL is present for the current environment
and that ConvexReactClient is created only in a client component.
Issue: Generated API imports fail
Fix: Re-run the documented Convex codegen/dev flow, confirm the convex/
function file exports are valid, and avoid hand-editing generated API files.
Issue: Realtime UI renders too much data or exposes another tenant's data
Fix: Move filtering and authorization into the Convex backend function, add
indexes and pagination, and test wrong-user or wrong-organization access by
calling the generated API directly.
Issue: A data import writes to the wrong deployment
Fix: Stop additional imports, identify the target deployment and table, take
a snapshot of current state if available, and use the rollback or cleanup plan
before retrying against the intended environment.
Issue: An action works locally but fails in production
Fix: Check production environment variables, external API secrets, action
timeouts, rate limits, retry behavior, and logs. Do not expose service tokens to
client components while debugging.
Show that Convex Next.js Realtime Apps Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/convex-nextjs-realtime-apps)
How it compares
Convex Next.js Realtime Apps Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
Add Better Auth to a Next.js App Router project with API route handlers, database-backed sessions, client helpers, protected route checks, and production auth safety review.
Add Clerk authentication to a Next.js App Router project with middleware, route protection, session-aware UI, environment hygiene, and production auth safety checks.
Build Inngest-backed Next.js workflows with event triggers, durable steps, local Dev Server testing, API route serving, retries, concurrency, and production deployment review.
✓The download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
`convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first.
Treat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation.
Do not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values.
Keep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs.
Review generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets.
When actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
✓The download URL is Better Auth's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Do not commit Better Auth secrets, OAuth provider secrets, database URLs, email-provider credentials, API-key plugin secrets, or copied dashboard values.
Run schema generation or migrations only against the intended database environment; auth tables, sessions, accounts, and verification records are production-critical.
Treat route protection as server-side authorization work. UI hiding, optimistic middleware redirects, or cookie existence checks are not full access control.
Review `proxy.ts` or `middleware.ts` behavior by Next.js version before relying on database-backed session checks inside request middleware.
Keep OAuth callback URLs, base URLs, trusted origins, and cookie settings environment-specific to avoid broken login loops or cross-environment session confusion.
Track Better Auth release notes and security advisories before introducing auth flows or enabling advanced plugins in production.
Add rollback steps before replacing an existing auth provider because user, account, session, and verification tables can affect active logins.
✓The download URL is Clerk's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Clerk middleware does not protect routes by default; require an explicit protected-route matcher before assuming a page, API route, or tRPC endpoint is private.
Do not commit `CLERK_SECRET_KEY`, webhook signing secrets, OAuth provider secrets, or copied dashboard values to source control, issue comments, screenshots, or chat transcripts.
Review middleware matchers carefully. A broad matcher can affect static assets and public routes, while a narrow matcher can leave sensitive routes unauthenticated.
Treat organization roles, custom permissions, and metadata checks as authorization logic that needs tests, not just UI hiding.
Webhook handlers can mutate user, membership, subscription, and organization state. Make handlers idempotent and verify signatures before processing events.
Confirm production domains and redirect URLs before deploy; wrong origins can break sign-in, leak users into the wrong environment, or create confusing callback loops.
✓The download URL is Inngest's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
The official quickstart documents both package installation and a CLI install path for the Dev Server; review shell installers before piping remote scripts into a shell.
Inngest functions can send email, charge billing systems, call LLMs, write databases, enqueue follow-up work, and retry failed steps; design idempotency before production use.
Do not commit Inngest signing keys, event keys, dashboard tokens, API keys used inside steps, webhook secrets, or copied dashboard values.
Confirm the target Inngest environment before syncing functions, sending events, replaying runs, testing webhooks, or invoking workflows from the Dev Server UI.
Keep event names and schemas explicit. Broad catch-all events, copied production payloads, and unvalidated event data can trigger unintended work.
Review retry policies, concurrency, rate limits, cancellation, durable step behavior, and deployment timeouts before moving request work into asynchronous functions.
For AI workflows, document model calls, human approval points, tool side effects, token cost controls, and what happens when a step retries after partial completion.
Privacy notes
✓Convex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs.
Client queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records.
Use synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting.
Review Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data.
If Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
✓Better Auth handles user identity, email addresses, password-auth state, OAuth profile data, sessions, cookies, accounts, verification tokens, and plugin-specific user data.
Application logs, error trackers, request traces, AI prompts, and screenshots can retain user IDs, emails, callback URLs, cookies, session state, or OAuth provider details.
Use synthetic users and test OAuth applications for examples, demos, issue reports, screenshots, and AI-assisted troubleshooting.
If organization, API key, two-factor, passkey, or SSO plugins are enabled, treat membership, roles, credentials, and device metadata as sensitive authorization data.
Review Better Auth, database, deployment-provider, analytics, email-provider, and AI-assistant retention policies before using real customer identity data.
✓Clerk processes user identity, email addresses, sessions, cookies, authentication factors, OAuth profile data, organization membership, and optional user metadata.
Application logs, error reports, webhook payloads, request traces, and AI chat transcripts can retain user IDs, email addresses, session state, redirect URLs, or organization names.
Keep public examples synthetic. Do not paste real Clerk keys, dashboard screenshots, webhook payloads, user records, or organization metadata into prompts or PRs.
Review Clerk, deployment-provider, analytics, and AI-assistant retention policies before using real customer identity data in troubleshooting sessions.
If custom metadata stores roles, billing flags, internal account IDs, or entitlement data, treat it as sensitive authorization data and avoid exposing it client-side unless intended.
✓Inngest events, function inputs, step outputs, errors, logs, traces, Dev Server runs, and dashboard history can contain user IDs, emails, order IDs, file metadata, prompts, or webhook payloads.
Use synthetic payloads for Dev Server invokes, examples, issue reports, screenshots, demos, and AI-assisted troubleshooting.
Avoid sending raw payment data, authentication secrets, access tokens, private documents, or full customer records as event payloads; pass stable IDs and fetch data inside authorized server code when possible.
Review Inngest, deployment-provider, observability, LLM-provider, email-provider, payment-provider, and AI-assistant retention policies before using real customer data.
If workflows call LLMs or third-party APIs, document which event fields leave the app, where outputs are retained, and how retries affect duplicate external requests.
Prerequisites
Next.js App Router project or migration branch with a known package manager.
Convex account access and permission to create or use the target Convex project and deployment.
`NEXT_PUBLIC_CONVEX_URL` and any Convex deployment environment variables managed through local, preview, staging, and production secret configuration.
Data model plan for Convex tables, indexes, generated API functions, and client query/mutation usage.
Next.js App Router project or migration branch with a known package manager.
Database choice and adapter plan, such as Drizzle, Prisma, MongoDB, or Better Auth's built-in Kysely-backed flow.
Local, preview, staging, and production secret-management path for Better Auth secrets, OAuth client IDs, and OAuth client secrets.
Route map that separates public pages, authenticated pages, API routes, server actions, admin routes, and organization-scoped areas.
Next.js App Router project or migration branch.
Clerk account and application for the target environment.
`NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` and `CLERK_SECRET_KEY` available through local and deployment environment configuration.
Route map that separates public pages, protected app pages, API routes, and admin or organization-scoped areas.
Next.js App Router project or migration branch with a known package manager.
Inngest account or local-only Dev Server plan, plus permission to create or connect the target Inngest app.
Decision on stable SDK usage versus any beta SDK documentation path before pinning package versions.
`INNGEST_DEV`, signing keys, event keys, and deployment environment variables managed through local, preview, staging, and production secret configuration.