Fix guide · info · convex_deployment_exposed

Convex deployment URL exposed in client

What this rule means

Your Convex deployment URL (https://<name>.convex.cloud) is visible to anyone who views your page source or reads your client bundle. This is by design: the browser client needs it to call your Convex functions.

Why it matters

Not a vulnerability on its own. Every Convex deployment answers on the same public HTTP API, so the URL alone tells an attacker nothing they could not guess. Combined with the function names (the module:function paths your code reaches through _generated/api.js) extracted from your bundle, though, it gives them a complete map of your API surface. They will call each function without a token and keep whatever answers. The actual risk is tracked under convex_function_no_auth.

How to fix it

This is informational. The URL exposure itself doesn't need fixing — Convex needs the URL to be reachable.

What to do instead:

  1. Audit every query, mutation and action for an explicit ctx.auth.getUserIdentity() check at the top of the handler. For an unauthenticated caller it returns null rather than throwing, so a function that never checks the result simply runs; make the handler throw when it gets null.
  2. Declare args with v.* validators on every function, so callers cannot pass unexpected fields or types to the handler.
  3. Test from outside with curl against your deployment URL, sending no auth token, and confirm that every function meant to be private rejects the call. See /blog/convex-security.
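The outside-in test from step 3, as an added example (not code from vibecheck or Convex): a Node script that sends each function path one unauthenticated request in the shape Convex's HTTP API expects and classifies the reply. The placeholder deployment URL, the target list and the error-message patterns are assumptions; the request and response shape follows Convex's documented /api/query endpoint.

```javascript
// Added example for this fix guide; not vibecheck's or Convex's own code.
// Needs Node 18+ for the global fetch used as the default transport.
//
// Assumed from Convex's documented HTTP API: a function is invoked with
// POST <deployment>/api/query (or /api/mutation, /api/action) and a JSON body
// { path: "module:function", args: {...}, format: "json" }; the reply is either
// { status: "success", value } or { status: "error", errorMessage, errorData }.

const DEPLOYMENT_URL = "https://example-app-123.convex.cloud"; // placeholder, not a real deployment

// Constructed list of function paths, the kind of map an attacker assembles
// from your bundle. Only queries are listed: mutations and actions execute
// with side effects, so probe those against a dev deployment only.
const TARGETS = [
  { kind: "query", path: "messages:list" },
  { kind: "query", path: "users:me" },
  { kind: "query", path: "admin:stats" },
];

// Build the exact request curl would send: no Authorization header, empty args.
function probeRequest(deploymentUrl, kind, path, args = {}) {
  return {
    url: `${deploymentUrl.replace(/\/$/, "")}/api/${kind}`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ path, args, format: "json" }),
    },
  };
}

// Heuristic verdict for one unauthenticated call. The auth pattern matches the
// messages a handler typically throws once ctx.auth.getUserIdentity() returns
// null; adjust it to whatever your own handlers throw.
function classify(httpStatus, body) {
  if (body && body.status === "success") return "open";
  if (body && body.status === "error") {
    const msg = String(body.errorMessage ?? "");
    if (/unauthenticated|not authenticated|not signed in|not logged in|unauthorized/i.test(msg)) {
      return "auth-required";
    }
    // The validator rejected the empty args before the handler ran, so the
    // auth check is still unproven: retry with valid args before trusting it.
    if (/ArgumentValidationError/i.test(msg)) return "args-rejected";
    return "error";
  }
  return `http-${httpStatus}`; // non-JSON reply, e.g. a 404 or an HTML error page
}

// Probe every target and return { path: verdict }. fetchImpl is injectable so
// the logic can be exercised without network access.
async function probeAll(deploymentUrl, targets, fetchImpl = globalThis.fetch) {
  const verdicts = {};
  for (const { kind, path } of targets) {
    const { url, init } = probeRequest(deploymentUrl, kind, path);
    const res = await fetchImpl(url, init);
    let body = null;
    try {
      body = await res.json();
    } catch {
      body = null;
    }
    verdicts[path] = classify(res.status, body);
  }
  return verdicts;
}

// Every "open" query that should have required a signed-in user is a
// convex_function_no_auth finding waiting to be fixed.
function openFunctions(verdicts) {
  return Object.keys(verdicts).filter((path) => verdicts[path] === "open");
}

// Stand-alone use: CONVEX_URL=https://<name>.convex.cloud node probe.js
// Without CONVEX_URL set the script only defines the functions above.
if (process.env.CONVEX_URL) {
  probeAll(process.env.CONVEX_URL, TARGETS).then((verdicts) => {
    console.log(verdicts);
    console.log("reachable without auth:", openFunctions(verdicts));
  });
}
```

Run it against a dev deployment, with the handler names from your own convex/ directory in TARGETS. Treat "args-rejected" as unresolved rather than safe: a validator stops the empty-args probe, but a caller who supplies the right fields still reaches the handler, so repeat the call with valid args for those paths.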

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. Re-running the inspection will still report this rule, because the URL has to stay in your bundle; treat the finding as a prompt to work through the steps above, and look to convex_function_no_auth for the findings that clear once every function checks auth.