Base URLs

Steve's HTTP routes are served from the Convex site domain, not the Convex client domain.

Route families

Surface	Pattern
External Integration API	`https://<deployment>.convex.site/api/v1/...`
Invitation API	`https://<deployment>.convex.site/api/invitation/...`
Workflow Agent API	`https://<deployment>.convex.site/api/agent/chat`

Converting from client URLs

The frontend applications store Convex client URLs such as:

https://your-deployment.convex.cloud

or:

wss://your-deployment.convex.cloud

To call HTTP routes directly, convert that origin to:

https://your-deployment.convex.site

Example:

const httpUrl = convexUrl.replace("wss://", "https://").replace(".cloud", ".site");

That same conversion is already used in the admin app for invitation flows and the workflow agent.

Versioning

Only the external integration surface is explicitly versioned today:

/api/v1/... is the stable integration namespace.
/api/invitation/... is product-specific and unversioned.
/api/agent/chat is private and unversioned.

CORS behavior

Steve uses different CORS policies per surface:

Surface	Policy
External Integration API	`Access-Control-Allow-Origin: *`
Invitation API	Allowlist driven by `ALLOWED_ORIGINS`
Workflow Agent API	Allowlist driven by `ALLOWED_ORIGINS`

The wildcard policy is only used on API-key routes. Invitation and agent endpoints accept secrets from browsers and therefore require an explicit origin allowlist.

Base URLs

Route families

Converting from client URLs

Versioning

CORS behavior

On this page