SteveSteve

Base URLs

How to derive the correct HTTP origin for Steve's live and private HTTP routes.

Steve-owned HTTP routes are served from the Convex site domain, not the Convex client domain.

Route families

SurfacePattern
External Integration APIhttps://<deployment>.convex.site/api/v1/...
Invitation APIhttps://<deployment>.convex.site/api/invitation/...
Workflow Agent APIhttps://<deployment>.convex.site/api/agent/chat

Converting from client URLs

The frontend applications store Convex client URLs such as:

https://your-deployment.convex.cloud

or:

wss://your-deployment.convex.cloud

To call HTTP routes directly, convert that origin to:

https://your-deployment.convex.site

Example:

const httpUrl = convexUrl.replace("wss://", "https://").replace(".cloud", ".site");

That same conversion is already used in the admin app for invitation flows and the workflow agent transport.

Versioning

Only the external integration surface is explicitly versioned today:

  • /api/v1/... is the stable integration namespace.
  • /api/invitation/... is product-specific and unversioned.
  • /api/agent/chat is private and unversioned.

CORS behavior

Steve uses different CORS policies per surface:

SurfacePolicy
External Integration APIAccess-Control-Allow-Origin: *
Invitation APIAllowlist driven by ALLOWED_ORIGINS
Workflow Agent APIAllowlist driven by ALLOWED_ORIGINS

The wildcard policy is only used on API-key routes. Invitation and agent endpoints accept secrets from browsers and therefore require an explicit origin allowlist.

Previous

Error Handling

Next

Workflow Agent API

On this page