Convex Log Streams

Convex connections ingest logs from a Convex deployment via the Log Streams webhook. Convex POSTs each batch of function logs to a Firetiger ingest URL; Firetiger verifies the HMAC-SHA256 signature, decodes the payload, and writes the events to the Iceberg table convex/logs/console.

Recommended: Create the connection via the web UI at https://ui.cloud.firetiger.com/settings/connections — the UI displays the ingest URL after the connection is created.

How It Works

  1. You create a Convex connection in Firetiger and copy the resulting webhook URL.
  2. In the Convex dashboard, you configure a Log Stream that POSTs to that URL with the same shared secret.
  3. Convex signs each request with HMAC-SHA256 over the raw body bytes; Firetiger verifies the signature using the stored secret.
  4. Verified events land in iceberg.convex.logs.console and are queryable from agents and the Firetiger UI.

Setup

1. Create the Firetiger Connection

Parameter Type Description
webhook_secret string Shared secret used to sign requests — generate a strong random value 
{
  "display_name": "Convex Production Logs",
  "description": "Production Convex deployment console logs",
  "connection_details": {
    "convex": {
      "webhook_secret": "<generate-a-strong-random-secret>"
    }
  }
}

The connection’s webhook URL is shown in the Firetiger UI once it’s created.

2. Configure the Convex Log Stream

In the Convex dashboard:

  1. Open Settings → Integrations
  2. Add a new Log Stream (Webhook)
  3. Set the URL to the Firetiger webhook URL
  4. Set the secret to the same webhook_secret you used in step 1

Convex begins streaming function logs to Firetiger immediately.

Querying the Logs

Once events are flowing, query them via the Iceberg connection:

USE iceberg;
SELECT *
FROM "convex/logs/console"
WHERE timestamp >= now() - interval '1 hour'
ORDER BY timestamp DESC
LIMIT 100;

The convex/logs/console table follows the Convex Log Streams payload schema — each row carries the deployment, project, function path, log level, and message.

Best Practices

  • Use a long, random secret — the only thing standing between an attacker and a flood of fabricated log events is the HMAC verification
  • One connection per deployment — separate Convex prod / staging / dev deployments into separate connections so agents and dashboards can scope queries cleanly
  • Rotate the secret in lockstep — update the secret in Firetiger and Convex within a short window; mismatched secrets reject all events with a 401
This site uses Just the Docs, a documentation theme for Jekyll.