Production Checklist

A pre-flight list of things to verify before flipping your RED project from development to production. Items are grouped by concern — skip sections that don’t apply to your setup (e.g. skip Billing if you haven’t enabled Autumn).

Each item links back to the relevant module page for the how-to. This page stays a pure checklist.

Set these environment variables on your Convex production deployment (via bunx convex env set or the Convex dashboard) unless noted otherwise.

  • SITE_URL — public frontend URL, used for auth redirects and email links. Must match the deployed domain exactly (no trailing slash).
  • CONVEX_SITE_URL — Convex HTTP actions URL, used as the auth issuer and for JWKS.
  • RESEND_API_KEY — Resend API key for the verified sending domain. See Email.
  • RESEND_LIVE=true — required to deliver real emails. Unset or any other value keeps Resend in test mode.
  • FROM_EMAIL — default sender address, must be on a domain verified in Resend.
  • APIKEY_JWT_PUBLIC_KEY and APIKEY_JWT_PRIVATE_KEY — key pair for signing API keys. Generate fresh values for production, never reuse dev keys.
  • AUTUMN_SECRET_KEY — Autumn live secret key, if billing is enabled. See Billing.
  • AI_TRACE=off — disables AI trace logging. Recommended in production.
  • Frontend VITE_CONVEX_URL and VITE_CONVEX_SITE_URL — set on your frontend host’s build environment, not on Convex.
  • Verify the sending domain in Resend before setting RESEND_LIVE=true.
  • Register OAuth apps (Google, GitHub, etc.) with production redirect URIs that match SITE_URL.
  • Seed the first global admin user. See Admin.
  • Review session lifetime and MFA policy. See Authentication.
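The environment rules above can be checked mechanically before launch. The following is an added example, not code from RED: preflight(), its options and the sample values are assumptions, and how you load the production and dev variables into the two maps is left to you.

```typescript
// Added example; preflight() and its options are illustrative, not part of RED.
type Env = Record<string, string | undefined>;
interface Options { dev?: Env; billing?: boolean; verifiedDomains?: string[] }

const SECRETS = ["RESEND_API_KEY", "APIKEY_JWT_PUBLIC_KEY", "APIKEY_JWT_PRIVATE_KEY", "AUTUMN_SECRET_KEY"];

function preflight(prod: Env, opts: Options = {}): string[] {
  const problems: string[] = [];
  const required = ["SITE_URL", "CONVEX_SITE_URL", "RESEND_API_KEY", "FROM_EMAIL",
    "APIKEY_JWT_PUBLIC_KEY", "APIKEY_JWT_PRIVATE_KEY"];
  if (opts.billing) required.push("AUTUMN_SECRET_KEY"); // only when billing is enabled
  for (const name of required) {
    if (!(prod[name] || "").trim()) problems.push(name + ": missing");
  }
  // SITE_URL feeds auth redirects and email links: absolute URL, no trailing slash.
  const site = prod.SITE_URL || "";
  if (site && !/^https?:\/\/\S+$/.test(site)) problems.push("SITE_URL: not an absolute URL");
  else if (site.slice(-1) === "/") problems.push("SITE_URL: trailing slash");
  // Only the exact string "true" leaves Resend test mode ("True", "1", " true" do not).
  if (prod.RESEND_LIVE !== "true") problems.push("RESEND_LIVE: not exactly 'true', Resend stays in test mode");
  // The sender's domain must be one the caller knows to be verified in Resend.
  const m = /@([^\s>]+)>?\s*$/.exec(prod.FROM_EMAIL || "");
  const domain = m ? String(m[1]).toLowerCase() : "";
  if (opts.verifiedDomains && domain && opts.verifiedDomains.indexOf(domain) < 0) {
    problems.push("FROM_EMAIL: domain " + domain + " is not in the verified list");
  }
  // Production secrets must not equal the values used in dev.
  for (const name of SECRETS) {
    const dev = opts.dev ? opts.dev[name] : undefined;
    if (dev && prod[name] === dev) problems.push(name + ": reused from dev");
  }
  if (prod.AI_TRACE !== "off") problems.push("AI_TRACE: should be 'off' in production");
  return problems;
}

// Constructed sample values (placeholders, not real keys or domains).
const devEnv: Env = { APIKEY_JWT_PRIVATE_KEY: "dev-private-placeholder", RESEND_API_KEY: "dev-resend-placeholder" };
const prodEnv: Env = {
  SITE_URL: "https://app.example.com/", CONVEX_SITE_URL: "https://example.convex.site",
  RESEND_API_KEY: "prod-resend-placeholder", RESEND_LIVE: "True", FROM_EMAIL: "noreply@mail.example.org",
  APIKEY_JWT_PUBLIC_KEY: "prod-public-placeholder", APIKEY_JWT_PRIVATE_KEY: "dev-private-placeholder",
};
const report = preflight(prodEnv, { dev: devEnv, billing: true, verifiedDomains: ["example.com"] });
console.log(report.join("\n"));
```

An empty result means every rule passed; the frontend VITE_* variables live on the frontend host and are outside this check.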

Skip if billing is disabled.

  • Switch Autumn to live mode and confirm product/feature IDs match between live and the Convex cache.
  • Run one end-to-end upgrade in live mode with a real card before announcing launch — confirm the post-checkout watcher converges within a few minutes and the row in billingCustomers flips to the new plan.
  • (Optional) Set up the Autumn webhook for real-time plan-change push. See the Future: Autumn webhook section. Skip if you’re fine with the default pull-based sync (post-checkout watcher + daily cron).
  • Confirm the production Convex deployment is separate from dev and preview.
  • Enable a backup or scheduled export cadence on Convex.
  • Decide on data retention for audit logs and sessions. See Audit.
  • Set up an uptime check on the frontend root and on a Convex HTTP action (e.g. /.well-known/jwks.json).
  • Wire an error reporter on the frontend if you use one (not bundled by default).
  • Monitor Convex logs and scheduled function failures in the Convex dashboard.
  • Review organization scoping — every mutation touching an organizationId document verifies it matches the active org.
  • Confirm CORS is set only on browser-facing auth routes, not machine-auth API routes.
  • Rotate any secrets that were committed, shared in chat, or reused from dev.
  • Decide whether to keep the Waitlist open or close signup. See Waitlist.
  • Confirm rate limits are sensible for your traffic profile.
  • Point the apex/subdomain at your frontend host (Vercel, Netlify, Cloudflare Pages, etc.).
  • Deploy the Convex production functions: bunx convex deploy.
  • Verify a verification email, a password reset email, and an org invite email all resolve to the production domain end-to-end.