Gating content the right way

It's tempting to hide a paid lesson with a component and call it done:

<Protect plan="pro">
  <PremiumLesson />
</Protect>

This is fine for UX — it stops the button from showing. But it is not security. Components like <Protect> only decide what to render; a determined user can still call your backend directly. The data must be guarded where it's served.

Enforce in the function

The real check belongs inside the Convex query or mutation, next to the data:

export const getPremiumLesson = query({
  args: { lessonId: v.string() },
  handler: async (ctx, { lessonId }) => {
    const identity = await ctx.auth.getUserIdentity();
    if (!identity) throw new Error("Sign in required");

    const entitled = await hasEntitlement(ctx, identity.subject);
    if (!entitled) throw new Error("Upgrade required");

    return ctx.db.get(lessonId);
  },
});

Two layers, two jobs

| Layer | Tool | Purpose | |---|---|---| | UI | <Protect>, has() | Fast, optimistic hide/show | | Backend | check inside Convex fn | The actual access boundary |

A robust pattern syncs entitlements (from a billing webhook, say) into a Convex table, then every sensitive function reads that table. The UI can be wrong or stale; the server is the source of truth.

The exercise shows why client-only gating fails: the "UI" hides the link, but a direct backend call still has to be rejected on its own.

That's the full loop: render on the server, store and sync with Convex, prove identity with Clerk, and enforce access where it counts. Mark this complete — you've built the mental model for a real app.