Auth.js (NextAuth) — Authentication for the Web
Auth.js (formerly NextAuth.js) is a complete open-source authentication solution for Next.js, SvelteKit, Remix, Express, and more. 80+ OAuth providers, passwordless, magic links, database or JWT sessions, and first-class TypeScript.
Safe staging for this asset
This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.
npx -y tokrepo@latest install 4fa5cb9a-3580-11f1-9bc6-00163e2b0d79 --target codexStages files first; activation requires review of the staged README and plan.
What it is
Auth.js (formerly NextAuth.js) is a complete open-source authentication solution for web applications. It supports Next.js, SvelteKit, Remix, Express, and other frameworks. Auth.js provides 80+ OAuth providers (Google, GitHub, Facebook, etc.), passwordless magic links, credential-based login, and flexible session management via database or JWT.
Auth.js targets web developers who need authentication without building it from scratch or paying for Auth0/Clerk. It handles the OAuth flow, session tokens, CSRF protection, and provider integration automatically.
How it saves time or tokens
Implementing OAuth from scratch means handling redirects, token exchange, CSRF, session cookies, and provider-specific quirks. Auth.js handles all of this with a few lines of configuration. Adding a new OAuth provider is a single import. Session management works automatically with either JWT (stateless) or database (stateful) strategies. The built-in sign-in and sign-out pages are customizable but functional out of the box.
How to use
- Install Auth.js for Next.js:
npm i next-auth@beta
- Configure auth providers:
// auth.ts
import NextAuth from 'next-auth';
import GitHub from 'next-auth/providers/github';
import Google from 'next-auth/providers/google';
export const { handlers, auth, signIn, signOut } = NextAuth({
providers: [
GitHub({ clientId: process.env.GITHUB_ID, clientSecret: process.env.GITHUB_SECRET }),
Google({ clientId: process.env.GOOGLE_ID, clientSecret: process.env.GOOGLE_SECRET }),
],
});
- Add the API route and middleware:
// app/api/auth/[...nextauth]/route.ts
import { handlers } from '@/auth';
export const { GET, POST } = handlers;
Example
// Using auth in a server component
import { auth } from '@/auth';
export default async function Dashboard() {
const session = await auth();
if (!session) return <p>Please sign in</p>;
return <p>Welcome, {session.user?.name}</p>;
}
// Client-side session access
'use client';
import { useSession, signIn, signOut } from 'next-auth/react';
export function LoginButton() {
const { data: session } = useSession();
if (session) return <button onClick={() => signOut()}>Sign Out</button>;
return <button onClick={() => signIn('github')}>Sign In</button>;
}
Related on TokRepo
- Security Tools — Authentication and security solutions
- AI Tools for Coding — Developer tools and frameworks
This tool integrates with standard development workflows and requires minimal configuration to get started. It is available as open-source software with documentation and community support through the official repository. The project follows semantic versioning for stable releases.
For teams evaluating this tool, the key advantage is reducing manual work in repetitive tasks. The automation provided by the built-in features means less custom code to maintain and fewer integration points to manage. This translates directly to lower maintenance costs and faster iteration cycles.
Common pitfalls
- Auth.js v5 (beta) has API changes from v4 (NextAuth.js); check the migration guide when upgrading from v4.
- Environment variables for OAuth providers (client ID and secret) must be set correctly; missing or incorrect values cause silent authentication failures.
- JWT sessions are stateless and cannot be individually revoked; use database sessions if you need server-side session invalidation.
Frequently Asked Questions
Auth.js is the new name for NextAuth.js starting with v5. The rename reflects expanded framework support beyond Next.js. Auth.js v5 works with Next.js, SvelteKit, Remix, Express, and more.
Yes. Auth.js supports magic link (email) authentication and WebAuthn. Users receive a sign-in link via email without needing a password. This requires an email provider configuration.
Yes. Auth.js supports both JWT (stateless) and database (stateful) session strategies. Database sessions store session data in PostgreSQL, MySQL, MongoDB, or other databases via adapters.
Auth.js supports 80+ OAuth providers including Google, GitHub, Facebook, Twitter, Apple, Discord, Slack, and many more. Custom OAuth providers can be configured with the generic OAuth provider.
Yes. Auth.js is open-source under the ISC license. There are no usage fees, no per-user charges, and no feature restrictions. You can use it in commercial projects without cost.
Citations (3)
- Auth.js Official Site— Auth.js provides 80+ OAuth providers for web authentication
- Auth.js GitHub— Auth.js supports Next.js, SvelteKit, Remix, and Express
- Auth.js Documentation— Auth.js v5 migration from NextAuth.js v4
Related on TokRepo
Discussion
Related Assets
Better Auth — Framework-Agnostic Authentication for TypeScript
Better Auth is a comprehensive TypeScript authentication library that provides email/password, OAuth, multi-factor, and session management out of the box. It works with any framework and any database, offering a plugin system for extending authentication flows without vendor lock-in.
Payload CMS — Open Source Fullstack Next.js Headless CMS
Payload is the open-source headless CMS and app framework built on Next.js. TypeScript-first, code-configured, with instant admin panel, auth, and file uploads.
Express — Fast Unopinionated Minimalist Web Framework for Node.js
Express is the original, most popular web framework for Node.js. Minimal, flexible, and the foundation of countless APIs. The go-to starting point for Node.js backends that inspired Koa, Hono, Fastify, and many others.
Passport.js — Simple Authentication Middleware for Node.js
Passport.js is an unobtrusive authentication middleware for Node.js that supports 500+ strategies including OAuth, OpenID Connect, and local username/password.