NextjsAuth.js (NextAuth)

Auth.js (NextAuth)

Auth.js — known for most of its history as NextAuth.js — is the most popular dedicated authentication library in the Next.js ecosystem. It handles the parts of auth that are tedious and easy to get subtly wrong: OAuth handshakes with dozens of providers, credential verification, session issuance, and CSRF protection — all behind a fairly small configuration surface.
What it supports

Provider type

Examples

Typical use

OAuth providers

Google, GitHub, Discord, and dozens more

"Sign in with X" buttons, no password to manage yourself

Email (magic link)

Passwordless sign-in via a one-time emailed link

Lower friction than passwords, no credentials to store

Credentials

Traditional email + password form

Full control, but you own password hashing and storage

The general setup shape

Regardless of which providers you use, an Auth.js setup in the App Router has the same three pieces: a configuration file describing your providers and callbacks, a Route Handler that exposes Auth.js's endpoints, and a hook or helper for reading the current session in your components.

auth.ts — configuration

TS
import NextAuth from 'next-auth'
import GitHub from 'next-auth/providers/github'

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    GitHub({
      clientId: process.env.GITHUB_ID,
      clientSecret: process.env.GITHUB_SECRET,
    }),
  ],
})

app/api/auth/[...nextauth]/route.ts — Route Handler

TS
import { handlers } from '@/auth'

export const { GET, POST } = handlers

Reading the session in a Server Component

TSX
import { auth } from '@/auth'

export default async function ProfilePage() {
  const session = await auth()

  if (!session) {
    return <p>You are not signed in.</p>
  }

  return <p>Signed in as {session.user?.email}</p>
}

Sign-in / sign-out via Server Actions

TSX
import { signIn, signOut } from '@/auth'

export function SignIn() {
  return (
    <form
      action={async () => {
        'use server'
        await signIn('github')
      }}
    >
      <button type="submit">Sign in with GitHub</button>
    </form>
  )
}

export function SignOut() {
  return (
    <form
      action={async () => {
        'use server'
        await signOut()
      }}
    >
      <button type="submit">Sign out</button>
    </form>
  )
}
The API has evolved across versions — check the current docs
Auth.js has gone through significant API changes between its NextAuth.js v4 days and the current Auth.js v5 (the shape shown above, built around a single auth() helper exported from a config file). Configuration option names, the split betweengetServerSession-style helpers and the newer auth() function, and even the package name itself have changed. Always confirm which major version a tutorial or your installed dependency is targeting before copying a setup.
Why teams reach for it
  • One consistent interface across dozens of OAuth providers, instead of hand-rolling each handshake.

  • Session strategy (JWT or database-backed) is a configuration choice, not something built from scratch.

  • Built-in CSRF protection and secure cookie defaults for the auth flow itself.

  • Callbacks (jwt, session, signIn) give fine-grained hooks into the auth lifecycle without forking the library.

  • Auth.js (formerly NextAuth.js) is the most widely adopted dedicated auth library for Next.js.

  • A typical setup is: a config file (providers + callbacks), a catch-all Route Handler, and an auth() helper for reading sessions.

  • It supports OAuth, magic-link email, and traditional credentials providers.

  • The API has changed materially across major versions — verify docs match your installed version before following a guide.