Auth.js (NextAuth)
What it supports
Provider type | Examples | Typical use |
|---|---|---|
OAuth providers | Google, GitHub, Discord, and dozens more | "Sign in with X" buttons, no password to manage yourself |
Email (magic link) | Passwordless sign-in via a one-time emailed link | Lower friction than passwords, no credentials to store |
Credentials | Traditional email + password form | Full control, but you own password hashing and storage |
The general setup shape
Regardless of which providers you use, an Auth.js setup in the App Router has the same three pieces: a configuration file describing your providers and callbacks, a Route Handler that exposes Auth.js's endpoints, and a hook or helper for reading the current session in your components.
auth.ts — configuration
import NextAuth from 'next-auth'
import GitHub from 'next-auth/providers/github'
export const { handlers, auth, signIn, signOut } = NextAuth({
providers: [
GitHub({
clientId: process.env.GITHUB_ID,
clientSecret: process.env.GITHUB_SECRET,
}),
],
})app/api/auth/[...nextauth]/route.ts — Route Handler
import { handlers } from '@/auth'
export const { GET, POST } = handlersReading the session in a Server Component
import { auth } from '@/auth'
export default async function ProfilePage() {
const session = await auth()
if (!session) {
return <p>You are not signed in.</p>
}
return <p>Signed in as {session.user?.email}</p>
}Sign-in / sign-out via Server Actions
import { signIn, signOut } from '@/auth'
export function SignIn() {
return (
<form
action={async () => {
'use server'
await signIn('github')
}}
>
<button type="submit">Sign in with GitHub</button>
</form>
)
}
export function SignOut() {
return (
<form
action={async () => {
'use server'
await signOut()
}}
>
<button type="submit">Sign out</button>
</form>
)
}auth() helper exported from a config file). Configuration option names, the split betweengetServerSession-style helpers and the newer auth() function, and even the package name itself have changed. Always confirm which major version a tutorial or your installed dependency is targeting before copying a setup.Why teams reach for it
One consistent interface across dozens of OAuth providers, instead of hand-rolling each handshake.
Session strategy (JWT or database-backed) is a configuration choice, not something built from scratch.
Built-in CSRF protection and secure cookie defaults for the auth flow itself.
Callbacks (
jwt,session,signIn) give fine-grained hooks into the auth lifecycle without forking the library.
Auth.js (formerly NextAuth.js) is the most widely adopted dedicated auth library for Next.js.
A typical setup is: a config file (providers + callbacks), a catch-all Route Handler, and an
auth()helper for reading sessions.It supports OAuth, magic-link email, and traditional credentials providers.
The API has changed materially across major versions — verify docs match your installed version before following a guide.