Next.js App Router Authentication (Sessions, Cookies, JWTs)

Always lovely to see official guides on these important topics :)

I think authentication is a super important topic for web development and next.js and I think you guys should expand more on this. Security is the most important thing for modern web applications and I think you guys should keep talking about it. Great work.

Looking for this tutorial for months. So nice to have a official tutorial to follow. Thanks!

Sweet Jesus, where were you the last couple of weeks when I was trying to implement it the correct way? Your solution is so simple yet powerful and God thanks you did it in less thans 12 minutes, thanks man!

Thanks for Lucia shout out, I've integrated the V3 recently and it was a breeze.

Thanks! for the tutorial, just a small note for those that wonder why the email value is always null, simply add name='email' to the input field

I would like to see a video on the topic of authorization/authentication for cases when a third-party server(node/nest/etc...) is used and also how it should work for "use client" components/pages

Would love a video about using OAuth to login with a custom backend and how to refresh a session with your own issued JWT!

Please keep uploading these videos how you have been the last bit I've been really enjoying them and finding them useful

Lee great job. If you could create a video on how Next.JS handles “authentication” -vs- “authorization” that would be awesome.
Thanks Lee….😁👍🏿✨

Nice Video. I think authentication and authorization is not really talked about often. It will be nice to see more indepth videos on rolling out custom auth and using libraries like auth js and clerk.

Great walkthrough as always.
And for those who noticed the null email, I see someone opened a PR on the linked repo to fix it.

I want to thank you for this excellent introduction to authentication in Next.js

the two examples shown are not the same. ones a credentials provider and the other is oauth. it would've been nice to see a simple example of credentials using next auth. but the fact that so many are seeking help around this illustrates next is missing the point here in some way

a month ago i was entirely new to node.js react.js tailwind next.js and typescript and i have been enjoying it so much until i got to authentication. it has been a horrible experience. this video outlines a more direct approach to authentication and session management and I'm hoping it can help me implement properly because I'm pretty close to quitting next.js.

awesome to see attention to auth* - its such a crucial topic! Would love to see ways to work with open source solutions like keycloak or Ory + Next. They solve nearly anything a large scale product might need while being completely open source

The way this video explains Auth in Next.js reminds me of how Dan explained React Redux. Next.js App Router next-auth changes are also super exciting!

I just finished this feature tonight. after that I watched RUclips and saw that you had made the tutorial. this is such a coincidence. keep up the spirit, Bro. 😁

Just saw the news about the promotion ( a few months after it happened ) -- congrats!

I love to watch videos where the focus is on proper documentation

This is great, but what I hoped to get is information about was how authN and authZ intersects with the caches of server components and other server-side functions, as well as how and when to authorize server actions

Very useful video :D One minor point: shouldn't the encrypt/decrypt really be `encode_and_sign` and `decode_and_verify_signature`? I don't believe you are encrypting unless I am missing something.

How to use updateSession() for jwt accessToken and refreshToken

You have no idea how helpfull is this video to me. Thanks a lot for an insightful explanation and for the amazing content

good session. yes we need more detail session on this. As this is related to auth or security we don't need to learn this from anywhere else.

look at this how awesome. giving lightweith version of topic is really good. thanks man

Great video! Can't wait to see the full guide on the updated next-auth lib!

Awesome video, congrats! Specially due to explanation of the missing sign in part that is not in the Next.js docs. Thank you.

This is more informative beyond nextjs and React... well the first example 😊😊

On the input element name="email" was missed, hence the formData read was failing and hence email was getting set as null in the JWT cookie.

I've been able to run the nextauth version just fine in dev mode, but when building in standalone mode, I'm having all sorts of issues. It would be awesome if a version of that in standalone mode were released. thank you, Lee!

can someone help why do we get null value in the email area

Nice, server components are great for websites or when you don't have much interactivity in a component in a application. Having the option of using them is really helpful althogh I much prefered if they didn't had put them as default in next.js.

Authentication in next js is the only reason why I don't use next, but if I have implemented authentication and authorization process on backend(Nest Js), what should I do in that case ? Where to save access token after successful authentication ? How to send access token along with header on each request ? In normal react this process is done very easily with axios or state manager(redux).

God bless you. I couldn't figure out just how to do exactly that

Vercel Auth would be great to complete with clerk, auth0. Something built-in and easy to use / deploy.

this tutorial is my life saver, thanks a lot lee!

In video, under session in , "email" returns null.
This is an error/oversight on your part. Please see corrected code below:
name property missing from input element. 😋. You're welcome.

I know this is a very big long shot, but I would absolutely love to see a video about a multi-tenant nextjs app with authentication (with custom domains and such). Ideally without using the Vercel starter kit, cuz that's no way to learn how it actually works... Also not ideal for people not hosting on Vercel. As far as I can tell there is not a single good resource for this on either RUclips or Google.

Nextjs & discord auth would be awesome, extending the Session, modify the callbacks etc

For those getting user { email: null } in the session output, remember to add a name attribute `name='email'` in the email input in the `page.tsx` file

The guide is so useful. Thanks a lot!

Alright, so you set the session on frontend, but what to do if i should do it on backend with refresh and access tokens? Can you make a video about server authentication with these tokens? I can't find any valuable info about this :(

Yes we would like to talk more . Authorization

Lee, can you do one about GDPR?
I was worried when I learned that google fonts was not compliant, and then gladly surprised when I learned that next/font does self-hosting automatically.
I would love to know more on how small projects can comply without it being a headache.

Great video.. a deep dive using supabase auth will be helpful

Can this be done as easily on the pages router? Does anyone have a video or example of this? Thanks

I tryed next-auth, authjs, but this satisfied what I was looking for. thanks

This is great.Please can you do a video on how to use nextjs and an external cookie based authentcation api (e.g nodejs express) and how to persist the cookies in deployed nextjs.Once again thank you

Can I access the token or session from client side component. because I think httponly cookie don't access from client side.

finally an official guide!!!

Thanks for the most needed content ❤

This was great. Thank you

would be great if there is an example with service worker.

I would love to see a deep dive on this. Admittedly I need handholding or a follow along a few time before I get things.
I'd like to do something where there is a Username/Email and Password OR Google OR Github. Smurf the actual user lookup initially but then be able to plugin a database or something like AWS cognito, after the fact.

Thanks Lee, always helpful!

Very informative, Can you please make a more detail article on how to implement client side and server side validations on the server components during login process?

Pretty good video, as usual!

Perfect. I always look for the custom way as next-auth is very abstract and I don't know what is going behind. Now my question is do we need to check getSession in each page, if yes, then will it work for Server and Client in the same way? and second query is how to handle callback url, I know if I check the session in each page, then I need to redirect and put the callback of each page, but if there is any way where I can define these in central/one place instead of checking in all pages.
P.S: I am not using library (auth.js, clerk etc.,)

No database session in nextAuth credentials strategy, hence why i prefer Lucia Auth

doesnt auth.js v5 handle encryption and sigining of jwt by default? why are you manually doing it?
Thanks for the tutorial!

Thanks a lot Lee, This was really helpfull

Next js is getting more and more unclear regarding the authentication/authorization process

thank you for the repo, mate

Why is email 'null'? Shouldn't the email that was typed in be displayed under the form?

how do we get modified headers from middleware.ts to the page.tsx and access cookies in the client component? please do a video for a better understanding

im using nextui which uses client" but the login functions use "use server" i get errors tried looking everywhere for a fix 😭😭

Lee, I have two questions about authentication in Next js.
Can I use node js apis in middleware? Or do middleware necessarily run on the edge?
The next-auth auth function is not memoized on the server, can I use the react cache function to memo the auth function?

Next auth has the worst documentation in the history of documentations!
It took me weeks to get used to it.
Everything is scattered here and there.
Come on people! Dont just make great software!, Make minimum descent documentation first!

This is a really well done video, Lee! However, as I've mentioned before, the issues here is not reading the user data off the session, but the inability to use the updated session user to set client-side state immediately (without relying on a useEffect or a hard refresh) due to the router cache. Any update on when this can be fixed?

What a awesome tutorial

This is great! Isn’t it more accurate to say “encode” / “decode” and “sign” / “verify signature” versus encrypt / decrypt? Nothing is encrypted so imo using that terminology could be a little misleading

Thank you Lee, very helpfull!

which nextjs version is this? which version should I take for a new project?

Hello, I have a genuine doubt: how can we use clean architecture on Next?

In the video, Lee uses middleware to upate the expiry of the cookie. Why is he doing that? Is it not better to keep the expiry of the cookie identical to the expiry of the JWT?
It kind of defeats the purpose of an expire date, if you keep pushing it forward in time on every reload.
My best guess is that you want to give more time every time a logged in person visits the page, so they could effectively stay logged in forever if they reload every 9 seconds (since he set expiry to 10 sec).
Also, someone else already asked, but did not get an answer: What vscode color theme is used in the video?

yeah more guides on roll your own auth and more guide on building RBAC and adding MFA and 2FA in Next.js with App Router.

Thank you, Lee, this is very helpful! I started working on an app using Auth.js but seeing how easy it it to implement authentication with Next.js, I'm wondering if it is worth using Auth.js. What's the added value compared to just implementing our own auth with Next.js?

Can you please make a page transition video using next.js v14 with app dir and framer motion? Including exit animation?

The auth session object return only name, image, email. Can you please show how can we make callback to getServerSession to fetch other user parameters like id, userPrinciPalName, etc, in case of Entra Id?

next video if possible be authrization
any maybe protecitng routes /pages

middleware can be async too? why is there waituntil helper then?

First like ❤

In the authjs overview toward the end, one of the added security checks shown via the devtools / applications display was a CSRF token. Is the "role your own" auth in this video (using JWT and the session cookie) also in need of a CSRF token, and if so, any examples of how that would be added to the existing code example?

more auth please

You're missing name="email" in the email field on the login form.

tell me dear developers, what place did you think when you released the new version of nextjs, even if you can't make a chain of middlewares?

Thanks for this awesome video!
Assuming you have a server that is returning a JWT in an API call, and you’re using the pages router, whhat is the right place for the login, logout functions? Using Next api handlers?
Also, in this scenario would you still set the JWT in cookies in the same way?

which vscode theme is this?

Is it possible to show next-auth, but also just with your own login and password? I have searched a lot of youtube and nowhere have I found a clear example of such an application, and it seems to me that to learn the basics of the backend it is much more useful to just implement your own solution than a provider like github.
PS. when someone logs in via google/github etc. how can we for example add such a user to the database as a user that exists with us? because basically he doesn't seem to have an "account" on the platform.

Thanks for the video but the main issue with Next Auth is sharing the auth context between Server Component and Client component ...

Pls make a video on session update when we update user details in database

Can you create a video on how to build and deploy a production-ready application on AWS, including how to export output data? I've been struggling with this for the past few days.
#nextjs
#production
#build

Best video ever

Middleware I can't seem to make it work properly

Great job. When destroying session after jwt expired or deleted jwt session from browser for test purposes, is it redirected after clicking logout in the server action?

Great Video!

Error: JWS "alg" (Algorithm) Header Parameter missing or invalid
Source
lib.ts (17:38) @ input
15 |
16 | export async function decrypt(input: string): Promise {
> 17 | const { payload } = await jwtVerify(input, key, {
| ^
18 | algorithms: ["HS256"],
19 | });
20 | return payload;

Thanks for the video. Biggest issue I've run into with this flow is that it seems nearly impossible to kick users out when using JWTs. Would love a video on that. ie. A bad actor signs up for my app and I need to kick them out immediately (faster than the JWT expiry date). How do I do that?

"Thanks so much!!!"