← Back to EliteSaas

Complete Guide to Next.js Authentication

Introduction

Robust Next.js auth is the foundation of any serious web application. In this guide, you will build a production-ready authentication stack using Next.js App Router and modern best practices. You will learn how to integrate OAuth, handle sessions securely, protect both server and client routes, and add advanced functionality like roles and passwordless sign-in. The goal is practical, minimal, and developer-friendly code that you can ship quickly.

Why it matters: authentication protects user data, enables personalization, and unlocks revenue models. A clean auth architecture also reduces bugs and security risks, which means more time building product features. If you are racing to market, pair this guide with How to Build Your MVP in Record Time and keep your focus on value, not boilerplate.

This tutorial is built for the App Router. If you are using the Pages Router, the concepts translate, but code locations differ. We will reference NextAuth.js (Auth.js) since it covers the majority of use cases. Teams building on EliteSaas can copy these patterns directly into their starter to move faster with confidence.

Prerequisites

  • Node.js 18+ and a Next.js 13+ project using the App Router.
  • Basic TypeScript familiarity helps, but not required.
  • An OAuth provider account such as GitHub or Google to test social login.
  • Environment variables set for your provider client ID and secret.
  • Optional: a database and ORM like Prisma if you plan to support credentials sign-in.

Step 1 - Pick an authentication strategy and install dependencies

You have three primary options for Next.js auth:

  • Auth.js (NextAuth.js) - fastest path for OAuth, email magic links, and credentials. Great default.
  • Managed auth providers like Clerk or Auth0 - excellent DX, externalized complexity, paid tiers.
  • Custom JWT and cookies - maximum control, slower to implement correctly.

We will use NextAuth.js because it balances speed and flexibility, which aligns with most product timelines. It supports both server and client usage in the App Router, and it handles security-sensitive details like cookie attributes and CSRF automatically.

# Install NextAuth.js and optional helpers
npm install next-auth
# If you plan to use credentials with hashing and Prisma
npm install @prisma/client bcryptjs
# If you need to generate Prisma client
npx prisma generate

Set required environment variables in .env.local. At minimum:

NEXTAUTH_URL=http://localhost:3000
NEXTAUTH_SECRET=your-long-random-secret

GITHUB_ID=your-github-oauth-client-id
GITHUB_SECRET=your-github-oauth-client-secret

Tip: run node -e "console.log(crypto.randomBytes(32).toString('hex'))" to generate a strong NEXTAUTH_SECRET. For production, set secure cookies automatically by using HTTPS and correct domain settings. Teams using EliteSaas can wire env variables into the runtime configuration provided by the template.

Step 2 - Configure NextAuth with a Route Handler

In the App Router, NextAuth is configured with a Route Handler. We will add GitHub OAuth plus a credentials provider to cover both enterprise SSO and basic email-password.

Create app/api/auth/[...nextauth]/route.ts:

import NextAuth from "next-auth";
import GitHub from "next-auth/providers/github";
import Credentials from "next-auth/providers/credentials";
import bcrypt from "bcryptjs";
// Optional: Prisma user lookup
import { PrismaClient } from "@prisma/client";
const prisma = new PrismaClient();

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    GitHub({
      clientId: process.env.GITHUB_ID as string,
      clientSecret: process.env.GITHUB_SECRET as string
    }),
    Credentials({
      name: "Credentials",
      credentials: {
        email: { label: "Email", type: "email" },
        password: { label: "Password", type: "password" }
      },
      async authorize(credentials) {
        if (!credentials?.email || !credentials?.password) return null;
        // Example: look up user in DB
        const user = await prisma.user.findUnique({
          where: { email: credentials.email }
        });
        if (!user || !user.passwordHash) return null;
        const isValid = await bcrypt.compare(credentials.password, user.passwordHash);
        if (!isValid) return null;
        // Return minimal user object for JWT
        return { id: user.id, name: user.name, email: user.email, role: user.role || "user" };
      }
    })
  ],
  session: { strategy: "jwt" },
  callbacks: {
    async jwt({ token, user }) {
      if (user) token.role = (user as any).role || "user";
      return token;
    },
    async session({ session, token }) {
      if (session.user) {
        (session.user as any).role = token.role || "user";
      }
      return session;
    }
  },
  pages: {
    // Optional: custom pages like /login or /auth/error
  }
});

// Export route handlers
export const GET = handlers.GET;
export const POST = handlers.POST;

Why this setup: OAuth reduces friction and increases security. Credentials support is useful for early MVPs and admin backdoors. JWT sessions scale well across serverless and edge. The callbacks enrich tokens with role claims for simple authorization downstream.

Step 3 - Secure routes with Middleware

Middleware lets you gate entire sections like /dashboard or /admin without repeating checks. Use the NextAuth auth helper with a matcher.

Create middleware.ts at the project root:

import { auth } from "next-auth";

export default auth((req) => {
  const { nextUrl } = req;
  // Protect /dashboard and /settings for authenticated users
  if (!req.auth && nextUrl.pathname.startsWith("/dashboard")) {
    const loginUrl = new URL("/login", nextUrl);
    loginUrl.searchParams.set("callbackUrl", nextUrl.pathname);
    return Response.redirect(loginUrl);
  }
  // Simple role-based check for /admin
  if (nextUrl.pathname.startsWith("/admin")) {
    const role = req.auth?.user?.role;
    if (role !== "admin") {
      return new Response("Forbidden", { status: 403 });
    }
  }
});

export const config = {
  matcher: ["/dashboard/:path*", "/settings/:path*", "/admin/:path*"]
};

Why this approach: centralizing route protection reduces mistakes, and the callbackUrl preserves user intent after login. This pattern is production safe and easy to extend.

Step 4 - Add session UI and client hooks

Wrap your UI in SessionProvider to read session state client-side. Then add sign-in and sign-out actions in your header. This is ideal for showing user avatars, conditional navigation, and access gates.

Create app/providers.tsx:

"use client";

import { SessionProvider } from "next-auth/react";

export function Providers({ children }: { children: React.ReactNode }) {
  return <SessionProvider>{children}</SessionProvider>;
}

Use it in app/layout.tsx:

import "./globals.css";
import { Providers } from "./providers";

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return (
    <html lang="en">
      <body>
        <Providers>{children}</Providers>
      </body>
    </html>
  );
}

Add a simple header component:

"use client";
import { useSession, signIn, signOut } from "next-auth/react";

export function Header() {
  const { data: session, status } = useSession();
  if (status === "loading") return <div>Loading...</div>;

  return (
    <header className="flex items-center justify-between p-4 border-b">
      <div>MyApp</div>
      <nav>
        {session ? (
          <div className="flex items-center gap-3">
            <span>Hello, {session.user?.name || session.user?.email}</span>
            <button onClick={() => signOut()} className="btn">Sign out</button>
          </div>
        ) : (
          <button onClick={() => signIn()} className="btn-primary">Sign in</button>
        )}
      </nav>
    </header>
  );
}

Why this step: users must see clear auth state and actions. Client hooks are perfect for non-sensitive UI logic, while sensitive authorization still belongs on the server.

Step 5 - Protect server components, actions, and APIs

Always validate on the server. Client checks are convenient but must never be the only protection. The auth helper reads the session in server contexts.

Server Component example:

import { auth } from "next-auth";

export default async function DashboardPage() {
  const session = await auth();
  if (!session) {
    // Return a server redirect or a minimal unauthorized UI
    return <div>Please sign in to view your dashboard.</div>;
  }
  return <div>Welcome back, {session.user?.name || session.user?.email}!</div>;
}

Server Action example:

"use server";
import { auth } from "next-auth";

export async function createProject(formData: FormData) {
  const session = await auth();
  if (!session) throw new Error("Unauthorized");
  // Proceed with creating a project for session.user.email
}

API Route Handler example:

import { auth } from "next-auth";

export async function GET() {
  const session = await auth();
  if (!session) return new Response("Unauthorized", { status: 401 });
  return Response.json({ message: "Secret data" });
}

Why this step: server checks are authoritative. They prevent API abuse and mismatched UI from becoming security vulnerabilities. This pattern is used across EliteSaas modules to keep business logic secure.

Step 6 - Advanced options: passwordless, roles, and 2FA

Magic link sign-in: add the Email provider and a transport like Resend or SMTP. This reduces friction and support load for password resets.

import Email from "next-auth/providers/email";

Email({
  server: process.env.EMAIL_SERVER,
  from: process.env.EMAIL_FROM
})

Role-based access control: you already added role to the JWT. Enforce it in middleware and on the server. For more complex scenarios, store permissions as arrays in the token and check at the boundary of each feature.

2FA: add a TOTP secret per user and require a one-time code during sign-in. You can store a boolean like mfaEnabled on the user and handle a second step in a custom credentials flow. For SaaS admin panels, 2FA dramatically reduces account takeover risk.

Testing and Verification

  • Unit checks: mock auth() in server actions and verify unauthorized requests throw or return 401.
  • Integration: run the app, click Sign in, and complete OAuth. Confirm new user rows exist if using a DB.
  • Middleware: visit /dashboard while logged out. You should be redirected to /login with a callbackUrl. After sign-in, you should land on the original page.
  • Role paths: ensure non-admin users receive 403 for /admin. Test both with direct URL entry and navigation.
  • Cookie integrity: open browser devtools and check for __Secure- cookie flags in production.

Screenshot description: a dashboard screen with the user's avatar in the header, a greeting message, and a visible Sign out button. An unauthorized user sees a sign-in CTA. This simple visual check confirms UI state is wired to session data correctly.

Performance note: with JWT strategy and App Router, auth checks are lightweight. Cache public pages aggressively and keep private data on the server. EliteSaas uses this split to deliver fast TTI without compromising security.

Common Issues and Troubleshooting

  • Invalid NEXTAUTH_URL: sessions fail or callbacks break. Ensure NEXTAUTH_URL matches your deployed domain including protocol.
  • Missing NEXTAUTH_SECRET: NextAuth refuses to start or rotates cookies unexpectedly. Set a stable, long secret in all environments.
  • OAuth callback mismatch: configure the provider's callback URL exactly, for example https://yourdomain.com/api/auth/callback/github.
  • Session not available in Server Components: import and use auth() from next-auth in the component file. Do not use useSession() server-side.
  • Credentials login always fails: verify password hashing and comparison. Ensure passwordHash exists and bcrypt rounds match. Seed at least one user for testing.
  • Flash of Logged-Out Content: wrap your layout with SessionProvider and gate client components based on status. Consider skeletons to avoid abrupt changes.
  • CSRF errors on custom forms: use NextAuth's sign-in methods or include the CSRF token from /api/auth/csrf when posting to credentials endpoints.
  • Edge vs Node runtimes: some providers or crypto operations require Node runtime. Set export const runtime = "nodejs" in route handlers that need Node APIs.

Conclusion

You set up modern Next.js auth that is secure, scalable, and flexible: OAuth with NextAuth, credentials fallback, middleware gating, session-aware UI, and server-side authorization. This foundation scales from MVP to production without major rewrites. If you are shipping a SaaS, plan pricing experiments and activation flows alongside auth. See SaaS Pricing Strategies: A Complete Guide for ideas on trials, freemium, and usage tiers. For rapid iteration, revisit How to Build Your MVP in Record Time and keep your scope tight.

Adopt these patterns across your app for consistent security. Teams using EliteSaas can apply the same middleware, server checks, and role claims to modules like billing, teams, and admin. With auth solved, you can focus on shipping features that delight users.

FAQ

Which auth strategy should I pick for a new Next.js app?

Start with NextAuth plus OAuth and passwordless email. It is fast to implement, reduces support, and is secure by default. Add credentials only if you need it. If you prefer fully managed auth, a provider like Auth0 works well. Templates like EliteSaas default to NextAuth for speed and flexibility.

How do I protect API routes and server actions?

Always call const session = await auth() inside the handler or action. If !session, return 401 or throw. Do not rely on client checks alone. For admin actions, also verify session.user.role.

Can I use the Edge runtime with NextAuth?

Yes, but confirm your providers and crypto functions support Edge. If something requires Node-only APIs, mark that handler with export const runtime = "nodejs". Keep your high-traffic public pages edge-cached and route private logic to Node where needed.

How do I persist roles and permissions?

Store roles in your user table, inject into the JWT in the jwt callback, and map it onto session.user in the session callback. Enforce roles in middleware and on the server at each sensitive boundary.

What about rate limiting and brute force protection?

Add rate limits to credential sign-in and password reset endpoints. Store failed attempts and apply temporary lockouts. Use bot protection on forms. OAuth and magic links reduce brute force risk by removing password entry. This is part of the security posture recommended in EliteSaas projects.

Related Articles

Top SaaS Fundamentals Ideas for E-Commerce

SaaS fundamentals help e-commerce brands control rising customer acquisition costs, plug costly cart abandonment gaps, and keep inventory in sync across sale...

Top Pricing Strategies Ideas for SaaS

Pricing can make or break a SaaS business when markets are crowded, sales cycles are long, and churn is stubborn. The right strategy aligns value with how cu...

Top SaaS Fundamentals Ideas for AI & Machine Learning

Building AI SaaS products requires more than wrapping a model with an endpoint. Teams must balance model accuracy with compute costs, while shipping fast in ...

Ready to get started?

Start building your SaaS with EliteSaas today.

Get Started Free