index

Experimental

@auth/core is under active development.

This is the main entry point to the Auth.js library.

Based on the Request and Response Web standard APIs. Primarily used to implement framework-specific packages, but it can also be used directly.

Installation

npm

npm install @auth/core

yarn

yarn add @auth/core

pnpm

pnpm add @auth/core

Usage

import { Auth } from "@auth/core"

const request = new Request("https://example.com")
const response = await Auth(request, {...})

console.log(response instanceof Response) // true

Resources

• Getting started
• Most common use case guides

Auth()

Auth(request, config): Promise< Response >

Core functionality provided by Auth.js.

Receives a standard Request and returns a Response.

Example

import Auth from "@auth/core"

const request = new Request("https://example.com")
const response = await AuthHandler(request, {
  providers: [...],
  secret: "...",
  trustHost: true,
})

See

Documentation

Parameters

Parameter	Type
request	Request
config	AuthConfig

Returns

Promise< Response >

---

AuthConfig

Configure the Auth method.

Example

import Auth, { type AuthConfig } from "@auth/core"

export const authConfig: AuthConfig = {...}

const request = new Request("https://example.com")
const response = await AuthHandler(request, authConfig)

See

Initialization

Properties

providers

providers: Provider< any >[]

List of authentication providers for signing in (e.g. Google, Facebook, Twitter, GitHub, Email, etc) in any order. This can be one of the built-in providers or an object with a custom provider.

Default

;[]

---

adapter

optional adapter: Adapter

You can use the adapter option to pass in your database adapter.

---

callbacks

optional callbacks: Partial< CallbacksOptions< Profile, Account > >

Callbacks are asynchronous functions you can use to control what happens when an action is performed. Callbacks are extremely powerful, especially in scenarios involving JSON Web Tokens as they allow you to implement access controls without a database and to integrate with external databases or APIs.

---

cookies

optional cookies: Partial< CookiesOptions >

You can override the default cookie names and options for any of the cookies used by NextAuth.js. You can specify one or more cookies with custom properties, but if you specify custom options for a cookie you must provide all the options for that cookie. If you use this feature, you will likely want to create conditional behavior to support setting different cookies policies in development and production builds, as you will be opting out of the built-in dynamic policy.

• ⚠ This is an advanced option. Advanced options are passed the same way as basic options, but may have complex implications or side effects. You should try to avoid using advanced options unless you are very comfortable using them.

Default

{
}

---

debug

optional debug: boolean

Set debug to true to enable debug messages for authentication and database operations.

• ⚠ If you added a custom logger, this setting is ignored.

Default

false

---

events

optional events: Partial< EventCallbacks >

Events are asynchronous functions that do not return a response, they are useful for audit logging. You can specify a handler for any of these events below - e.g. for debugging or to create an audit log. The content of the message object varies depending on the flow (e.g. OAuth or Email authentication flow, JWT or database sessions, etc), but typically contains a user object and/or contents of the JSON Web Token and other information relevant to the event.

Default

{
}

---

jwt

optional jwt: Partial< JWTOptions >

JSON Web Tokens are enabled by default if you have not specified an adapter. JSON Web Tokens are encrypted (JWE) by default. We recommend you keep this behaviour.

---

logger

optional logger: Partial< LoggerInstance >

Override any of the logger levels (undefined levels will use the built-in logger), and intercept logs in NextAuth. You can use this option to send NextAuth logs to a third-party logging service.

Example

// /pages/api/auth/[...nextauth].js
import log from "logging-service"
export default NextAuth({
  logger: {
    error(code, ...message) {
      log.error(code, message)
    },
    warn(code, ...message) {
      log.warn(code, message)
    },
    debug(code, ...message) {
      log.debug(code, message)
    }
  }
})

• ⚠ When set, the debug option is ignored

Default

console

---

pages

optional pages: Partial< PagesOptions >

Specify URLs to be used if you want to create custom sign in, sign out and error pages. Pages specified will override the corresponding built-in page.

Default

{
}

Example

  pages: {
    signIn: '/auth/signin',
    signOut: '/auth/signout',
    error: '/auth/error',
    verifyRequest: '/auth/verify-request',
    newUser: '/auth/new-user'
  }

---

redirectProxyUrl

optional redirectProxyUrl: string

When set, during an OAuth sign-in flow, the redirect_uri of the authorization request will be set based on this value.

This is useful if your OAuth Provider only supports a single redirect_uri or you want to use OAuth on preview URLs (like Vercel), where you don't know the final deployment URL beforehand.

The url needs to include the full path up to where Auth.js is initialized.

Note

This will auto-enable the state OAuth2Config.checks on the provider.

Example

"https://authjs.example.com/api/auth"

You can also override this individually for each provider.

Example

GitHub({
  ...
  redirectProxyUrl: "https://github.example.com/api/auth"
})

Default

AUTH_REDIRECT_PROXY_URL environment variable

See also: Guide: Securing a Preview Deployment

---

secret

optional secret: string

A random string used to hash tokens, sign cookies and generate cryptographic keys. If not specified, it falls back to AUTH_SECRET or NEXTAUTH_SECRET from environment variables. To generate a random string, you can use the following command:

• On Unix systems, type openssl rand -hex 32 in the terminal
• Or generate one online

---

session

optional session: object

Configure your session like if you want to use JWT or a database, how long until an idle session expires, or to throttle write operations in case you are using a database.

Type declaration

session.generateSessionToken

optional generateSessionToken: () => string

Generate a custom session token for database-based sessions. By default, a random UUID or string is generated depending on the Node.js version. However, you can specify your own custom string (such as CUID) to be used.

Default

randomUUID or randomBytes.toHex depending on the Node.js version

Returns

string

session.maxAge

optional maxAge: number

Relative time from now in seconds when to expire the session

Default

2592000 // 30 days

session.strategy

optional strategy: "jwt" | "database"

Choose how you want to save the user session. The default is "jwt", an encrypted JWT (JWE) in the session cookie.

If you use an adapter however, we default it to "database" instead. You can still force a JWT session by explicitly defining "jwt".

When using "database", the session cookie will only contain a sessionToken value, which is used to look up the session in the database.

Documentation | Adapter | About JSON Web Tokens

session.updateAge

optional updateAge: number

How often the session should be updated in seconds. If set to 0, session is updated every time.

Default

86400 // 1 day

---

theme

optional theme: Theme

Changes the theme of built-in pages.

---

trustHost

optional trustHost: boolean

Todo

---

useSecureCookies

optional useSecureCookies: boolean

When set to true then all cookies set by NextAuth.js will only be accessible from HTTPS URLs. This option defaults to false on URLs that start with http:// (e.g. http://localhost:3000) for developer convenience. You can manually set this option to false to disable this security feature and allow cookies to be accessible from non-secured URLs (this is not recommended).

• ⚠ This is an advanced option. Advanced options are passed the same way as basic options, but may have complex implications or side effects. You should try to avoid using advanced options unless you are very comfortable using them.

The default is false HTTP and true for HTTPS sites.

---

raw

const raw: typeof raw

danger

This option is intended for framework authors.

Auth.js returns a web standard Response by default, but if you are implementing a framework you might want to get access to the raw internal response by passing this value to AuthConfig.raw.

---

skipCSRFCheck

const skipCSRFCheck: typeof skipCSRFCheck

danger

This option is intended for framework authors.

Auth.js comes with built-in CSRF protection, but if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by passing this value to AuthConfig.skipCSRFCheck.