Next.js SDK for signing in with Auth0
Installations
npm install @auth0/nextjs-auth0
Developer Guide
Typescript
No
Module System
ESM
Node Version
22.13.1
NPM Version
10.9.2
Score
69.2
Supply Chain
83
Quality
97
Maintenance
100
Vulnerability
92.3
License
Releases
Contributors
Languages
TypeScript (98.92%)
JavaScript (0.84%)
CSS (0.24%)
Developer
auth0
Download Statistics
Total Downloads
39,473,173
Last Day
48,823
Last Week
248,631
Last Month
1,048,197
Last Year
10,130,630
GitHub Statistics
MIT License
2,126 Stars
1,848 Commits
410 Forks
30 Watchers
62 Branches
97 Contributors
Updated on Feb 27, 2025
Package Meta Information
Latest Version
4.0.2
Package Id
@auth0/nextjs-auth0@4.0.2
Unpacked Size
337.04 kB
Size
43.38 kB
File Count
60
NPM Version
10.9.2
Node Version
22.13.1
Published on
Feb 19, 2025
Cumulative downloads: 39,473,173
Last Day: 48,823 (+0.6% compared to previous day)
Last Week: 248,631 (+6.3% compared to previous week)
Last Month: 1,048,197 (+34.1% compared to previous month)
Last Year: 10,130,630 (-6.2% compared to previous year)
Dependencies
5
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.
📚 Documentation - 🚀 Getting Started - 💻 API Reference - 💬 Feedback
Documentation
- QuickStart - our guide for adding Auth0 to your Next.js app.
- Examples - lots of examples for your different use cases.
- Security - Some important security notices that you should check.
- Docs Site - explore our docs site and learn more about Auth0.
Getting Started
1. Install the SDK
```sh
npm i @auth0/nextjs-auth0
```
This library requires Node.js 20 LTS and newer LTS versions.
2. Add the environment variables
Add the following environment variables to your .env.local file:
```sh
AUTH0_DOMAIN=
AUTH0_CLIENT_ID=
AUTH0_CLIENT_SECRET=
AUTH0_SECRET=
APP_BASE_URL=
```
The AUTH0_DOMAIN, AUTH0_CLIENT_ID, and AUTH0_CLIENT_SECRET can be obtained from the Auth0 Dashboard once you've created an application. This application must be a Regular Web Application.
The AUTH0_SECRET is the key used to encrypt the session and transaction cookies. You can generate a secret using openssl:
```sh
openssl rand -hex 32
```
The APP_BASE_URL is the URL that your application is running on. When developing locally, this is most commonly http://localhost:3000.
[!IMPORTANT]
You will need to register the following URLs in your Auth0 Application via the Auth0 Dashboard:
- Add http://localhost:3000/auth/callback to the list of Allowed Callback URLs
- Add http://localhost:3000 to the list of Allowed Logout URLs
3. Create the Auth0 SDK client
Create an instance of the Auth0 client. This instance will be imported and used anywhere we need access to the authentication methods on the server.
Add the following contents to a file named lib/auth0.ts:
```ts
import { Auth0Client } from "@auth0/nextjs-auth0/server"

export const auth0 = new Auth0Client()
```
4. Add the authentication middleware
Create a middleware.ts file in the root of your project's directory:
```ts
import type { NextRequest } from "next/server"

import { auth0 } from "./lib/auth0"

export async function middleware(request: NextRequest) {
  return await auth0.middleware(request)
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico, sitemap.xml, robots.txt (metadata files)
     */
    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
  ],
}
```
[!NOTE]
If you're using a src/ directory, the middleware.ts file must be created inside the src/ directory.
You can now begin to authenticate your users by redirecting them to your application's /auth/login route:
```tsx
import { auth0 } from "@/lib/auth0"

export default async function Home() {
  const session = await auth0.getSession()

  if (!session) {
    return (
      <main>
        <a href="/auth/login?screen_hint=signup">Sign up</a>
        <a href="/auth/login">Log in</a>
      </main>
    )
  }

  return (
    <main>
      <h1>Welcome, {session.user.name}!</h1>
    </main>
  )
}
```
[!IMPORTANT]
You must use <a> tags instead of the <Link> component to ensure that the routing is not done client-side, as that may result in some unexpected behavior.
Customizing the client
You can customize the client by using the options below:
Option | Type | Description |
---|---|---|
domain | string | The Auth0 domain for the tenant (e.g.: example.us.auth0.com or https://example.us.auth0.com ). If it's not specified, it will be loaded from the AUTH0_DOMAIN environment variable. |
clientId | string | The Auth0 client ID. If it's not specified, it will be loaded from the AUTH0_CLIENT_ID environment variable. |
clientSecret | string | The Auth0 client secret. If it's not specified, it will be loaded from the AUTH0_CLIENT_SECRET environment variable. |
authorizationParameters | AuthorizationParameters | The authorization parameters to pass to the /authorize endpoint. See Passing authorization parameters for more details. |
clientAssertionSigningKey | string or CryptoKey | Private key for use with private_key_jwt clients. This can also be specified via the AUTH0_CLIENT_ASSERTION_SIGNING_KEY environment variable. |
clientAssertionSigningAlg | string | The algorithm used to sign the client assertion JWT. This can also be provided via the AUTH0_CLIENT_ASSERTION_SIGNING_ALG environment variable. |
appBaseUrl | string | The URL of your application (e.g.: http://localhost:3000 ). If it's not specified, it will be loaded from the APP_BASE_URL environment variable. |
secret | string | A 32-byte, hex-encoded secret used for encrypting cookies. If it's not specified, it will be loaded from the AUTH0_SECRET environment variable. |
signInReturnToPath | string | The path to redirect the user to after successfully authenticating. Defaults to / . |
session | SessionConfiguration | Configure the session timeouts and whether to use rolling sessions or not. See Session configuration for additional details. |
beforeSessionSaved | BeforeSessionSavedHook | A method to manipulate the session before persisting it. See beforeSessionSaved for additional details. |
onCallback | OnCallbackHook | A method to handle errors or manage redirects after attempting to authenticate. See onCallback for additional details. |
sessionStore | SessionStore | A custom session store implementation used to persist sessions to a data store. See Database sessions for additional details. |
pushedAuthorizationRequests | boolean | Configure the SDK to use the Pushed Authorization Requests (PAR) protocol when communicating with the authorization server. |
routes | Routes | Configure the paths for the authentication routes. See Custom routes for additional details. |
allowInsecureRequests | boolean | Allow insecure requests to be made to the authorization server. This can be useful when testing locally with a mock OIDC provider that does not support TLS. This option can only be used when NODE_ENV is not set to production . |
httpTimeout | number | Integer value for the HTTP timeout in milliseconds for authentication requests. Defaults to 5000 milliseconds. |
enableTelemetry | boolean | Set to false to opt out of sending the library name and version to your authorization server via the Auth0-Client header. Defaults to true . |
Routes
The SDK mounts 6 routes:
- /auth/login: the login route that the user will be redirected to in order to initiate an authentication transaction
- /auth/logout: the logout route that must be added to your Auth0 application's Allowed Logout URLs
- /auth/callback: the callback route that must be added to your Auth0 application's Allowed Callback URLs
- /auth/profile: the route to check the user's session and return their attributes
- /auth/access-token: the route to check the user's session and return an access token (which will be automatically refreshed if a refresh token is available)
- /auth/backchannel-logout: the route that will receive a logout_token when a configured Back-Channel Logout initiator occurs
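Added example (not code from the SDK or its README): a startup check that ties the environment variables from Getting Started to the default routes listed above. It verifies that AUTH0_SECRET has the 32-byte hex shape that `openssl rand -hex 32` produces, parses APP_BASE_URL, and derives the /auth/callback URL and the base URL that must be present in the application's Allowed Callback URLs and Allowed Logout URLs. The function name checkAuth0Env and the warning about plain http on a non-local host are this example's own choices, not SDK behaviour.

```typescript
// Added example, not code from the SDK: a startup check for the values the
// Getting Started steps ask for. It validates the AUTH0_SECRET format, parses
// APP_BASE_URL, and derives the URLs that the README says must be registered
// as Allowed Callback / Allowed Logout URLs, using the SDK's default routes.

export interface Auth0Env {
  AUTH0_DOMAIN?: string
  AUTH0_CLIENT_ID?: string
  AUTH0_CLIENT_SECRET?: string
  AUTH0_SECRET?: string
  APP_BASE_URL?: string
}

export interface CheckResult {
  errors: string[]
  warnings: string[]
  allowedCallbackUrl?: string // add to Allowed Callback URLs
  allowedLogoutUrl?: string // add to Allowed Logout URLs
}

export function checkAuth0Env(env: Auth0Env): CheckResult {
  const result: CheckResult = { errors: [], warnings: [] }
  const required: (keyof Auth0Env)[] = [
    "AUTH0_DOMAIN", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET", "AUTH0_SECRET", "APP_BASE_URL",
  ]
  for (const name of required) {
    if (!env[name]) result.errors.push(`${name} is not set`)
  }
  // The cookie key is "a 32-byte, hex-encoded secret", i.e. the 64 hex characters
  // that `openssl rand -hex 32` prints. Shorter or non-hex values are still
  // strings, so only an explicit check catches a weak or mistyped secret.
  if (env.AUTH0_SECRET && !/^[0-9a-f]{64}$/i.test(env.AUTH0_SECRET)) {
    result.errors.push("AUTH0_SECRET must be 64 hex characters (32 random bytes)")
  }
  if (env.APP_BASE_URL) {
    let base: URL | undefined
    try { base = new URL(env.APP_BASE_URL) } catch { base = undefined }
    if (!base || (base.protocol !== "http:" && base.protocol !== "https:")) {
      result.errors.push("APP_BASE_URL must be an absolute http(s) URL")
    } else {
      // Assumption of this example (not an SDK rule): plain http is only expected
      // during local development, so warn when it is used for any other host.
      const local = base.hostname === "localhost" || base.hostname === "127.0.0.1"
      if (base.protocol === "http:" && !local) {
        result.warnings.push("APP_BASE_URL uses http for a non-local host")
      }
      // Default routes: /auth/callback receives the authorization response, and
      // after /auth/logout the user returns to the base URL (the README registers the origin).
      result.allowedCallbackUrl = new URL("/auth/callback", base).toString()
      result.allowedLogoutUrl = base.origin
    }
  }
  return result
}
```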
Feedback
Contributing
We appreciate feedback and contribution to this repo! Before you get started, please read the following:
- Auth0's general contribution guidelines
- Auth0's code of conduct guidelines
- This repo's contribution guide
Raise an issue
To provide feedback or report a bug, please raise an issue on our issue tracker.
Vulnerability Reporting
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
What is Auth0?
Auth0 is an easy-to-implement, adaptable authentication and authorization platform. To learn more, check out Why Auth0?
This project is licensed under the MIT license. See the LICENSE file for more info.
Stable Version
4.0.2
High (1), 8/10
Summary: Reflected XSS from the callback handler's error query parameter
Affected Versions: < 1.4.2
Patched Versions: 1.4.2
Moderate (1), 6.4/10
Summary: Open redirect in @auth0/nextjs-auth0
Affected Versions: < 1.6.2
Patched Versions: 1.6.2
Reason: all changesets reviewed
Reason: security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason: 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason: no binaries found in the repo
Reason: no dangerous workflow patterns detected
Reason: license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason: SAST tool detected
Details
- Info: SAST configuration detected: CodeQL
- Info: SAST configuration detected: Snyk
- Info: all commits (30) are checked with a SAST tool
Reason: branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Info: 'stale review dismissal' is required to merge on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Info: codeowner review is required on branch 'main'
- Info: 'last push approval' is required to merge on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason: 5 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-7m27-7ghc-44w9
- Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
Reason: dependency not pinned by hash detected -- score normalized to 1
Details
- Info: 0 out of 21 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 7 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason: no effort to earn an OpenSSF best practices badge detected
Reason: detected GitHub workflow tokens with excessive permissions
Details
- Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:17
- Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:18
- Warn: no topLevel permission defined: .github/workflows/npm-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/playwright.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:10
- Warn: no topLevel permission defined: .github/workflows/rl-secure.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/semgrep.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/snyk.yml:17
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:12
- Info: no jobLevel write permissions found
Reason: project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score: 6.9/10
Last Scanned on 2025-02-24
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.