Add or maintain Auth.js authentication in a Next.js app with next-auth, auth.ts, route handlers, providers, sessions, adapters, protected resources, proxy or middleware behavior, deployment configuration, and migration review.
The download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows., Auth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app., Do not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values., Authentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics., Proxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks., Provider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path., Edge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths., Test OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.
Privacy notes
Auth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads., Auth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers., Use synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting., Avoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues., Review Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.
8 safety and 5 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access, third-party handling.
4 areas
SafetyNetwork accessThe download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
SafetyGeneralAuth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app.
SafetyCredentials & tokensAuthentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics.
SafetyCredentials & tokensProxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks.
SafetyCredentials & tokensProvider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path.
SafetyThird-party handlingEdge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths.
SafetyCredentials & tokensTest OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.
PrivacyCredentials & tokensAuth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads.
PrivacyCredentials & tokensAuth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers.
PrivacyThird-party handlingUse synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting.
PrivacyCredentials & tokensAvoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues.
PrivacyThird-party handlingReview Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.
Safety notes
The download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Auth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app.
Do not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values.
Authentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics.
Proxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks.
Provider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path.
Edge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths.
Test OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.
Privacy notes
Auth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads.
Auth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers.
Use synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting.
Avoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues.
Review Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.
Prerequisites
Next.js application with known App Router or Pages Router usage, package manager, deployment provider, and runtime targets.
Decision that Auth.js or NextAuth.js is the right fit for this app, especially when maintaining an existing install or requiring Auth.js-specific session behavior.
Adapter and database plan if persistent users, accounts, sessions, verification tokens, or WebAuthn/passkey data are required.
Route protection plan for pages, route handlers, server components, API routes, proxy or middleware, and resource-level authorization close to data access.
# Trigger
"Apply the Auth.js Next.js authentication skill to this app."
# Required output
1) Current Next.js, Auth.js/NextAuth, provider, adapter, and session inventory
2) auth.ts, route handler, provider, session, and protection plan
3) OAuth callback, cookie, proxy/middleware, adapter, and deployment checklist
4) Safety, privacy, migration, secret, and rollback notes
About this resource
Knowledge Freshness
This skill is based on the Auth.js homepage, Next.js installation guide,
session login guide, protecting resources guide, deployment guide, edge
compatibility guide, and nextauthjs/next-auth repository reviewed on
2026-06-04. The current Auth.js docs show the Next.js package as
next-auth@beta, recommend an auth.ts file that exports handlers,
signIn, signOut, and auth, and document route handlers, session access,
protected resources, provider setup, deployment environment variables, and edge
compatibility considerations.
The official project now states that Auth.js is part of Better Auth and that
many new projects should consider Better Auth first. Keep that source fact in
the recommendation instead of treating Auth.js and Better Auth as identical
choices.
Prefer the live Auth.js docs and official repository over model memory for
package names, provider APIs, route-handler exports, proxy or middleware
guidance, adapter behavior, environment variables, deployment behavior, and
migration guidance.
Scope Note
Use this skill for Auth.js or NextAuth.js work in Next.js applications,
especially existing apps, v4-to-v5 migration planning, provider additions,
adapter review, session strategy changes, and resource-protection audits. It is
not a generic authentication comparison, not a Clerk integration, and not a
Better Auth setup guide.
Confirm why Auth.js or NextAuth.js is being used. For greenfield work,
explicitly compare the official Auth.js guidance about Better Auth before
proceeding.
Identify the installed package and migration state: legacy next-auth v4,
Auth.js v5 beta, mixed docs, Pages Router examples, App Router examples, or
an adapter/provider upgrade.
Add or update the framework package with the project package manager. For
current Auth.js Next.js docs, review next-auth@beta before applying it.
Create or update auth.ts in the chosen project location. Export the route
handlers, auth, and sign-in/sign-out helpers needed by the app.
Wire app/api/auth/[...nextauth]/route.ts or the equivalent route handler
to the exported handlers without duplicating provider configuration.
Add AUTH_SECRET and provider secrets through local and deployment
environment configuration. Never place them in client bundles, examples, or
repository files.
Choose session behavior. Document database sessions versus JWT sessions,
callback customization, refresh behavior, expiration, logout/reset behavior,
tenant or organization claims, and what must never be stored in the session.
If an adapter is used, review schema ownership, migrations, database
connectivity, transaction behavior, indexes, user/account/session tables,
and production backup/rollback path.
Protect resources at the right layer. Use auth() in server components,
route handlers, server actions, loaders, and data access paths instead of
relying only on navigation guards.
Review proxy or middleware protection separately. Matchers should avoid
static assets and public auth routes, and authorization should still be
checked near sensitive data reads and writes.
Check runtime compatibility before using edge, proxy, middleware, adapter,
provider SDK, crypto, or database code in constrained runtimes.
Produce a validation plan covering sign-in, sign-out, callback URLs,
session reads, protected routes, unauthorized requests, adapter writes,
preview deployments, secret rotation, and rollback.
Current Auth.js or NextAuth.js version, package name, config location, route
handlers, provider list, adapter, and migration state.
OAuth provider dashboard settings, allowed callbacks, local URLs, preview
URLs, production domains, scopes, and ownership.
Session strategy, callback requirements, token lifetime, cookie behavior,
logout behavior, and tenant or role claims.
Database or adapter plan, migrations, backup/rollback path, and production
access model if persistent auth data is stored.
Route inventory covering public pages, authenticated pages, admin pages, API
routes, server actions, webhooks, background jobs, and data access paths.
Security and privacy requirements for user identity data, provider tokens,
logs, prompts, retention, and access control.
Production Rules
Never ship Auth.js changes without validating every provider callback URL in
local, preview, staging, and production. One wrong URL can break login or
send users through the wrong OAuth application.
Keep AUTH_SECRET, OAuth secrets, adapter credentials, SMTP credentials,
refresh tokens, cookies, session tokens, and dashboard exports out of source
control and prompts.
Do not store raw access tokens, refresh tokens, unnecessary profile payloads,
permissions, customer data, or provider responses in client-visible sessions.
Treat callbacks as security-sensitive code. Review authorized, JWT,
session, sign-in, redirect, and account-linking callbacks for denial cases,
tenant boundaries, and confused identity behavior.
Protect sensitive reads and writes close to the data access layer. Proxy or
middleware redirects are useful, but they are not enough for authorization.
Review adapter schema changes before applying them in production. Auth tables
often hold the records needed for account recovery and incident response.
Keep examples synthetic. Do not paste production session objects, provider
payloads, cookies, database rows, email addresses, or dashboard screenshots
into public issues or AI prompts.
Include a lockout recovery plan before rotating secrets, changing provider
IDs, moving domains, switching session strategy, or changing adapters.
Compatibility
Native
Claude Code / Claude: use as a reusable Agent Skill for adding,
migrating, reviewing, and operating Auth.js or NextAuth.js in Next.js apps.
Codex/OpenAI workflows: use as SKILL.md-style instructions when editing
Next.js codebases that touch auth.ts, route handlers, providers, sessions,
adapters, proxy or middleware, and deployment auth configuration.
Manual Adaptation
Cursor, Windsurf, Gemini, and Generic AGENTS files: adapt the trigger,
workflow, safety notes, privacy notes, and output contract into repository
rules for Auth.js and NextAuth.js maintenance.
Output Contract
Source evidence: Auth.js docs and repository URLs reviewed, with date.
Issue: OAuth login redirects to the wrong environment
Fix: Compare the provider dashboard callback URLs, AUTH_URL or inferred
host behavior, deployment preview URL policy, reverse proxy headers, and the
domain used by the browser during the callback.
Issue: Session exists in one route but not another
Fix: Check whether the route uses App Router or Pages Router, whether
auth() is imported from the shared auth.ts, whether cookies are scoped to
the current domain, and whether server/client session access is mixed.
Issue: Protected pages are visible after adding proxy or middleware
Fix: Review matcher patterns, static asset exclusions, public auth routes,
and the authorized callback. Add server-side checks near the protected data
read instead of relying only on redirects.
Issue: Edge or proxy code fails after adding an adapter
Fix: Review Auth.js edge compatibility guidance, database client runtime
support, provider SDK dependencies, Node.js APIs, crypto usage, and whether the
auth path must run in a Node.js runtime instead.
Issue: Users get linked to the wrong account
Fix: Audit provider IDs, email verification behavior, account-linking
callbacks, sign-in callbacks, adapter rows, tenant claims, and any custom
profile mapping before allowing account merge or login.
Duplicate And Source Review
Current HeyClaude content includes dedicated Better Auth and Clerk Next.js
skills, plus generic examples that mention NextAuth/Auth.js inside broader
agents and tRPC workflows. There is no dedicated Auth.js, NextAuth.js,
nextauthjs/next-auth, next-auth@beta, or Auth.js Next.js content entry.
This skill is scoped to Auth.js/NextAuth.js installation, maintenance,
providers, sessions, adapters, protected resources, deployment behavior, edge
compatibility, and migration review, with an explicit note that Better Auth is a
separate existing skill and the current Auth.js docs should guide greenfield
decisions.
Editorial Disclosure
This is a source-backed community content entry submitted by oktofeesh1.
There is no paid placement, affiliate link, sponsorship, or maintainer-verified
package artifact attached to this listing.
Show that Auth.js Next.js Authentication Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/authjs-nextjs-authentication)
How it compares
Auth.js Next.js Authentication Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
Add or maintain Auth.js authentication in a Next.js app with next-auth, auth.ts, route handlers, providers, sessions, adapters, protected resources, proxy or middleware behavior, deployment configuration, and migration review.
Add Better Auth to a Next.js App Router project with API route handlers, database-backed sessions, client helpers, protected route checks, and production auth safety review.
Add Clerk authentication to a Next.js App Router project with middleware, route protection, session-aware UI, environment hygiene, and production auth safety checks.
✓The download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Auth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app.
Do not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values.
Authentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics.
Proxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks.
Provider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path.
Edge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths.
Test OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.
✓The download URL is Better Auth's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Do not commit Better Auth secrets, OAuth provider secrets, database URLs, email-provider credentials, API-key plugin secrets, or copied dashboard values.
Run schema generation or migrations only against the intended database environment; auth tables, sessions, accounts, and verification records are production-critical.
Treat route protection as server-side authorization work. UI hiding, optimistic middleware redirects, or cookie existence checks are not full access control.
Review `proxy.ts` or `middleware.ts` behavior by Next.js version before relying on database-backed session checks inside request middleware.
Keep OAuth callback URLs, base URLs, trusted origins, and cookie settings environment-specific to avoid broken login loops or cross-environment session confusion.
Track Better Auth release notes and security advisories before introducing auth flows or enabling advanced plugins in production.
Add rollback steps before replacing an existing auth provider because user, account, session, and verification tables can affect active logins.
✓The download URL is Clerk's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Clerk middleware does not protect routes by default; require an explicit protected-route matcher before assuming a page, API route, or tRPC endpoint is private.
Do not commit `CLERK_SECRET_KEY`, webhook signing secrets, OAuth provider secrets, or copied dashboard values to source control, issue comments, screenshots, or chat transcripts.
Review middleware matchers carefully. A broad matcher can affect static assets and public routes, while a narrow matcher can leave sensitive routes unauthenticated.
Treat organization roles, custom permissions, and metadata checks as authorization logic that needs tests, not just UI hiding.
Webhook handlers can mutate user, membership, subscription, and organization state. Make handlers idempotent and verify signatures before processing events.
Confirm production domains and redirect URLs before deploy; wrong origins can break sign-in, leak users into the wrong environment, or create confusing callback loops.
✓The download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
`convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first.
Treat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation.
Do not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values.
Keep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs.
Review generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets.
When actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
Privacy notes
✓Auth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads.
Auth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers.
Use synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting.
Avoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues.
Review Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.
✓Better Auth handles user identity, email addresses, password-auth state, OAuth profile data, sessions, cookies, accounts, verification tokens, and plugin-specific user data.
Application logs, error trackers, request traces, AI prompts, and screenshots can retain user IDs, emails, callback URLs, cookies, session state, or OAuth provider details.
Use synthetic users and test OAuth applications for examples, demos, issue reports, screenshots, and AI-assisted troubleshooting.
If organization, API key, two-factor, passkey, or SSO plugins are enabled, treat membership, roles, credentials, and device metadata as sensitive authorization data.
Review Better Auth, database, deployment-provider, analytics, email-provider, and AI-assistant retention policies before using real customer identity data.
✓Clerk processes user identity, email addresses, sessions, cookies, authentication factors, OAuth profile data, organization membership, and optional user metadata.
Application logs, error reports, webhook payloads, request traces, and AI chat transcripts can retain user IDs, email addresses, session state, redirect URLs, or organization names.
Keep public examples synthetic. Do not paste real Clerk keys, dashboard screenshots, webhook payloads, user records, or organization metadata into prompts or PRs.
Review Clerk, deployment-provider, analytics, and AI-assistant retention policies before using real customer identity data in troubleshooting sessions.
If custom metadata stores roles, billing flags, internal account IDs, or entitlement data, treat it as sensitive authorization data and avoid exposing it client-side unless intended.
✓Convex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs.
Client queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records.
Use synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting.
Review Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data.
If Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
Prerequisites
Next.js application with known App Router or Pages Router usage, package manager, deployment provider, and runtime targets.
Decision that Auth.js or NextAuth.js is the right fit for this app, especially when maintaining an existing install or requiring Auth.js-specific session behavior.