Skip to main content
skillsSource-backed

Auth.js Next.js Authentication Skill

Add or maintain Auth.js authentication in a Next.js app with next-auth, auth.ts, route handlers, providers, sessions, adapters, protected resources, proxy or middleware behavior, deployment configuration, and migration review.

Level:advancedType:generalVerified:validated
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://authjs.dev/getting-started/installation?framework=next-js, https://github.com/nextauthjs/next-auth, https://authjs.dev/
Safety notes
The download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows., Auth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app., Do not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values., Authentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics., Proxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks., Provider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path., Edge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths., Test OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.
Privacy notes
Auth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads., Auth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers., Use synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting., Avoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues., Review Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.
Platform compatibility
claude-code (native-skill), codex (native-skill), windsurf (native-skill), gemini (native-skill), cursor (adapter), cli (manual-context)
Author
oktofeesh1
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

86

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Package install

Copy-ready — paste the snippet to get started.

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

7 prerequisites to line up before setup. Have accounts and credentials ready first.

0/7 ready
Account & credentials4Install & runtime2Permissions & scopes1

Safety & privacy surface

Safety & privacy surface

8 safety and 5 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access, third-party handling.

4 areas
  • SafetyNetwork accessThe download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
  • SafetyGeneralAuth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app.
  • SafetyCredentials & tokensDo not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values.
  • SafetyCredentials & tokensAuthentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics.
  • SafetyCredentials & tokensProxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks.
  • SafetyCredentials & tokensProvider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path.
  • SafetyThird-party handlingEdge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths.
  • SafetyCredentials & tokensTest OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.
  • PrivacyCredentials & tokensAuth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads.
  • PrivacyCredentials & tokensAuth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers.
  • PrivacyThird-party handlingUse synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting.
  • PrivacyCredentials & tokensAvoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues.
  • PrivacyThird-party handlingReview Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.

Safety notes

  • The download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
  • Auth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app.
  • Do not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values.
  • Authentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics.
  • Proxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks.
  • Provider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path.
  • Edge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths.
  • Test OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.

Privacy notes

  • Auth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads.
  • Auth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers.
  • Use synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting.
  • Avoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues.
  • Review Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.

Prerequisites

  • Next.js application with known App Router or Pages Router usage, package manager, deployment provider, and runtime targets.
  • Decision that Auth.js or NextAuth.js is the right fit for this app, especially when maintaining an existing install or requiring Auth.js-specific session behavior.
  • OAuth provider, credentials, callback URL, allowed redirect URL, domain, and local/preview/staging/production environment plan.
  • `AUTH_SECRET`, provider client IDs/secrets, adapter credentials, email provider credentials, and deployment secrets managed outside source control.
  • Session strategy decision covering database sessions, JWT sessions, stateless requirements, callback customization, token lifetime, and logout behavior.
  • Adapter and database plan if persistent users, accounts, sessions, verification tokens, or WebAuthn/passkey data are required.
  • Route protection plan for pages, route handlers, server components, API routes, proxy or middleware, and resource-level authorization close to data access.

Schema details

Install type
package
Reading time
8 min
Difficulty score
78
Troubleshooting
Yes
Breaking changes
No
Source repository stats
Scope
Source repo
Skill and platform metadata
Skill type
general
Skill level
advanced
Verification
validated
Verified at
2026-06-04
Retrieval sources
https://authjs.dev/https://authjs.dev/getting-started/installation?framework=next-jshttps://authjs.dev/getting-started/session-management/loginhttps://authjs.dev/getting-started/session-management/protectinghttps://authjs.dev/getting-started/deploymenthttps://authjs.dev/guides/edge-compatibilityhttps://github.com/nextauthjs/next-auth
Tested platforms
ClaudeCodexWindsurfGeminiCursorGeneric AGENTS
PlatformSupportInstall path
claude-codeNative.claude/skills/<skill-name>/SKILL.md
codexNative.agents/skills/<skill-name>/SKILL.md
windsurfNative.windsurf/skills/<skill-name>/SKILL.md
geminiNative.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursorAdapter.cursor/rules/<skill-name>.mdc
cliManualAGENTS.md or tool-specific context file
Tool listing metadata
Full copyable content
# Trigger
"Apply the Auth.js Next.js authentication skill to this app."

# Required output
1) Current Next.js, Auth.js/NextAuth, provider, adapter, and session inventory
2) auth.ts, route handler, provider, session, and protection plan
3) OAuth callback, cookie, proxy/middleware, adapter, and deployment checklist
4) Safety, privacy, migration, secret, and rollback notes

About this resource

Knowledge Freshness

This skill is based on the Auth.js homepage, Next.js installation guide, session login guide, protecting resources guide, deployment guide, edge compatibility guide, and nextauthjs/next-auth repository reviewed on 2026-06-04. The current Auth.js docs show the Next.js package as next-auth@beta, recommend an auth.ts file that exports handlers, signIn, signOut, and auth, and document route handlers, session access, protected resources, provider setup, deployment environment variables, and edge compatibility considerations.

The official project now states that Auth.js is part of Better Auth and that many new projects should consider Better Auth first. Keep that source fact in the recommendation instead of treating Auth.js and Better Auth as identical choices.

Retrieval Sources

Prefer the live Auth.js docs and official repository over model memory for package names, provider APIs, route-handler exports, proxy or middleware guidance, adapter behavior, environment variables, deployment behavior, and migration guidance.

Scope Note

Use this skill for Auth.js or NextAuth.js work in Next.js applications, especially existing apps, v4-to-v5 migration planning, provider additions, adapter review, session strategy changes, and resource-protection audits. It is not a generic authentication comparison, not a Clerk integration, and not a Better Auth setup guide.

Core Workflow

  1. Inventory the app: Next.js version, router mode, package manager, runtime targets, deployment provider, /src layout, existing auth files, provider usage, session strategy, adapter, protected routes, and environment files.
  2. Confirm why Auth.js or NextAuth.js is being used. For greenfield work, explicitly compare the official Auth.js guidance about Better Auth before proceeding.
  3. Identify the installed package and migration state: legacy next-auth v4, Auth.js v5 beta, mixed docs, Pages Router examples, App Router examples, or an adapter/provider upgrade.
  4. Add or update the framework package with the project package manager. For current Auth.js Next.js docs, review next-auth@beta before applying it.
  5. Create or update auth.ts in the chosen project location. Export the route handlers, auth, and sign-in/sign-out helpers needed by the app.
  6. Wire app/api/auth/[...nextauth]/route.ts or the equivalent route handler to the exported handlers without duplicating provider configuration.
  7. Configure providers deliberately. Review OAuth app settings, callback URLs, scopes, profile mapping, account linking, domain restrictions, local/preview URLs, and production redirect URLs.
  8. Add AUTH_SECRET and provider secrets through local and deployment environment configuration. Never place them in client bundles, examples, or repository files.
  9. Choose session behavior. Document database sessions versus JWT sessions, callback customization, refresh behavior, expiration, logout/reset behavior, tenant or organization claims, and what must never be stored in the session.
  10. If an adapter is used, review schema ownership, migrations, database connectivity, transaction behavior, indexes, user/account/session tables, and production backup/rollback path.
  11. Protect resources at the right layer. Use auth() in server components, route handlers, server actions, loaders, and data access paths instead of relying only on navigation guards.
  12. Review proxy or middleware protection separately. Matchers should avoid static assets and public auth routes, and authorization should still be checked near sensitive data reads and writes.
  13. Check runtime compatibility before using edge, proxy, middleware, adapter, provider SDK, crypto, or database code in constrained runtimes.
  14. Produce a validation plan covering sign-in, sign-out, callback URLs, session reads, protected routes, unauthorized requests, adapter writes, preview deployments, secret rotation, and rollback.

Required Inputs

  • Next.js version, router mode, package manager, deployment provider, and runtime targets.
  • Current Auth.js or NextAuth.js version, package name, config location, route handlers, provider list, adapter, and migration state.
  • OAuth provider dashboard settings, allowed callbacks, local URLs, preview URLs, production domains, scopes, and ownership.
  • Session strategy, callback requirements, token lifetime, cookie behavior, logout behavior, and tenant or role claims.
  • Database or adapter plan, migrations, backup/rollback path, and production access model if persistent auth data is stored.
  • Route inventory covering public pages, authenticated pages, admin pages, API routes, server actions, webhooks, background jobs, and data access paths.
  • Security and privacy requirements for user identity data, provider tokens, logs, prompts, retention, and access control.

Production Rules

  • Never ship Auth.js changes without validating every provider callback URL in local, preview, staging, and production. One wrong URL can break login or send users through the wrong OAuth application.
  • Keep AUTH_SECRET, OAuth secrets, adapter credentials, SMTP credentials, refresh tokens, cookies, session tokens, and dashboard exports out of source control and prompts.
  • Do not store raw access tokens, refresh tokens, unnecessary profile payloads, permissions, customer data, or provider responses in client-visible sessions.
  • Treat callbacks as security-sensitive code. Review authorized, JWT, session, sign-in, redirect, and account-linking callbacks for denial cases, tenant boundaries, and confused identity behavior.
  • Protect sensitive reads and writes close to the data access layer. Proxy or middleware redirects are useful, but they are not enough for authorization.
  • Review adapter schema changes before applying them in production. Auth tables often hold the records needed for account recovery and incident response.
  • Keep examples synthetic. Do not paste production session objects, provider payloads, cookies, database rows, email addresses, or dashboard screenshots into public issues or AI prompts.
  • Include a lockout recovery plan before rotating secrets, changing provider IDs, moving domains, switching session strategy, or changing adapters.

Compatibility

Native

  • Claude Code / Claude: use as a reusable Agent Skill for adding, migrating, reviewing, and operating Auth.js or NextAuth.js in Next.js apps.
  • Codex/OpenAI workflows: use as SKILL.md-style instructions when editing Next.js codebases that touch auth.ts, route handlers, providers, sessions, adapters, proxy or middleware, and deployment auth configuration.

Manual Adaptation

  • Cursor, Windsurf, Gemini, and Generic AGENTS files: adapt the trigger, workflow, safety notes, privacy notes, and output contract into repository rules for Auth.js and NextAuth.js maintenance.

Output Contract

  1. Source evidence: Auth.js docs and repository URLs reviewed, with date.
  2. Inventory: Next.js version, router mode, package version, auth config, providers, adapter, sessions, protected resources, runtimes, and deployment.
  3. Recommendation: continue with Auth.js, migrate within Auth.js, migrate from legacy NextAuth, or evaluate Better Auth for greenfield work.
  4. Implementation plan: package, auth.ts, route handlers, providers, callbacks, sessions, adapter, protection points, proxy or middleware, and environment variables.
  5. Safety and privacy review: secrets, cookies, provider tokens, callbacks, adapters, logs, prompts, screenshots, user records, and retention.
  6. Validation checklist: login, logout, callback URLs, session reads, unauthorized requests, protected routes, adapter writes, preview deploys, edge/runtime behavior, and rollback.

Troubleshooting

Issue: OAuth login redirects to the wrong environment

Fix: Compare the provider dashboard callback URLs, AUTH_URL or inferred host behavior, deployment preview URL policy, reverse proxy headers, and the domain used by the browser during the callback.

Issue: Session exists in one route but not another

Fix: Check whether the route uses App Router or Pages Router, whether auth() is imported from the shared auth.ts, whether cookies are scoped to the current domain, and whether server/client session access is mixed.

Issue: Protected pages are visible after adding proxy or middleware

Fix: Review matcher patterns, static asset exclusions, public auth routes, and the authorized callback. Add server-side checks near the protected data read instead of relying only on redirects.

Issue: Edge or proxy code fails after adding an adapter

Fix: Review Auth.js edge compatibility guidance, database client runtime support, provider SDK dependencies, Node.js APIs, crypto usage, and whether the auth path must run in a Node.js runtime instead.

Issue: Users get linked to the wrong account

Fix: Audit provider IDs, email verification behavior, account-linking callbacks, sign-in callbacks, adapter rows, tenant claims, and any custom profile mapping before allowing account merge or login.

Duplicate And Source Review

Current HeyClaude content includes dedicated Better Auth and Clerk Next.js skills, plus generic examples that mention NextAuth/Auth.js inside broader agents and tRPC workflows. There is no dedicated Auth.js, NextAuth.js, nextauthjs/next-auth, next-auth@beta, or Auth.js Next.js content entry. This skill is scoped to Auth.js/NextAuth.js installation, maintenance, providers, sessions, adapters, protected resources, deployment behavior, edge compatibility, and migration review, with an explicit note that Better Auth is a separate existing skill and the current Auth.js docs should guide greenfield decisions.

Editorial Disclosure

This is a source-backed community content entry submitted by oktofeesh1. There is no paid placement, affiliate link, sponsorship, or maintainer-verified package artifact attached to this listing.

Source citations

Add this badge to your README

Show that Auth.js Next.js Authentication Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/skills/authjs-nextjs-authentication.svg)](https://heyclau.de/entry/skills/authjs-nextjs-authentication)

How it compares

Auth.js Next.js Authentication Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field

Add or maintain Auth.js authentication in a Next.js app with next-auth, auth.ts, route handlers, providers, sessions, adapters, protected resources, proxy or middleware behavior, deployment configuration, and migration review.

Open dossier

Add Better Auth to a Next.js App Router project with API route handlers, database-backed sessions, client helpers, protected route checks, and production auth safety review.

Open dossier

Add Clerk authentication to a Next.js App Router project with middleware, route protection, session-aware UI, environment hygiene, and production auth safety checks.

Open dossier

Build Convex-backed Next.js App Router applications with typed backend functions, reactive queries, client providers, realtime UI, data imports, and production deployment review.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
Submitteroktofeesh1oktofeesh1oktofeesh1oktofeesh1
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
Brand
Categoryskillsskillsskillsskills
SourceSource-backedSource-backedSource-backedSource-backed
Authoroktofeesh1oktofeesh1oktofeesh1oktofeesh1
Added2026-06-042026-06-042026-06-042026-06-04
Platforms
Harness
Source repo
Safety notesThe download URL is the external `nextauthjs/next-auth` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows. Auth.js is now part of Better Auth, and the official README recommends Better Auth for many new projects. Confirm why Auth.js remains the intended choice before adding it to a greenfield app. Do not commit `AUTH_SECRET`, OAuth client secrets, adapter connection strings, email SMTP credentials, WebAuthn secrets, session tokens, cookies, or copied dashboard values. Authentication changes can alter sign-in, sign-out, callback URLs, cookie names, session lifetime, authorization behavior, provider access, and account-linking semantics. Proxy or middleware protection is not a substitute for checking authorization close to data access. Server actions, route handlers, loaders, and database queries still need session and permission checks. Provider callbacks, JWT/session callbacks, adapter customizations, and account-linking rules can create authorization bypasses or identity confusion if reviewed only through the UI happy path. Edge runtime, proxy, middleware, database adapters, and provider SDKs have compatibility constraints. Verify runtime support before moving auth code into edge-executed paths. Test OAuth in non-production first. Callback URL mismatches, domain changes, preview deployments, and secret rotation can lock users out or route tokens to the wrong environment.The download URL is Better Auth's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows. Do not commit Better Auth secrets, OAuth provider secrets, database URLs, email-provider credentials, API-key plugin secrets, or copied dashboard values. Run schema generation or migrations only against the intended database environment; auth tables, sessions, accounts, and verification records are production-critical. Treat route protection as server-side authorization work. UI hiding, optimistic middleware redirects, or cookie existence checks are not full access control. Review `proxy.ts` or `middleware.ts` behavior by Next.js version before relying on database-backed session checks inside request middleware. Keep OAuth callback URLs, base URLs, trusted origins, and cookie settings environment-specific to avoid broken login loops or cross-environment session confusion. Track Better Auth release notes and security advisories before introducing auth flows or enabling advanced plugins in production. Add rollback steps before replacing an existing auth provider because user, account, session, and verification tables can affect active logins.The download URL is Clerk's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows. Clerk middleware does not protect routes by default; require an explicit protected-route matcher before assuming a page, API route, or tRPC endpoint is private. Do not commit `CLERK_SECRET_KEY`, webhook signing secrets, OAuth provider secrets, or copied dashboard values to source control, issue comments, screenshots, or chat transcripts. Review middleware matchers carefully. A broad matcher can affect static assets and public routes, while a narrow matcher can leave sensitive routes unauthenticated. Treat organization roles, custom permissions, and metadata checks as authorization logic that needs tests, not just UI hiding. Webhook handlers can mutate user, membership, subscription, and organization state. Make handlers idempotent and verify signatures before processing events. Confirm production domains and redirect URLs before deploy; wrong origins can break sign-in, leak users into the wrong environment, or create confusing callback loops.The download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows. `convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first. Treat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation. Do not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values. Keep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs. Review generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets. When actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
Privacy notesAuth.js can process user profile data, email addresses, OAuth account IDs, provider tokens, refresh tokens, session tokens, cookies, adapter records, verification tokens, WebAuthn data, and callback payloads. Auth callbacks, debug logs, server logs, failed sign-in logs, screenshots, issue reports, and AI prompts can expose provider IDs, token claims, user metadata, cookies, callback URLs, or database identifiers. Use synthetic accounts and non-production providers for demos, public examples, screenshots, and AI-assisted troubleshooting. Avoid pasting raw OAuth payloads, cookies, JWTs, session objects, adapter rows, production user records, or provider dashboard screenshots into prompts or public issues. Review Auth.js, provider, database, deployment-platform, email-provider, analytics, and AI-assistant retention behavior before using real customer identity data in troubleshooting.Better Auth handles user identity, email addresses, password-auth state, OAuth profile data, sessions, cookies, accounts, verification tokens, and plugin-specific user data. Application logs, error trackers, request traces, AI prompts, and screenshots can retain user IDs, emails, callback URLs, cookies, session state, or OAuth provider details. Use synthetic users and test OAuth applications for examples, demos, issue reports, screenshots, and AI-assisted troubleshooting. If organization, API key, two-factor, passkey, or SSO plugins are enabled, treat membership, roles, credentials, and device metadata as sensitive authorization data. Review Better Auth, database, deployment-provider, analytics, email-provider, and AI-assistant retention policies before using real customer identity data.Clerk processes user identity, email addresses, sessions, cookies, authentication factors, OAuth profile data, organization membership, and optional user metadata. Application logs, error reports, webhook payloads, request traces, and AI chat transcripts can retain user IDs, email addresses, session state, redirect URLs, or organization names. Keep public examples synthetic. Do not paste real Clerk keys, dashboard screenshots, webhook payloads, user records, or organization metadata into prompts or PRs. Review Clerk, deployment-provider, analytics, and AI-assistant retention policies before using real customer identity data in troubleshooting sessions. If custom metadata stores roles, billing flags, internal account IDs, or entitlement data, treat it as sensitive authorization data and avoid exposing it client-side unless intended.Convex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs. Client queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records. Use synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting. Review Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data. If Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
Prerequisites
  • Next.js application with known App Router or Pages Router usage, package manager, deployment provider, and runtime targets.
  • Decision that Auth.js or NextAuth.js is the right fit for this app, especially when maintaining an existing install or requiring Auth.js-specific session behavior.
  • OAuth provider, credentials, callback URL, allowed redirect URL, domain, and local/preview/staging/production environment plan.
  • `AUTH_SECRET`, provider client IDs/secrets, adapter credentials, email provider credentials, and deployment secrets managed outside source control.
  • Next.js App Router project or migration branch with a known package manager.
  • Database choice and adapter plan, such as Drizzle, Prisma, MongoDB, or Better Auth's built-in Kysely-backed flow.
  • Local, preview, staging, and production secret-management path for Better Auth secrets, OAuth client IDs, and OAuth client secrets.
  • Route map that separates public pages, authenticated pages, API routes, server actions, admin routes, and organization-scoped areas.
  • Next.js App Router project or migration branch.
  • Clerk account and application for the target environment.
  • `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` and `CLERK_SECRET_KEY` available through local and deployment environment configuration.
  • Route map that separates public pages, protected app pages, API routes, and admin or organization-scoped areas.
  • Next.js App Router project or migration branch with a known package manager.
  • Convex account access and permission to create or use the target Convex project and deployment.
  • `NEXT_PUBLIC_CONVEX_URL` and any Convex deployment environment variables managed through local, preview, staging, and production secret configuration.
  • Data model plan for Convex tables, indexes, generated API functions, and client query/mutation usage.
Install
pnpm add next-auth@beta
pnpm add better-auth
pnpm add @clerk/nextjs
pnpm add convex
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.