> ## Documentation Index > Fetch the complete documentation index at: https://docs-staging-docs-event-stream-action-templates.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Add Login to Your Next.js Application > This guide demonstrates how to integrate Auth0 with any new or existing Next.js application using the Auth0 Next.js v4 SDK. export const HowToSchema = () => ; export const CreateInteractiveApp = ({placeholderText = 'Auth0', appType = 'regular_web', allowedCallbackUrls = ['localhost:3000'], allowedLogoutUrls = ['localhost:3000'], allowedOriginUrls = ['localhost:3000']}) => { const [isAuthenticated, setIsAuthenticated] = useState(false); const [storeReady, setStoreReady] = useState(false); const [displayForm, setDisplayForm] = useState(true); useEffect(() => { const init = () => setStoreReady(true); if (window.rootStore) { window.rootStore.clientStore.setSelectedClient(null); window.rootStore.clientStore.setSelectedClientSecret(undefined); init(); } else { window.addEventListener('adu:storeReady', init); } return () => { window.removeEventListener('adu:storeReady', init); }; }, []); useEffect(() => { if (!storeReady) return; const disposer = autorun(() => { const rootStore = window.rootStore; setIsAuthenticated(rootStore.sessionStore.isAuthenticated); }); return () => { disposer(); }; }, [storeReady]); if (!storeReady || typeof window === 'undefined' || !displayForm) { return <>; } const login = () => { const baseUrl = window.rootStore.config.apiBaseUrl; const returnTo = encodeURIComponent(window.location.href); window.location.href = `${baseUrl}/auth/user/login?returnTo=${returnTo}`; }; const Card = ({className = '', children}) => { return

{children}

; }; const Button = ({children, ...props}) => { return ; }; const CreateApplicationForm = () => { const [name, setName] = useState(''); const [isLoading, setIsLoading] = useState(false); const [error, setError] = useState(''); const handleSubmit = async () => { if (!name.trim()) { setError('Application name is required'); return; } setIsLoading(true); setError(null); try { await window.rootStore.clientStore.createClient({ name: name.trim(), app_type: appType, callbacks: allowedCallbackUrls, allowed_logout_urls: allowedLogoutUrls, web_origins: allowedOriginUrls, client_metadata: { created_by: 'quickstart-docs-app-creation-component' } }); setDisplayForm(false); } catch (err) { console.error('Error creating client:', err); const errorMessage = err instanceof Error ? err.message : 'Failed to create application'; setError(errorMessage); } finally { setIsLoading(false); } }; return Create Auth0 App

setName(e.target.value)} />

{error &&

{error}

} ; }; const SignInForm = () => { return to create the app ; }; return isAuthenticated ? : ; }; export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => { const [displayText, setDisplayText] = useState(children); const [copyText, setCopyText] = useState(children); const wrapperRef = React.useRef(null); useEffect(() => { let unsubscribe = null; function init() { if (!window.autorun || !window.rootStore) { return; } unsubscribe = window.autorun(() => { let processedChildrenForDisplay = children; let processedChildrenForCopy = children; for (const [key, value] of window.rootStore.variableStore.values.entries()) { const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`); let displayValue = value; if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") { displayValue = value.substring(0, 3) + "*****MASKED*****"; } processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue); processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value); } setDisplayText(processedChildrenForDisplay); setCopyText(processedChildrenForCopy); }); } if (window.rootStore) { init(); } else { window.addEventListener("adu:storeReady", init); } return () => { window.removeEventListener("adu:storeReady", init); unsubscribe?.(); }; }, [children]); useEffect(() => { if (!wrapperRef.current) return; const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard); let isOverriding = false; const handleClick = e => { const button = e.target.closest('[data-testid="copy-code-button"]'); if (!button || !wrapperRef.current.contains(button)) return; isOverriding = true; navigator.clipboard.writeText = text => { if (isOverriding) { isOverriding = false; navigator.clipboard.writeText = originalWriteText; return originalWriteText(copyText); } return originalWriteText(text); }; setTimeout(() => { if (isOverriding) { isOverriding = false; navigator.clipboard.writeText = originalWriteText; } }, 100); }; const wrapper = wrapperRef.current; wrapper.addEventListener('click', handleClick, true); return () => { wrapper.removeEventListener('click', handleClick, true); if (navigator.clipboard.writeText !== originalWriteText) { navigator.clipboard.writeText = originalWriteText; } }; }, [copyText]); return

{displayText}

; }; export const AuthCodeGroup = ({children, dropdown}) => { const [processedChildren, setProcessedChildren] = useState(children); useEffect(() => { let unsubscribe = null; function init() { unsubscribe = window.autorun(() => { const processChildren = node => { if (typeof node === "string") { let processedNode = node; for (const [key, value] of window.rootStore.variableStore.values.entries()) { const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`); processedNode = processedNode.replaceAll(new RegExp(escapedKey, "g"), value); } return processedNode; } else if (Array.isArray(node)) { return node.map(processChildren); } else if (node && node.props && node.props.children) { return { ...node, props: { ...node.props, children: processChildren(node.props.children) } }; } return node; }; setProcessedChildren(processChildren(children)); }); } if (window.rootStore) { init(); } else { window.addEventListener("adu:storeReady", init); } return () => { window.removeEventListener("adu:storeReady", init); unsubscribe?.(); }; }, [children]); return {processedChildren}; }; If you use an AI coding assistant like Claude Code, Cursor, or GitHub Copilot, you can add Auth0 authentication automatically in minutes using [agent skills](https://agentskills.io/home). **Install:** ```bash theme={null} npx skills add auth0/agent-skills --skill auth0-quickstart --skill auth0-nextjs ``` **Then ask your AI assistant:** ```text theme={null} Add Auth0 authentication to my Next.js app ``` Your AI assistant will automatically create your Auth0 application, fetch credentials, install `@auth0/nextjs-auth0`, create API routes, and set up environment variables. [Full agent skills documentation →](/docs/quickstart/agent-skills) **Prerequisites:** Before you begin, ensure you have the following installed: * **[Node.js](https://nodejs.org/en/download)** 20 LTS or newer * **[npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm)** 10+ or **[yarn](https://classic.yarnpkg.com/lang/en/docs/install/)** 1.22+ or **[pnpm](https://pnpm.io/installation)** 8+ Verify installation: `node --version && npm --version` ## Get Started This quickstart demonstrates how to add Auth0 authentication to a Next.js 16 application. You'll build a full-stack web application with server-side rendering, secure login functionality, and protected routes using the Auth0 Next.js SDK. export function generateRandomString(length) { const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; return Array.from({ length }, () => chars[Math.floor(Math.random() * chars.length)]).join(''); } export const localEnvSnippet = `AUTH0_DOMAIN={yourDomain} AUTH0_CLIENT_ID={yourClientId} AUTH0_CLIENT_SECRET={yourClientSecret} AUTH0_SECRET=${generateRandomString(32)} APP_BASE_URL=http://localhost:3000`; Create a new Next.js project for this Quickstart ```shellscript theme={null} npx create-next-app@latest auth0-nextjs --typescript --tailwind --eslint --app --src-dir --import-alias "@/*" --yes ``` Open the project ```shellscript theme={null} cd auth0-nextjs ``` ```shellscript theme={null} npm install @auth0/nextjs-auth0 ``` Create all necessary directories and files for Auth0 integration: ```shellscript Mac/Linux theme={null} mkdir -p src/lib src/components && touch src/lib/auth0.ts src/proxy.ts src/components/LoginButton.tsx src/components/LogoutButton.tsx src/components/Profile.tsx ``` ```powershell Windows theme={null} New-Item -ItemType Directory -Force -Path src/lib, src/components New-Item -ItemType File -Path src/lib/auth0.ts, src/proxy.ts, src/components/LoginButton.tsx, src/components/LogoutButton.tsx, src/components/Profile.tsx ``` Next up, you need to create a new app on your Auth0 tenant and add the environment variables to your project. You have three options to set up your Auth0 app: use the Quick Setup tool (recommended), run a CLI command, or configure manually via the Dashboard: Create an Auth0 App and copy the pre-filled `.env` file with the right configuration values. Run the following command in your project's root directory to create an Auth0 app and generate a `.env` file: ```shellscript Mac theme={null} # Install Auth0 CLI (if not already installed) brew tap auth0/auth0-cli && brew install auth0 # Set up Auth0 app and generate .env file auth0 qs setup --app --type regular --framework nextjs --name "My App" --port 3000 ``` ```powershell Windows theme={null} # Install Auth0 CLI (if not already installed) scoop bucket add auth0 https://github.com/auth0/scoop-auth0-cli.git scoop install auth0 # Set up Auth0 app and generate .env file auth0 qs setup --app --type regular --framework nextjs --name "My App" --port 3000 ``` This command will: 1. Check if you're authenticated (and prompt for login if needed) 2. Create an Auth0 Regular Web Application configured for `http://localhost:3000` 3. Generate a `.env` file with `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET`, `AUTH0_SECRET`, and `APP_BASE_URL` Create a `.env.local` file on your project's root directory: ```shellscript .env.local theme={null} AUTH0_DOMAIN=YOUR_AUTH0_APP_DOMAIN AUTH0_CLIENT_ID=YOUR_AUTH0_APP_CLIENT_ID AUTH0_CLIENT_SECRET=YOUR_AUTH0_APP_CLIENT_SECRET AUTH0_SECRET=YOUR_LONG_RANDOM_SECRET_HERE APP_BASE_URL=http://localhost:3000 ``` **Generate a secure AUTH0\_SECRET:** ```shellscript theme={null} openssl rand -hex 32 ``` Copy the output and replace `YOUR_LONG_RANDOM_SECRET_HERE` in `.env.local`. This must be exactly 64 hexadecimal characters. Then configure your Auth0 application: 1. Head to the [Auth0 Dashboard](https://manage.auth0.com/dashboard/) 2. Click on **Applications** > **Applications** > **Create Application** 3. In the popup, enter a name for your app, select `Regular Web Application` as the app type and click **Create** 4. Switch to the **Settings** tab on the Application Details page 5. Replace `YOUR_AUTH0_APP_DOMAIN`, `YOUR_AUTH0_APP_CLIENT_ID`, and `YOUR_AUTH0_APP_CLIENT_SECRET` in the `.env.local` file with the **Domain**, **Client ID**, and **Client Secret** values from the dashboard **Critical:** If you change the `AUTH0_SECRET` after the app has been running, you must clear your browser cookies for localhost. Old session cookies encrypted with the previous secret will cause a `JWEDecryptionFailed` error. Finally, on the **Settings** tab of your Application Details page, configure the following URLs: **Allowed Callback URLs:** ``` http://localhost:3000/auth/callback ``` **Allowed Logout URLs:** ``` http://localhost:3000 ``` **Allowed Web Origins:** ``` http://localhost:3000 ``` **Allowed Callback URLs** are a critical security measure to ensure users are safely returned to your application after authentication. Without a matching URL, the login process will fail, and users will be blocked by an Auth0 error page instead of accessing your app. **Allowed Logout URLs** are essential for providing a seamless user experience upon signing out. Without a matching URL, users will not be redirected back to your application after logout and will instead be left on a generic Auth0 page. **Allowed Web Origins** is critical for silent authentication. Without it, users will be logged out when they refresh the page or return to your app later. Add the Auth0 client code to `src/lib/auth0.ts`: ```typescript src/lib/auth0.ts lines theme={null} import { Auth0Client } from '@auth0/nextjs-auth0/server'; export const auth0 = new Auth0Client(); ``` Add the proxy code to `src/proxy.ts`: ```typescript src/proxy.ts expandable lines theme={null} import { auth0 } from "./lib/auth0"; export async function proxy(request: Request) { return await auth0.middleware(request); } export const config = { matcher: [ /* * Match all request paths except for the ones starting with: * - _next/static (static files) * - _next/image (image optimization files) * - favicon.ico, sitemap.xml, robots.txt (metadata files) */ "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)", ], }; ``` Since we're using a `src/` directory, the `proxy.ts` file is created inside `src/`. If you're not using a `src/` directory, create it in the project root instead. This proxy automatically mounts the following authentication routes: * `/auth/login` - Login route * `/auth/logout` - Logout route * `/auth/callback` - Callback route * `/auth/profile` - User profile route * `/auth/access-token` - Access token route * `/auth/backchannel-logout` - Backchannel logout route Add the component code to the files created in Step 3: ```typescript src/components/LoginButton.tsx lines theme={null} "use client"; export default function LoginButton() { return ( Login ); } ``` ```typescript src/components/LogoutButton.tsx lines theme={null} "use client"; export default function LogoutButton() { return ( Logout ); } ``` ```typescript src/components/Profile.tsx lines theme={null} "use client"; import { useUser } from "@auth0/nextjs-auth0/client"; function getInitials(name?: string | null, email?: string | null): string { if (name) { const parts = name.trim().split(" "); return parts.length >= 2 ? `${parts[0][0]}${parts[1][0]}`.toUpperCase() : parts[0].slice(0, 2).toUpperCase(); } if (email) return email.slice(0, 2).toUpperCase(); return "U"; } export default function Profile() { const { user, isLoading } = useUser(); if (isLoading) return

; if (!user) return null; return ( <>

Successfully authenticated

{getInitials(user.name, user.email)} {user.email}

); } ``` Replace `src/app/page.tsx` with: ```typescript src/app/page.tsx lines theme={null} import { auth0 } from "@/lib/auth0"; import LoginButton from "@/components/LoginButton"; import LogoutButton from "@/components/LogoutButton"; import Profile from "@/components/Profile"; export default async function Home() { const session = await auth0.getSession(); const user = session?.user; return (

{user ? ( <>

Your account

) : ( <>

Welcome to Sample0

Get started by logging in to your account

)}

); } ``` Update `src/app/layout.tsx` to load the Inter font and wrap your app with `Auth0Provider`: ```typescript src/app/layout.tsx lines theme={null} import { Inter } from "next/font/google"; import type { Metadata } from "next"; import { Auth0Provider } from "@auth0/nextjs-auth0/client"; import "./globals.css"; const inter = Inter({ subsets: ["latin"], weight: ["300", "400", "500", "600", "700"], }); export const metadata: Metadata = { title: "Auth0 Next.js App", description: "Next.js app with Auth0 authentication", }; export default function RootLayout({ children, }: { children: React.ReactNode; }) { return ( {children} ); } ``` In v4, the Auth0Provider is optional. You only need it if you want to pass an initial user during server rendering to be available to the useUser() hook. Replace the contents of `src/app/globals.css` with: ```css src/app/globals.css lines theme={null} @import "tailwindcss"; ``` ```shellscript theme={null} npm run dev ``` Your app will be available at [http://localhost:3000](http://localhost:3000). The Auth0 SDK v4 automatically mounts authentication routes at `/auth/*` (not `/api/auth/*` like in v3). If port 3000 is in use, run: `npm run dev -- --port 3001` and update your Auth0 app's callback URLs to `http://localhost:3001` **Checkpoint** You should now have a fully functional Auth0 login page running on your [localhost](http://localhost:3000/) *** ## Troubleshooting If you see a `JWEDecryptionFailed: decryption operation failed` error, this is caused by either an invalid `AUTH0_SECRET` or an old session cookie encrypted with a different secret. **Solution:** 1. Generate a new secret using: ```shellscript theme={null} openssl rand -hex 32 ``` 2. Update your `.env.local` file: ``` AUTH0_SECRET= ``` 3. **Clear your browser cookies** for `localhost:3000`: * Chrome/Edge: Press `F12` → Application tab → Cookies → Delete all cookies for localhost * Firefox: Press `F12` → Storage tab → Cookies → Delete all cookies for localhost * Safari: Develop menu → Show Web Inspector → Storage tab → Cookies → Delete all 4. Restart your dev server: ```shellscript theme={null} npm run dev ``` The secret must be exactly 32 bytes (64 hexadecimal characters). The error occurs when the app tries to decrypt an existing session cookie that was encrypted with a different secret. If clicking login takes you to a 404 page, check these common issues: 1. **Proxy location:** Ensure `src/proxy.ts` exists in the correct location 2. **Proxy code:** Verify the proxy matches the code in Step 6 3. **Restart server:** After creating the proxy file, restart the dev server 4. **Check imports:** Make sure `import { auth0 } from "./lib/auth0"` path is correct If you see "Cannot find module '@/components/LoginButton'" or similar errors: 1. **Verify files exist:** Check that all files from Step 3 were created 2. **Check paths:** Ensure components are in `src/components/` directory 3. **Restart TypeScript:** Press `Cmd+Shift+P` (Mac) or `Ctrl+Shift+P` (Windows) and run "TypeScript: Restart TS Server" 4. **Verify imports:** Make sure you're using `@/components/*` (not `~/components/*`) *** ## Advanced Usage This quickstart uses **Auth0 Next.js SDK v4**, which has significant changes from v3: * **No dynamic route handlers needed** - Authentication routes are auto-mounted by the proxy * **Simplified client setup** - `new Auth0Client()` reads environment variables automatically * **New route paths** - Routes are at `/auth/*` instead of `/api/auth/*` * **Required proxy** - All authentication functionality goes through `proxy.ts` * **Use `` tags** - Navigation must use `` instead of buttons with onClick ### Authentication Routes The SDK automatically mounts these routes via the proxy: | Route | Purpose | | -------------------------- | ------------------------- | | `/auth/login` | Initiate login | | `/auth/logout` | Logout user | | `/auth/callback` | Handle Auth0 callback | | `/auth/profile` | Get user profile | | `/auth/access-token` | Get access token | | `/auth/backchannel-logout` | Handle backchannel logout | If you're experiencing 404 errors on these routes, ensure that: 1. The `proxy.ts` file is in the correct location (project root, or inside `src/` if using a `src/` directory) 2. The proxy is properly configured with the matcher pattern shown in Step 6 3. The development server was restarted after creating the proxy file The Auth0 Next.js SDK v4 supports both App Router and Pages Router patterns. Here are some common server-side patterns: ```typescript app/protected/page.tsx theme={null} import { auth0 } from "@/lib/auth0"; import { redirect } from "next/navigation"; export default async function ProtectedPage() { const session = await auth0.getSession(); if (!session) { redirect('/auth/login'); } return (

Protected Content

Welcome, {session.user.name}!

); } ``` ```typescript app/api/protected/route.ts theme={null} import { auth0 } from "@/lib/auth0"; import { NextResponse } from "next/server"; export async function GET() { const session = await auth0.getSession(); if (!session) { return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); } return NextResponse.json({ message: "This is a protected API route", user: session.user }); } ``` ```typescript pages/protected.tsx theme={null} import { auth0 } from "@/lib/auth0"; import { GetServerSideProps } from "next"; export default function ProtectedPage({ user }: { user: any }) { return (

Protected Content

Welcome, {user.name}!

); } export const getServerSideProps: GetServerSideProps = auth0.withPageAuthRequired(); ``` For client-side authentication state, use the `useUser` hook: ```typescript components/UserProfile.tsx theme={null} "use client"; import { useUser } from "@auth0/nextjs-auth0/client"; export default function UserProfile() { const { user, error, isLoading } = useUser(); if (isLoading) return

; if (error) return

Error: {error.message}

; if (!user) return

Not logged in

; return (

{user.name}

{user.email}

); } ``` For API route protection, use the `withApiAuthRequired` method: ```typescript app/api/protected/route.ts theme={null} import { auth0 } from "@/lib/auth0"; export const GET = auth0.withApiAuthRequired(async function handler() { const session = await auth0.getSession(); return Response.json({ message: "This is a protected API route", user: session?.user }); }); ``` If you're using a third-party backend service (like Convex, Supabase, or Firebase) that requires Auth0 authentication tokens, you'll need to pass the access token from your Next.js app to the backend client. ### Getting the Access Token **Server-side (App Router):** ```typescript app/api/token/route.ts theme={null} import { auth0 } from "@/lib/auth0"; import { NextResponse } from "next/server"; export async function GET() { const session = await auth0.getSession(); if (!session) { return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); } const accessToken = session.accessToken; return NextResponse.json({ accessToken }); } ``` **Client-side:** ```typescript lib/convex-client.ts theme={null} "use client"; import { ConvexProviderWithAuth0 } from "convex/react-auth0"; import { ConvexReactClient } from "convex/react"; const convex = new ConvexReactClient(process.env.NEXT_PUBLIC_CONVEX_URL!); export function ConvexClientProvider({ children }: { children: React.ReactNode }) { return ( ({ // Fetch the access token from your Next.js API route getAccessToken: async () => { const response = await fetch("/api/token"); const { accessToken } = await response.json(); return accessToken; }, })} > {children} ); } ``` ### Configuring Your Backend Most third-party services need your Auth0 domain and audience to verify tokens. In your backend configuration: ```typescript convex/auth.config.ts theme={null} export default { providers: [ { domain: process.env.AUTH0_DOMAIN, applicationID: process.env.AUTH0_CLIENT_ID, }, ], }; ``` Ensure your Auth0 application is configured with an API audience if your backend requires it. You can set this in the Auth0 Dashboard under Applications → APIs, or add `AUTH0_AUDIENCE` to your `.env.local` and configure the SDK accordingly. ### Troubleshooting Token Issues If `ctx.auth.getUserIdentity()` returns `null` in your backend: 1. **Verify token is being passed:** Check browser DevTools Network tab to confirm the token is included in requests 2. **Check token format:** Ensure you're passing the `accessToken`, not the `idToken` 3. **Verify backend configuration:** Confirm your backend has the correct Auth0 domain and client ID 4. **Check audience:** If using an Auth0 API, ensure the `AUTH0_AUDIENCE` is set and matches your API identifier 5. **Inspect token claims:** Decode your JWT at [jwt.io](https://jwt.io) to verify it contains the expected claims