// the find
nextauthjs/next-auth
Authentication for the Web.
Auth.js (formerly NextAuth.js) is the de facto standard for adding OAuth, email magic links, and credentials auth to Next.js and other JS frameworks. It abstracts away the OAuth dance, session management, and database adapters so you don't have to. Worth knowing: the README now recommends new projects use Better Auth instead, as Auth.js has merged into that project.
Built on standard Web APIs so it runs in Node, edge runtimes, and serverless without hacks. JWTs are encrypted by default (JWE with A256CBC-HS512), not just signed — most auth libraries get this wrong. The adapter ecosystem is genuinely broad: Prisma, Drizzle, raw SQL, MongoDB, all covered. CSRF protection and secure cookie defaults are on by default rather than opt-in.
The v4→v5 migration was painful and broke a lot of userland code; the API surface changed significantly and the docs lagged badly. Credentials provider is officially discouraged but still widely used, leading to people building insecure password flows on top of it without understanding why it's a footgun. The merge into Better Auth creates real questions about long-term maintenance — if you're starting a new project today, you're adopting something the authors themselves say to avoid. Role-based access control is not in scope; you bolt it on yourself, and the patterns for doing so correctly are not well documented.