NextAuthAuthenticationNext.jsApp Router

NextAuth v5 App Router migration: auth(), new middleware pattern, session types

Oliver White

6 May 2026 · 8 min read

In NextAuth v5, getServerSession() is gone — replaced by auth() with no arguments. The authOptions config moves to a top-level auth.ts file. Middleware no longer uses withAuth() — it wraps a handler that calls auth() directly. If you are upgrading from v4 or starting fresh on Next.js 14 App Router, these three changes affect every part of the auth integration.

Configuration: auth.ts instead of [...nextauth]/route.ts

In v4, your entire auth configuration lived inside app/api/auth/[...nextauth]/route.ts. In v5, the config moves to a top-level auth.ts file, and the route handler just re-exports the handlers. This separation matters because auth.ts can be imported by middleware and Server Components directly.

typescript

// auth.ts — v5 pattern
import NextAuth from 'next-auth'
import GitHub from 'next-auth/providers/github'
import Credentials from 'next-auth/providers/credentials'

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    GitHub({
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    }),
    Credentials({
      credentials: { email: {}, password: {} },
      authorize: async ({ email, password }) => {
        // verify against your users table
      },
    }),
  ],
  callbacks: {
    async session({ session, token }) {
      // Attach role and id from your users table to the session
      if (token.sub) {
        const { data: user } = await supabase
          .from('users').select('id, role').eq('id', token.sub).single();
        session.user.id   = user?.id;
        session.user.role = user?.role ?? 'user';
      }
      return session;
    },
  },
});

// app/api/auth/[...nextauth]/route.ts — just re-export
import { handlers } from '@/auth';
export const { GET, POST } = handlers;

Server Components: auth() instead of getServerSession()

In v4, you called getServerSession() and passed it your authOptions. In v5, you call auth() — no arguments needed — because it reads the config from auth.ts automatically. This works in Server Components, Server Actions, API routes, and middleware.

Context	v4 pattern	v5 pattern
Server Component	getServerSession(authOptions)	auth()
API Route	getServerSession(req, res, authOptions)	auth()
Middleware	withAuth() wrapper from next-auth/middleware	Import auth from auth.ts, wrap handler
Client Component	useSession() from next-auth/react	useSession() — unchanged

Middleware: wrapping, not replacing

The v5 middleware integration is where most people hit issues. You don't use withAuth() anymore. Instead, you export a default function that calls auth() and wraps your own middleware logic. This means you can apply security headers, redirects, and auth checks in the same file:

typescript

// middleware.ts — v5 pattern
import { auth } from '@/auth';
import { NextResponse } from 'next/server';

export default auth((req) => {
  const { nextUrl, auth: session } = req;

  // Admin route protection
  if (nextUrl.pathname.startsWith('/admin')) {
    if (!session?.user || session.user.role !== 'admin') {
      return NextResponse.redirect(new URL('/signin', nextUrl));
    }
  }

  return applySecurityHeaders(NextResponse.next());
});

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\.(?:svg|png|jpg)$).*)'],
};

⚠

The auth() call in middleware adds latency because it validates the session token on every matched request. Keep the matcher pattern specific — exclude static assets, images, and any route that doesn't need auth context. The pattern above shaves ~40ms off static asset responses.

Session type augmentation

By default, session.user only has name, email, and image. To add id and role (which you need for admin checks), you extend the types. Without this, TypeScript will complain every time you access session.user.role:

typescript

// types/next-auth.d.ts
import 'next-auth';

declare module 'next-auth' {
  interface Session {
    user: {
      id:    string;
      email: string;
      name:  string | null;
      image: string | null;
      role:  'user' | 'admin';
    };
  }
}

Built with this methodology

In NextAuth v5, getServerSession() is replaced by auth(), authOptions moves to auth.ts, and the middleware uses a wrapping pattern instead of withAuth(). This covers all three changes with working code for Next.js 14 App Router.

See the App Router architecture this post describes →

From the build log

Next.jsAuthentication

Three bugs, one session: fixing a NextAuth v5 race condition, Next.js 16 async params, and broken contest URLs

Read →

PostgreSQLSupabase

PostgreSQL SECURITY DEFINER functions: atomic votes, 80% latency reduction, zero race conditions

Read →

Written by

Oliver White →

← All posts

NextAuthAuthenticationNext.jsApp Router

NextAuth v5 App Router migration: auth(), new middleware pattern, session types

Oliver White

6 May 2026 · 8 min read

Configuration: auth.ts instead of [...nextauth]/route.ts

typescript

// auth.ts — v5 pattern
import NextAuth from 'next-auth'
import GitHub from 'next-auth/providers/github'
import Credentials from 'next-auth/providers/credentials'

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    GitHub({
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    }),
    Credentials({
      credentials: { email: {}, password: {} },
      authorize: async ({ email, password }) => {
        // verify against your users table
      },
    }),
  ],
  callbacks: {
    async session({ session, token }) {
      // Attach role and id from your users table to the session
      if (token.sub) {
        const { data: user } = await supabase
          .from('users').select('id, role').eq('id', token.sub).single();
        session.user.id   = user?.id;
        session.user.role = user?.role ?? 'user';
      }
      return session;
    },
  },
});

// app/api/auth/[...nextauth]/route.ts — just re-export
import { handlers } from '@/auth';
export const { GET, POST } = handlers;

Server Components: auth() instead of getServerSession()

Context	v4 pattern	v5 pattern
Server Component	getServerSession(authOptions)	auth()
API Route	getServerSession(req, res, authOptions)	auth()
Middleware	withAuth() wrapper from next-auth/middleware	Import auth from auth.ts, wrap handler
Client Component	useSession() from next-auth/react	useSession() — unchanged

Middleware: wrapping, not replacing

typescript

// middleware.ts — v5 pattern
import { auth } from '@/auth';
import { NextResponse } from 'next/server';

export default auth((req) => {
  const { nextUrl, auth: session } = req;

  // Admin route protection
  if (nextUrl.pathname.startsWith('/admin')) {
    if (!session?.user || session.user.role !== 'admin') {
      return NextResponse.redirect(new URL('/signin', nextUrl));
    }
  }

  return applySecurityHeaders(NextResponse.next());
});

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\.(?:svg|png|jpg)$).*)'],
};

⚠

Session type augmentation

typescript

// types/next-auth.d.ts
import 'next-auth';

declare module 'next-auth' {
  interface Session {
    user: {
      id:    string;
      email: string;
      name:  string | null;
      image: string | null;
      role:  'user' | 'admin';
    };
  }
}

Built with this methodology

See the App Router architecture this post describes →

From the build log

Next.jsAuthentication

Three bugs, one session: fixing a NextAuth v5 race condition, Next.js 16 async params, and broken contest URLs

Read →

PostgreSQLSupabase

PostgreSQL SECURITY DEFINER functions: atomic votes, 80% latency reduction, zero race conditions

Read →

Written by

Oliver White →

← All posts