Dmytro Morar
Next.js

Auth in App Router

Auth in App Router is server-first: cookies, middleware, and server components handle access checks.

Session storage

  • HTTP-only cookies (recommended), JWT in cookies, or DB-backed sessions.
  • Read cookies on the server:
import { cookies } from "next/headers";

Middleware checks

  • Runs before the route on Edge Runtime.
  • Use for redirects, admin protection, i18n, rate limiting.
import { NextResponse } from "next/server";
export function middleware(request) {
  const token = request.cookies.get("token");
  if (!token) return NextResponse.redirect(new URL("/login", request.url));
  return NextResponse.next();
}

Server components as guards

  • Check access in page.js:
const user = await getUser();
if (!user) notFound();

Login/signup with Server Actions

"use server";
export async function login(formData) {
  const { email, pass } = Object.fromEntries(formData);
  const session = await verifyUser(email, pass);
  cookies().set("session", session.token, { httpOnly: true });
}
<form action={login}>...</form>

When API routes are needed

  • Mobile apps, external integrations, webhooks, OAuth callbacks.

Notes

  • Never store tokens in localStorage (XSS risk).
  • Middleware is Edge-only; no Node APIs.

Middleware

Authentication

On this page

Session storageMiddleware checksServer components as guardsLogin/signup with Server ActionsWhen API routes are neededNotes