---
description: Auth.js / NextAuth v5 conventions
globs: ["/auth.ts", "/auth.config.ts", "/middleware.ts", "/api/auth/**"]
alwaysApply: false
---

- v5: one central `auth.ts` at the project root → `export const { handlers, auth, signIn, signOut } = NextAuth({ providers: [...] })`.
- Route handler is a one-liner: `app/api/auth/[...nextauth]/route.ts` → `export const { GET, POST } = handlers`.
- Use the universal `auth()` everywhere server-side (RSC, route handlers, server actions, middleware) — it replaces `getServerSession`/`getToken`/`withAuth`. `useSession()` is client-only, under `<SessionProvider>`.
- Secrets from env: `AUTH_SECRET`; provider creds are auto-inferred (`AUTH_GITHUB_ID`/`AUTH_GITHUB_SECRET`). Never hardcode.
- Import providers from `next-auth/providers/*`. The package is `next-auth` (brand: Auth.js).
- Persistence: a database adapter from `@auth/*-adapter` (drizzle/prisma) for DB sessions; otherwise the default JWT strategy. Shape the token/session only via the `jwt`/`session` callbacks, kept pure and minimal.
- Protect routes by wrapping `middleware.ts` with `auth`. If your adapter isn't edge-safe, split config into `auth.config.ts` so middleware stays edge-compatible.
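
Added example (not part of the original rule file or of Auth.js itself): one way to keep the `jwt`/`session` callbacks pure and minimal, so that only an allowlist of fields reaches the token and the client-visible session. The types are simplified stand-ins for the Auth.js shapes, and the `role` and `passwordHash` fields are hypothetical.

```typescript
// Simplified stand-ins for the Auth.js token/session shapes (assumption:
// real projects use the types shipped with next-auth; `role` is hypothetical).
type Role = "user" | "admin";
type AppUser = { id: string; email: string; role: Role; passwordHash?: string };
type AppToken = { sub?: string; role?: Role; [claim: string]: unknown };
type AppSession = {
  user: { id?: string; email?: string; role?: Role };
  expires: string;
};

// jwt callback: `user` is only passed on sign-in; later calls get just the token.
function jwtCallback({ token, user }: { token: AppToken; user?: AppUser }): AppToken {
  if (!user) return token; // subsequent requests: pass the token through untouched
  // Copy an explicit allowlist. Never spread `user` into the token: that would
  // carry fields such as passwordHash into a cookie sent with every request.
  return { ...token, sub: user.id, role: user.role };
}

// session callback: the result is readable by client code via useSession(),
// so build it from the token and expose only what the UI needs.
function sessionCallback(
  { session, token }: { session: AppSession; token: AppToken },
): AppSession {
  return {
    expires: session.expires,
    user: { id: token.sub, email: session.user.email, role: token.role },
  };
}

// Wiring in auth.ts (shown as a comment, not executed here):
//   NextAuth({ providers: [...], callbacks: { jwt: jwtCallback, session: sessionCallback } })
```

Both functions return new objects instead of mutating their arguments, which keeps them easy to unit-test without a running Next.js app.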