AGENTS.md — Auth.js / NextAuth v5
Setup
- Central `auth.ts` at the root: `export const { handlers, auth, signIn, signOut } = NextAuth({ providers: [...] })`.
- Route handler: `app/api/auth/[...nextauth]/route.ts` → `export const { GET, POST } = handlers`.
- Package is `next-auth` (brand: Auth.js); providers from `next-auth/providers/*`.
Conventions
- Use the universal `auth()` server-side (RSC, route handlers, server actions, middleware). `useSession()` is client-only, under `<SessionProvider>`.
- Secrets from env: `AUTH_SECRET`; provider creds auto-inferred (`AUTH_GITHUB_ID`/`AUTH_GITHUB_SECRET`).
- Database sessions via `@auth/*-adapter` (drizzle/prisma); otherwise JWT strategy. Shape tokens via `jwt`/`session` callbacks, kept minimal.
- Protect routes by wrapping `middleware.ts` with `auth`; split `auth.config.ts` if the adapter isn't edge-safe.
Banned
- `getServerSession`/`getToken`/`withAuth` instead of `auth()`.
- `useSession()` in server components.
- Hardcoded `AUTH_SECRET` or provider credentials.
- Heavy I/O in `jwt`/`session` callbacks; non-edge adapters in edge middleware.
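
The first three Banned items can be checked mechanically. The following is an added example (not part of the original file or of Auth.js) of a small source checker run over constructed sample files; the function names, rule labels and regexes are assumptions, and the line-based matching is a heuristic rather than a parser.

```typescript
// Added example: enforces part of the "Banned" list. All names here are hypothetical.
type Finding = { file: string; line: number; rule: string };

const LEGACY_API = /\b(getServerSession|getToken|withAuth)\b/;
const USE_SESSION_CALL = /\buseSession\s*\(/;
// String literal assigned to AUTH_SECRET, `secret`, `clientId` or `clientSecret`.
const HARDCODED = /\b(AUTH_SECRET|secret|clientId|clientSecret)\b\s*[:=]\s*["'`][^"'`]+["'`]/;

// Client component = first non-blank, non-comment line is the "use client" directive.
function isClientComponent(source: string): boolean {
  for (const raw of source.split("\n")) {
    const text = raw.trim();
    if (text === "" || /^\/\//.test(text)) continue;
    return /^["']use client["'];?$/.test(text);
  }
  return false;
}

function checkFile(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const client = isClientComponent(source);
  source.split("\n").forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // ignore comment-only lines
    const line = i + 1;
    if (LEGACY_API.test(text)) findings.push({ file, line, rule: "legacy-api" });
    if (!client && USE_SESSION_CALL.test(text)) findings.push({ file, line, rule: "useSession-on-server" });
    if (HARDCODED.test(text)) findings.push({ file, line, rule: "hardcoded-credential" });
  });
  return findings;
}

function checkAll(files: Record<string, string>): Finding[] {
  let all: Finding[] = [];
  Object.keys(files).forEach((f) => { all = all.concat(checkFile(f, files[f])); });
  return all;
}

// Constructed sample sources, not taken from any real project.
const SAMPLES: Record<string, string> = {
  "auth.ts": 'export const { handlers, auth } = NextAuth({ providers: [GitHub({ clientId: "constructed-id" })] });',
  "app/page.tsx":
    'import { getServerSession } from "next-auth";\n' +
    "export default async function Page() { const s = useSession(); return null; }",
  "components/user-menu.tsx":
    '"use client";\n' +
    "export function UserMenu() { const { data } = useSession(); return null; }",
};

console.log(checkAll(SAMPLES));
```

The `"use client"` file produces no finding, and a value read from `process.env` does not match the hardcoded-credential rule because no string literal follows the key.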