---
description: Auth.js / NextAuth v5 conventions
globs: ["**/auth.ts", "**/auth.config.ts", "**/middleware.ts", "**/api/auth/**"]
alwaysApply: false
---

- v5: one central `auth.ts` at the project root → `export const { handlers, auth, signIn, signOut } = NextAuth({ providers: [...] })`.
- Route handler is a one-liner: `app/api/auth/[...nextauth]/route.ts` → `export const { GET, POST } = handlers`.
- Use the universal `auth()` everywhere server-side (RSC, route handlers, server actions, middleware) — it replaces `getServerSession` / `getToken` / `withAuth`. `useSession()` is client-only and must sit beneath the client-side session provider.
- Secrets from env: `AUTH_SECRET`; provider creds are auto-inferred (`AUTH_GITHUB_ID` / `AUTH_GITHUB_SECRET`). Never hardcode them.
- Import providers from `next-auth/providers/*`. The package is `next-auth` (brand: Auth.js).
- Persistence: a database adapter from `@auth/*-adapter` (drizzle/prisma) for DB sessions; otherwise the default JWT strategy. Shape the token/session only via the `jwt` / `session` callbacks, kept pure and minimal.
- Protect routes by wrapping `middleware.ts` with `auth`. If your adapter isn't edge-safe, split config into `auth.config.ts` so middleware stays edge-compatible.
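Added example, not part of these rules or of Auth.js itself: the three pure callbacks that belong in the edge-safe `auth.config.ts` (route policy via `authorized`, plus minimal `jwt` / `session` shaping). Local stand-in types replace the `next-auth` types so the file runs without the package; the `/dashboard` and `/admin` paths and the `role` claim are assumptions for illustration.

```typescript
// Stand-in types (assumption: mirror the fields of Auth.js's User / JWT / Session
// that these callbacks touch; in a real project import the types from "next-auth").
type AppUser = { id: string; email?: string | null; role?: string };
type Token = { sub?: string; role?: string; [claim: string]: unknown };
type Session = {
  user: { id?: string; email?: string | null; role?: string };
  expires: string;
};
type AuthRequest = { nextUrl: { pathname: string } };

// authorized(): the middleware policy. Runs on the edge for every matched request,
// so it must only read the session, never touch an adapter or database.
// Assumed layout: /admin needs role "admin", /dashboard needs any session, rest is public.
export function authorized({ auth, request }: { auth: Session | null; request: AuthRequest }): boolean {
  const path = request.nextUrl.pathname;
  if (path.startsWith("/admin")) return auth?.user.role === "admin";
  if (path.startsWith("/dashboard")) return auth !== null;
  return true;
}

// jwt(): `user` is only present on the sign-in call; later calls only carry `token`.
// Copy the few claims the app needs, never the whole user record, and keep it pure.
export function jwt({ token, user }: { token: Token; user?: AppUser }): Token {
  if (user) {
    return { ...token, sub: user.id, role: user.role ?? "user" };
  }
  return token;
}

// session(): project the token's claims onto the object `auth()` / `useSession()` expose.
export function session({ session, token }: { session: Session; token: Token }): Session {
  return { ...session, user: { ...session.user, id: token.sub, role: token.role } };
}

// Wiring (shown as comments; the config object itself needs the next-auth package):
//   auth.config.ts: export default { providers: [...], callbacks: { authorized, jwt, session } } satisfies NextAuthConfig;
//   auth.ts:        export const { handlers, auth, signIn, signOut } = NextAuth({ ...authConfig, adapter });
//   middleware.ts:  export { auth as middleware } from "@/auth";
```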