# AGENTS.md — Auth.js / NextAuth v5

## Setup

- Central `auth.ts` at the root: `export const { handlers, auth, signIn, signOut } = NextAuth({ providers: [...] })`.
- Route handler: `app/api/auth/[...nextauth]/route.ts` → `export const { GET, POST } = handlers`.
- Package is `next-auth` (brand: Auth.js); providers from `next-auth/providers/*`.

## Conventions

- Use the universal `auth()` server-side (RSC, route handlers, server actions, middleware). `useSession()` is client-only, under ``.
- Secrets from env: `AUTH_SECRET`; provider creds auto-inferred (`AUTH_GITHUB_ID` / `AUTH_GITHUB_SECRET`).
- Database sessions via `@auth/*-adapter` (drizzle/prisma); otherwise JWT strategy. Shape tokens via `jwt` / `session` callbacks, kept minimal.
- Protect routes by wrapping `middleware.ts` with `auth`; split `auth.config.ts` if the adapter isn't edge-safe.

## Banned

- `getServerSession` / `getToken` / `withAuth` instead of `auth()`.
- `useSession()` in server components.
- Hardcoded `AUTH_SECRET` or provider credentials.
- Heavy I/O in `jwt` / `session` callbacks; non-edge adapters in edge middleware.
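
One way to check the first three Banned items in CI, as an added example that is not part of Auth.js or of this file's project. `scanAuthSources`, its rule names and the sample tree are hypothetical, and the regexes are heuristics (a file without `"use client"` is assumed to be a server component).

```typescript
// Added example, not Auth.js code. Regexes are heuristics for the Banned list.
type Finding = { file: string; line: number; rule: string };

const LINE_RULES: { rule: string; re: RegExp }[] = [
  // Pre-v5 helpers that `auth()` replaces.
  { rule: "legacy-api", re: /\b(getServerSession|getToken|withAuth)\b/ },
  // A secret or provider credential assigned a string literal.
  { rule: "hardcoded-credential",
    re: /\b(AUTH_[A-Z0-9_]*(?:SECRET|ID)|secret|clientSecret|clientId)\b\s*[:=]\s*["'`][^"'`]+["'`]/ },
];

// True when the first statement (after leading comments) is "use client".
function hasUseClient(src: string): boolean {
  const body = src.replace(/^(?:\s*\/\/.*\n|\s*\/\*[\s\S]*?\*\/)*/, "");
  return /^\s*["']use client["']/.test(body);
}

// `files` maps a repo-relative path to its contents (hypothetical input shape).
function scanAuthSources(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  Object.keys(files).forEach((file) => {
    if (!/\.(ts|tsx|js|jsx)$/.test(file)) return; // skip .env and other non-source files
    const noUseClient = !hasUseClient(files[file]);
    files[file].split("\n").forEach((text, i) => {
      if (/^\s*(\/\/|\/?\*)/.test(text)) return; // ignore comment lines
      for (const { rule, re } of LINE_RULES) {
        if (re.test(text)) findings.push({ file, line: i + 1, rule });
      }
      // Heuristic: a file without the directive is treated as a server component.
      if (noUseClient && /\buseSession\s*\(/.test(text)) {
        findings.push({ file, line: i + 1, rule: "useSession-without-use-client" });
      }
    });
  });
  return findings;
}

// Constructed sample tree, not from a real project.
const SAMPLE: Record<string, string> = {
  "auth.ts": 'import NextAuth from "next-auth";\n' +
    'export const { handlers, auth } = NextAuth({\n' +
    '  secret: "constructed-not-a-real-secret",\n  providers: [],\n});',
  "app/dashboard/page.tsx": 'import { getServerSession } from "next-auth";\n' +
    'import { useSession } from "next-auth/react";\n' +
    'export default function Page() { useSession(); return null; }',
  "app/nav.tsx": '"use client";\nimport { useSession } from "next-auth/react";\n' +
    'export const Nav = () => { useSession(); return null; };',
  ".env.local": 'AUTH_SECRET="constructed"',
};
for (const f of scanAuthSources(SAMPLE)) console.log(`${f.file}:${f.line} ${f.rule}`);
```

The last Banned item (heavy I/O in callbacks, non-edge adapters in edge middleware) needs import-graph analysis and is not covered by this line-based check.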