
Next.js authentication: ways to implement authentication in Next.js

Next.js feels pretty magical sometimes. You spin up a quick prototype in a few seconds, and it's just a one-click deploy to get it running on Vercel (or Cloudflare, or whatever else you want to use)!

Unfortunately, you are going to need authentication at some point, and you need it to be exactly right.

There's no way to make authentication fun. However, it can be relatively painless. Here are some of the best ways to set up authentication for a modern Next.js app.


Libraries vs. services for auth in Next.js

Build vs. Buy

You'll first need to make a decision: to what extent do you want to build authentication yourself? After all, it is generally a lot simpler to outsource your authentication to a managed service.

This is a pretty common trade-off in software. For example, you're very unlikely to be running your own database. It's more likely that you're using something like Amazon RDS or Supabase.

Sometimes people reduce the build vs. buy decision to a matter of capability; i.e., you might hear someone insist that you should "just roll your own." I don't really see things that way. In fact, I'm quite certain you can figure this stuff out.

It's more about where you'll see rewards for your effort.

There are cases where your software will benefit from custom authentication. If your requirements are extremely unusual, for example, the answer is probably yes! Alternatively, if you expect to maintain an extremely simple application, you probably don't need all of the bells and whistles that come with a managed service.


For most applications, though, you'll just be reinventing code that someone else has already written pretty well. There's a good chance that both you -- and your users -- will be happier if you simply pull something off the shelf.

Nonetheless, I'll start with the best auth libraries for Next.js -- for those who want to build things themselves. From there, I'll cover the best auth services for Next.js.


Best libraries for auth in Next.js

NextAuth

If you're working on a simple consumer app, you may want to try NextAuth, which seems interested in rebranding to Auth.js. It's an open source library with almost 30,000 GitHub stars (at time of writing).

NextAuth stands out for its support for passwordless social authentication. It has pretty remarkable coverage for OAuth login providers, from the usual suspects like Google to pretty niche login providers like Netlify and EVE Online.

It's pretty straightforward to get started, too. Here's a code sample:

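// In the Pages Router, this file lives at pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"
import GithubProvider from "next-auth/providers/github"

export const authOptions = {
  // One entry per login provider
  providers: [
    GithubProvider({
      // OAuth app credentials come from the environment, never from source control
      clientId: process.env.GITHUB_ID,
      clientSecret: process.env.GITHUB_SECRET,
    }),
  ],
}

// Export the route handler that NextAuth builds from these options
export default NextAuth(authOptions)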

Pretty nice!

We see lots of people get started with NextAuth successfully. That said, we often see people move off NextAuth. It's not particularly easy to figure out how it works, and it's not especially flexible. This is especially true of fast-growing B2B applications; NextAuth works well for prototypes, but it doesn't tend to stick around.

Here's a Reddit comment that expresses the sentiment:

NextAuth is totally fine if your auth model fits on the road they’ve paved for you. The second you need to go off their road for any reason it’s a minefield of expensive work-arounds where you’re spending more time bending your model to fit theirs than actually moving forward with your project.

As with all such things, you need to decide whether NextAuth matches your requirements.

Better Auth

Better Auth is a commercial open source project, a TypeScript library, that's rapidly been gaining share in the Next.js ecosystem. (Like us at Tesseral, Better Auth is a Y Combinator-backed company!)

Anything that I write here will be rapidly out of date, but I nonetheless recommend exploring Better Auth as a more flexible alternative to NextAuth.

Honorable mention: Lucia

Lucia was another open source project in the JavaScript / TypeScript ecosystem.

From the GitHub repository, it's now deprecated:

Lucia v3 will be deprecated by March 2025. Lucia is now a learning resource on implementing auth from scratch. See the announcement for details and migration path. The source code for v3 is available in the v3 branch.

We came to the conclusion that at least for the core of auth - sessions - it's better to teach the code and concepts rather than to try cramming it into a library. The code is very straightforward and shouldn't take more than 10 minutes to write it once you understand it. As an added bonus, it's fully customizable.

You can learn more about the decision to shut down Lucia here.
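
As an added example (not code from Lucia or from this guide), here is one common design for the session core mentioned above: a random token goes in the cookie and only its SHA-256 hash is stored server-side. The function names, the in-memory Map standing in for a database table, and the 30-day lifetime are assumptions.

```javascript
// Added example; all names are hypothetical, not from Lucia or any library.
const nodeCrypto = require("node:crypto");

const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day lifetime
const sessions = new Map(); // stand-in for a database table keyed by token hash

// Only the SHA-256 of the token is stored, so a leaked table cannot be replayed as cookies.
function hashToken(token) {
  return nodeCrypto.createHash("sha256").update(token).digest("hex");
}

// Returns the raw token for the cookie; the server keeps only its hash.
function createSession(userId, now = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
  sessions.set(hashToken(token), { userId, expiresAt: now + SESSION_TTL_MS });
  return token;
}

// Returns the session record, or null if the token is unknown, malformed or expired.
function validateSession(token, now = Date.now()) {
  if (typeof token !== "string" || token.length === 0) return null;
  const id = hashToken(token);
  const session = sessions.get(id);
  if (!session) return null;
  if (now >= session.expiresAt) {
    sessions.delete(id); // expired sessions are removed, not just ignored
    return null;
  }
  // Sliding expiry: extend once less than half the lifetime remains.
  if (session.expiresAt - now < SESSION_TTL_MS / 2) {
    session.expiresAt = now + SESSION_TTL_MS;
  }
  return session;
}

// Logout: revoke server-side so a copied cookie stops working immediately.
function invalidateSession(token) {
  return sessions.delete(hashToken(token));
}

// Cookie attributes for the raw token (HttpOnly keeps it away from page scripts).
function sessionCookie(token) {
  const maxAge = Math.floor(SESSION_TTL_MS / 1000);
  return `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${maxAge}`;
}
```

In a real deployment the Map would be a database table, and `validateSession` would run on every request that reads the session cookie.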


Best services for auth in Next.js

For consumer apps

If you're working on a consumer application (e.g., social media) in Next.js, you should consider using Clerk. It's easy to get it working out-of-the-box, it comes with nice-looking UI, and it comes with pretty natural support for social login providers.

There are nice ancillary products you'll likely benefit from. For example, Clerk has a billing product, which is quite nice for managing high-volume, low-complexity subscriptions via Stripe.

Tesseral is the best auth service for B2B Next.js apps

Auth for B2B apps doesn't work like auth for B2C apps. I've written about this extensively here.

If you're working on a B2B application in Next.js, you should use Tesseral with its Next.js SDK. Tesseral is an open source auth provider built specifically for business software applications.


Unlike other services, Tesseral supports everything:

  • B2B multitenancy
  • Multi-factor authentication
  • Organization-level configuration
  • Enterprise SSO, including self-service SAML configuration
  • SCIM provisioning
  • Fine-grained access control with advanced RBAC
  • Managed API keys
  • Managed audit logs

Moreover, because it's open source, you can self-host or run Tesseral on your customers' infrastructure. This is a critical need if you anticipate ever selling major enterprise deals.

In essence, there's an awful lot of complexity to B2B authentication. If you set up Tesseral, you don't have to manage the complexity yourself. With just a few lines of code, you get everything you need to manage an enterprise application at any scale. It's remarkably simple to integrate Tesseral in a Next.js app; implementations often take just a day of development time.

About the Author
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.