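/**
 * Webpack chunk 34646 of a Next.js build. It registers three modules:
 *
 *   77097 - route registration for "/concepts" on window.__NEXT_P
 *   73918 - the Accordions / Accordion UI components (exported as FV / UQ)
 *   68477 - the compiled "About Auth.js" FAQ page (pages/concepts/index.mdx)
 *
 * The export names of the required modules (fC, ck, xz, VY, TZ, Jr, rU, c, a, v)
 * are minified; what each one is can only be inferred from how it is used here,
 * so the local names below are descriptive guesses, not confirmed identities.
 */
(self.webpackChunk_N_E = self.webpackChunk_N_E || []).push([
  [34646],
  {
    // Registers the lazy loader for the "/concepts" route.
    77097: function (module, exports, __webpack_require__) {
      (window.__NEXT_P = window.__NEXT_P || []).push([
        "/concepts",
        function () {
          return __webpack_require__(68477);
        },
      ]);
    },

    // Accordion components used by the FAQ page.
    73918: function (module, exports, __webpack_require__) {
      "use strict";
      __webpack_require__.d(exports, {
        UQ: function () {
          return Accordion;
        },
        FV: function () {
          return Accordions;
        },
      });
      var jsxRuntime = __webpack_require__(651); // presumably react/jsx-runtime (jsx, jsxs, Fragment)
      var accordion = __webpack_require__(94322); // presumably accordion primitives (root, item, trigger, content)
      var icons = __webpack_require__(26489); // presumably an icon set
      var react = __webpack_require__(92379); // presumably React (forwardRef and hooks)
      var classNamesModule = __webpack_require__(80324); // presumably a class-name joining helper
      var getClassNames = __webpack_require__.n(classNamesModule);

      // Exports are read at call time, as in the original `(0, s.jsx)(...)` form.
      const jsx = (type, props) => (0, jsxRuntime.jsx)(type, props);
      const jsxs = (type, props) => (0, jsxRuntime.jsxs)(type, props);

      /**
       * Entry component: renders the multiple-selection or the single-selection
       * accordion depending on `props.type`. Anything other than "multiple" is
       * treated as "single".
       */
      const Accordions = react.forwardRef((props, ref) => {
        if (props.type === "multiple") {
          // NOTE(review): "bg-red-500" looks like leftover debug styling - confirm.
          // A className passed by the caller overrides it through the spread.
          return jsx(MultipleAccordions, {
            className: "bg-red-500",
            ref: ref,
            ...props,
          });
        }
        return jsx(SingleAccordions, { ref: ref, ...props, type: "single" });
      });
      Accordions.displayName = "Accordions";

      /**
       * Accordion root allowing several open items. Works controlled
       * (`value` / `onValueChange` props) or uncontrolled (`defaultValue`).
       */
      const MultipleAccordions = react.forwardRef((props, ref) => {
        const { className, defaultValue, ...rest } = props;
        const [internalValue, setInternalValue] = react.useState(defaultValue);
        const value = rest.value != null ? rest.value : internalValue;
        const boundHandler =
          rest.onValueChange != null
            ? rest.onValueChange.bind(rest)
            : undefined;
        const onValueChange =
          boundHandler != null ? boundHandler : setInternalValue;

        // Deep link: open the item named by the URL fragment. The fragment is
        // URL-controlled input; in this file it only reaches the accordion's
        // value / change handler and is never written into markup. What the
        // accordion primitive does with the value is not visible here.
        react.useEffect(() => {
          if (window.location.hash.length > 0) {
            onValueChange([window.location.hash.substring(1)]);
          }
        }, [onValueChange]);

        return jsx(accordion.fC, {
          ref: ref,
          value: value,
          onValueChange: onValueChange,
          className: className,
          ...rest,
        });
      });
      MultipleAccordions.displayName = "MultipleAccordions";

      /**
       * Accordion root allowing one open item at a time (collapsible).
       * Works controlled or uncontrolled, like MultipleAccordions.
       */
      const SingleAccordions = react.forwardRef((props, ref) => {
        const { className, defaultValue, ...rest } = props;
        const [internalValue, setInternalValue] = react.useState(defaultValue);
        const value = rest.value != null ? rest.value : internalValue;
        const boundHandler =
          rest.onValueChange != null
            ? rest.onValueChange.bind(rest)
            : undefined;
        const onValueChange =
          boundHandler != null ? boundHandler : setInternalValue;

        // Same deep-link behaviour as MultipleAccordions, with a single value
        // instead of an array.
        react.useEffect(() => {
          if (window.location.hash.length > 0) {
            onValueChange(window.location.hash.substring(1));
          }
        }, [onValueChange]);

        return jsx(accordion.fC, {
          ref: ref,
          value: value,
          onValueChange: onValueChange,
          collapsible: true,
          className: getClassNames()(
            className,
            "mt-4 rounded-lg border border-neutral-200 dark:border-neutral-800",
          ),
          ...rest,
        });
      });
      SingleAccordions.displayName = "SingleAccordions";

      /**
       * One accordion item: a trigger showing `title` and a collapsible body
       * with `children`. The item value is `id` when given, otherwise `title`.
       * The copy-link button is rendered only when an `id` is supplied.
       */
      const Accordion = react.forwardRef((props, ref) => {
        const { title, className, children, ...rest } = props;
        const itemValue = rest.id != null ? rest.id : title;

        const trigger = jsxs(accordion.xz, {
          className:
            "focus-visible:ring-ring flex w-full items-center gap-1 px-2 py-[1.125rem] text-left transition-colors duration-300 focus-visible:outline-none focus-visible:ring-2 data-[state=open]:bg-neutral-100 data-[state=open]:dark:bg-neutral-950",
          children: [
            jsx(icons.TZ, {
              className:
                "size-4 transition-transform duration-200 group-data-[state=open]/accordion:rotate-90",
            }),
            jsx("span", {
              className: "text-medium text-foreground font-medium",
              children: title,
            }),
          ],
        });

        const body = jsx(accordion.VY, {
          className:
            "data-[state=closed]:animate-accordion-up data-[state=open]:animate-accordion-down overflow-hidden",
          children: jsx("div", {
            className: "prose-no-margin py-4 pl-6 text-sm",
            children: children,
          }),
        });

        return jsxs(accordion.ck, {
          ref: ref,
          value: itemValue,
          className: getClassNames()(
            "group/accordion scroll-m-20 border-b border-neutral-200 first:overflow-hidden first:rounded-t-lg last:overflow-hidden last:rounded-b-lg last-of-type:border-b-0 dark:border-neutral-800",
            className,
          ),
          ...rest,
          children: [
            jsxs(jsxRuntime.Fragment, {
              children: [
                trigger,
                rest.id ? jsx(CopyLinkButton, { id: rest.id }) : null,
              ],
            }),
            body,
          ],
        });
      });

      /**
       * Hook behind the copy button: returns `[checked, onClick]`. `onClick`
       * runs `onCopy` and keeps `checked` true for 1500 ms.
       */
      function useCopyButton(onCopy) {
        const [checked, setChecked] = react.useState(false);
        const timeoutRef = react.useRef(null);

        const onClick = react.useCallback(() => {
          if (timeoutRef.current) {
            window.clearTimeout(timeoutRef.current);
          }
          timeoutRef.current = window.setTimeout(() => {
            setChecked(false);
          }, 1500);
          onCopy();
          setChecked(true);
        }, [onCopy]);

        // Clear a pending reset timer when the component unmounts.
        react.useEffect(
          () => () => {
            if (timeoutRef.current) {
              window.clearTimeout(timeoutRef.current);
            }
          },
          [],
        );

        return [checked, onClick];
      }

      /**
       * Button that copies the current page URL, with its fragment set to `id`,
       * to the clipboard.
       */
      function CopyLinkButton(props) {
        const { id } = props;
        const [checked, onClick] = useCopyButton(() => {
          const url = new URL(window.location.href);
          url.hash = id;
          // writeText returns a promise that rejects when the write is not
          // permitted; handle it so the rejection does not go unobserved.
          navigator.clipboard.writeText(url.toString()).catch((err) => {
            console.error("Failed to copy link to clipboard", err);
          });
        });

        return jsx("button", {
          type: "button",
          "aria-label": "Copy Link",
          className:
            "hover:bg-accent hover:text-accent-foreground opacity-0 transition-all group-data-[state=open]/accordion:opacity-100",
          onClick: onClick,
          children: checked
            ? jsx(icons.Jr, { className: "size-3.5" })
            : jsx(icons.rU, { className: "size-3.5" }),
        });
      }
      Accordion.displayName = "Accordion";
    },

    // Compiled MDX page "About Auth.js" (FAQ).
    68477: function (module, exports, __webpack_require__) {
      "use strict";
      __webpack_require__.r(exports);
      __webpack_require__.d(exports, {
        useTOC: function () {
          return useTOC;
        },
      });
      var jsxRuntime = __webpack_require__(651); // presumably react/jsx-runtime
      var pageWrapper = __webpack_require__(64211); // `c` wraps the page component; presumably the docs theme
      var pageMapModule = __webpack_require__(1089); // `v` is passed on as pageMap
      var mdxComponents = __webpack_require__(15593); // `a()` supplies component overrides
      var accordions = __webpack_require__(73918); // FV = Accordions, UQ = Accordion

      const jsx = (type, props) => (0, jsxRuntime.jsx)(type, props);
      const jsxs = (type, props) => (0, jsxRuntime.jsxs)(type, props);

      /**
       * Table of contents for the page: one entry per h3 heading, in page order.
       * The page body indexes into this array for heading ids and labels.
       */
      function useTOC(props) {
        return [
          {
            value: "Is Auth.js commercial software?",
            id: "is-authjs-commercial-software",
            depth: 3,
          },
          { value: "Compatibility", id: "compatibility", depth: 3 },
          { value: "Session strategies", id: "session-strategies", depth: 3 },
          { value: "Security", id: "security", depth: 3 },
          { value: "Feature Requests", id: "feature-requests", depth: 3 },
        ];
      }

      /** Page body. `props.components` overrides the default element mapping. */
      function ConceptsPage(props) {
        const { toc = useTOC(props) } = props;
        const components = {
          a: "a",
          code: "code",
          em: "em",
          h1: "h1",
          h3: "h3",
          li: "li",
          ol: "ol",
          p: "p",
          ...(0, mdxComponents.a)(),
          ...props.components,
        };

        // --- "Compatibility" FAQ -------------------------------------------
        const compatibilityFaq = jsxs(accordions.FV, {
          children: [
            jsxs(accordions.UQ, {
              title: "What databases does Auth.js support?",
              children: [
                jsxs(components.p, {
                  children: [
                    "You can use Auth.js with many flavors of MySQL, MariaDB, PostgreSQL, MongoDB and SQLite. See our ",
                    jsx(components.a, {
                      href: "/getting-started/database",
                      children: "using a database adapter guide",
                    }),
                    ". There are adapters for most popular database types available.",
                  ],
                }),
                jsx(components.p, {
                  children:
                    "You can also use Auth.js with any database using a custom database adapter, or by using a custom credentials authentication provider - e.g. to support signing in with a username and password stored in an existing database.",
                }),
                jsx(components.p, {
                  children:
                    "You do not need a database to use Auth.js, however. You can use Auth.js with JWT-based sessions, which do not require a database.",
                }),
              ],
            }),
            jsx(accordions.UQ, {
              title: "What authentication services does Auth.js support?",
              children: jsxs(components.p, {
                children: [
                  "Auth.js includes built-in support for 4 high-level authentication types - OAuth / OIDC, Email magic-links, WebAuthn / Passkeys and username/password credentials. Check out our ",
                  jsx(components.a, {
                    href: "/getting-started/authentication",
                    children: "authentication page",
                  }),
                  " for more information.",
                ],
              }),
            }),
            // Credentials sign-in: accounts are not persisted by Auth.js and
            // JWT sessions are required, as the emphasised paragraph states.
            jsxs(accordions.UQ, {
              title:
                "Does Auth.js support signing in with a username and password?",
              children: [
                jsx(components.p, {
                  children:
                    "Auth.js is designed to avoid the need to store passwords and user accounts.",
                }),
                jsxs(components.p, {
                  children: [
                    "However, if you’d still like to use username/password based login, then you can use our ",
                    jsx(components.a, {
                      href: "/getting-started/authentication/credentials",
                      children: "Credentials provider",
                    }),
                    " to allow signing in with a username and password.",
                  ],
                }),
                jsx(components.p, {
                  children: jsx(components.em, {
                    children:
                      "If you use a custom credentials provider user accounts will not be persisted in a database by Auth.js (even if one is configured). The option to use JSON Web Tokens for session tokens (which allow sign-in without using a session database) must be enabled to use a custom credentials provider.",
                  }),
                }),
              ],
            }),
            jsx(accordions.UQ, {
              title:
                "Can I use Auth.js with a website that does not use Next.js?",
              children: jsxs(components.p, {
                children: [
                  "Auth.js was initially designed for use with Next.js and Serverless, however, over time we’ve evolved into a framework-agnostic authentication solution. If you’re curious, take a look at ",
                  jsx(components.a, {
                    href: "/contributors#history",
                    children: "our history page",
                  }),
                  ". We currently have framework packages available for Next.js (",
                  jsx(components.code, { children: "next-auth" }),
                  "), SvelteKit (",
                  jsx(components.code, { children: "@auth/sveltekit" }),
                  "), SolidStart (",
                  jsx(components.code, { children: "@auth/solid" }),
                  "), Express (",
                  jsx(components.code, { children: "@auth/express" }),
                  ") and more in the pipeline.",
                ],
              }),
            }),
            // Confidential (server-side) client vs. public client distinction.
            jsxs(accordions.UQ, {
              title: "Can I use Auth.js with React Native?",
              children: [
                jsx(components.p, {
                  children:
                    "Auth.js is designed as a secure, confidential client and implements a server-side authentication flow.",
                }),
                jsx(components.p, {
                  children:
                    "It is not intended to be used in native applications on desktop or mobile applications, which typically implement public clients (e.g. with client/secrets embedded in the application).",
                }),
              ],
            }),
            jsx(accordions.UQ, {
              title: "Is Auth.js supporting TypeScript?",
              children: jsxs(components.p, {
                children: [
                  "Yes! Check out the ",
                  jsx(components.a, {
                    href: "/getting-started/typescript",
                    children: "TypeScript docs",
                  }),
                ],
              }),
            }),
            jsx(accordions.UQ, {
              title: "Is Auth.js compatible with Next.js 12 Middleware?",
              children: jsxs(components.p, {
                children: [
                  jsx(components.a, {
                    href: "https://nextjs.org/docs/middleware",
                    children: "Next.js middleware",
                  }),
                  " is supported and is recommended as of version 5. An example middleware setup can be found ",
                  jsx(components.a, {
                    href: "/getting-started/session-management/protecting#nextjs-middleware",
                    children: "here",
                  }),
                  ".",
                ],
              }),
            }),
          ],
        });

        // --- "Security" FAQ ------------------------------------------------
        const securityFaq = jsxs(accordions.FV, {
          children: [
            // Where OAuth refresh/access tokens end up (database or JWT callback).
            jsxs(accordions.UQ, {
              title:
                "How do I get Refresh Tokens and Access Tokens for an OAuth account?",
              children: [
                jsx(components.p, {
                  children:
                    "Auth.js provides a solution for authentication, session management and user account creation.",
                }),
                jsx(components.p, {
                  children:
                    "Auth.js records Refresh Tokens and Access Tokens on sign-in (if supplied by the provider) and it will pass them, along with the User ID, Provider and Provider Account ID, to either:",
                }),
                jsxs(components.ol, {
                  children: [
                    "\n",
                    jsx(components.li, {
                      children:
                        "A database - if a database connection string is provided",
                    }),
                    "\n",
                    jsx(components.li, {
                      children:
                        "The JSON Web Token callback - if JWT sessions are enabled (e.g. if no database is specified)",
                    }),
                    "\n",
                  ],
                }),
                jsx(components.p, {
                  children:
                    "You can then look them up from the database or persist them to the JSON Web Token.",
                }),
                jsxs(components.p, {
                  children: [
                    "Note: Auth.js does not currently handle Access Token rotation for OAuth providers for you, however, you can check out ",
                    jsx(components.a, {
                      href: "/guides/refresh-token-rotation",
                      children: "this tutorial",
                    }),
                    " if you want to implement it.",
                  ],
                }),
              ],
            }),
            // Why accounts sharing an email address are not linked
            // automatically: a provider-supplied email is not necessarily
            // verified, so auto-linking would allow account takeover.
            jsxs(accordions.UQ, {
              title:
                "When I sign in with another account with the same email address, why are accounts not linked automatically?",
              children: [
                jsx(components.p, {
                  children:
                    "Automatic account linking on sign-in is not secure between arbitrary providers - except for allowing users to sign in via email addresses as a fallback (as they must verify their email address as part of the flow).",
                }),
                jsx(components.p, {
                  children:
                    "When an email address is associated with an OAuth account it does not necessarily mean that it has been verified as belonging to the account holder — how email address verification is handled is not part of the OAuth specification and varies between providers (e.g. some do not verify first, some do verify first, others return metadata indicating the verification status).",
                }),
                jsx(components.p, {
                  children:
                    "With automatic account linking on sign-in, this can be exploited by bad parties to hijack accounts by creating an OAuth account associated with the email address of another user.",
                }),
                jsx(components.p, {
                  children:
                    "For this reason, it is not secure to automatically link accounts between arbitrary providers on sign-in, which is why this feature is generally not provided by an authentication service and is not provided by Auth.js.",
                }),
                jsx(components.p, {
                  children:
                    "Automatic account linking is seen on some sites, sometimes insecurely. It can be technically possible to do automatic account linking securely if you trust all the providers involved to ensure they have securely verified the email address associated with the account, but requires placing trust (and transferring the risk) to those providers to handle the process securely.",
                }),
                jsx(components.p, {
                  children:
                    "Examples of scenarios where this is secure include an OAuth provider you control (e.g. that only authorizes users internal to your organization) or a provider you explicitly trust to have verified the users’ email address.",
                }),
                jsx(components.p, {
                  children:
                    "Automatic account linking is not a planned feature of Auth.js, however, there is scope to improve the user experience of account linking and of handling this flow, securely. Typically this involves providing a fallback option to sign in via email, which is already possible (and recommended), but the current implementation of this flow could be improved.",
                }),
                jsx(components.p, {
                  children:
                    "Providing support for secure account linking and unlinking of additional providers - which can only be done if a user is already signed in - was originally a feature in v1.x but has not been present since v2.0, and is planned to return in a future release.",
                }),
              ],
            }),
          ],
        });

        // --- "Feature Requests" FAQ ------------------------------------------
        const featureRequestsFaq = jsxs(accordions.FV, {
          children: [
            jsxs(accordions.UQ, {
              title: "Why doesn't Auth.js support [a particular feature]?",
              children: [
                jsx(components.p, {
                  children:
                    "Auth.js is an open-source project built by individual contributors who are volunteers writing code and providing support in their spare time.",
                }),
                jsx(components.p, {
                  children:
                    "If you would like Auth.js to support a particular feature, the best way to help make it happen is to raise a feature request describing the feature and offer to work with other contributors to develop and test it.",
                }),
                jsx(components.p, {
                  children:
                    "If you are not able to develop a feature yourself, you can offer to sponsor someone to work on it.",
                }),
              ],
            }),
            jsxs(accordions.UQ, {
              title:
                "I disagree with a design decision, how can I change your mind?",
              children: [
                jsx(components.p, {
                  children:
                    "Product design decisions on Auth.js are made by core team members.",
                }),
                jsx(components.p, {
                  children:
                    "You can raise suggestions as feature requests for enhancement.",
                }),
                jsx(components.p, {
                  children:
                    "Requests that provide the detail requested in the template and follow the format requested may be more likely to be supported, as additional detail prompted in the templates often provides important context.",
                }),
                jsx(components.p, {
                  children:
                    "Ultimately if your request is not accepted or is not actively in development, you are always free to fork the project under the terms of the ISC License.",
                }),
              ],
            }),
          ],
        });

        // The "\n" entries are the whitespace text nodes of the compiled MDX.
        return jsxs(jsxRuntime.Fragment, {
          children: [
            jsx(components.h1, { children: "About Auth.js" }),
            "\n",
            jsx(components.h3, { id: toc[0].id, children: toc[0].value }),
            "\n",
            jsx(components.p, {
              children:
                "Auth.js is an open-source project built by individual contributors.",
            }),
            "\n",
            jsx(components.p, {
              children:
                "It is not commercial software and is not associated with a commercial organization.",
            }),
            "\n",
            jsx(components.h3, { id: toc[1].id, children: toc[1].value }),
            "\n",
            compatibilityFaq,
            "\n",
            jsx(components.h3, { id: toc[2].id, children: toc[2].value }),
            "\n",
            jsxs(components.p, {
              children: [
                "Check out the ",
                jsx(components.a, {
                  href: "/concepts/session-strategies",
                  children: "Session strategies page",
                }),
                " to learn more.",
              ],
            }),
            "\n",
            jsx(components.h3, { id: toc[3].id, children: toc[3].value }),
            "\n",
            jsxs(components.p, {
              children: [
                "Parts of this section have been moved to their own ",
                jsx(components.a, { href: "/security", children: "page" }),
                ".",
              ],
            }),
            "\n",
            securityFaq,
            "\n",
            jsx(components.h3, { id: toc[4].id, children: toc[4].value }),
            "\n",
            featureRequestsFaq,
          ],
        });
      }

      exports.default = (0, pageWrapper.c)(
        ConceptsPage,
        "/concepts",
        {
          filePath: "pages/concepts/index.mdx",
          timestamp: 1727465008e3,
          pageMap: pageMapModule.v,
          frontMatter: {},
          title: "About Auth.js",
        },
        typeof RemoteContent === "undefined" ? useTOC : RemoteContent.useTOC,
      );
    },
  },
  // Runtime callback: run entry module 77097 once the listed chunks are loaded.
  function (runtime) {
    runtime.O(
      0,
      [64211, 50857, 94322, 1089, 26489, 92888, 49774, 40179],
      function () {
        return runtime((runtime.s = 77097));
      },
    );
    _N_E = runtime.O();
  },
]);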