Skip to main content

Use AI to integrate Auth0

If you use an AI coding assistant like Claude Code, Cursor, or GitHub Copilot, you can add Auth0 authentication automatically in minutes using agent skills.Install:
Then ask your AI assistant:
Your AI assistant will automatically create your Auth0 application, fetch credentials, install @auth0/nextjs-auth0, create API routes, and set up environment variables. Full agent skills documentation →
Prerequisites: Before you begin, ensure you have the following installed:Verify installation: node --version && npm --version

Get Started

This quickstart demonstrates how to add Auth0 authentication to a Next.js 16 application. You’ll build a full-stack web application with server-side rendering, secure login functionality, and protected routes using the Auth0 Next.js SDK.
1

Create a new project

Create a new Next.js project for this Quickstart
Open the project
2

Install the Auth0 Next.js SDK

3

Create project files

Create all necessary directories and files for Auth0 integration:
4

Setup your Auth0 App

Next up, you need to create a new app on your Auth0 tenant and add the environment variables to your project.You have three options to set up your Auth0 app: use the Quick Setup tool (recommended), run a CLI command, or configure manually via the Dashboard:
5

Create the Auth0 configuration

Add the Auth0 client code to src/lib/auth0.ts:
src/lib/auth0.ts
6

Add Proxy

Add the proxy code to src/proxy.ts:
src/proxy.ts
Since we’re using a src/ directory, the proxy.ts file is created inside src/. If you’re not using a src/ directory, create it in the project root instead.
This proxy automatically mounts the following authentication routes:
  • /auth/login - Login route
  • /auth/logout - Logout route
  • /auth/callback - Callback route
  • /auth/profile - User profile route
  • /auth/access-token - Access token route
  • /auth/backchannel-logout - Backchannel logout route
7

Create Login, Logout and Profile Components

Add the component code to the files created in Step 3:
8

Update your main page

Replace src/app/page.tsx with:
src/app/page.tsx
9

Update layout with Auth0Provider

Update src/app/layout.tsx to load the Inter font and wrap your app with Auth0Provider:
src/app/layout.tsx
In v4, the Auth0Provider is optional. You only need it if you want to pass an initial user during server rendering to be available to the useUser() hook.
10

Configure Tailwind CSS

Replace the contents of src/app/globals.css with:
src/app/globals.css
11

Run your app

Your app will be available at http://localhost:3000. The Auth0 SDK v4 automatically mounts authentication routes at /auth/* (not /api/auth/* like in v3).If port 3000 is in use, run: npm run dev -- --port 3001 and update your Auth0 app’s callback URLs to http://localhost:3001
CheckpointYou should now have a fully functional Auth0 login page running on your localhost

Troubleshooting

If you see a JWEDecryptionFailed: decryption operation failed error, this is caused by either an invalid AUTH0_SECRET or an old session cookie encrypted with a different secret.Solution:
  1. Generate a new secret using:
  1. Update your .env.local file:
  1. Clear your browser cookies for localhost:3000:
    • Chrome/Edge: Press F12 → Application tab → Cookies → Delete all cookies for localhost
    • Firefox: Press F12 → Storage tab → Cookies → Delete all cookies for localhost
    • Safari: Develop menu → Show Web Inspector → Storage tab → Cookies → Delete all
  2. Restart your dev server:
The secret must be exactly 32 bytes (64 hexadecimal characters). The error occurs when the app tries to decrypt an existing session cookie that was encrypted with a different secret.
If clicking login takes you to a 404 page, check these common issues:
  1. Proxy location: Ensure src/proxy.ts exists in the correct location
  2. Proxy code: Verify the proxy matches the code in Step 6
  3. Restart server: After creating the proxy file, restart the dev server
  4. Check imports: Make sure import { auth0 } from "./lib/auth0" path is correct
If you see “Cannot find module ’@/components/LoginButton’” or similar errors:
  1. Verify files exist: Check that all files from Step 3 were created
  2. Check paths: Ensure components are in src/components/ directory
  3. Restart TypeScript: Press Cmd+Shift+P (Mac) or Ctrl+Shift+P (Windows) and run “TypeScript: Restart TS Server”
  4. Verify imports: Make sure you’re using @/components/* (not ~/components/*)

Advanced Usage

This quickstart uses Auth0 Next.js SDK v4, which has significant changes from v3:
  • No dynamic route handlers needed - Authentication routes are auto-mounted by the proxy
  • Simplified client setup - new Auth0Client() reads environment variables automatically
  • New route paths - Routes are at /auth/* instead of /api/auth/*
  • Required proxy - All authentication functionality goes through proxy.ts
  • Use <a> tags - Navigation must use <a href="/auth/login"> instead of buttons with onClick

Authentication Routes

The SDK automatically mounts these routes via the proxy:
RoutePurpose
/auth/loginInitiate login
/auth/logoutLogout user
/auth/callbackHandle Auth0 callback
/auth/profileGet user profile
/auth/access-tokenGet access token
/auth/backchannel-logoutHandle backchannel logout
If you’re experiencing 404 errors on these routes, ensure that:
  1. The proxy.ts file is in the correct location (project root, or inside src/ if using a src/ directory)
  2. The proxy is properly configured with the matcher pattern shown in Step 6
  3. The development server was restarted after creating the proxy file
The Auth0 Next.js SDK v4 supports both App Router and Pages Router patterns. Here are some common server-side patterns:
app/protected/page.tsx
For client-side authentication state, use the useUser hook:
components/UserProfile.tsx
For API route protection, use the withApiAuthRequired method:
app/api/protected/route.ts
If you’re using a third-party backend service (like Convex, Supabase, or Firebase) that requires Auth0 authentication tokens, you’ll need to pass the access token from your Next.js app to the backend client.

Getting the Access Token

Server-side (App Router):
app/api/token/route.ts
Client-side:
lib/convex-client.ts

Configuring Your Backend

Most third-party services need your Auth0 domain and audience to verify tokens. In your backend configuration:
convex/auth.config.ts
Ensure your Auth0 application is configured with an API audience if your backend requires it. You can set this in the Auth0 Dashboard under Applications → APIs, or add AUTH0_AUDIENCE to your .env.local and configure the SDK accordingly.

Troubleshooting Token Issues

If ctx.auth.getUserIdentity() returns null in your backend:
  1. Verify token is being passed: Check browser DevTools Network tab to confirm the token is included in requests
  2. Check token format: Ensure you’re passing the accessToken, not the idToken
  3. Verify backend configuration: Confirm your backend has the correct Auth0 domain and client ID
  4. Check audience: If using an Auth0 API, ensure the AUTH0_AUDIENCE is set and matches your API identifier
  5. Inspect token claims: Decode your JWT at jwt.io to verify it contains the expected claims