developers

Next.js 16: What’s New for Authentication and Authorization

Dive into the latest Next.js 16 updates for authentication and authorization, and learn how the new defaults improve security for Next.js developers.

Will Johnson

Developer Advocate

Dec 1, 20255 min read

Next.js 16 brings a set of practical updates that refine how the framework handles caching, routing, and request interception.

For developers working on authentication and authorization, these changes offer clearer boundaries and more predictable defaults. They do not reinvent the wheel, but they do provide better tools for defining where and how security logic runs.

Here is a look at the specific features in Next.js 16 and what they mean for securing your applications.

Clarifying the Network Boundary with proxy.ts

The most visible change for security configuration is the renaming and clearer definition of the middleware file.

The Change: middleware.ts is now proxy.ts

Next.js 16 renames middleware.ts to proxy.ts. While the core functionality of intercepting requests remains similar, the new name better reflects its role as a lightweight routing layer rather than a place for heavy business logic.

You can now export a named proxy function from a proxy.ts file in your root or /src directory:

// proxy.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

export function proxy(request: NextRequest) {  
  // Lightweight authentication check  
  const token = request.cookies.get('auth_token');    

  if (!token) {
    return NextResponse.redirect(new URL('/login', request.url));
  }
  return NextResponse.next();
}

The security impact

This change reinforces an important architectural pattern. The documentation notes that proxy.ts is not intended for full session management or complex authorization.

  • Keep it light: Use proxy.ts for high-level traffic control, such as redirecting users who lack a session cookie.
  • move complexity downstream: Detailed authentication (like validating JWT signatures) and granular authorization (like checking specific user permissions) should live closer to your data in Server Components or Server Actions. This approach benefits from the stable Node.js runtime and keeps your edge logic simple.

Cache Components and Dynamic by Default

Next.js 16 introduces a new default behavior for caching that aligns well with security requirements.

The change: opt-in caching

When you enable cacheComponents: true in your configuration, the framework no longer attempts to cache dynamic data by default. Instead, data fetching operations run at request time unless you explicitly use the use cache directive.

The authorization benefit

This shift reduces the risk of accidental data leaks.

  • Fresh data: Because components run dynamically by default, you can be confident that authorization checks (like fetching user roles) happen in real-time for every request.
  • Explicit caching: You only cache data when you intend to, which forces a conscious decision about what is safe to store.

A note on use cache

When you do use the use cache directive for personalized data, you must be careful with your cache keys. The directive generates a key based on the arguments passed to the function.

To prevent one user from seeing the cached data of another, always pass the user identifier as an argument:

'use cache';

// The cache key is derived from the `userId` argument
// This ensures Next.js creates a unique entry for each user

export async function getCachedUserDashboard(userId: string) {
  const data = await db.findDashboard(userId);
  return data;
}

Server Actions and updateTag()

Server Actions remain the standard way to handle mutations (like updating a user profile). Next.js 16 adds a specific tool to handle cache invalidation after these updates.

The new API: updateTag()

When a user performs an action that changes their permissions (for example, an admin bans a user or a user upgrades their plan), you need that change to reflect immediately.

The updateTag() API allows you to expire a cache tag and refresh the data within the same request:

'use server';
import { updateTag } from 'next/cache';

export async function changeUserRole(userId: string, newRole: string) {
  // 1. Update the user's role in the database
  await db.users.update(userId, { role: newRole });
  // 2. Invalidate the cache and refresh the data immediately
  updateTag(`user-profile-${userId}`);
}

The security benefit

This supports "read-your-writes" semantics. In a security context, this is critical. It ensures that if you revoke a permission, the application recognizes that change instantly on the very next render, rather than serving stale, authorized content from the cache.

Next.js 16 Makes Authentication and Authorization Boundaries Clear

Next.js 16 offers a set of refinements that make the security model more explicit.

  • proxy.ts clarifies the role of request interception.
  • Dynamic defaults reduce the chance of accidental caching issues.
  • updateTag() ensures that permission changes take effect immediately.

These updates help developers build applications where authentication and authorization boundaries are clear, predictable, and easier to maintain.

We are actively working to incorporate these new Next.js 16 features into the official Auth0 Next.js SDK. To stay informed on our progress and track the release of these updates, you can check out the Auth0 Next.js SDK GitHub project on GitHub.