How to Add Authentication to Next.js (App Router Guide)
Complete guide to adding auth to Next.js with App Router. Compare Auth.js, Clerk, Supabase Auth, and all-in-one solutions for 2026.
Next.js authentication is one of the first things every developer needs to add, and one of the most time-consuming to get right. The shift from Pages Router to App Router changed the entire auth architecture, and most tutorials have not caught up.
This guide covers every practical approach to nextjs auth in 2026, with honest trade-offs and real implementation details. If you want the quick version, check out our step-by-step tutorial on adding auth to a Next.js app.
Why Next.js Auth Is Different in 2026
Next.js App Router introduced a fundamental shift in how authentication works. Server Components execute exclusively on the server. You cannot use useContext or client-side state management for session data the way you did with Pages Router.
Three architectural changes make Next.js auth uniquely challenging:
- Server Components cannot use hooks. No
useSession()in your layout. You read session data from cookies or headers on the server. - Middleware runs on Edge Runtime. Prior to Next.js 15.2, middleware could not make database calls. It can only validate cookies and JWTs, not check database sessions.
- The CVE-2025-29927 vulnerability exposed a critical flaw where attackers could bypass middleware entirely by manipulating the
x-middleware-subrequestheader. This proved that middleware-only auth is not enough.
The current best practice is defense-in-depth: verify authentication at every data access point, not just at the middleware boundary.
Common Next.js Auth Approaches Compared
Auth.js (NextAuth)
Auth.js, formerly NextAuth.js, is the community standard for Next.js authentication. It is open source, supports 80+ OAuth providers, and has native App Router support since v5.
What works well:
- Zero cost, fully open source
- Built-in support for Google, GitHub, Discord, and dozens of other providers
- Database adapters for Prisma, Drizzle, and most ORMs
- Session management with JWT or database sessions
Where it falls apart:
- Configuration complexity grows fast with custom providers
- Email/password auth requires extra setup and a transactional email provider
- No built-in UI components — you build every login form yourself
- Upgrade path from v4 to v5 broke many production apps
A basic Auth.js setup with Google OAuth requires configuring the provider, setting up API routes, creating middleware, and building login UI. Expect 1-3 days for a production-ready implementation.
Clerk
Clerk has become the fastest-growing auth provider for Next.js, with native React Server Components support and pre-built UI components that work in both server and client contexts.
What works well:
- Drop-in
<SignIn />and<UserButton />components - 10,000 free monthly active users
- Built-in user management dashboard
- Native App Router and Server Components support
Where it falls apart:
- Vendor lock-in with proprietary APIs
- Costs scale at $0.02 per MAU after the free tier
- Limited customization of pre-built components
- Requires Clerk’s infrastructure for all auth operations
Supabase Auth
Supabase Auth bundles authentication with a Postgres database and Row Level Security. If you already use Supabase, adding auth is nearly free.
What works well:
- Free up to 50,000 MAUs ($0.00325/MAU after)
- Row Level Security ties auth directly to database permissions
- Built-in email, phone, and social auth
- Self-hostable if you want full control
Where it falls apart:
- Ties your auth to your database provider
- Next.js integration requires manual cookie management
- Server Components support needs the
@supabase/ssrpackage - No built-in payments or subscription management
Custom JWT Implementation
Rolling your own JWT auth gives you complete control but demands serious security expertise. You handle token generation, refresh rotation, CSRF protection, and session invalidation yourself.
Most indie hackers should not do this. The security surface area is enormous, and the implementation time — typically 2-4 weeks for production quality — is better spent building your actual product. If you are considering other frameworks, see our guides for adding auth to SvelteKit and adding auth to an Astro app.
The Real Problem: Auth Is Only Half the Battle
Here is what nobody tells you about adding auth to Next.js: authentication alone does not make money. You still need payments. And wiring up Stripe after you have already built auth means a second integration project with its own webhooks, session management, and user-to-customer mapping.
Every auth solution above handles login. None of them handle Stripe checkout, subscription management, or payment webhooks out of the box.
This is why many indie hackers lose 2-4 weeks on infrastructure instead of shipping features. You wire up Auth.js. Then you wire up Stripe. Then you realize the user objects do not match and you need a mapping layer. Then you need webhook handlers. Then you need a customer portal.
How Beag Simplifies Next.js Auth and Payments
Beag takes a different approach. Instead of managing separate auth and payment integrations, you add a single script tag to your Next.js app. Beag handles:
- Authentication with email, social login, and magic links
- Stripe payments with checkout, subscriptions, and customer portal
- User-to-customer mapping automatically, no webhook code required
- Session data accessible via a simple API call from your Server Components
The setup takes minutes instead of days. You add the Beag script tag to your layout, configure your plans in the Beag dashboard, and your Next.js app has both auth and payments working immediately.
For indie hackers and solo developers building micro SaaS products, this eliminates the two biggest infrastructure headaches so you can focus on the features that differentiate your product.
Choosing the Right Approach
| Solution | Cost | Setup Time | Auth + Payments |
|---|---|---|---|
| Auth.js | Free | 1-3 days | Auth only |
| Clerk | $0.02/MAU after 10K | 1-2 hours | Auth only |
| Supabase Auth | Free up to 50K MAU | 2-4 hours | Auth only |
| Custom JWT | Free | 2-4 weeks | Auth only |
| Beag | $19/month | 15 minutes | Both included |
If you are building a micro SaaS and need both auth and payments, Beag handles both with a single integration. If you need fine-grained control over your auth layer and plan to build payments separately, Auth.js or Clerk are solid choices.
Read more about how Beag compares in our auth provider comparison or check out the step-by-step setup guide. For a broader view of authentication across frameworks, browse the complete guide hub.
What to Do Next
- Decide your scope. Do you need auth only, or auth plus payments?
- Pick your timeline. Days to build or minutes to integrate?
- Consider total cost. Factor in development time, not just subscription fees.
- Start building. Try Beag free for 7 days or explore the docs to see how fast you can ship.
Frequently Asked Questions
What is the best authentication solution for Next.js in 2026?
It depends on your needs. Auth.js (NextAuth) is best for open-source flexibility, Clerk offers the smoothest developer experience with 10,000 free MAUs, and Supabase Auth is ideal if you already use Supabase for your database. For indie hackers who need auth and payments together, Beag handles both with a single script tag.
Does Next.js App Router change how authentication works?
Yes, significantly. Server Components run exclusively on the server, so you cannot use client-side auth patterns like React context for session state. You need to verify authentication at the Data Access Layer, not just in middleware. The CVE-2025-29927 vulnerability proved that middleware-only auth is not safe.
How long does it take to add auth to a Next.js app?
With a managed provider like Clerk or Beag, you can have basic auth running in under an hour. Rolling your own with Auth.js takes 3-6 days for a production-ready setup. Custom JWT implementations can take 2-4 weeks when you factor in refresh token rotation, CSRF protection, and session management.
Can I use Next.js middleware for authentication?
Middleware should be used for optimistic redirects only, not as your sole authentication layer. Middleware runs on Edge Runtime and cannot make database calls. Always verify sessions at the Data Access Layer in your Server Components and API routes.
What is the cheapest way to add auth to Next.js?
Auth.js is free and open source but requires self-hosting and maintenance. Supabase Auth is free up to 50,000 MAUs. Clerk offers 10,000 free MAUs at $0.02 per MAU after that. Beag bundles auth and Stripe payments together starting at $19/month for unlimited users.
Skip the Auth and Payments Headaches
Beag handles authentication and Stripe payments with a single script tag. Ship your SaaS faster.
Start 7-day free trial