JWT callback returns large token → split into .0, .1, .2 cookies

[sanjayrajeev]

I’m using next-auth with the jwt session strategy and running into a problem with cookie size when storing multiple API tokens.

Here’s my jwt callback:

async jwt({ token, user }) {
  if (user) {
    token.agentInfo = user.agentInfo;
  }
  const cognitoTokens = await manageTokens(token as Record<string, Token>);
  token = { ...token, ...cognitoTokens };
  return token;
}

In my case, manageTokens merges three different API tokens (Cognito + other APIs) into the JWT payload. but in __Secure-next-auth.session-token cookie becomes too large and NextAuth splits it into multiple cookies (.0, .1, .2).

Why this is a problem

• Some APIs start returning 431 Request Header Fields Too Large because the cookies in the request headers are too big
• I don’t actually use the cookie-based JWT anywhere in our app.
• I only rely on the session token inside next-auth.
• Because the JWT grows with multiple tokens, the cookie approach creates unnecessary complexity.

Questions

• Is there a way to disable cookie storage of the JWT when using the jwt session strategy and only keep it in memory/server-side?
• If not, what’s the recommended pattern for handling multiple tokens without hitting cookie size limits?
• Should i be moving to a server-side session store (e.g., PrismaAdapter + DB/Redis)?
• Or should NextAuth provide an option to avoid serializing everything into cookies?

Any guidance or best practices would be appreciated 🙏