Am I missing something?

[nehalist]

I think I'm missing something here: what's the point of using next-auth? let's say I've configured some oauth providers and am able to login in my next app. but I'd still need an api to have some kind of authentication (e.g. oauth) - which makes using next-auth oauth standalone pretty useless?

[balazsorban44]

You can authenticate users, delegating the actual authentication to a respected third party. If you don't trust any of those, we also allow you to configure your own IdentityProvider, or you can use passwordless (Email) logins, or a traditional credentials login if you already have such a system set up.

Obtaining user access_tokens can be done through the IdentityProvider for example. Let's say you want to use some GitHub APIs in the name of the user (build a dashboard based on the user's repos for instance). You can use next-auth to receive such a token for auth that the GitHub API will accept.

If using your own IdentityProvider, you can talk to your third-party APIs the same way as mentioned above.

You can also utilize the user session for auth on your Next.js app's backend (simply read the session, and you can assume the user is logged in, execute protected operations on their behalf).

You can protect certain pages to only be visible for logged-in users (like a paywall), or implement a role-based/subscription model. The possibilities are really endless.

Also check out our FAQ and Tutorials pages to get some inspiration.

[nehalist]

Let's say, for example, I'm running next-auth with JWT. Would that mean I'd use the same secret on my third-party API for the JWT as in Next?

[0ubbe]

Those are two different things. NextAuth's secret is to manage the session within your application. Once the user is logged in, you may then call an external API using a different secret and way to authenticate. If you're hosting your API within the NextJS app itself, then you don't need a secret for it; on the routes you don't want to be public, you can do...

export default async function DetailRoute(req: NextApiRequest, res: NextApiResponse) { 
  const { status } = await getSession()
  if (status === "unauthenticated") res.status(401).json({ error: 'Not authenticated' })
  // and so on...
}

Does that make sense?