Where does next-auth store user sessions on the server side? #4715
Unanswered
matthias-hampel asked this question in Help
Replies: 1 comment
It doesn't, I believe. Usage of the credentials provider causes next-auth to use JWT sessions (https://next-auth.js.org/providers/credentials). Your server then trusts that they are who they say they are by just decoding the JWT, so you'll need to put important details about them there. Ideally, to make use of the JWT's databaseless strengths, you can put things like what tier of stuff they have access to in the token. If that doesn't make sense for your app, you can always just put their userid in there and then treat them as logged in as whatever userid your credentials provider returned and was stored in their JWT.
Hi!
I'm using next-auth for a new project that I'm building.
We use Directus as our database - users and passwords are stored there too.
I created a CredentialsProvider where I verify whether the user provided the correct credentials or not. If user and password do match, the login succeeded.
Everything is working fine so far.
However, I wonder where next-auth stores the user sessions on the server-side. If I understand it correctly, the authorize of the CredentialsProvider is only called when the user tries to log in and not on every request. Can someone please enlighten me?
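What "trusting the JWT" in the reply above amounts to, as an added example that is not from the thread or from next-auth's code: a token is signed once after the credentials check and then only verified on each request, with no session store. The HS256 format, SECRET and the function names issueSession, readSession and tamperTier are assumptions for illustration; next-auth's own token format is not reproduced here.

```javascript
// Added illustration: stateless signed session token (HS256 JWT) with Node's crypto.
// SECRET, issueSession, readSession and tamperTier are hypothetical, not next-auth APIs.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret-do-not-reuse'; // constructed value

const b64url = (text) => Buffer.from(text).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const sign = (data) =>
  crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Called once, after the credentials check succeeded (the "authorize" step).
function issueSession(user, nowSec, ttlSec = 3600) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    sub: user.id, tier: user.tier, iat: nowSec, exp: nowSec + ttlSec,
  }));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// Called on every request: no database lookup, only signature and expiry checks.
function readSession(token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  // Compare lengths first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    // Pin the algorithm instead of trusting whatever the header announces.
    if (decode(header).alg !== 'HS256') return null;
    claims = decode(payload);
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return { userId: claims.sub, tier: claims.tier };
}

// Test helper: edits the tier claim but keeps the old signature.
function tamperTier(token) {
  const [header, payload, sig] = token.split('.');
  const claims = { ...decode(payload), tier: 'admin' };
  return `${header}.${b64url(JSON.stringify(claims))}.${sig}`;
}
```

Because nothing is stored on the server, a token stays valid until its exp claim passes, and claims such as tier stay as issued until then. Revoking a session earlier needs server-side state such as a deny list.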