WorkOS Docs Homepage
SDKs
API referenceDashboardSign In
SDKs

AuthKit Next.js SDK

github.com
workos/ authkit-nextjs
149 Stars
59 Forks
41 Contributors
github.com
Official AuthKit SDK for Next.js applications.

Installation

Usage

The AuthKit Next.js SDK provides server-side and client-side utilities for integrating AuthKit authentication into Next.js applications.

Refer to the AuthKit documentation for detailed usage instructions and examples.

Beta Versions

Certain WorkOS features may be available only in the beta version of the SDK. Beta versions have the -beta.* suffix, for example, 3.2.0-beta.1. For more information on how to use beta versions, refer to the README in the GitHub repository.

Releases

June 24, 2026

v4.1.2

Latest
June 24, 2026

4.1.2 (2026-06-24)

Bug Fixes

  • Improve auth cookie missing error message (#440) (39af2bb)
May 27, 2026

v4.1.1

May 27, 2026

4.1.1 (2026-05-27)

Bug Fixes

  • defer PKCE cookie write until AuthKit redirect (#432) (4f63d2f)
May 15, 2026

v4.1.0

May 15, 2026

4.1.0 (2026-05-15)

Features

  • Add feature flags runtime client helper (#428) (be6b932)
April 23, 2026

v4.0.1

April 23, 2026

4.0.1 (2026-04-23)

Bug Fixes

  • persist authenticationMethod in sealed session cookie (#410) (a8f7def)
April 23, 2026

v4.0.0

April 23, 2026

4.0.0 (2026-04-23)

⚠ BREAKING CHANGES

  • Upgrade @workos-inc/node to v9 (#407)
  • set minimum Node.js version to 22.11.0 (#408)

Miscellaneous Chores

April 20, 2026

v3.0.1

April 20, 2026

3.0.1 (2026-04-20)

Bug Fixes

  • isolate concurrent PKCE flows to prevent cookie clobbering (#403) (3740a83)
  • set PKCE cookie in ensureSignedIn server action flow (#406) (a55bb64)
March 25, 2026

v3.0.0

March 25, 2026

3.0.0 (2026-03-25)

⚠ BREAKING CHANGES

  • add OAuth state verification on callback to prevent CSRF attacks (#388)

Features

  • add OAuth state verification on callback to prevent CSRF attacks (#388) (ebef6e7)
  • middleware: add authkitProxy and handleAuthkitProxy aliases for proxy.ts (#384) (4c3f27b)

Bug Fixes

  • actions: catch TokenRefreshError in refreshAccessTokenAction to prevent 500s (#383) (5c46c39)
  • auth: return signInUrl from server actions to avoid CORS errors (#386) (7d52400)
  • harden PKCE/CSRF for v3.0.0 release (#398) (8054829)
March 13, 2026

v2.17.0

March 13, 2026

2.17.0 (2026-03-13)

Features

  • Automatically pass claim nonce for unclaimed environments (#389) (67dfc92)
March 13, 2026

v2.16.1

March 13, 2026

2.16.1 (2026-03-13)

Bug Fixes

  • make PKCE opt-in to avoid breaking custom middleware proxies (#392) (9e09fcb)
March 11, 2026

v2.16.0

March 11, 2026

2.16.0 (2026-03-11)

Features

  • add PKCE support for OAuth 2.1 compliance (#374) (de01c7f)

Bug Fixes

  • improve compatibility with non-Next.js environments (#378) (734311a)
  • resolve Dependabot security alerts (#380) (519dccf)
February 25, 2026

v2.15.0

February 25, 2026

2.15.0 (2026-02-25)

Features

  • Add returnTo option to getSignInUrl and getSignUpUrl functions (#375) (fc75708)
February 11, 2026

v2.14.0

February 11, 2026

What's Changed

  • chore: switch from npm to pnpm by @nicknisi in #360
  • docs: add warning about catch-all middleware matcher breaking styles by @nicknisi in #355
  • chore: migrate from Jest to Vitest by @nicknisi in #367
  • chore: upgrade @workos-inc/node to v8 by @nicknisi in #368
  • Add example app as pnpm workspace package by @nicknisi in #370
  • v2.14.0 by @nicknisi in #369

Full Changelog: v2.13.0...v2.14.0

January 7, 2026

v2.13.0

January 7, 2026

What's Changed

  • Add context7.json to repo by @nicknisi in #345
  • feat: enable npm Trusted Publishers by @nicknisi in #346
  • feat: add TokenRefreshError with userId and sessionId for debugging by @nicknisi in #349
  • feat: add composable proxy/middleware helpers by @nicknisi in #348
  • fix(tests): move window.location patching and restoration to beforeEach/afterEach by @sundaray in #350
  • fix: avoid calling headers() in middleware context by @nicknisi in #354
  • fix(test): restore document.querySelector mock in afterEach by @sundaray in #356
  • fix(test): restore process.env after each test by @sundaray in #357
  • v2.13.0 by @nicknisi in #358

New Contributors

  • @sundaray made their first contribution in #350

Full Changelog: v2.12.2...v2.13.0

December 12, 2025

v2.12.2

December 12, 2025

What's Changed

  • fix: bump Next.js dev dependency to patched version by @nickcollisson-workos in #343
  • v2.12.2 by @nicknisi in #344

Full Changelog: v2.12.1...v2.12.2

December 11, 2025

v2.12.1

December 11, 2025

What's Changed

  • Socket workflow integration by @nickcollisson-workos in #338
  • Switch runner to ubuntu-latest for socket action by @nicknisi in #339
  • fix: bump Next.js dev dependency to patched version by @nicknisi in #341
  • fix: handle full URLs in returnPathname to prevent malformed redirects by @nicknisi in #340
  • fix: handle full URLs in returnPathname to prevent malformed redirects by @nicknisi in #342

New Contributors

  • @nickcollisson-workos made their first contribution in #338

Full Changelog: v2.12.0...v2.12.1

December 3, 2025

v2.12.0

December 3, 2025

What's Changed

  • feat: Add initialAuth to AuthkitProvider by @danielr18 in #323

Full Changelog: v2.11.1...v2.12.0

November 20, 2025

v2.11.1

November 20, 2025

What's Changed

  • docs: fix state parameter type documentation to match implementation by @nicknisi in #327
  • Prevent caching authenticated pages (94cf438)

Full Changelog: v2.11.0...v2.11.1

October 29, 2025

v2.11.0

October 29, 2025

What's Changed

  • feat: support returnTo on Impersonation stop by @danielr18 in #322
  • feat: don't load organization unless impersonating by @danielr18 in #324
  • Add validateApiKey function by @nholden in #328
  • Add Next.js 16 support by @nicknisi in #331

New Contributors

  • @danielr18 made their first contribution in #322

Full Changelog: v2.10.0...v2.11.0

October 15, 2025

v3.0.0-beta.1

Pre-release
October 15, 2025

This update simply updates to @workos-inc/node v8.0.0-rc.1.

Full Changelog: v2.10.0...v3.0.0-beta.1

October 8, 2025

v2.10.0

October 8, 2025

What's Changed

  • Fix docs around eagerAuth usage by @nicknisi in #313
  • docs: Add featureFlag usage to the README by @birdcar in #318
  • feat: Add support for passing custom state data through authentication flow by @nicknisi in #314

New Contributors

  • @birdcar made their first contribution in #318

Full Changelog: v2.9.0...v2.10.0

September 24, 2025

v2.9.0

September 24, 2025

What's Changed

  • Specify 'use client' to differentiate between a server component. by @brandonin in #310
  • Allow onSuccess callback to update session by @nholden in #311

New Contributors

  • @brandonin made their first contribution in #310
  • @nholden made their first contribution in #311

Full Changelog: v2.8.0...v2.9.0

September 17, 2025

v2.8.0

September 17, 2025

What's Changed

  • Add roles to session JWT by @atainter in #308
  • v2.8.0 by @atainter in #309

New Contributors

  • @atainter made their first contribution in #308

Full Changelog: v2.7.1...v2.8.0

September 16, 2025

v2.7.1

September 16, 2025

What's Changed

  • Fix SSR hydration mismatch in tokenStore by @nicknisi in #306

Full Changelog: v2.7.0...v2.7.1

September 11, 2025

v2.7.0

September 11, 2025

What's Changed

  • docs: improve middleware documentation with security best practices by @nicknisi in #293
  • Add eager auth for synchronous token access by @nicknisi in #301
  • reduce test coverage thresholds to 80% by @nicknisi in #303
  • Move tests inline by @nicknisi in #304

Full Changelog: v2.6.0...v2.7.0

September 2, 2025

v2.6.0

September 2, 2025

What's Changed

  • add prompt to getAuthorizationURL by @jameslcarpino in #292
  • fix: allow signOut to work outside middleware coverage by @nicknisi in #296
  • Fix: Show loading state during initial token fetch to prevent flash by @nicknisi in #297

New Contributors

  • @jameslcarpino made their first contribution in #292

Full Changelog: v2.5.0...v2.6.0

August 18, 2025

v2.5.0

August 18, 2025

What's Changed

  • Fix token staleness in inactive browser tabs by @nicknisi in #290

Full Changelog: v2.4.6...v2.5.0

July 30, 2025

v2.4.6

July 30, 2025

What's Changed

  • Fix intermittent Turbopack build errors by removing .js extensions from Next.js imports by @nicknisi in #284

Full Changelog: v2.4.5...v2.4.6

July 29, 2025

v2.4.5

July 29, 2025

What's Changed

  • Clean up getCookieOptions and use in signOut to respect all options when delting cookie by @nicknisi in #281

Full Changelog: v2.4.4...v2.4.5

July 23, 2025

v2.4.4

July 23, 2025

What's Changed

  • Fix: Correct typos in README by @triplechecker-com in #278
  • docs: Update README to include explicitly passing baseURL in containerized environments by @heatherfaerber in #279
  • fix: improve useAccessToken timer management and prevent background flashing by @nicknisi in #280

New Contributors

  • @triplechecker-com made their first contribution in #278
  • @heatherfaerber made their first contribution in #279

Full Changelog: v2.4.3...v2.4.4

July 14, 2025

v2.4.3

July 14, 2025

What's Changed

  • Fix: Token refresh logic improvements by @nicknisi in #276

Full Changelog: v2.4.2...v2.4.3