Securing pages and API routes
You can easily protect client and server side rendered pages and API routes with NextAuth.js.
You can find working examples of the approaches shown below in the example project.
Tip: The methods getSession() and getToken() both return an object if a session is valid and null if a session is invalid or has expired.
Securing Pages
Client Side
If data on a page is fetched using calls to secure API routes - i.e. routes which use getSession() or getToken() to access the session - you can use the useSession React Hook to secure pages.
Server Side
You can protect server side rendered pages using the getSession() method.
Tip: This example assumes you have configured _app.js to pass the session prop through so that it's immediately available on page load to useSession.
Securing API Routes
Using getSession()
You can protect API routes using the getSession() method.
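A fail-closed guard built on the null-or-object contract described above, as an added example that is not from the NextAuth.js documentation or code base. requireSession is a hypothetical helper, and getSession is injected so the block runs offline against constructed stand-ins (fakeGetSession, fakeRes); in a real route you would pass the getSession() function exported by NextAuth.js and export the wrapped handler.

```javascript
// Hypothetical helper (not part of NextAuth.js): wraps an API route handler
// so it only runs when getSession() returns a session object.
function requireSession(getSession, handler) {
  return async function guarded(req, res) {
    let session = null;
    try {
      // Per the page: an object for a valid session, null if invalid or expired.
      session = await getSession({ req });
    } catch (err) {
      // Defensive: any lookup failure is treated as "not signed in".
      session = null;
    }
    if (!session) {
      // Deny by default and keep the denial out of shared caches.
      res.setHeader("Cache-Control", "no-store");
      return res.status(401).json({ error: "Not signed in" });
    }
    // Pass the session on so the handler does not look it up a second time.
    return handler(req, res, session);
  };
}

// Constructed stand-ins so the example runs without Next.js or NextAuth.js.
function fakeGetSession({ req }) {
  const valid = req.headers.cookie === "session=valid";
  return Promise.resolve(valid ? { user: { email: "a@example.com" } } : null);
}

function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Runs one constructed request through a guarded route and returns the response.
async function demo(cookie, getSession = fakeGetSession) {
  const route = requireSession(getSession, (req, res, session) =>
    res.status(200).json({ email: session.user.email }));
  const res = fakeRes();
  await route({ headers: { cookie } }, res);
  return res;
}

demo("").then((res) => console.log(res.statusCode, res.body));
```

The same null check applies to a guard built on getToken(), since the page states that both methods return null for an invalid or expired session.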
Using getToken()
If you are using JSON Web Tokens you can use the getToken() helper to access the contents of the JWT without having to handle JWT decryption / verification yourself. This method can only be used server side.
Tip: You can use the getToken() helper function in any application as long as you set the NEXTAUTH_URL environment variable and the application is able to read the JWT cookie (e.g. is on the same domain).
Note: Pass getToken the same value for secret as specified in pages/api/auth/[...nextauth].js.
See the documentation for the JWT option for more information.