Skip to content
Migrating from NextAuth.js v4? Read our migration guide.
Getting Started
Providers
Credentials

Credentials Provider

The Credentials provider allows you to handle signing in with arbitrary credentials, such as a username and password, domain, two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).

It is intended to support use cases where you have an existing system you need to authenticate users against, and therefore users authenticated in this manner are not persisted in the database.

⚠️

OAuth providers spend significant amounts of money, time, and engineering effort to build:

  • abuse detection (bot-protection, rate-limiting)
  • password management (password reset, credential stuffing, rotation)
  • data security (encryption/salting, strength validation)

and much more for authentication solutions. It is likely that your application would benefit from leveraging these battle-tested solutions rather than try to rebuild them from scratch.

If you’d still like to build password-based authentication for your application despite these risks, Auth.js gives you full control to do so.

⚠️

There is no validation on the user inputs by default. We recommend validating user input at runtime using a library like Zod or Valibot.

Configuration

/auth.ts
import NextAuth from "next-auth"
import Credentials from "next-auth/providers/credentials"
 
export const { signIn, signOut, auth } = NextAuth({
  providers: [
    Credentials({
      credentials: {
        username: { label: "Username" },
        password: { label: "Password", type: "password" },
      },
      async authorize({ request }) {
        const response = await fetch(request)
        if (!response.ok) return null
        return (await response.json()) ?? null
      },
    }),
  ],
})

See the callbacks documentation for more information on how to interact with the token. For example, you can add additional information to the token by returning an object from the jwt() callback:

callbacks: {
  async jwt({ token, user, account, profile, isNewUser }) {
    if (user) {
      token.id = user.id
    }
    return token
  }
}
Auth.js © Balázs Orbán and Team - 2024