Delete index.md

.eslintignore

@@ -23,14 +23,10 @@ pnpm-lock.yaml
 
 .docusaurus
 build
-docs/pages/reference/core
-docs/pages/reference/sveltekit
-docs/pages/reference/adapter
+docs/docs/reference/core
+docs/docs/reference/sveltekit
 static
 
-#  TODO: Enable
-docs-nextra
-
 # --------------- Packages ---------------
 
 coverage

.eslintrc.js

@@ -34,11 +34,11 @@ module.exports = {
       extends: ["plugin:jest/recommended"],
       env: { jest: true },
     },
-    // {
-    //   files: ["docs/**"],
-    //   plugins: ["@docusaurus"],
-    //   extends: ["plugin:@docusaurus/recommended"],
-    // },
+    {
+      files: ["docs/**"],
+      plugins: ["@docusaurus"],
+      extends: ["plugin:@docusaurus/recommended"],
+    },
     {
       // TODO: Expand to all packages
       files: ["packages/{core,sveltekit}/*.ts"],

.github/ISSUE_TEMPLATE/2_bug_provider.yml

@@ -32,7 +32,6 @@ body:
         - "Azure Active Directory"
         - "Azure Active Directory B2C"
         - "Battlenet"
-        - "Beyond Identity"
         - "Box"
         - "Bungie"
         - "Cognito"

.github/actions/issue-validator/repro.md

@@ -14,9 +14,9 @@ Ensure the link is pointing to a codebase that is accessible (e.g. not a private
 
 ### **What happens if I don't provide a sufficient minimal reproduction?**
 
-Issues with the `incomplete` label that receives no meaningful activity (e.g. new comments with a reproduction link) are closed after 7 days.
+Issues with the `incomplete` label that receives no meaningful activity (e.g. new comments with a reproduction link) are automatically closed and locked after 30 days.
 
-If your issue has _not_ been resolved in that time and it has been closed/locked, please open a new issue with the required reproduction. (It's less likely that we check back on already closed issues.)
+If your issue has _not_ been resolved in that time and it has been closed/locked, please open a new issue with the required reproduction.
 
 ### **I did not open this issue, but it is relevant to me, what can I do to help?**
 

.github/pr-labeler.yml

@@ -2,7 +2,7 @@
 adapters: ["packages/core/src/adapters.ts", "packages/adapter-*/**/*"]
 core: ["packages/core/src/**/*"]
 dgraph: ["packages/adapter-dgraph/**/*"]
-documentation: ["packages/docs/pages/**/*"]
+documentation: ["packages/docs/docs/**/*"]
 dynamodb: ["packages/adapter-dynamodb/**/*"]
 examples: ["apps/examples/**/*"]
 fauna: ["packages/adapter-fauna/**/*"]

.github/workflows/issue-validator.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/setup-node@v3
         with:
           node-version: 18
-      - name: Run issue validator
+      - name: "Run issue validator"
         run: node /home/runner/work/next-auth/next-auth/.github/actions/issue-validator/index.mjs
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -3,10 +3,10 @@ name: Release
 on:
   push:
     branches:
-      - main
-      - beta
-      - next
-      - 3.x
+      - "main"
+      - "beta"
+      - "next"
+      - "3.x"
   pull_request:
 
 jobs:
@@ -24,6 +24,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18
+          cache: "pnpm"
       - name: Install dependencies
         run: pnpm install
       - name: Run tests
@@ -73,6 +74,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18
+          cache: "pnpm"
       - name: Install dependencies
         run: pnpm install
       - name: Publish to npm and GitHub
@@ -97,6 +99,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18
+          cache: "pnpm"
       - name: Install dependencies
         run: pnpm install
       - name: Determine version

.gitignore

@@ -1,5 +1,6 @@
 # Misc
 .DS_Store
+.npmrc
 .eslintcache
 .env
 .env.local
@@ -11,9 +12,8 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 firebase-debug.log
-ui-debug.log
 .pnpm-debug.log
-.husky
+
 
 # Dependencies
 node_modules
@@ -78,11 +78,15 @@ docs/.docusaurus
 docs/providers.json
 
 # Core
+packages/core/*.js
+packages/core/*.d.ts
+packages/core/*.d.ts.map
 packages/core/src/providers/oauth-types.ts
 packages/core/lib
 packages/core/providers
 packages/core/src/lib/pages/styles.ts
-docs/pages/reference/core
+docs/docs/reference/core
+docs/docs/reference/sveltekit
 
 
 # SvelteKit
@@ -92,8 +96,3 @@ packages/frameworks-sveltekit/.svelte-kit
 packages/frameworks-sveltekit/package
 packages/frameworks-sveltekit/vite.config.js.timestamp-*
 packages/frameworks-sveltekit/vite.config.ts.timestamp-*
-docs/pages/reference/sveltekit
-
-# Adapters
-
-docs/pages/reference/adapter

.npmrc

@@ -1 +0,0 @@
-public-hoist-pattern[]=*prisma*

.prettierignore

@@ -13,14 +13,16 @@ pnpm-lock.yaml
 *.d.ts.map
 
 .svelte-kit
+.next
 .nuxt
 
 # --------------- Docs ---------------
 
-.next
-docs/pages/reference/core
-docs/pages/reference/sveltekit
-docs/pages/reference/adapter
+.docusaurus
+build
+docs/docs/reference/core
+docs/docs/reference/sveltekit
+static
 docs/providers.json
 
 # --------------- Packages ---------------

apps/dev/nextjs/.env.local.example

@@ -17,13 +17,9 @@ AUTH0_ID=
 AUTH0_SECRET=
 AUTH0_ISSUER=
 
-# Beyond Identity Provider
-BEYOND_IDENTITY_CLIENT_ID=
-BEYOND_IDENTITY_CLIENT_SECRET=
-BEYOND_IDENTITY_ISSUER=
-
-GITHUB_ID=
-GITHUB_SECRET=
+KEYCLOAK_ID=
+KEYCLOAK_SECRET=
+KEYCLOAK_ISSUER=
 
 NOTION_ID=
 NOTION_SECRET=
@@ -33,15 +29,8 @@ IDS4_ID=
 IDS4_SECRET=
 IDS4_ISSUER=
 
-KEYCLOAK_ID=
-KEYCLOAK_SECRET=
-KEYCLOAK_ISSUER=
-
-LINE_ID=
-LINE_SECRET=
-
-TRAKT_ID=
-TRAKT_SECRET=
+GITHUB_ID=
+GITHUB_SECRET=
 
 TWITCH_ID=
 TWITCH_SECRET=
@@ -49,8 +38,11 @@ TWITCH_SECRET=
 TWITTER_ID=
 TWITTER_SECRET=
 
-WIKIMEDIA_ID=
-WIKIMEDIA_SECRET=
+LINE_ID=
+LINE_SECRET=
+
+TRAKT_ID=
+TRAKT_SECRET=
 
 # Example configuration for a Gmail account (will need SMTP enabled)
 EMAIL_SERVER=smtps://user@gmail.com:password@smtp.gmail.com:465
@@ -63,9 +55,12 @@ EMAIL_FROM=user@gmail.com
 # MongoDB:  DATABASE_URL=mongodb://nextauth:password@127.0.0.1:27017/nextauth?synchronize=true
 DATABASE_URL=
 
+WIKIMEDIA_ID=
+WIKIMEDIA_SECRET=
+
 # Supabase Example Configuration
 # Supabase Example Configuration
 # NEXT_PUBLIC_SUPABASE_URL=http://localhost:54321
 # SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSJ9.vI9obAHOGyVVKa3pD--kJlyxp-Z2zV9UUMAhKpNLAcU
 # SUPABASE_JWT_SECRET=super-secret-jwt-token-with-at-least-32-characters-long
-# NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24ifQ.625_WdcF3KHqz5amU0x2X5WWHP-OEs_4qj0ssLNHzTs
+# NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24ifQ.625_WdcF3KHqz5amU0x2X5WWHP-OEs_4qj0ssLNHzTs

apps/dev/nextjs/pages/api/auth/[...nextauth].ts

@@ -6,7 +6,6 @@ import Asgardeo from "@auth/core/providers/asgardeo"
 import Auth0 from "@auth/core/providers/auth0"
 import AzureAD from "@auth/core/providers/azure-ad"
 import AzureB2C from "@auth/core/providers/azure-ad-b2c"
-import BeyondIdentity from "@auth/core/providers/beyondidentity"
 import BoxyHQSAML from "@auth/core/providers/boxyhq-saml"
 // import Cognito from "@auth/core/providers/cognito"
 import Credentials from "@auth/core/providers/credentials"
@@ -93,7 +92,6 @@ export const authConfig: AuthConfig = {
       tenantId: process.env.AZURE_AD_TENANT_ID,
     }),
     AzureB2C({ clientId: process.env.AZURE_B2C_ID, clientSecret: process.env.AZURE_B2C_SECRET, issuer: process.env.AZURE_B2C_ISSUER }),
-    BeyondIdentity({ clientId: process.env.BEYOND_IDENTITY_CLIENT_ID, clientSecret: process.env.BEYOND_IDENTITY_CLIENT_SECRET, issuer: process.env.BEYOND_IDENTITY_ISSUER }),
     BoxyHQSAML({ issuer: "https://jackson-demo.boxyhq.com", clientId: "tenant=boxyhq.com&product=saml-demo.boxyhq.com", clientSecret: "dummy" }),
     // Cognito({ clientId: process.env.COGNITO_ID, clientSecret: process.env.COGNITO_SECRET, issuer: process.env.COGNITO_ISSUER }),
     Discord({ clientId: process.env.DISCORD_ID, clientSecret: process.env.DISCORD_SECRET }),

apps/examples/solid-start/src/routes/protected.tsx

@@ -3,7 +3,7 @@ import { Protected } from "~/components";
 export const { routeData, Page } = Protected((session) => {
   return (
     <main class="flex flex-col gap-2 items-center">
-      <h1>This is a protected route</h1>
+      <h1>This is a proteced route</h1>
     </main>
   );
 });

docs/.eslintrc

@@ -1,3 +0,0 @@
-{
-  "extends": "next/core-web-vitals"
-}

docs/README.md

@@ -0,0 +1,66 @@
+<p align="center">
+   <br/>
+   <a href="https://authjs.dev" target="_blank"><img width="150px" src="https://authjs.dev/img/logo/logo-sm.png" /></a>
+   <h3 align="center">Auth.js</h3>
+   <p align="center">Authentication for Next.js</p>
+   <p align="center">
+   Open Source. Full Stack. Own Your Data.
+   </p>
+   <p align="center" style="align: center;">
+      <a href="https://github.com/nextauthjs/next-auth/actions/workflows/release.yml?query=workflow%3ARelease">
+        <img src="https://github.com/nextauthjs/next-auth/actions/workflows/release.yml/badge.svg" alt="Release" />
+      </a>
+      <a href="https://packagephobia.com/result?p=@auth/core">
+        <img src="https://packagephobia.com/badge?p=@auth/core" alt="Bundle Size"/>
+      </a>
+      <a href="https://www.npmtrends.com/@auth/core">
+        <img src="https://img.shields.io/npm/dm/@auth/core" alt="Downloads" />
+      </a>
+      <a href="https://github.com/nextauthjs/next-auth/stargazers">
+        <img src="https://img.shields.io/github/stars/nextauthjs/next-auth" alt="Github Stars" />
+      </a>
+      <a href="https://www.npmjs.com/package/@auth/core">
+        <img src="https://img.shields.io/github/v/release/nextauthjs/next-auth?label=latest" alt="Github Stable Release" />
+      </a>
+   </p>
+</p>
+
+## Overview
+
+This is the repository for the documentation page for Auth.js!
+
+NextAuth.js is a complete open source authentication solution for [Next.js](http://nextjs.org/) applications.
+
+This documentation site is based on the [Docusaurus](https://docusaurus.io) framework.
+
+## Getting Started
+
+To start a local environment of this project, please do the following.
+
+1. Clone the repository.
+
+```bash
+$ git clone https://github.com/nextauthjs/docs.git
+```
+
+2. Install dependencies
+
+```bash
+$ npm install
+```
+
+3. Start the development server
+
+```bash
+$ npm start
+```
+
+And thats all! Now you should have a local copy of this docs site running at [localhost:3000](http://localhost:3000)!
+
+## Contributing
+
+We're open to all community contributions! If you'd like to contribute in any way, please first read our [Contributing Guide](https://github.com/nextauthjs/.github/blob/main/CONTRIBUTING.md).
+
+## License
+
+ISC

docs/assets/img/blobs/blob1.svg

@@ -1,19 +0,0 @@
-<!-- <svg width="1077" height="990" viewBox="0 0 1077 990" fill="none" xmlns="http://www.w3.org/2000/svg"> -->
-<!-- <path d="M909.079 176.687C486.468 1429.32 94.8519 797.145 -245.666 989.191L-273.518 122.311C-98.0847 109.104 255.784 81.3405 267.79 75.9479C282.798 69.2072 1153.31 -485.661 1071.51 -140.889C1022.28 -26.4819 1001.45 -97.0987 909.079 176.687Z" fill="url(#paint0_linear_228_76)" fill-opacity="1" /> -->
-<!-- <defs> -->
-<!-- <linearGradient id="paint0_linear_228_76" x1="588.47" y1="791.265" x2="238.137" y2="497.91" gradientUnits="userSpaceOnUse"> -->
-<!-- <stop stop-color="#FF4400"/> -->
-<!-- <stop offset="1" stop-color="#111" /> -->
-<!-- </linearGradient> -->
-<!-- </defs> -->
-<!-- </svg> -->
-<svg width="1056" height="855" viewBox="0 0 1056 855" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M888.078 42.3027C465.467 1294.94 73.851 662.761 -266.667 854.807L-294.519 -12.0732C-119.086 -25.2807 234.783 -53.0438 246.789 -58.4364C261.797 -65.1771 1132.31 -620.045 1050.51 -275.273C1001.28 -160.866 980.447 -231.483 888.078 42.3027Z" fill="url(#paint0_radial_228_76)"/>
-<defs>
-<radialGradient id="paint0_radial_228_76" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(666.999 571.116) rotate(-129.513) scale(513.947 862.777)">
-<stop stop-color="#FF4400"/>
-<stop offset="1" stop-color="#111111"/>
-</radialGradient>
-</defs>
-</svg>
-

docs/assets/img/blobs/blob2.svg

@@ -1,20 +0,0 @@
-<!-- <svg width="1405" height="1025" viewBox="0 0 1405 1025" fill="none" xmlns="http://www.w3.org/2000/svg"> -->
-<!-- <path d="M1180.05 977.4C483.802 708.04 103.247 143.506 0 -105.091L1102.61 -196C1418.53 307.367 1876.29 1246.76 1180.05 977.4Z" fill="url(#paint0_linear_228_83)" fill-opacity="0.44"/> -->
-<!-- <defs> -->
-<!-- <linearGradient id="paint0_linear_228_83" x1="185.171" y1="460.565" x2="641.405" y2="-62.9701" gradientUnits="userSpaceOnUse"> -->
-<!-- <stop stop-color="#BB44CC"/> -->
-<!-- <stop offset="1" stop-color="#BB44CC" stop-opacity="0"/> -->
-<!-- </linearGradient> -->
-<!-- </defs> -->
-<!-- </svg> -->
-
-<svg width="1405" height="1025" viewBox="0 0 1405 1025" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M1180.05 977.4C483.802 708.04 103.247 143.506 0 -105.091L1102.61 -196C1418.53 307.367 1876.29 1246.76 1180.05 977.4Z" fill="url(#paint0_radial_228_83)"/>
-<defs>
-<radialGradient id="paint0_radial_228_83" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(498 619) rotate(-46.5881) scale(548.572 1194.34)">
-<stop stop-color="#BB44CC"/>
-<stop offset="1" stop-color="#111111"/>
-</radialGradient>
-</defs>
-</svg>
-

docs/assets/img/blobs/blob3.svg

@@ -1,20 +0,0 @@
-<!-- <svg width="2402" height="275" viewBox="0 0 2402 275" fill="none" xmlns="http://www.w3.org/2000/svg"> -->
-<!-- <path d="M305.668 155.376C1150.52 -387.169 3270.85 708.01 2011.14 262.274L1847.48 804.627C1613.84 721.267 1142.31 553.804 1125.29 550.832C1104 547.117 -168.361 431.431 18.8067 264.119C109.949 220.108 121.011 273.958 305.668 155.376Z" fill="url(#paint0_linear_228_78)" fill-opacity="0.66"/> -->
-<!-- <defs> -->
-<!-- <linearGradient id="paint0_linear_228_78" x1="869.047" y1="-51.7999" x2="921.583" y2="353.448" gradientUnits="userSpaceOnUse"> -->
-<!-- <stop stop-color="#44BBCC"/> -->
-<!-- <stop offset="1" stop-color="#44BBCC" stop-opacity="0.12"/> -->
-<!-- </linearGradient> -->
-<!-- </defs> -->
-<!-- </svg> -->
-
-<svg width="2402" height="275" viewBox="0 0 2402 275" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M305.668 155.376C1150.52 -387.169 3270.85 708.01 2011.14 262.274L1847.48 804.627C1613.84 721.267 1142.31 553.804 1125.29 550.832C1104 547.117 -168.361 431.431 18.8067 264.119C109.949 220.108 121.011 273.958 305.668 155.376Z" fill="url(#paint0_radial_228_78)"/>
-<defs>
-<radialGradient id="paint0_radial_228_78" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(883.5 -66) rotate(93.0267) scale(757.557 879.417)">
-<stop stop-color="#44BBCC"/>
-<stop offset="1" stop-color="#111111"/>
-</radialGradient>
-</defs>
-</svg>
-

docs/components/marquee.jsx

@@ -1,66 +0,0 @@
-import { useState, useEffect } from "react"
-import { motion } from "framer-motion"
-
-const clamp = (num, min, max) => Math.min(Math.max(num, min), max)
-
-export default function Marquee({ files }) {
-  const [{ width, height }, setSize] = useState({ height: 0, width: 0 })
-  useEffect(() => {
-    setSize({
-      width: window.innerWidth,
-      height: window.innerHeight,
-    })
-  }, [])
-
-  if (width === 0) return
-
-  return (
-    <div className="absolute w-full h-full top-0 left-0 dark:opacity-5 opacity-20 saturate-0 brightness-75 dark:brightness-[1000] -z-20 overflow-hidden flex flex-col marquee-wrapper">
-      {files.map((name) => (
-        <MarqueeItem key={name} name={name} width={width} height={height} />
-      ))}
-    </div>
-  )
-}
-
-function MarqueeItem({ name, width, height }) {
-  const [y] = useState(height * Math.random())
-  const [reset, setReset] = useState(false)
-  const [duration] = useState(clamp(Math.random() * 25, 20, 25))
-  const offset = Math.random() * width
-  useEffect(() => {
-    const timeout =
-      setTimeout(() => {
-        setReset(true)
-      }, (1000 * (width - offset)) / duration) - 2000
-    return () => clearTimeout(timeout)
-  }, [duration, width, offset])
-  return (
-    <motion.span
-      key={name + reset}
-      className="absolute flex items-center justify-center"
-      initial={{ x: reset ? 0 : offset, y }}
-      animate={{ x: width }}
-      transition={{
-        repeat: Infinity,
-        duration: reset ? duration : (width - offset) / duration,
-        ease: "linear",
-      }}
-    >
-      <motion.img
-        src={`/img/providers/${name}`}
-        alt={name}
-        className="relative w-12 drop-shadow-xl"
-        initial={{ opacity: 0, scale: 0.5 }}
-        animate={{ opacity: 1, scale: 1 }}
-        transition={{
-          delay: reset ? 0 : Math.random() * 5,
-          duration: 1,
-          type: "spring",
-
-          stiffness: 150,
-        }}
-      />
-    </motion.span>
-  )
-}

docs/components/triangle.jsx

@@ -1,85 +0,0 @@
-export default function Triangle({ className }) {
-  return (
-    <svg
-      id="triangle"
-      viewBox="0 0 445 379"
-      className={className}
-      fill="none"
-      xmlns="http://www.w3.org/2000/svg"
-    >
-      <style jsx>
-        {`
-          @media (prefers-color-scheme: light) {
-            #triangle-0 {
-              fill: #000;
-            }
-            #triangle-1 {
-              fill: #ff4400;
-            }
-            #triangle-2 {
-              fill: #bb44cc;
-            }
-            #triangle-3 {
-              fill: #44bbcc;
-            }
-          }
-        `}
-      </style>
-      <path
-        id="triangle-0"
-        d="M334.033 238.33L222.692 46.7201L111.352 238.33H334.033Z"
-        fill="#fff"
-      />
-      <path
-        id="triangle-1"
-        d="M198.174 1.12812L4.62255 51.2473C1.37638 52.0878 -0.550786 55.4258 0.344333 58.6574L53.7157 251.338C55.1362 256.466 62.0336 257.344 64.6942 252.736L204.874 9.93656C207.535 5.32834 203.325 -0.205751 198.174 1.12812Z"
-        fill="url(#triangle-1-gradient)"
-      />
-      <path
-        id="triangle-2"
-        d="M246.294 1.12825L439.846 51.2473C443.092 52.0879 445.019 55.4259 444.124 58.6574L390.753 251.338C389.332 256.466 382.435 257.344 379.774 252.736L239.594 9.93665C236.933 5.32844 241.143 -0.205634 246.294 1.12825Z"
-        fill="url(#triangle-2-gradient)"
-      />
-      <path
-        id="triangle-3"
-        d="M361.388 286.577L225.585 377.959C223.559 379.322 220.91 379.322 218.885 377.959L83.0814 286.577C78.1672 283.27 80.5079 275.599 86.4311 275.599H358.039C363.962 275.599 366.303 283.27 361.388 286.577Z"
-        fill="url(#triangle-3-gradient)"
-      />
-      <defs>
-        <linearGradient
-          id="triangle-1-gradient"
-          x1="-1.28386"
-          y1="52.7769"
-          x2="134.785"
-          y2="131.336"
-          gradientUnits="userSpaceOnUse"
-        >
-          <stop stopColor="#992900" />
-          <stop offset="1" stopColor="#FF4400" />
-        </linearGradient>
-        <linearGradient
-          id="triangle-2-gradient"
-          x1="445.753"
-          y1="52.7769"
-          x2="309.684"
-          y2="131.336"
-          gradientUnits="userSpaceOnUse"
-        >
-          <stop stopColor="#6D2178" />
-          <stop offset="1" stopColor="#BB44CC" />
-        </linearGradient>
-        <linearGradient
-          id="triangle-3-gradient"
-          x1="222.236"
-          y1="380.213"
-          x2="222.236"
-          y2="275.599"
-          gradientUnits="userSpaceOnUse"
-        >
-          <stop stopColor="#1B5B64" />
-          <stop offset="1" stopColor="#44BBCC" />
-        </linearGradient>
-      </defs>
-    </svg>
-  )
-}

docs/docs/concepts/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Concepts",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/concepts/oauth.md

@@ -2,16 +2,14 @@
 title: How OAuth works
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 Authentication Providers in **Auth.js** are OAuth definitions that allow your users to sign in with their favorite preexisting logins. You can use any of our many predefined providers, or write your own custom OAuth configuration.
 
 - [Using a built-in OAuth Provider](#built-in-providers) (e.g Github, Twitter, Google, etc...)
 - [Using a custom OAuth Provider](#using-a-custom-provider)
 
-<Callout>
+:::note
 Auth.js is designed to work with any OAuth service, it supports **OAuth 1.0**, **1.0A**, **2.0** and **OpenID Connect** and has built-in support for most popular sign-in services.
-</Callout>
+:::
 
 Without going into too much detail, the OAuth flow generally has 6 parts:
 

docs/docs/contributors.md

@@ -1,6 +1,11 @@
+---
+title: Contributors
+displayed_sidebar: null
+---
+
 ## Core team
 
-Without these people, the project could not have become one of the most used authentication libraries in its category.
+Without these people, the project could not have become one of the most used authentication library in its category.
 
 - [Balázs Orbán](https://github.com/balazsorban44) - **Lead Maintainer**
 - [Thang Vu](https://github.com/ThangHuuVu) - Maintainer (Core)
@@ -9,7 +14,7 @@ Without these people, the project could not have become one of the most used aut
 
 ## Special thanks
 
-Special thanks to Lori Karikari for creating most of the original provider configurations, to Fredrik Pettersen for creating the original Prisma Adapter, to Gerald Nolan for adding support for Sign in with Apple, and to Jefferson Bledsoe for working on the original testing automation.
+Special thanks to Lori Karikari for creating most of the original provider configurations to Fredrik Pettersen for creating the original Prisma Adapter, to Gerald Nolan for adding support for Sign in with Apple, and to Jefferson Bledsoe for working on original testing automations.
 
 - [Lori Karikari](https://github.com/LoriKarikari)
 - [Fredrik Pettersen](https://github.com/Fumler)
@@ -20,7 +25,7 @@ Special thanks to Lori Karikari for creating most of the original provider confi
 
 Auth.js as it exists today has been possible thanks to the work of many individual contributors.
 
-Thank you to the [dozens of individual contributors](https://github.com/nextauthjs/next-auth/graphs/contributors) who have helped shape Auth.js.
+Thank you to the [dozens of individual contributors](https://github.com/nextauthjs/next-auth/graphs/contributors) who have help shaped Auth.js.
 
 ## Open Collective
 
@@ -30,12 +35,8 @@ More information can be found at: https://opencollective.com/nextauth
 
 ## History
 
-- NextAuth.js was originally developed by <a href="https://github.com/iaincollins">Iain Collins</a> in 2016 for Next.js.
+- Auth.js was originally developed by <a href="https://github.com/iaincollins">Iain Collins</a> in 2016 for Next.js.
 
-- In 2020, NextAuth.js was rebuilt from the ground up to support Serverless, with support for MySQL, Postgres and MongoDB, JSON Web Tokens and built-in support for over a dozen authentication providers.
+- In 2020, Auth.js was rebuilt from the ground up to support Serverless, with support for MySQL, Postgres and MongoDB, JSON Web Tokens and built in support for over a dozen authentication providers.
 
-- In 2021, efforts have started to move NextAuth.js to other frameworks and to support as many databases and providers as possible.
-
-- In 2022, NextAuth.js was rebranded to Auth.js and became framework/runtime agnostic. The core library `@auth/core` was written by <a href="https://twitter.com/balazsorban44">Balázs Orbán</a>
-
-- In 2023 // TODO: 👀🤫
+- In 2021, efforts have started to move Auth.js to other frameworks and to support as many databases and providers as possible.

docs/docs/getting-started/02-oauth-tutorial.mdx

@@ -2,9 +2,6 @@
 title: OAuth authentication
 ---
 
-import { Callout } from "nextra-theme-docs"
-import Image from "next/image"
-
 import creatingOauthAppImg from "./img/getting-started-creating-oauth-app.png"
 import addingCallbackUrlImg from "./img/getting-started-oauth-callback-url.png"
 import gettingClientIdSecretImg from "./img/getting-started-oauth-clientid-secret.png"
@@ -16,9 +13,9 @@ We know, authentication is hard. Is a rabbit hole and it's easy to get lost on i
 
 The easiest way is to setup Auth.js with an [OAuth](https://en.wikipedia.org/wiki/OAuth) provider. In this tutorial we'll be setting Auth.js in a **Next.js app** to be able to login with **Github**.
 
-<Callout type="info">
+:::info
 Auth.js comes with a long list of [built-in providers](/reference/providers/oauth-builtin) (Google, Facebook, Twitter, etc...) you can also integrate it with your own OAuth service easily by [building a custom provider](/guides/providers/custom-provider). Auth.js can integrate as well with other frameworks like SvelteKit, SolidStart and Gatsby.
-</Callout>
+:::
 
 ## 1. Configuring Auth.js
 
@@ -65,15 +62,15 @@ $ openssl rand -base64 32
 
 or https://generate-secret.vercel.app/32 to generate a random value for it.
 
-<Callout type="info">
+:::info
 Auth.js is extremely customizable, [our guides section](/guides/overview) will teach you how you can set it up to handle auth in different ways. All the possible configuration options are [listed here](/reference/configuration/auth-config).
-</Callout>
+:::
 
 ### Exposing the session via provider
 
 To be able to use `useSession` first you'll need to expose the session context, [`<SessionProvider />`](/reference/react/#sessionprovider), at the top level of your application:
 
-```ts title="pages/_app.ts"
+```ts title="pages/_app.tsx"
 import { SessionProvider } from "next-auth/react"
 
 export default function App({
@@ -90,9 +87,9 @@ export default function App({
 
 Instances of `useSession` (more on it in the next section) will then have access to the session data and status. The `<SessionProvider />` also takes care of keeping the session updated and synced between browser tabs and windows. 💪🏽
 
-<Callout>
+:::tip
 Check our [client docs](/reference/react/) to learn all the available options for handling sessions on the browser.
-</Callout>
+:::
 
 ### Consuming the session via hooks
 
@@ -159,19 +156,19 @@ export default async function listMovies(req, res) {
 
 Ok, we have our Next.js app setup with NextAuth, however, if you run the app right now, it won't work as we haven't configured our OAuth provider (**Github**) yet.
 
-<Callout type="info">
+:::info
 When using OAuth you're asking for a third-party service (in this case Github, although it could be Google, Twitter, etc...) to handle user authentication for your app.
-</Callout>
+:::
 
 We need to register our new Next.js app in Github, so that when Auth.js forwards the authorization requests to it, Github can recognize your application and prompt the user to sign in.
 
-<Image src={creatingOauthAppImg} />
+<img src={creatingOauthAppImg} />
 
 Log in into **Github**, go to `Settings / Developers / OAuth Apps` and click on "New OAuth App".
 
 Next you'll be presented with a screen to add details about your new application. Fill in the required fields, but pay extra attention to the **Authorization Callback URL** one:
 
-<Image src={addingCallbackUrlImg} />
+<img src={addingCallbackUrlImg} />
 
 The callback URL we insert should have the following pattern:
 
@@ -185,19 +182,19 @@ In this case, given we want to try our authentication working locally on our mac
 http://localhost:3000/api/auth/callback/github
 ```
 
-<Callout type="info">
+:::info
 Auth.js will already magically create this API endpoint for you when we start the application later. Note that because we're using Next.js, locally it starts our server on the port `3000`, hence the origin is `http://localhost:3000`.
-</Callout>
+:::
 
-Next you'll be presented with the following screen which presents all the configuration for your new OAuth app. For now, let's we need two things from it: the **Client ID** and **Client Secret** for our new OAuth app:
+Next you'll be presented with the following screen which presents all the configuration for your new OAuth app. For now, we need two things from it: the **Client ID** and **Client Secret** for our new OAuth app:
 
-<Image src={gettingClientIdSecretImg} />
+<img src={gettingClientIdSecretImg} />
 
 The Client ID is always there, a public identifier of your OAuth application within Github. Click on the **Generate a new client Secret** button and should be presented with a new string (which is just a randomized string).
 
-<Callout type="warning">
-🔥 Keep both your Client ID and Client Secret secure and never expose them to the public or shared with people outside your organization. With tem a malicious actor could hijack your application and cause you and your user serious problems!
-</Callout>
+:::warning
+🔥 Keep both your Client ID and Client Secret secure and never expose them to the public or shared with people outside your organization. With them, a malicious actor could hijack your application and cause you and your user serious problems!
+:::
 
 Now let's copy both the Client ID and Client Secret and paste them in an environment file in the root of your project like so:
 
@@ -208,16 +205,16 @@ GITHUB_SECRET=67890
 
 Cool! We have finished the configuring our OAuth provider, now let's wire all together so we can finally see authentication working in our app!
 
-<Callout type="info">
+:::info
 As noted previously, Auth.js has built-in support for multiple OAuth providers, <a href="">here the full list</a>. You can also easily build your own in case the provider you need is not on the list.
 
 Note that, for each provider, the configuration process will be similar to what we just did:
 
-    1. Log in to the provider
-    2. Create create your OAuth application within it
-    3. Set the callback URL
-    4. Get the Client ID and Generate a Client Secret
-</Callout>
+1. Log in to the provider
+2. Create create your OAuth application within it
+3. Set the callback URL
+4. Get the Client ID and Generate a Client Secret
+   :::
 
 ## 3. Wiring all together
 
@@ -245,21 +242,21 @@ $ npm run next dev
 
 You should see the following page:
 
-<Image src={startAppAndSignInImg} />
+<img src={startAppAndSignInImg} />
 
 Click on "Sign in" and then on "Sign in with Github": Auth.js will redirect you to Github, and Github will recognize our app [that we just registered](#2-configuring-oauth-provider) and ask the user (in this case you) to enter its credentials to proceed:
 
-<Image src={githubAuthCredentials} />
+<img src={githubAuthCredentials} />
 
 Once inserted and correct, Github will redirect the user to our app and Auth.js will take care of any further calls with Github to get access to the user profile and start a user sessions safely in the background:
 
-<Image src={nextAuthUserLoggedIn} />
+<img src={nextAuthUserLoggedIn} />
 
 Great! We have completed the whole E2E authentication flow setup so that users can login in our application through Github!
 
-<Callout type="info">
+:::info
 You can create your own Sign In page instead of using the default one from Auth.js. You can learn how to do so in our dedicated guide for it.
-</Callout>
+:::
 
 ## 4. Deploying to production
 
@@ -293,10 +290,10 @@ When deploying your site, **you need to set** the `NEXTAUTH_URL` environment var
 NEXTAUTH_URL=https://example.com
 ```
 
-<Callout type="warning">
+:::warning
 In production, this needs to be set as an environment variable on the service you use to deploy your app.
 
 To set environment variables on Vercel, you can use the [dashboard](https://vercel.com/dashboard) or the `vercel env pull` [command](https://vercel.com/docs/build-step#development-environment-variables).
-</Callout>
+:::
 
 For more information please check out our [deployment page](/guides/basics/deployment).

docs/docs/getting-started/03-email-tutorial.mdx

@@ -2,9 +2,6 @@
 title: Email authentication
 ---
 
-import { Callout } from "nextra-theme-docs"
-import Image from "next/image"
-
 import smtpConfig from "./img/dashboard-smtp.png"
 import startPageImg from "./img/email-tutorial-start.png"
 import checkPageImg from "./img/email-tutorial-check.png"
@@ -21,12 +18,9 @@ The Email provider can be used in conjunction with (or instead of) one or more O
 
 On initial sign in, a **Verification Token** is sent to the email address provided. By default this token **is valid for 24 hours**. If the Verification Token is used within that time (i.e. by clicking on the link in the email) an account is created for the user and they are signed in.
 
-<Callout>
-  The Email Provider can be used with both JSON Web Tokens and database
-  sessions, but you [must configure a database
-  adapter](/guides/adapters/using-a-database-adapter) to use it. It is not
-  possible to enable email sign in without using a database.
-</Callout>
+:::tip
+The Email Provider can be used with both JSON Web Tokens and database sessions, but you [must configure a database adapter](/guides/adapters/using-a-database-adapter) to use it. It is not possible to enable email sign in without using a database.
+:::
 
 ## 1. Installing `nodemailer`
 
@@ -42,14 +36,13 @@ npm install -D nodemailer
 
 Next we need a [SMTP service](https://sendgrid.com/blog/what-is-an-smtp-server/) which will be in charge of sending emails from our application. There's a number of services available for this, however [here are the ones](http://nodemailer.com/smtp/well-known/) known to work with `nodemailer`.
 
-<Callout>
-  For this tutorial, we're going to be using [Sendgrid](https://sendgrid.com/),
-  but any of the services linked above should work the same
-</Callout>
+:::info
+For this tutorial, we're going to be using [Sendgrid](https://sendgrid.com/), but any of the services linked above should work the same
+:::
 
 First create an account in and then login to the dashboard, then navigate to "Settings → API Keys" and create an API key:
 
-<Image src={smtpConfig} />
+<img src={smtpConfig} />
 
 Next paste the API in your terminal as so, and run the command:
 
@@ -179,34 +172,30 @@ Let's start by running a Next.js application with NextAuth, making sure the **Em
 
 For this tutorial we're going to be using NextAuth example app. Launch the app and click on "Sign in", we're redirected to the Sign In page:
 
-<Image src={startPageImg} alt="Screenshot of sign in page" />
+<img src={startPageImg} alt="Screenshot of sign in page" />
 
-<Callout>
-  You can customize the look and feel of your Sign in page pretty easily with
-  NextAuth. Refer to our [pages guide](/guides/basics/pages) for that!
-</Callout>
+:::info
+You can customize the look and feel of your Sign in page pretty easily with NextAuth. Refer to our [pages guide](/guides/basics/pages) for that!
+:::
 
 Then we insert the email address we want to log-in with in the Email credentials section and click on "Sign in with Email".
 
 NextAuth will then display another page hinting the user to check their email:
 
-<Image src={checkPageImg} alt="Screenshot of check email page" />
+<img src={checkPageImg} alt="Screenshot of check email page" />
 
 Let's now check our email, and look for one sent from NextAuth (check your spam folder just in case):
 
-<Image src={mailboxImg} alt="Screenshot of mailbox" />
+<img src={mailboxImg} alt="Screenshot of mailbox" />
 
 Nice! We got one, coming from the sender specified in the `EMAIL_FROM` environment variable from our configuration above and that's is the sender we verified in Sengrid.
 
 Click on "Sign in" and a new browser tab will open, you should then land on your application as authenticated!
 
-<Image src={loggedInImg} alt="Screenshot of logged in" />
+<img src={loggedInImg} alt="Screenshot of logged in" />
 
 Easy right? We had to configure Sendgrid and install a database adapter so the user sessions can be saved somewhere, but once done NextAuth will deal with all the user session management for us in a secure way!
 
-<Callout>
-  A user account (i.e. an entry in the Users table) will not be created for the
-  user until the first time they verify their email address. If an email address
-  is already associated with an account, the user will be signed in to that
-  account when they use the link in the email.
-</Callout>
+:::info
+A user account (i.e. an entry in the Users table) will not be created for the user until the first time they verify their email address. If an email address is already associated with an account, the user will be signed in to that account when they use the link in the email.
+:::

docs/docs/getting-started/04-credentials-tutorial.mdx

@@ -1,9 +1,7 @@
 ---
-title: Credentials Authentication
+title: Credentials authentication
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 Auth.js is built in a way that is flexible to integrate it with any authentication back-end you or your company may already have.
 
 This library has been designed to handle the user session client-wise, to support multiple authentication methods (OAuth, Email, etc...) so that you're not forced to run your own authentication service.
@@ -12,9 +10,9 @@ In case you already have an authentication service, you can use the Credentials
 
 For this tutorial, we're going to use [Auth.js example app](https://github.com/nextauthjs/next-auth-example) as a base.
 
-<Callout type="warning">
+:::warning
 The functionality provided for credentials based authentication is intentionally limited to discourage use of passwords due to the inherent security risks associated with them and the additional complexity associated with supporting usernames and passwords.
-</Callout>
+:::
 
 Integrating the Credentials Provider is as simple as initializing it in the Auth.js configuration file:
 
@@ -47,12 +45,12 @@ export default NextAuth({
 })
 ```
 
-<Callout type="info">
+:::note
 Check the [Credentials Provider options](/reference/providers/credentials) for further customization
-</Callout>
+:::
 
 Note that we only need to define an `authorize` method that is in charge of receiving the credentials inserted by the user and call the authorization service.
 
-<Callout type="info">
+:::info
 If you're using TypeScript, you can [augment the `User` interface](/getting-started/typescript#module-augmentation) to match the response of your `authorize` callback, so whenever you read the user in other callbacks (like the `jwt`) the type will match correctly.
-</Callout>
+:::

docs/docs/getting-started/05-typescript.md

@@ -2,12 +2,10 @@
 title: TypeScript
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 Auth.js has its own type definitions to use in your TypeScript projects safely. Even if you don't use TypeScript, IDEs like VSCode will pick this up to provide you with a better developer experience. While you are typing, you will get suggestions about what certain objects/functions look like, and sometimes links to documentation, examples, and other valuable resources.
 
 Check out the example repository showcasing how to use `next-auth` on a Next.js application with TypeScript:  
-https://github.com/nextauthjs/next-auth-typescript-example
+https://github.com/nextauthjs/next-auth-example
 
 ---
 
@@ -36,9 +34,9 @@ function MyAdapter() {
 }
 ```
 
-<Callout>
+:::note
 This will work in code editors with a strong TypeScript integration like VSCode or WebStorm. It might not work if you're using more lightweight editors like VIM or Atom.
-</Callout>
+:::
 
 ## Module Augmentation
 
@@ -159,6 +157,6 @@ declare module "next-auth/jwt" {
 
 Contributions of any kind are always welcome, especially for TypeScript. Please keep in mind that we are a small team working on this project in our free time. We will try our best to give support, but if you think you have a solution for a problem, please open a PR!
 
-<Callout>
+:::note
 When contributing to TypeScript, if the actual JavaScript user API does not change in a breaking manner, we reserve the right to push any TypeScript change in a minor release. This ensures that we can keep on a faster release cycle.
-</Callout>
+:::

docs/docs/getting-started/06-databases.md

@@ -0,0 +1,18 @@
+---
+title: Databases
+---
+
+Auth.js offers multiple database adapters. Check our guides on:
+
+- [using a database adapter](/guides/adapters/using-a-database-adapter)
+- [creating your own](/guides/adapters/creating-a-database-adapter)
+
+> As of **v4** Auth.js no longer ships with an adapter included by default. If you would like to persist any information, you need to install one of the many available adapters yourself. See the individual adapter documentation pages for more details.
+
+To learn more about databases in Auth.js and how they are used, check out [databases in the FAQ](/concepts/faq#databases).
+
+---
+
+## How to use a database
+
+See the [documentation for adapters](/reference/adapters/overview) for more information on advanced configuration, including how to use Auth.js with other databases using a [custom adapter](/guides/adapters/creating-a-database-adapter).

docs/docs/getting-started/07-security.md

@@ -2,8 +2,6 @@
 title: Security
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 ## Reporting a Vulnerability
 
 Auth.js practices responsible disclosure.
@@ -19,9 +17,9 @@ If you contact us regarding a serious issue:
 
 The best way to report an issue is by contacting us via email at info@balazsorban.com or me@iaincollins.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
 
-<Callout>
+:::note
 For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to make these public as bug reports or feature requests or to raise a question to open a discussion around them.
-</Callout>
+:::
 
 ## Supported Versions
 

docs/docs/getting-started/08-upgrade-to-v4.md

@@ -0,0 +1,612 @@
+---
+title: Upgrade Guide (v4)
+---
+
+Auth.js version 4 includes a few breaking changes from the last major version (3.x). So we're here to help you upgrade your applications as smoothly as possible. It should be possible to upgrade from any version of 3.x to the latest 4 release by following the next few migration steps.
+
+:::note
+Version 4 has been released to GA 🚨
+
+We encourage users to try it out and report any and all issues they come across.
+:::
+
+You can upgrade to the new version by running:
+
+```bash npm2yarn
+npm install next-auth
+```
+
+## `next-auth/jwt`
+
+We no longer have a default export in `next-auth/jwt`.
+To comply with this, change the following:
+
+```diff
+- import jwt from "next-auth/jwt"
++ import { getToken } from "next-auth/jwt"
+```
+
+## `next-auth/react`
+
+We've renamed the client-side import source to `next-auth/react`. To comply with this change, you will simply have to rename anywhere you were using `next-auth/client`.
+
+For example:
+
+```diff
+- import { useSession } from "next-auth/client"
++ import { useSession } from "next-auth/react"
+```
+
+We've also made the following changes to the names of the exports:
+
+- `setOptions`: Not exposed anymore, use [`SessionProvider` props](/reference/react/#sessionprovider)
+- `options`: Not exposed anymore, [use `SessionProvider` props](/reference/react/#sessionprovider)
+- `session`: Renamed to `getSession`
+- `providers`: Renamed to `getProviders`
+- `csrfToken`: Renamed to `getCsrfToken`
+- `signin`: Renamed to `signIn`
+- `signout`: Renamed to `signOut`
+- `Provider`: Renamed to `SessionProvider`
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.12
+
+## `SessionProvider`
+
+Version 4 makes using the `SessionProvider` mandatory. This means that you will have to wrap any part of your application using `useSession` in this provider, if you were not doing so already. The `SessionProvider` has also undergone a few further changes:
+
+- `Provider` is renamed to `SessionProvider`
+- The options prop is now flattened as the props of SessionProvider.
+- `keepAlive` has been renamed to `refetchInterval`.
+- `clientMaxAge` has been removed in favor of `refetchInterval`, as they overlap in functionality, with the difference that `refetchInterval` will keep re-fetching the session periodically in the background.
+
+The best practice for wrapping your app in Providers is to do so in your `pages/_app.jsx` file.
+
+An example use-case with these new changes:
+
+```jsx
+import { SessionProvider } from "next-auth/react"
+
+export default function App({
+  Component,
+  pageProps: { session, ...pageProps },
+}) {
+  return (
+    // `session` comes from `getServerSideProps` or `getInitialProps`.
+    // Avoids flickering/session loading on first load.
+    <SessionProvider session={session} refetchInterval={5 * 60}>
+      <Component {...pageProps} />
+    </SessionProvider>
+  )
+}
+```
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.12
+
+## Providers
+
+Providers now need to be imported individually.
+
+```diff
+- import Provider from "next-auth/providers"
+- Providers.Auth0({...})
+- Providers.Google({...})
++ import Auth0Provider from "next-auth/providers/auth0"
++ import GoogleProvider from "next-auth/providers/google"
++ Auth0Provider({...})
++ GoogleProvider({...})
+```
+
+1. The `AzureADB2C` provider has been renamed `AzureAD`.
+2. The `Basecamp` provider has been removed, see explanation [here](https://github.com/basecamp/api/blob/master/sections/authentication.md#on-authenticating-users-via-oauth).
+3. The GitHub provider by default now will not request full write access to user profiles. If you need this scope, please add `user` to the scope option manually.
+
+The following new options are available when defining your Providers in the configuration:
+
+1. `authorization` (replaces `authorizationUrl`, `authorizationParams`, `scope`)
+2. `token` replaces (`accessTokenUrl`, `headers`, `params`)
+3. `userinfo` (replaces `profileUrl`)
+4. `issuer`(replaces `domain`)
+
+For more details on their usage, please see [options](/reference/providers/oauth) section of the OAuth Provider documentation.
+
+When submitting a new OAuth provider to the repository, the `profile` callback is expected to only return these fields from now on: `id`, `name`, `email`, and `image`. If any of these are missing values, they should be set to `null`.
+
+Also worth noting is that `id` is expected to be returned as a `string` type (For example if your provider returns it as a number, you can cast it by using the `.toString()` method). This makes the returned profile object comply across all providers/accounts/adapters, and hopefully cause less confusion in the future.
+
+Implemented in: https://github.com/nextauthjs/next-auth/pull/2411
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.20
+
+## `useSession` Hook
+
+The `useSession` hook has been updated to return an object. This allows you to test states much more cleanly with the new `status` option.
+
+```diff
+- const [ session, loading ] = useSession()
++ const { data: session, status } = useSession()
++ const loading = status === "loading"
+```
+
+[Check the docs](/reference/react/#usesession) for the possible values of both `session.status` and `session.data`.
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.18
+
+## Named Parameters
+
+We have changed the arguments to our callbacks to the named parameters pattern. This way you don't have to use dummy `_` placeholders or other tricks.
+
+### Callbacks
+
+The signatures for the callback methods now look like this:
+
+```diff
+- signIn(user, account, profileOrEmailOrCredentials)
++ signIn({ user, account, profile, email, credentials })
+```
+
+```diff
+- redirect(url, baseUrl)
++ redirect({ url, baseUrl })
+```
+
+```diff
+- session(session, tokenOrUser)
++ session({ session, token, user })
+```
+
+```diff
+- jwt(token, user, account, OAuthProfile, isNewUser)
++ jwt({ token, user, account, profile, isNewUser })
+```
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.17
+
+### Events
+
+Two event signatures have changed to also use the named parameters pattern, `signOut` and `updateUser`.
+
+```diff
+// [...nextauth].js
+...
+events: {
+- signOut(tokenOrSession),
++ signOut({ token, session }), // token if using JWT, session if DB persisted sessions.
+- updateUser(user)
++ updateUser({ user })
+}
+```
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.20
+
+## JWT configuration
+
+We have removed some of the [configuration options](/reference/configuration/auth-config) when using JSON Web Tokens, [here's the PR](https://github.com/nextauthjs/next-auth/pull/3039) for more context.
+
+```diff
+export default NextAuth({
+  // ...
+  jwt: {
+    secret,
+    maxAge,
+-   encryptionKey
+-   signingKey
+-   encryptionKey
+-   verificationOptions
+    encode({
+        token
+        secret
+        maxAge
+-       signingKey
+-       signingOptions
+-       encryptionKey
+-       encryptionOptions
+-       encryption
+    }) {},
+    decode({
+        token
+        secret
+-       maxAge
+-       signingKey
+-       verificationKey
+-       verificationOptions
+-       encryptionKey
+-       decryptionKey
+-       decryptionOptions
+-       encryption
+    }) {}
+  }
+})
+```
+
+## Logger API
+
+The logger API has been simplified to use at most two parameters, where the second is usually an object (`metadata`) containing an `error` object. If you are not using the logger settings you can ignore this change.
+
+```diff
+// [...Auth.js]
+import log from "some-logger-service"
+...
+logger: {
+- error(code, ...message) {},
++ error(code, metadata) {},
+- warn(code, ...message) {},
++ warn(code) {}
+- debug(code, ...message) {}
++ debug(code, metadata) {}
+}
+```
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.19
+
+## `nodemailer`
+
+Like `typeorm` and `prisma`, [`nodemailer`](https://npmjs.com/package/nodemailer) is no longer included as a dependency by default. If you are using the Email provider you must install it in your project manually, or use any other Email library in the [`sendVerificationRequest`](/reference/providers/email) callback. This reduces bundle size for those not actually using the Email provider. Remember, when using the Email provider, it is mandatory to also use a database adapter due to the fact that verification tokens need to be persisted longer term for the magic link functionality to work.
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.2
+
+## Theme
+
+We have added some basic customization options to our built-in pages like `signin`, `signout`, etc.
+
+These can be set under the `theme` configuration key. This used to be a string which only controlled the color scheme option. Now it is an object with the following options:
+
+```js
+theme: {
+  colorScheme: "auto", // "auto" | "dark" | "light"
+  brandColor: "", // Hex color value
+  logo: "" // Absolute URL to logo image
+}
+```
+
+The hope is that with some minimal configuration / customization options, users won't immediately feel the need to replace the built-in pages with their own.
+
+More details and screenshots of the new theme options can be found under [custom pages tutorial](/guides/basics/pages).
+
+Introduced in https://github.com/nextauthjs/next-auth/pull/2788
+
+## Session
+
+The `session.jwt: boolean` option has been renamed to `session.strategy: "jwt" | "database"`. The goal is to make the user's options more intuitive:
+
+1. No adapter, `strategy: "jwt"`: This is the default. The session is saved in a cookie and never persisted anywhere.
+2. With Adapter, `strategy: "database"`: If an Adapter is defined, this will be the implicit setting. No user config is needed.
+3. With Adapter, `strategy: "jwt"`: The user can explicitly instruct `next-auth` to use JWT even if a database is available. This can result in faster lookups in compromise of lowered security. Read more about: https://authjs.dev/concepts/faq#json-web-tokens
+
+Example:
+
+```diff
+session: {
+- jwt: true,
++ strategy: "jwt",
+}
+```
+
+Introduced in https://github.com/nextauthjs/next-auth/pull/3144
+
+## Adapters
+
+Most importantly, the core `next-auth` package no longer ships with `typeorm` or any other database adapter by default. This brings the default bundle size down significantly for those not needing to persist user data to a database.
+
+You can find the official Adapters in the `packages` directory in the primary monorepo ([nextauthjs/next-auth](https://github.com/nextauthjs/next-auth)). Although you can still [create your own](/guides/adapters/creating-a-database-adapter) with a new, [simplified Adapter API](https://github.com/nextauthjs/next-auth/pull/2361).
+
+If you have a database that was created with a `3.x.x` or earlier version of Auth.js, you will need to run a migration to update the schema to the new version 4 database model. See the bottom of this migration guide for database specific migration examples.
+
+1. If you use the built-in TypeORM or Prisma adapters, these have been removed from the core `next-auth` package. Thankfully the migration is easy; you just need to install the external packages for your database and change the import in your `[...nextauth].js`.
+
+The `database` option has been removed, you must now do the following instead:
+
+```diff
+// [...nextauth].js
+import NextAuth from "next-auth"
++ import { TypeORMLegacyAdapter } from "@next-auth/typeorm-legacy-adapter"
+
+...
+export default NextAuth({
+-  database: "yourconnectionstring",
++  adapter: TypeORMLegacyAdapter("yourconnectionstring")
+})
+```
+
+2. The `prisma-legacy` adapter has been removed, please use the [`@next-auth/prisma-adapter`](https://npmjs.com/package/@next-auth/prisma-adapter) instead.
+
+3. The `typeorm-legacy` adapter has been upgraded to use the newer adapter API, but has retained the `typeorm-legacy` name. We aim to migrate this to individual lighter weight adapters for each database type in the future, or switch out `typeorm`.
+
+4. MongoDB has been moved to its own adapter under `@next-auth/mongodb-adapter`. See the [MongoDB Adapter docs](/reference/adapters/mongodb).
+
+Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.8 and https://github.com/nextauthjs/next-auth/pull/2361
+
+### Adapter API
+
+**This does not require any changes from the user - these are adapter specific changes only**
+
+The Adapter API has been rewritten and significantly simplified in NextAuth v4. The adapters now have less work to do as some functionality has been migrated to the core of NextAuth, like hashing the [verification token](/reference/adapters/models/#verification-token).
+
+If you are an adapter maintainer or are interested in writing your own adapter, you can find more information about this change in https://github.com/nextauthjs/next-auth/pull/2361 and release https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.22.
+
+### Schema changes
+
+The way we save data with adapters have slightly changed. With the new Adapter API, we wanted to make it easier to extend your database with additional fields. For example if your User needs an extra `phone` field, it should be enough to add that to your database's schema, and no changes will be necessary in your adapter.
+
+- `created_at`/`createdAt` and `updated_at`/`updatedAt` fields are removed from all Models.
+- `user_id`/`userId` consistently named `userId`.
+- `compound_id`/`compoundId` is removed from Account.
+- `access_token`/`accessToken` is removed from Session.
+- `email_verified`/`emailVerified` on User is consistently named `emailVerified`.
+- `provider_id`/`providerId` renamed to `provider` on Account
+- `provider_type`/`providerType` renamed to `type` on Account
+- `provider_account_id`/`providerAccountId` on Account is consistently named `providerAccountId`
+- `access_token_expires`/`accessTokenExpires` on Account renamed to `expires_at`
+- New fields on Account: `token_type`, `scope`, `id_token`, `session_state`
+- `verification_requests` table has been renamed to `verification_tokens`
+
+<!-- REVIEW: Would something like this below be helpful? -->
+<details>
+<summary>
+See the changes
+</summary>
+<pre>
+
+```diff
+User {
+  id
+  name
+  email
+- emailVerified
++ email_verified
+  image
+-  created_at
+-  updated_at
+}
+
+Account {
+  id
+- compound_id
+- user_id
++ userId
+-  provider_type
++ type
+- provider_id
++ provider
+- provider_account_id
++ providerAccountId
+  refresh_token
+  access_token
+- access_token_expires
++ expires_in
++ expires_at
++ token_type
++ scope
++ id_token
++ session_state
+- created_at
+- updated_at
+}
+
+Session {
+  id
+  userId
+  expires
+  sessionToken
+- access_token
+- created_at
+- updated_at
+}
+
+VerificationToken {
+  id
+  token
+  expires
+  identifier
+-  created_at
+-  updated_at
+}
+```
+
+</pre>
+</details>
+
+For more info, see the [Models page](/reference/adapters/models).
+
+### Database migration
+
+Auth.js v4 has a slightly different database schema compared to v3. If you're using any of our adapters and want to upgrade, you can use on of the below schemas.
+
+They are designed to be run directly against the database itself. So instead of having one in Prisma syntax, one in TypeORM syntax, etc. we've decided to just make one for each underlying database type. i.e. one for Postgres, one for MySQL, one for MongoDB, etc.
+
+#### MySQL
+
+```sql
+/* ACCOUNT */
+ALTER TABLE accounts
+CHANGE "access_token_expires" "expires_at" int
+CHANGE "user_id" "userId" varchar(255)
+ADD CONSTRAINT fk_user_id FOREIGN KEY (userId) REFERENCES users(id)
+RENAME COLUMN "provider_id" "provider"
+RENAME COLUMN "provider_account_id" "providerAccountId"
+DROP COLUMN "provider_type"
+DROP COLUMN "compound_id"
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+DROP COLUMN "created_at"
+DROP COLUMN "updated_at"
+
+ADD COLUMN "token_type" varchar(255) NULL
+ADD COLUMN "scope" varchar(255) NULL
+ADD COLUMN "id_token" varchar(255) NULL
+ADD COLUMN "session_state" varchar(255) NULL
+
+/* Note: These are only needed if you're going to be using the old Twitter OAuth 1.0 provider. */
+ADD COLUMN "oauth_token_secret" varchar(255) NULL
+ADD COLUMN "oauth_token" varchar(255) NULL
+
+/* USER */
+ALTER TABLE users
+RENAME COLUMN "email_verified" "emailVerified"
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+DROP COLUMN "created_at"
+DROP COLUMN "updated_at"
+
+/* SESSION */
+ALTER TABLE sessions
+RENAME COLUMN "session_token" "sessionToken"
+CHANGE "user_id" "userId" varchar(255)
+ADD CONSTRAINT fk_user_id FOREIGN KEY (userId) REFERENCES users(id)
+DROP COLUMN "access_token"
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+DROP COLUMN "created_at"
+DROP COLUMN "updated_at"
+
+/* VERIFICATION REQUESTS */
+ALTER TABLE verification_requests RENAME verification_tokens
+ALTER TABLE verification_tokens
+DROP COLUMN id
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+DROP COLUMN "created_at"
+DROP COLUMN "updated_at"
+```
+
+#### Postgres
+
+```sql
+/* ACCOUNT */
+ALTER TABLE accounts RENAME COLUMN "user_id" TO "userId";
+ALTER TABLE accounts RENAME COLUMN "provider_id" TO "provider";
+ALTER TABLE accounts RENAME COLUMN "provider_account_id" TO "providerAccountId";
+ALTER TABLE accounts RENAME COLUMN "access_token_expires" TO "expires_at";
+ALTER TABLE accounts RENAME COLUMN "provider_type" TO "type";
+
+/* Do conversion of TIMESTAMPTZ to BIGINT */
+ALTER TABLE accounts ALTER COLUMN "expires_at" TYPE TEXT USING CAST(extract(epoch FROM "expires_at") AS BIGINT)*1000;
+
+/* Keep id as SERIAL with autoincrement when using ORM. Using new v4 uuid format won't work because of incompatibility */
+/* ALTER TABLE accounts ALTER COLUMN "id" TYPE TEXT; */
+/* ALTER TABLE accounts ALTER COLUMN "userId" TYPE TEXT; */
+ALTER TABLE accounts ALTER COLUMN "type" TYPE TEXT;
+ALTER TABLE accounts ALTER COLUMN "provider" TYPE TEXT;
+ALTER TABLE accounts ALTER COLUMN "providerAccountId" TYPE TEXT;
+
+ALTER TABLE accounts ADD CONSTRAINT fk_user_id FOREIGN KEY ("userId") REFERENCES users(id);
+ALTER TABLE accounts
+DROP COLUMN IF EXISTS "compound_id";
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+ALTER TABLE accounts
+DROP COLUMN IF EXISTS "created_at",
+DROP COLUMN IF EXISTS "updated_at";
+
+ALTER TABLE accounts
+ADD COLUMN IF NOT EXISTS "token_type" TEXT NULL,
+ADD COLUMN IF NOT EXISTS "scope" TEXT NULL,
+ADD COLUMN IF NOT EXISTS "id_token" TEXT NULL,
+ADD COLUMN IF NOT EXISTS "session_state" TEXT NULL;
+/* Note: These are only needed if you're going to be using the old Twitter OAuth 1.0 provider. */
+/* ALTER TABLE accounts
+ADD COLUMN IF NOT EXISTS "oauth_token_secret" TEXT NULL,
+ADD COLUMN IF NOT EXISTS "oauth_token" TEXT NULL; */
+
+/* USER */
+ALTER TABLE users RENAME COLUMN "email_verified" TO "emailVerified";
+
+/* Keep id as SERIAL with autoincrement when using ORM. Using new v4 uuid format won't work because of incompatibility */
+/* ALTER TABLE users ALTER COLUMN "id" TYPE TEXT; */
+ALTER TABLE users ALTER COLUMN "name" TYPE TEXT;
+ALTER TABLE users ALTER COLUMN "email" TYPE TEXT;
+ALTER TABLE users ALTER COLUMN "image" TYPE TEXT;
+/* Do conversion of TIMESTAMPTZ to BIGINT and then TEXT */
+ALTER TABLE users ALTER COLUMN "emailVerified" TYPE TEXT USING CAST(CAST(extract(epoch FROM "emailVerified") AS BIGINT)*1000 AS TEXT);
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+ALTER TABLE users
+DROP COLUMN IF EXISTS "created_at",
+DROP COLUMN IF EXISTS "updated_at";
+
+/* SESSION */
+ALTER TABLE sessions RENAME COLUMN "session_token" TO "sessionToken";
+ALTER TABLE sessions RENAME COLUMN "user_id" TO "userId";
+
+/* Keep id as SERIAL with autoincrement when using ORM. Using new v4 uuid format won't work because of incompatibility */
+/* ALTER TABLE sessions ALTER COLUMN "id" TYPE TEXT; */
+/* ALTER TABLE sessions ALTER COLUMN "userId" TYPE TEXT; */
+ALTER TABLE sessions ALTER COLUMN "sessionToken" TYPE TEXT;
+ALTER TABLE sessions ADD CONSTRAINT fk_user_id FOREIGN KEY ("userId") REFERENCES users(id);
+/* Do conversion of TIMESTAMPTZ to BIGINT and then TEXT */
+ALTER TABLE sessions ALTER COLUMN "expires" TYPE TEXT USING CAST(CAST(extract(epoch FROM "expires") AS BIGINT)*1000 AS TEXT);
+ALTER TABLE sessions DROP COLUMN IF EXISTS "access_token";
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+ALTER TABLE sessions
+DROP COLUMN IF EXISTS "created_at",
+DROP COLUMN IF EXISTS "updated_at";
+
+/* VERIFICATION REQUESTS */
+ALTER TABLE verification_requests RENAME TO verification_tokens;
+/* Keep id as ORM needs it */
+/* ALTER TABLE verification_tokens DROP COLUMN IF EXISTS id; */
+ALTER TABLE verification_tokens ALTER COLUMN "identifier" TYPE TEXT;
+ALTER TABLE verification_tokens ALTER COLUMN "token" TYPE TEXT;
+/* Do conversion of TIMESTAMPTZ to BIGINT and then TEXT */
+ALTER TABLE verification_tokens ALTER COLUMN "expires" TYPE TEXT USING CAST(CAST(extract(epoch FROM "expires") AS BIGINT)*1000 AS TEXT);
+/* The following two timestamp columns have never been necessary for Auth.js to function, but can be kept if you want */
+ALTER TABLE verification_tokens
+DROP COLUMN IF EXISTS "created_at",
+DROP COLUMN IF EXISTS "updated_at";
+```
+
+#### MongoDB
+
+MongoDB is a document database and as such new fields will be automatically populated. You do, however, need to update the names of existing fields which are going to be reused.
+
+```mongo
+db.getCollection('accounts').updateMany({}, {
+  $rename: {
+    "provider_id": "provider",
+    "provider_account_id": "providerAccountId",
+    "user_id": "userId",
+    "access_token_expires": "expires_at"
+  }
+})
+db.getCollection('users').updateMany({}, {
+  $rename: {
+    "email_verified": "emailVerified"
+  }
+})
+db.getCollection('sessions').updateMany({}, {
+  $rename: {
+    "session_token": "sessionToken",
+    "user_id": "userId"
+  }
+})
+```
+
+## Missing `secret`
+
+Auth.js used to generate a secret for convenience, when the user did not define one. This might have been useful in development, but can be a concern in production. We have always been clear about that in the docs, but from now on, if you forget to define a `secret` property in production, we will show the user an error page. Read more about this option [here](/reference/configuration/auth-config#secret)
+
+You can generate a secret to be placed in the `secret` configuration option via the following command:
+
+```bash
+$ openssl rand -base64 32
+```
+
+Therefore, your Auth.js config should look something like this:
+
+```javascript title="/pages/api/auth/[...nextauth].js"
+...
+export default NextAuth({
+  ...
+  providers: [...],
+  secret: "LlKq6ZtYbr+hTC073mAmAh9/h2HwMfsFo4hrfCx5mLg=",
+  ...
+})
+```
+
+Introduced in https://github.com/nextauthjs/next-auth/issues/3143
+
+## Session `strategy`
+
+We have always supported two different session strategies. The first being our most popular and default strategy - the JWT based one. The second is the database adapter persisted session strategy. Both have their advantages/disadvantages, you can learn more about them on the [FAQ](/concepts/faq) page.
+
+Previously, the way you configured this was through the `jwt: boolean` flag in the `session` option. The names `session` and `jwt` might have been a bit overused in the options, and so for a clearer message, we renamed this option to `strategy: "jwt" | "database"`, it is still in the `session` object. This will hopefully better indicate the purpose of this option as well as make very explicit which type of session you are going to use.
+
+See the [`session` option docs](/reference/configuration/auth-config#session) for more details.
+
+Introduced in https://github.com/nextauthjs/next-auth/pull/3144
+
+## Summary
+
+We hope this migration goes smoothly for each and every one of you! If you have any questions or get stuck anywhere, feel free to create [a new issue](https://github.com/nextauthjs/next-auth/issues/new) on GitHub.

docs/docs/getting-started/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Getting Started",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/03-basics/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Basics",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/03-basics/callbacks.md

@@ -2,18 +2,13 @@
 title: Callbacks
 ---
 
-import { Callout } from "nextra-theme-docs"
-
 Callbacks are **asynchronous** functions you can use to control what happens when an action is performed.
 
 Callbacks are extremely powerful, especially in scenarios involving JSON Web Tokens as they allow you to implement access controls without a database and to integrate with external databases or APIs.
 
-<Callout>
-  If you want to pass data such as an Access Token or User ID to the browser
-  when using JSON Web Tokens, you can persist the data in the token when the
-  `jwt` callback is called, then pass the data through to the browser in the
-  `session` callback.
-</Callout>
+:::tip
+If you want to pass data such as an Access Token or User ID to the browser when using JSON Web Tokens, you can persist the data in the token when the `jwt` callback is called, then pass the data through to the browser in the `session` callback.
+:::
 
 You can specify a handler for any of the callbacks below.
 
@@ -64,19 +59,17 @@ callbacks: {
 
 * When using the **Credentials Provider** the `user` object is the response returned from the `authorize` callback and the `profile` object is the raw body of the `HTTP POST` submission.
 
-<Callout>
+:::note
 When using Auth.js with a database, the User object will be either a user object from the database (including the User ID) if the user has signed in before or a simpler prototype user object (i.e. name, email, image) for users who have not signed in before.
 
 When using Auth.js without a database, the user object will always be a prototype user object, with information extracted from the profile.
+:::
 
-</Callout>
-
-<Callout>
+:::note
 Redirects returned by this callback cancel the authentication flow. Only redirect to error pages that, for example, tell the user why they're not allowed to sign in.
 
 To redirect to a page after a successful sign in, please use [the `callbackUrl` option](/reference/utilities/#specifying-a-callbackurl) or [the redirect callback](/reference/configuration/auth-config#callbacks).
-
-</Callout>
+:::
 
 ## Redirect callback
 
@@ -98,9 +91,9 @@ callbacks: {
 }
 ```
 
-<Callout>
-  The redirect callback may be invoked more than once in the same flow.
-</Callout>
+:::note
+The redirect callback may be invoked more than once in the same flow.
+:::
 
 ## JWT callback
 
@@ -126,13 +119,9 @@ callbacks: {
 }
 ```
 
-<Callout>
-  Use an if branch to check for the existence of parameters (apart from
-  `token`). If they exist, this means that the callback is being invoked for the
-  first time (i.e. the user is being signed in). This is a good place to persist
-  additional data like an `access_token` in the JWT. Subsequent invocations will
-  only contain the `token` parameter.
-</Callout>
+:::tip
+Use an if branch to check for the existence of parameters (apart from `token`). If they exist, this means that the callback is being invoked for the first time (i.e. the user is being signed in). This is a good place to persist additional data like an `access_token` in the JWT. Subsequent invocations will only contain the `token` parameter.
+:::
 
 ## Session callback
 
@@ -153,18 +142,15 @@ callbacks: {
 }
 ```
 
-<Callout>
-  When using JSON Web Tokens the `jwt()` callback is invoked before the
-  `session()` callback, so anything you add to the JSON Web Token will be
-  immediately available in the session callback, like for example an
-  `access_token` from a provider.
-</Callout>
+:::tip
+When using JSON Web Tokens the `jwt()` callback is invoked before the `session()` callback, so anything you add to the
+JSON Web Token will be immediately available in the session callback, like for example an `access_token` from a provider.
+:::
 
-<Callout type="warning">
+:::warning
 The session object is not persisted server side, even when using database sessions - only data such as the session token, the user, and the expiry time is stored in the session table.
 
 If you need to persist session data server side, you can use the `accessToken` returned for the session as a key - and connect to the database in the `session()` callback to access it. Session `accessToken` values do not rotate and are valid as long as the session is valid.
 
 If using JSON Web Tokens instead of database sessions, you should use the User ID or a unique key stored in the token (you will need to generate a key for this yourself on sign in, as access tokens for sessions are not generated when using JSON Web Tokens).
-
-</Callout>
+:::

docs/docs/guides/03-basics/events.md

@@ -2,15 +2,13 @@
 title: Events
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 Events are asynchronous functions that do not return a response, they are useful for audit logs / reporting or handling any other side-effects.
 
 You can specify a handler for any of these events below, for debugging or for an audit log.
 
-<Callout>
+:::note
 The execution of your authentication API will be blocked by an `await` on your event handler. If your event handler starts any burdensome work it should not block its own promise on that work.
-</Callout>
+:::
 
 ## Events
 

docs/docs/guides/03-basics/initialization.md

@@ -2,8 +2,6 @@
 title: Custom Initialization
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 In Next.js, you can define an API route that will catch all requests that begin with a certain path. Conveniently, this is called [Catch all API routes](https://nextjs.org/docs/api-routes/dynamic-api-routes#catch-all-api-routes).
 
 When you define a `/pages/api/auth/[...nextauth]` JS/TS file, you instruct Auth.js that every API request beginning with `/api/auth/*` should be handled by the code written in the `[...nextauth]` file.
@@ -48,15 +46,15 @@ The `...` section will still be your [options](/reference/configuration/auth-con
 
 You could for example log the request, add headers, read `query` or `body` parameters, whatever you would do in an API route.
 
-<Callout>
+:::tip
 Since this is a catch-all route, remember to check what kind of Auth.js "action" is running. Compare the REST API with the `req.query.nextauth` parameter.
 
 For example to execute something on the "callback" action when the request is a POST method, you can check for `req.query.nextauth.includes("callback") && req.method === "POST"`
-</Callout>
+:::
 
-<Callout>
+:::note
 `NextAuth` will implicitly close the response (by calling `res.end`, `res.send` or similar), so you should not run code **after** `NextAuth` in the function body. Using `return NextAuth` makes sure you don't forget that.
-</Callout>
+:::
 
 Any variable you create this way will be available in the `NextAuth` options as well, since they are in the same scope.
 
@@ -119,6 +117,6 @@ For more details on all available actions and which methods are supported, pleas
 
 This way of initializing `NextAuth` is very powerful, but should be used sparingly.
 
-<Callout type="warning">
+:::warning
 Changing parts of the request that is essential to `NextAuth` to do it's job - like messing with the [default cookies](/reference/configuration/auth-config#cookies) - can have unforeseen consequences, and have the potential to introduce security holes if done incorrectly. Only change those if you understand consequences.
-</Callout>
+:::

docs/docs/guides/03-basics/overriding-jwt.md

@@ -3,11 +3,9 @@ title: Override JWT `encode` and `decode` methods
 sidebar_label: Custom JWT encoding
 ---
 
-import { Callout } from "nextra-theme-docs"
-
-<Callout type="warning">
+:::warning
 If you use middleware to protect routes, make sure the same method is also set in the [`_middleware.ts` options](/reference/nextjs/#custom-jwt-decode-method)
-</Callout>
+:::
 
 Auth.js uses encrypted JSON Web Tokens ([JWE](https://datatracker.ietf.org/doc/html/rfc7516)) by default. Unless you have a good reason, we recommend keeping this behaviour. Although you can override this using the `encode` and `decode` methods. Both methods must be defined at the same time.
 

docs/docs/guides/03-basics/pages.md

@@ -2,8 +2,6 @@
 title: Pages
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 Auth.js automatically creates simple, unbranded authentication pages for handling Sign in, Sign out, Email Verification and displaying error messages.
 
 The options displayed on the sign-up page are automatically generated based on the providers specified in the options passed to Auth.js.
@@ -22,9 +20,9 @@ To add a custom login page, you can use the `pages` option:
 ...
 ```
 
-<Callout>
+:::note
 When using this configuration, ensure that these pages actually exist. For example `error: '/auth/error'` refers to a page file at `pages/auth/error.js`.
-</Callout>
+:::
 
 ## Error codes
 
@@ -178,6 +176,6 @@ You can also use the `signIn()` function which will handle obtaining the CSRF to
 signIn("credentials", { username: "jsmith", password: "1234" })
 ```
 
-<Callout type="info">
+:::tip
 Remember to put any custom pages in a folder outside **/pages/api** which is reserved for API code. As per the examples above, a location convention suggestion is `pages/auth/...`.
-</Callout>
+:::

docs/docs/guides/03-basics/refresh-token-rotation.md

@@ -2,14 +2,11 @@
 title: Refresh token rotation
 ---
 
-import { Callout } from "nextra-theme-docs"
-
 Refresh token rotation is the practice of updating an `access_token` on behalf of the user, without requiring interaction (eg.: re-sign in). `access_token`s are usually issued for a limited time. After they expire, the service verifying them will ignore the value. Instead of asking the user to sign in again to obtain a new `access_token`, certain providers support exchanging a `refresh_token` for a new `access_token`, renewing the expiry time. Let's see how this can be achieved.
 
-<Callout>
-  Our goal is to add zero-config support for built-in providers eventually. Let
-  us know if you would like to help.
-</Callout>
+:::note
+Our goal is to add zero-config support for built-in providers eventually. Let us know if you would like to help.
+:::
 
 ## Implementation
 
@@ -19,15 +16,13 @@ First, make sure that the provider you want to use supports `refresh_token`'s. C
 
 Depending on the session strategy, `refresh_token` can be persisted either in a database, or in a cookie, in an encrypted JWT.
 
-<Callout type="info">
-  Using a JWT to store the `refresh_token` is less secure than saving it in a
-  database, and you need to evaluate based on your requirements which strategy
-  you choose.
-</Callout>
+:::info
+Using a JWT to store the `refresh_token` is less secure than saving it in a database, and you need to evaluate based on your requirements which strategy you choose.
+:::
 
 #### JWT strategy
 
-Using the [jwt](../../reference/03-core/interfaces/types.CallbacksOptions.md#jwt) and [session](../../reference/03-core/interfaces/types.CallbacksOptions.md#session) callbacks, we can persist OAuth tokens and refresh them when they expire.
+Using the [jwt](../../reference/core/interfaces/types.CallbacksOptions.md#jwt) and [session](../../reference/core/interfaces/types.CallbacksOptions.md#session) callbacks, we can persist OAuth tokens and refresh them when they expire.
 
 Below is a sample implementation using Google's Identity Provider. Please note that the OAuth 2.0 request in the `refreshAccessToken()` function will vary between different providers, but the core logic should remain similar.
 
@@ -141,7 +136,7 @@ export default Auth(new Request("https://example.com"), {
       const [google] = await prisma.account.findMany({
         where: { userId: user.id, provider: "google" },
       })
-      if (google.expires_at >= Date.now()) {
+      if (google.expires_at < Date.now()) {
         // If the access token has expired, try to refresh it
         try {
           // https://accounts.google.com/.well-known/openid-configuration
@@ -227,3 +222,4 @@ return (...)
 ## Source Code
 
 A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).
+

docs/docs/guides/03-basics/role-based-authentication.md

@@ -0,0 +1,153 @@
+---
+title: Role-based authentication
+---
+
+There are two ways to add role-based authentication (RBAC) to your application, based on the [session strategy](/concepts/session-strategies) you choose. Let's see an example for each of these.
+
+## Getting the role
+
+We are going to start by adding a `profile()` callback to the providers' config to determine the user role:
+
+```ts title="/pages/api/auth/[...nextauth].ts"
+import NextAuth from "next-auth"
+import Google from "next-auth/providers/google"
+
+export default NextAuth({
+  providers: [
+    Google({
+      profile(profile) {
+        return { role: profile.role ?? "user", ... }
+      },
+      ...
+    })  
+  ],
+})
+```
+
+:::tip
+To determine the user's role, you can either add your logic or if your provider assigns roles already, use that instead.
+:::
+
+## Persisting the role
+### With JWT
+
+When you don't have a database configured, the role will be persisted in a cookie, by using the `jwt()` callback. On sign-in, the `role` property is exposed from the `profile` callback on the `user` object. Persist the `user.role` value by assigning it to `token.role`. That's it!
+
+If you also want to use the role on the client, you can expose it via the `session` callback.
+
+```ts title="/pages/api/auth/[...nextauth].ts"
+import NextAuth from "next-auth"
+import Google from "next-auth/providers/google"
+
+export default NextAuth({
+  providers: [
+    Google({
+      profile(profile) {
+        return { role: profile.role ?? "user", ... }
+      },
+      ...
+    })  
+  ],
+  // highlight-start
+  callbacks: {
+    jwt({ token, user }) {
+      if(user) token.role = user.role
+      return token
+    },
+    session({ session, token }) {
+      session.user.role = token.role
+      return session
+    }
+  }
+  // highlight-end
+})
+```
+
+:::info
+With this strategy, if you want to update the role, the user needs to be forced to sign in again.
+:::
+
+### With Database
+
+When you have a database, you can save the user role on the [User model](/reference/adapters/models#user). The below example is showing you how to do this with Prisma, but the idea is the same for all adapters.
+
+First, add a `role` column to the User model.
+
+```ts title="/prisma/schema.prisma"
+model User {
+  id            String    @id @default(cuid())
+  name          String?
+  email         String?   @unique
+  emailVerified DateTime?
+  image         String?
+  role          String?  // New column
+  accounts      Account[]
+  sessions      Session[]
+}
+```
+
+The `profile()` callback's return value is used to create users in the database. That's it! Your newly created users will now have an assigned role.
+
+If you also want to use the role on the client, you can expose it via the `session` callback.
+
+```ts title="/pages/api/auth/[...nextauth].ts"
+import NextAuth from "next-auth"
+import Google from "next-auth/providers/google"
+  // highlight-next-line
+import prisma from "lib/prisma"
+
+export default NextAuth({
+  // highlight-next-line
+  adapter: PrismaAdapter(prisma),
+  providers: [
+    Google({
+      profile(profile) {
+        return { role: profile.role ?? "user", ... }
+      }
+      ...
+    })  
+  ],
+  // highlight-start
+  callbacks: {
+    session({ session, user }) {
+      session.user.role = user.role
+      return session
+    }
+  }
+  // highlight-end
+})
+```
+
+:::info
+It is up to you how you want to manage to update the roles, either through direct database access or building your role update API.
+:::
+
+## Using the role
+
+If you want to use the role in the client, for both cases above, when using the `useSession` hook, `session.user.role` will have the required role if you exposed it via the `session` callback. You can use this to render a different UI for different users.
+
+```ts title="/pages/admin.tsx"
+import { useSession } from "next-auth/react"
+
+export default function Page() {
+  const session = await useSession()
+
+  if (session?.user.role === "admin") {
+    return <p>You are an admin, welcome!</p>
+  }
+
+  return <p>You are not authorized to view this page!</p>
+}
+```
+
+:::tip
+When using Next.js and JWT, you can alternatively also use [Middleware](https://next-auth.js.org/configuration/nextjs#wrap-middleware) to redirect the user based on their role, even before rendering the page.
+:::
+
+## Resources
+
+- [Concepts: Session strategies](/concepts/session-strategies)
+- [Next.js: Middleware](https://next-auth.js.org/configuration/nextjs#wrap-middleware)
+- [Adapters: User model](/reference/adapters/models#user)
+- [Adapters: Prisma adapter](/reference/adapters/prisma)
+- [TypeScript](/getting-started/typescript)

docs/docs/guides/03-basics/securing-pages-and-api-routes.md

@@ -2,15 +2,13 @@
 title: Securing Pages & API routes
 ---
 
-import { Callout } from "nextra-theme-docs"
-
 You can easily protect client and server side rendered pages and API routes with Auth.js.
 
 _You can find working examples of the approaches shown below in the [example project](https://github.com/nextauthjs/next-auth-example/)._
 
-<Callout>
+:::tip
 The methods `getSession()` and `getToken()` both return an `object` if a session is valid and `null` if a session is invalid or has expired.
-</Callout>
+:::
 
 ## Securing Pages
 
@@ -93,7 +91,7 @@ export async function getServerSideProps(context) {
 }
 ```
 
-<Callout>
+:::tip
 When you supply a `session` prop in `_app.js`, `useSession` won't show a loading state, as it'll already have the session available. In this way, you can provide a more seamless user experience.
 
 ```js title="pages/_app.js"
@@ -111,7 +109,7 @@ export default function App({
 }
 ```
 
-</Callout>
+:::
 
 ## Securing API Routes
 
@@ -158,12 +156,12 @@ export default async (req, res) => {
 }
 ```
 
-<Callout>
+:::tip
 You can use the `getToken()` helper function in any application as long as you set the `NEXTAUTH_URL` environment variable and the application is able to read the JWT cookie (e.g. is on the same domain).
-</Callout>
+:::
 
-<Callout>
+:::note
 Pass `getToken` the same value for `secret` as specified in `pages/api/auth/[...nextauth].js`.
 
 See [the documentation for the JWT option](/reference/configuration/auth-config#jwt) for more information.
-</Callout>
+:::

docs/docs/guides/04-providers/00-custom-provider.md

@@ -3,8 +3,6 @@ title: Using a custom Provider
 sidebar_label: Creating a Provider
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 You can use an OAuth provider that isn't built-in by using a custom object.
 
 As an example of what this looks like, this is the provider object returned for the Google provider:
@@ -79,9 +77,9 @@ For built-in providers, in most cases you will only need to specify the `clientI
 
 Even if you are using a built-in provider, you can override any of these options to tweak the default configuration.
 
-<Callout>
+:::note
 The user provided options are deeply merged with the default options. That means you only have to override part of the options that you need to be different. For example if you want different scopes, overriding `authorization.params.scope` is enough, instead of the whole `authorization` option.
-</Callout>
+:::
 
 ```js title=/api/auth/[...nextauth].js
 import Auth0Provider from "next-auth/providers/auth0"

docs/docs/guides/04-providers/01-credentials-provider.md

@@ -3,17 +3,15 @@ id: credentials
 title: Credentials Provider
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 The Credentials provider allows you to handle signing in with arbitrary credentials, such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).
 
 It is intended to support use cases where you have an existing system you need to authenticate users against.
 
 It comes with the constraint that users authenticated in this manner are not persisted in the database, and consequently that the Credentials provider can only be used if JSON Web Tokens are enabled for sessions.
 
-<Callout type="warning">
+:::warning
 The functionality provided for credentials based authentication is intentionally limited to discourage use of passwords due to the inherent security risks associated with them and the additional complexity associated with supporting usernames and passwords.
-</Callout>
+:::
 
 ## Options
 

docs/docs/guides/04-providers/02-email-provider.md

@@ -3,8 +3,6 @@ id: email
 title: Email Provider
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 The Email provider uses email to send "magic links" that can be used to sign in, you will likely have seen these if you have used services like Slack before.
 
 Adding support for signing in via email in addition to one or more OAuth services provides a way for users to sign in if they lose access to their OAuth account (e.g. if it is locked or deleted).
@@ -17,9 +15,9 @@ On initial sign in, a **Verification Token** is sent to the email address provid
 
 If someone provides the email address of an _existing account_ when signing in, an email is sent and they are signed into the account associated with that email address when they follow the link in the email.
 
-<Callout>
+:::tip
 The Email Provider can be used with both JSON Web Tokens and database sessions, but you **must** configure a database to use it. It is not possible to enable email sign in without using a database.
-</Callout>
+:::
 
 ## Options
 
@@ -199,9 +197,9 @@ function text({ url, host }: Record<"url" | "host", string>) {
 }
 ```
 
-<Callout>
+:::tip
 If you want to generate great looking email client compatible HTML with React, check out https://mjml.io
-</Callout>
+:::
 
 ## Customizing the Verification Token
 

docs/docs/guides/04-providers/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Providers",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/05-adapters/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Adapters",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/05-adapters/using-a-database-adapter.md

@@ -1,14 +1,12 @@
 ---
-title: Using a Database Adapter
+title: Using a database adapter
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 An **Adapter** in Auth.js connects your application to whatever database or backend system you want to use to store data for users, their accounts, sessions, etc. Adapters are optional, unless you need to persist user information in your own database, or you want to implement certain flows. The [Email Provider](/getting-started/email-tutorial) requires an adapter to be able to save [Verification Tokens](/reference/adapters/models#verification-token).
 
-<Callout>
+:::tip
 When using a database, you can still use JWT for session handling for fast access. See the [`session.strategy`](/reference/configuration/auth-config#session) option. Read about the trade-offs of JWT in the [FAQ](/concepts/faq#json-web-tokens).
-</Callout>
+:::
 
 We have a list of official adapters that are distributed as their own packages under the `@next-auth/{name}-adapter` namespace. Their source code is available in their various adapters package directories at [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth/tree/main/packages):
 

docs/docs/guides/06-testing/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Testing",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/06-testing/testing-with-cypress.md

@@ -2,8 +2,6 @@
 title: Testing with Cypress
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 To test an implementation of Auth.js, we encourage you to use [Cypress](https://cypress.io).
 
 ## Setting up Cypress
@@ -14,9 +12,9 @@ To get started, install the dependencies:
 npm install --save-dev cypress cypress-social-logins @testing-library/cypress
 ```
 
-<Callout>
+:::note
 If you are using username/password based login, you will not need the `cypress-social-login` dependency.
-</Callout>
+:::
 
 Cypress will install and initialize the folder structure with example integration tests, a folder for plugins, etc.
 

docs/docs/guides/07-corporate-proxies/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Corporate proxies",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/07-corporate-proxies/corporate-proxy.md

@@ -2,8 +2,6 @@
 title: Corporate proxy
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 Using Auth.js behind a corporate proxy is not supported out of the box. This is due to the fact that the underlying library we use, [`openid-client`](https://npm.im/openid-client) which uses the built-in Node.js `http` / `https` libraries, and those do not support proxys by default:
 
 - [`http` docs](https://nodejs.org/dist/latest-v18.x/docs/api/http.html)
@@ -11,9 +9,9 @@ Using Auth.js behind a corporate proxy is not supported out of the box. This is
 
 Therefore, we'll need to add an additional proxy agent to the http client, such as `https-proxy-agent`.
 
-<Callout type="info">
+:::info
 `openid-client` allows the user to set an `agent` for requests ([source](https://github.com/panva/node-openid-client/blob/main/docs/README.md#customizing-individual-http-requests)).
-</Callout>
+:::
 
 Thanks to [raphaelpc](https://github.com/raphaelpc) for the below diff, which when applied to `v4.2.1`, adds this agent support to the `client.js` file.
 

docs/docs/guides/08-other/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Other",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/guides/09-resources.md

@@ -0,0 +1,118 @@
+---
+id: resources
+title: Community resources
+---
+
+> These tutorials are contributed by the community.
+> **New submissions and edits are welcome!**
+
+## Basics
+
+#### [Introduction to Auth.js](https://www.youtube.com/watch?v=npZsJxWntJM) <svg role="img" viewBox="0 0 24 24" height="24" width="24" style={{ marginLeft: '5px', marginBottom:'-6px'}} xmlns="http://www.w3.org/2000/svg"><title>YouTube</title><path fill="#ff0000" d="M23.498 6.186a3.016 3.016 0 0 0-2.122-2.136C19.505 3.545 12 3.545 12 3.545s-7.505 0-9.377.505A3.017 3.017 0 0 0 .502 6.186C0 8.07 0 12 0 12s0 3.93.502 5.814a3.016 3.016 0 0 0 2.122 2.136c1.871.505 9.376.505 9.376.505s7.505 0 9.377-.505a3.015 3.015 0 0 0 2.122-2.136C24 15.93 24 12 24 12s0-3.93-.502-5.814zM9.545 15.568V8.432L15.818 12l-6.273 3.568z"/></svg>
+
+- This is an introductory video to Auth.js for beginners. In this video, it is explained how to set up authentication in a few easy steps and add different configurations to make it more robust and secure.
+
+#### [Authentication patterns for Next.js](https://nextjs.org/docs/authentication) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Next.js supports multiple patterns for authentication, each designed for different use cases. This guide will allow you to choose your adventure based on your constraints. By Lee Robinson.
+
+#### [Adding Authentication to an existing Next.js Application in no time!](https://dev.to/ndom91/adding-authentication-to-an-existing-serverless-next-js-app-in-no-time-with-nextauth-js-192h) <svg style={{ marginLeft: '5px', marginBottom:'-6px'}} width="30" height="25" viewBox="0 0 50 40" fill="none" xmlns="http://www.w3.org/2000/svg"><rect width="50" height="40" rx="3" style={{ fill: '#000' }}></rect><path d="M19.099 23.508c0 1.31-.423 2.388-1.27 3.234-.838.839-1.942 1.258-3.312 1.258h-4.403V12.277h4.492c1.31 0 2.385.423 3.224 1.27.846.838 1.269 1.912 1.269 3.223v6.738zm-2.808 0V16.77c0-.562-.187-.981-.562-1.258-.374-.285-.748-.427-1.122-.427h-1.685v10.107h1.684c.375 0 .75-.138 1.123-.415.375-.285.562-.708.562-1.27zM28.185 28h-5.896c-.562 0-1.03-.187-1.404-.561-.375-.375-.562-.843-.562-1.404V14.243c0-.562.187-1.03.562-1.404.374-.375.842-.562 1.404-.562h5.896v2.808H23.13v3.65h3.088v2.808h-3.088v3.65h5.054V28zm7.12 0c-.936 0-1.684-.655-2.246-1.965l-3.65-13.758h3.089l2.807 10.804 2.808-10.804H41.2l-3.65 13.758C36.99 27.345 36.241 28 35.305 28z" style={{ fill: '#fff' }}></path></svg>
+
+- This tutorial walks one through adding Auth.js to an existing project. Including setting up the OAuth client id and secret, adding the API routes for authentication, protecting pages and API routes behind that authentication, etc.
+
+#### [Adding social authentication support to a Next.js app](https://getstarted.sh/bulletproof-next/add-social-authentication) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- A tutorial by Arunoda Susirpiala. Checkout [GetStarted](https://getstarted.sh/) for more examples.
+
+#### [How to Authenticate Next.js Apps with Twitter & Auth.js](https://spacejelly.dev/posts/how-to-authenticate-next-js-apps-with-twitter-nextauth-js/) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Learn how to add Twitter authentication and login to a Next.js app both client-side and server-side with Auth.js.
+
+#### [NextJS Authentication Crash Course with Auth.js](https://youtu.be/o_wZIVmWteQ) <svg role="img" viewBox="0 0 24 24" height="24" width="24" style={{ marginLeft: '5px', marginBottom:'-6px'}} xmlns="http://www.w3.org/2000/svg"><title>YouTube</title><path fill="#ff0000" d="M23.498 6.186a3.016 3.016 0 0 0-2.122-2.136C19.505 3.545 12 3.545 12 3.545s-7.505 0-9.377.505A3.017 3.017 0 0 0 .502 6.186C0 8.07 0 12 0 12s0 3.93.502 5.814a3.016 3.016 0 0 0 2.122 2.136c1.871.505 9.376.505 9.376.505s7.505 0 9.377-.505a3.015 3.015 0 0 0 2.122-2.136C24 15.93 24 12 24 12s0-3.93-.502-5.814zM9.545 15.568V8.432L15.818 12l-6.273 3.568z"/></svg>
+
+- This tutorial dives into the ins and outs of NextAuth, including using the Email, Github, Twitter and Auth0 providers in under an hour.
+
+#### [Create your own Auth.js Login Pages](https://youtu.be/kB6YNYZ63fw) <svg role="img" viewBox="0 0 24 24" height="24" width="24" style={{ marginLeft: '5px', marginBottom:'-6px'}} xmlns="http://www.w3.org/2000/svg"><title>YouTube</title><path fill="#ff0000" d="M23.498 6.186a3.016 3.016 0 0 0-2.122-2.136C19.505 3.545 12 3.545 12 3.545s-7.505 0-9.377.505A3.017 3.017 0 0 0 .502 6.186C0 8.07 0 12 0 12s0 3.93.502 5.814a3.016 3.016 0 0 0 2.122 2.136c1.871.505 9.376.505 9.376.505s7.505 0 9.377-.505a3.015 3.015 0 0 0 2.122-2.136C24 15.93 24 12 24 12s0-3.93-.502-5.814zM9.545 15.568V8.432L15.818 12l-6.273 3.568z"/></svg>
+
+- This tutorial shows you how to jump in and create your own custom login pages versus using the ones provided by Auth.js
+
+#### [Passwordless Authentication with next-auth](https://www.youtube.com/watch?v=GPBD3acOx_M) <svg role="img" viewBox="0 0 24 24" height="24" width="24" style={{ marginLeft: '5px', marginBottom:'-6px'}} xmlns="http://www.w3.org/2000/svg"><title>YouTube</title><path fill="#ff0000" d="M23.498 6.186a3.016 3.016 0 0 0-2.122-2.136C19.505 3.545 12 3.545 12 3.545s-7.505 0-9.377.505A3.017 3.017 0 0 0 .502 6.186C0 8.07 0 12 0 12s0 3.93.502 5.814a3.016 3.016 0 0 0 2.122 2.136c1.871.505 9.376.505 9.376.505s7.505 0 9.377-.505a3.015 3.015 0 0 0 2.122-2.136C24 15.93 24 12 24 12s0-3.93-.502-5.814zM9.545 15.568V8.432L15.818 12l-6.273 3.568z"/></svg>
+
+- A video tutorial by Xiaoru Li from Prisma.
+
+#### [How to authenticate Next.js Apps with Sign-In With Ethereum (SIWE) & Auth.js](https://docs.login.xyz/integrations/Auth.js) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Learn how to use Sign-In With Ethereum to authenticate your users with their existing Ethereum wallets - identifiers they personally control.
+- Example application: [spruceid/siwe-next-auth-example](https://github.com/spruceid/siwe-next-auth-example)
+
+#### [Next.js Authentication with Okta and Auth.js 4.0](https://thetombomb.com/posts/nextjs-nextauth-okta) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Learn how to perform authentication with an OIDC Application in Okta and Auth.js.
+
+## Fullstack
+
+#### [Build a FullStack App with Next.js, Auth.js, Supabase & Prisma](https://themodern.dev/courses/build-a-fullstack-app-with-nextjs-supabase-and-prisma-322389284337222224) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+In this [free course](https://themodern.dev/courses/build-a-fullstack-app-with-nextjs-supabase-and-prisma-322389284337222224), you'll learn how to build a full-stack app using the following technologies:
+
+- **Next.js** - The React framework for building the UI of the app and the REST API
+- **Auth.js** - For implementing passwordless and OAuth authentication
+- **Supabase** - For persisting the app data into a PostgreSQL database and storing media files
+- **Prisma** - For making it easy to read and write data from our app from and to the database
+
+The app that we'll work on in this course is called **_SupaVacation_**. It is an online marketplace for vacation rentals where users can browse through all the properties for rent, bookmark their favorite ones, and even rent their own properties.
+
+> Here's [a live demo](https://supa-vacation.vercel.app/) of the app's final version. It is what your app should look likes after completing this course. Feel free to play with it to get an overview of all the features you'll be working on.
+
+#### [Magic Link Authentication in Next.js with NextAuth and Fauna](https://alterclass.io/tutorials/magic-link-authentication-in-nextjs-with-nextauth-and-fauna) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+Learn how to implement passwordless/magic link authentication with database storage in your Next.js projects using NextAuth and Fauna DB.
+
+> The final version of the project's code can be found on [Github](https://github.com/AlterClassIO/magic-next-auth). You can use it as a starting point for any Next.js app that requires passwordless authentication.
+
+> You can also preview the example live [here](https://magic-next-auth.vercel.app/).
+
+This tutorial covers:
+
+- Configuring Next.js, Auth.js, and Fauna to work together seamlessly
+- Using Next.js dynamic API routes to handle authentication requests
+- Using Fauna and the Fauna Adapter for `next-auth` to persist users, email sign in tokens, and sessions
+- Creating custom login and confirmation pages with React + Tailwind CSS
+- Customizing the sign-in email and sending a welcome email to new users
+
+#### [Passwordless Authentication with Next.js, Prisma, and next-auth](https://dev.to/prisma/passwordless-authentication-with-next-js-prisma-and-next-auth-5g8g) <svg style={{ marginLeft: '5px', marginBottom:'-6px'}} width="30" height="25" viewBox="0 0 50 40" fill="none" xmlns="http://www.w3.org/2000/svg"><rect width="50" height="40" rx="3" style={{ fill: '#000' }}></rect><path d="M19.099 23.508c0 1.31-.423 2.388-1.27 3.234-.838.839-1.942 1.258-3.312 1.258h-4.403V12.277h4.492c1.31 0 2.385.423 3.224 1.27.846.838 1.269 1.912 1.269 3.223v6.738zm-2.808 0V16.77c0-.562-.187-.981-.562-1.258-.374-.285-.748-.427-1.122-.427h-1.685v10.107h1.684c.375 0 .75-.138 1.123-.415.375-.285.562-.708.562-1.27zM28.185 28h-5.896c-.562 0-1.03-.187-1.404-.561-.375-.375-.562-.843-.562-1.404V14.243c0-.562.187-1.03.562-1.404.374-.375.842-.562 1.404-.562h5.896v2.808H23.13v3.65h3.088v2.808h-3.088v3.65h5.054V28zm7.12 0c-.936 0-1.684-.655-2.246-1.965l-3.65-13.758h3.089l2.807 10.804 2.808-10.804H41.2l-3.65 13.758C36.99 27.345 36.241 28 35.305 28z" style={{ fill: '#fff' }}></path></svg>
+
+- In this post, you'll learn how to add passwordless authentication to your Next.js app using Prisma and next-auth. By the end of this tutorial, your users will be able to log in to your app with either their GitHub account or a Slack-styled magic link sent right to their Email inbox. By Xiaoru Li.
+
+#### [Fullstack Authentication Example with Next.js and Auth.js](https://github.com/prisma/prisma-examples/tree/latest/typescript/rest-nextjs-api-routes-auth) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- This example shows how to implement a full-stack app in TypeScript with Next.js using Prisma Client as a backend. It also demonstrates how to implement authentication using Auth.js. By Nikolas Burk at Prisma.
+
+## Advanced
+
+#### [Add auth support to a Next.js app with a custom backend](https://arunoda.me/blog/add-auth-support-to-a-next-js-app-with-a-custom-backend) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- A tutorial by Arunoda Susirpiala.
+
+#### [How to Configure Azure AD B2C Authentication with Next.js](https://benjaminwfox.com/blog/tech/how-to-configure-azure-b2c-with-nextjs) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Configuring authentication with Azure B2C in Next.js is not a particularly straight forward process. We'll look at how to facilitate this using the Auth.js library. By Ben Fox.
+
+#### [Sign in with Apple in NextJS](https://thesiddd.com/blog/apple-auth) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- This tutorial walks step by step on how to get sign in with Apple working (both locally and on a deployed website) using Auth.js.
+
+#### [Using Auth.js with Magic links](https://dev.to/narciero/using-nextauth-js-with-magic-links-df4) <svg style={{ marginLeft: '5px', marginBottom:'-6px'}} width="30" height="25" viewBox="0 0 50 40" fill="none" xmlns="http://www.w3.org/2000/svg"><rect width="50" height="40" rx="3" style={{ fill: '#000' }}></rect><path d="M19.099 23.508c0 1.31-.423 2.388-1.27 3.234-.838.839-1.942 1.258-3.312 1.258h-4.403V12.277h4.492c1.31 0 2.385.423 3.224 1.27.846.838 1.269 1.912 1.269 3.223v6.738zm-2.808 0V16.77c0-.562-.187-.981-.562-1.258-.374-.285-.748-.427-1.122-.427h-1.685v10.107h1.684c.375 0 .75-.138 1.123-.415.375-.285.562-.708.562-1.27zM28.185 28h-5.896c-.562 0-1.03-.187-1.404-.561-.375-.375-.562-.843-.562-1.404V14.243c0-.562.187-1.03.562-1.404.374-.375.842-.562 1.404-.562h5.896v2.808H23.13v3.65h3.088v2.808h-3.088v3.65h5.054V28zm7.12 0c-.936 0-1.684-.655-2.246-1.965l-3.65-13.758h3.089l2.807 10.804 2.808-10.804H41.2l-3.65 13.758C36.99 27.345 36.241 28 35.305 28z" style={{ fill: '#fff' }}></path></svg>
+
+- Learn how to use [Magic.Link](https://magic.link) authentication with [Auth.js](https://authjs.dev) to enable passwordless authentication without a database.
+
+## Database
+
+#### [Create a Auth.js Custom Adapter with HarperDB & Next.js](https://spacejelly.dev/posts/how-to-create-a-nextauth-js-custom-adapter-with-harperdb-next-js/) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- Use a custom database in a Custom Adapter for persisted Auth.js sessions using HarperDB as an example.
+- Video tutorial also available: <https://www.youtube.com/watch?v=pu7xBv7sZ8s>
+
+#### [Using Auth.js with Prisma and PlanetScale serverless databases](https://github.com/planetscale/nextjs-planetscale-starter) <svg xmlns="http://www.w3.org/2000/svg" style={{ marginLeft: '5px', marginBottom:'-6px'}} height="20" width="20" fill="none" viewBox="0 0 24 24" stroke="currentColor"><title>External</title> <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14" /> </svg>
+
+- How to set up a PlanetScale database to fetch and store user / account data with the Prisma adapter.

docs/docs/reference/02-configuration/01-auth-config.md

@@ -0,0 +1,447 @@
+---
+title: Initialization
+---
+
+## Options
+
+Options are passed to Auth.js when initializing it in a server environment like a Next.js API Route.
+
+### providers
+
+- **Default value**: `[]`
+- **Required**: _Yes_
+
+#### Description
+
+An array of authentication providers for signing in (e.g. Google, Facebook, Twitter, GitHub, Email, etc) in any order. This can be one of the built-in providers or an object with a custom provider.
+
+Refer to the list of [all available Oauth providers](/reference/providers/oauth-builtin) and the [Oauth tutorial](/getting-started/oauth-tutorial) on how to use them.
+
+---
+
+### secret
+
+- **Default value**: `string` (_SHA hash of the "options" object_) in development, no default in production.
+- **Required**: _Yes, in production!_
+
+#### Description
+
+A random string is used to hash tokens, sign/encrypt cookies and generate cryptographic keys.
+
+If you set [`NEXTAUTH_SECRET`](#nextauth_secret) as an environment variable, you don't have to define this option.
+
+If no value specified specified in development (and there is no `NEXTAUTH_SECRET` variable either), it uses a hash for all configuration options, including OAuth Client ID / Secrets for entropy.
+
+:::warning
+Not providing any `secret` or `NEXTAUTH_SECRET` will throw [an error](/reference/errors#no_secret) in production.
+:::
+
+You can quickly create a good value on the command line via this `openssl` command.
+
+```bash
+$ openssl rand -base64 32
+```
+
+:::tip
+If you rely on the default secret generation in development, you might notice JWT decryption errors, since the secret changes whenever you change your configuration. Defining an explicit secret will make this problem go away. We will likely make this option mandatory, even in development, in the future.
+:::
+
+---
+
+### session
+
+- **Default value**: `object`
+- **Required**: _No_
+
+#### Description
+
+The `session` object and all properties on it are optional.
+
+Default values for this option are shown below:
+
+```js
+session: {
+  // Choose how you want to save the user session.
+  // The default is `"jwt"`, an encrypted JWT (JWE) stored in the session cookie.
+  // If you use an `adapter` however, we default it to `"database"` instead.
+  // You can still force a JWT session by explicitly defining `"jwt"`.
+  // When using `"database"`, the session cookie will only contain a `sessionToken` value,
+  // which is used to look up the session in the database.
+  strategy: "database",
+
+  // Seconds - How long until an idle session expires and is no longer valid.
+  maxAge: 30 * 24 * 60 * 60, // 30 days
+
+  // Seconds - Throttle how frequently to write to database to extend a session.
+  // Use it to limit write operations. Set to 0 to always update the database.
+  // Note: This option is ignored if using JSON Web Tokens
+  updateAge: 24 * 60 * 60, // 24 hours
+}
+```
+
+---
+
+### jwt
+
+- **Default value**: `object`
+- **Required**: _No_
+
+#### Description
+
+JSON Web Tokens can be used for session tokens if enabled with `session: { strategy: "jwt" }` option. JSON Web Tokens are enabled by default if you have not specified an adapter. JSON Web Tokens are encrypted (JWE) by default. We recommend you keep this behaviour. See the [Override JWT `encode` and `decode` methods](#override-jwt-encode-and-decode-methods) advanced option.
+
+#### JSON Web Token Options
+
+```js
+jwt: {
+  // The maximum age of the Auth.js issued JWT in seconds.
+  // Defaults to `session.maxAge`.
+  maxAge: 60 * 60 * 24 * 30,
+  // You can define your own encode/decode functions for signing and encryption
+  async encode() {},
+  async decode() {},
+}
+```
+
+An example JSON Web Token contains a payload like this:
+
+```js
+{
+  name: 'Iain Collins',
+  email: 'me@iaincollins.com',
+  picture: 'https://example.com/image.jpg',
+  iat: 1594601838,
+  exp: 1597193838
+}
+```
+
+#### JWT Helper
+
+You can use the built-in `getToken()` helper method to verify and decrypt the token, like this:
+
+```js
+import { getToken } from "next-auth/jwt"
+
+const secret = process.env.NEXTAUTH_SECRET
+
+export default async function handler(req, res) {
+  // if using `NEXTAUTH_SECRET` env variable, we detect it, and you won't actually need to `secret`
+  // const token = await getToken({ req })
+  const token = await getToken({ req, secret })
+  console.log("JSON Web Token", token)
+  res.end()
+}
+```
+
+_For convenience, this helper function is also able to read and decode tokens passed from the `Authorization: 'Bearer token'` HTTP header._
+
+**Required**
+
+The getToken() helper requires the following options:
+
+- `req` - (object) Request object
+- `secret` - (string) JWT Secret. Use `NEXTAUTH_SECRET` instead.
+
+You must also pass _any options configured on the `jwt` option_ to the helper.
+
+e.g. Including custom session `maxAge` and custom signing and/or encryption keys or options
+
+**Optional**
+
+It also supports the following options:
+
+- `secureCookie` - (boolean) Use secure prefixed cookie name
+
+  By default, the helper function will attempt to determine if it should use the secure prefixed cookie (e.g. `true` in production and `false` in development, unless NEXTAUTH_URL contains an HTTPS URL).
+
+- `cookieName` - (string) Session token cookie name
+
+  The `secureCookie` option is ignored if `cookieName` is explicitly specified.
+
+- `raw` - (boolean) Get raw token (not decoded)
+
+  If set to `true` returns the raw token without decrypting or verifying it.
+
+:::note
+The JWT is stored in the Session Token cookie, the same cookie used for tokens with database sessions.
+:::
+
+---
+
+### pages
+
+- **Default value**: `{}`
+- **Required**: _No_
+
+#### Description
+
+Specify URLs to be used if you want to create custom sign in, sign out and error pages.
+
+Pages specified will override the corresponding built-in page.
+
+_For example:_
+
+```js
+pages: {
+  signIn: '/auth/signin',
+  signOut: '/auth/signout',
+  error: '/auth/error', // Error code passed in query string as ?error=
+  verifyRequest: '/auth/verify-request', // (used for check email message)
+  newUser: '/auth/new-user' // New users will be directed here on first sign in (leave the property out if not of interest)
+}
+```
+
+:::note
+When using this configuration, ensure that these pages actually exist. For example `error: '/auth/error'` refers to a page file at `pages/auth/error.js`.
+:::
+
+See the documentation for the [creating custom pages guide](/guides/basics/pages) for more information.
+
+---
+
+### callbacks
+
+- **Default value**: `object`
+- **Required**: _No_
+
+#### Description
+
+Callbacks are asynchronous functions you can use to control what happens when an action is performed.
+
+Callbacks are extremely powerful, especially in scenarios involving JSON Web Tokens as they allow you to implement access controls without a database and to integrate with external databases or APIs.
+
+You can specify a handler for any of the callbacks below.
+
+```js
+callbacks: {
+  async signIn({ user, account, profile, email, credentials }) {
+    return true
+  },
+  async redirect({ url, baseUrl }) {
+    return baseUrl
+  },
+  async session({ session, token, user }) {
+    return session
+  },
+  async jwt({ token, user, account, profile, isNewUser }) {
+    return token
+  }
+}
+```
+
+See [our callbacks guide](/guides/basics/callbacks) for more information on how to use the callback functions.
+
+---
+
+### events
+
+- **Default value**: `object`
+- **Required**: _No_
+
+#### Description
+
+Events are asynchronous functions that do not return a response, they are useful for audit logging.
+
+You can specify a handler for any of these events below - e.g. for debugging or to create an audit log.
+
+The content of the message object varies depending on the flow (e.g. OAuth or Email authentication flow, JWT or database sessions, etc). See the [events guide](/guides/basics/events) for more information on the form of each message object and how to use the events functions.
+
+```js
+events: {
+  async signIn(message) { /* on successful sign in */ },
+  async signOut(message) { /* on signout */ },
+  async createUser(message) { /* user created */ },
+  async updateUser(message) { /* user updated - e.g. their email was verified */ },
+  async linkAccount(message) { /* account (e.g. Twitter) linked to a user */ },
+  async session(message) { /* session is active */ },
+}
+```
+
+---
+
+### adapter
+
+- **Default value**: none
+- **Required**: _No_
+
+#### Description
+
+By default Auth.js does not include an adapter any longer. If you would like to persist user / account data, please install one of the many available adapters. More information can be found in the [adapter documentation](/reference/adapters/overview).
+
+---
+
+### debug
+
+- **Default value**: `false`
+- **Required**: _No_
+
+#### Description
+
+Set debug to `true` to enable debug messages for authentication and database operations.
+
+---
+
+### logger
+
+- **Default value**: `console`
+- **Required**: _No_
+
+#### Description
+
+Override any of the logger levels (`undefined` levels will use the built-in logger), and intercept logs in NextAuth. You can use this to send NextAuth logs to a third-party logging service.
+
+The `code` parameter for `error` and `warn` are explained in the [Warnings](/reference/warnings) and [Errors](/reference/errors) pages respectively.
+
+Example:
+
+```js title="/pages/api/auth/[...nextauth].js"
+import log from "logging-service"
+
+export default NextAuth({
+  ...
+  logger: {
+    error(code, metadata) {
+      log.error(code, metadata)
+    },
+    warn(code) {
+      log.warn(code)
+    },
+    debug(code, metadata) {
+      log.debug(code, metadata)
+    }
+  }
+  ...
+})
+```
+
+:::note
+If the `debug` level is defined by the user, it will be called regardless of the `debug: false` [option](#debug).
+:::
+
+---
+
+### theme
+
+- **Default value**: `object`
+- **Required**: _No_
+
+#### Description
+
+Changes the color scheme theme of [pages](/reference/configuration/auth-config#pages) as well as allows some minor customization. Set `theme.colorScheme` to `"light"`, if you want to force pages to always be light. Set to `"dark"`, if you want to force pages to always be dark. Set to `"auto"`, (or leave this option out) if you want the pages to follow the preferred system theme. (Uses the [prefers-color-scheme](https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme) media query.)
+
+In addition, you can define a logo URL in `theme.logo` which will be rendered above the main card in the default signin/signout/error/verify-request pages, as well as a `theme.brandColor` which will affect the accent color of these pages.
+
+```js
+theme: {
+  colorScheme: "auto", // "auto" | "dark" | "light"
+  brandColor: "", // Hex color code
+  logo: "" // Absolute URL to image
+}
+```
+
+---
+
+## Advanced Options
+
+Advanced options are passed the same way as basic options, but may have complex implications or side effects. You should try to avoid using advanced options unless you are very comfortable using them.
+
+---
+
+### useSecureCookies
+
+- **Default value**: `true` for HTTPS sites / `false` for HTTP sites
+- **Required**: _No_
+
+#### Description
+
+When set to `true` (the default for all site URLs that start with `https://`) then all cookies set by Auth.js will only be accessible from HTTPS URLs.
+
+This option defaults to `false` on URLs that start with `http://` (e.g. `http://localhost:3000`) for developer convenience.
+
+:::note
+Properties on any custom `cookies` that are specified override this option.
+:::
+
+:::warning
+Setting this option to _false_ in production is a security risk and may allow sessions to be hijacked if used in production. It is intended to support development and testing. Using this option is not recommended.
+:::
+
+---
+
+### cookies
+
+- **Default value**: `{}`
+- **Required**: _No_
+
+#### Description
+
+Cookies in Auth.js are chunked by default, meaning that once they reach the 4kb limit, we will create a new cookie with the `.{number}` suffix and reassemble the cookies in the correct order when parsing / reading them. This was introduced to avoid size constraints which can occur when users want to store additional data in their sessionToken, for example.
+
+You can override the default cookie names and options for any of the cookies used by Auth.js.
+
+This is an advanced option and using it is not recommended as you may break authentication or introduce security flaws into your application.
+
+You can specify one or more cookies with custom properties, but if you specify custom options for a cookie you must provide all the options for that cookie.
+
+If you use this feature, you will likely want to create conditional behaviour to support setting different cookies policies in development and production builds, as you will be opting out of the built-in dynamic policy.
+
+:::tip
+An example of a use case for this option is to support sharing session tokens across subdomains.
+:::
+
+#### Example
+
+```js
+cookies: {
+  sessionToken: {
+    name: `__Secure-next-auth.session-token`,
+    options: {
+      httpOnly: true,
+      sameSite: 'lax',
+      path: '/',
+      secure: true
+    }
+  },
+  callbackUrl: {
+    name: `__Secure-next-auth.callback-url`,
+    options: {
+      sameSite: 'lax',
+      path: '/',
+      secure: true
+    }
+  },
+  csrfToken: {
+    name: `__Host-next-auth.csrf-token`,
+    options: {
+      httpOnly: true,
+      sameSite: 'lax',
+      path: '/',
+      secure: true
+    }
+  },
+  pkceCodeVerifier: {
+    name: `${cookiePrefix}next-auth.pkce.code_verifier`,
+    options: {
+      httpOnly: true,
+      sameSite: 'lax',
+      path: '/',
+      secure: useSecureCookies,
+      maxAge: 900
+    }
+  },
+  state: {
+    name: `${cookiePrefix}next-auth.state`,
+    options: {
+      httpOnly: true,
+      sameSite: "lax",
+      path: "/",
+      secure: useSecureCookies,
+      maxAge: 900
+    },
+  },
+}
+```
+
+:::warning
+Using a custom cookie policy may introduce security flaws into your application and is intended as an option for advanced users who understand the implications. Using this option is not recommended.
+:::

docs/docs/reference/02-configuration/04-env.md

@@ -0,0 +1,38 @@
+---
+title: Environment variables
+sidebar_label: Environment Variables
+---
+
+## NEXTAUTH_URL
+
+When deploying to production, set the `NEXTAUTH_URL` environment variable to the canonical URL of your site.
+
+```
+NEXTAUTH_URL=https://example.com
+```
+
+If your Next.js application uses a custom base path, specify the route to the API endpoint in full.
+
+_e.g. `NEXTAUTH_URL=https://example.com/custom-route/api/auth`_
+
+:::note
+Using [System Environment Variables](https://vercel.com/docs/concepts/projects/environment-variables#system-environment-variables) we automatically detect when you deploy to [Vercel](https://vercel.com) so you don't have to define this variable. Make sure **Automatically expose System Environment Variables** is checked in your Project Settings.
+:::
+
+---
+
+## NEXTAUTH_SECRET
+
+Used to encrypt the Auth.js JWT, and to hash [email verification tokens](/reference/adapters/models#verification-token). This is the default value for the [`secret`](/reference/configuration/auth-config#secret) option. The `secret` option might be removed in the future in favor of this.
+
+If you are using [Middleware](/reference/nextjs/#prerequisites) this environment variable must be set.
+
+---
+
+## NEXTAUTH_URL_INTERNAL
+
+If provided, server-side calls will use this instead of `NEXTAUTH_URL`. Useful in environments when the server doesn't have access to the canonical URL of your site. Defaults to `NEXTAUTH_URL`.
+
+```
+NEXTAUTH_URL_INTERNAL=http://10.240.8.16
+```

docs/docs/reference/02-configuration/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Configuration",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/reference/02-utilities/index.md

@@ -3,8 +3,6 @@ id: client
 title: Utilities
 ---
 
-import { Callout } from 'nextra-theme-docs'
-
 The Auth.js client library makes it easy to interact with sessions from React applications.
 
 #### Example Session Object
@@ -20,15 +18,15 @@ The Auth.js client library makes it easy to interact with sessions from React ap
 }
 ```
 
-<Callout>
+:::tip
 The session data returned to the client does not contain sensitive information such as the Session Token or OAuth tokens. It contains a minimal payload that includes enough data needed to display information on a page about the user who is signed in for presentation purposes (e.g name, email, image).
 
 You can use the [session callback](/reference/configuration/auth-config#callbacks) to customize the session object returned to the client if you need to return additional data in the session object.
-</Callout>
+:::
 
-<Callout>
+:::note
 The `expires` value is rotated, meaning whenever the session is retrieved from the [REST API](/reference/rest-api), this value will be updated as well, to avoid session expiry.
-</Callout>
+:::
 
 ## getSession()
 
@@ -39,9 +37,9 @@ Auth.js provides a `getSession()` helper which should be called **client side on
 
 On the server side, **this is still available to use**, however, we recommend using `unstable_getServerSession` going forward. The idea behind this is to avoid an additional unnecessary `fetch` call on the server side. For more information, please check out [this issue](https://github.com/nextauthjs/next-auth/issues/1535).
 
-<Callout>
+:::note
 The `unstable_getServerSession` only has the prefix `unstable_` at the moment, because the API may change in the future. There are no known bugs at the moment and it is safe to use. If you discover any issues, please do report them as a [GitHub Issue](https://github.com/nextauthjs/next-auth/issues) and we will patch them as soon as possible.
-</Callout>
+:::
 
 This helper is helpful in case you want to read the session outside of the context of React.
 
@@ -115,9 +113,9 @@ export default async (req, res) => {
 }
 ```
 
-<Callout>
+:::note
 Unlike and `getCsrfToken()`, when calling `getProviders()` server side, you don't need to pass anything, just as calling it client side.
-</Callout>
+:::
 
 ---
 
@@ -180,9 +178,9 @@ The URL must be considered valid by the [redirect callback handler](/reference/c
 
 ### Using the `redirect: false` option
 
-<Callout>
+:::note
 The redirect option is only available for `credentials` and `email` providers.
-</Callout>
+:::
 
 In some cases, you might want to deal with the sign in response on the same page and disable the default redirection. For example, if an error occurs (like wrong credentials given by the user), you might want to handle the error on the same page. For that, you can pass `redirect: false` in the second parameter object.
 
@@ -229,13 +227,13 @@ e.g.
 - `signIn("identity-server4", null, { prompt: "login" })` _always ask the user to re-authenticate_
 - `signIn("auth0", null, { login_hint: "info@example.com" })` _hints the e-mail address to the provider_
 
-<Callout>
+:::note
 You can also set these parameters through [`provider.authorizationParams`](/reference/providers/oauth).
-</Callout>
+:::
 
-<Callout>
+:::note
 The following parameters are always overridden server-side: `redirect_uri`, `state`
-</Callout>
+:::
 
 ---
 
@@ -266,8 +264,8 @@ The URL must be considered valid by the [redirect callback handler](/guides/basi
 
 If you pass `redirect: false` to `signOut`, the page will not reload. The session will be deleted, and the `useSession` hook is notified, so any indication about the user will be shown as logged out automatically. It can give a very nice experience for the user.
 
-<Callout>
+:::tip
 If you need to redirect to another page but you want to avoid a page reload, you can try:
 `const data = await signOut({redirect: false, callbackUrl: "/foo"})`
 where `data.url` is the validated URL you can redirect the user to without any flicker by using Next.js's `useRouter().push(data.url)`
-</Callout>
+:::

docs/docs/reference/04-providers/02-oauth-builtin.mdx

@@ -3,16 +3,13 @@ title: Available OAuth providers
 sidebar_label: OAuth providers
 ---
 
-import { Callout } from "nextra-theme-docs"
-
 Authentication Providers in **Auth.js** are services that can be used to sign a user in.
 
 Auth.js comes with a set of built-in providers. You can find them [here](https://github.com/nextauthjs/next-auth/tree/main/packages/core/src/providers). Each built-in provider has its own documentation page:
 
-<Callout>
-  Auth.js supports any **2.x** and **OpenID Connect (OIDC)** compliant providers
-  and has built-in support for the most popular services.
-</Callout>
+:::note
+Auth.js supports any **2.x** and **OpenID Connect (OIDC)** compliant providers and has built-in support for the most popular services.
+:::
 
 <ul>
   {Object.entries(require("../../../providers.json"))

docs/docs/reference/04-providers/02-oauth.mdx

@@ -3,8 +3,6 @@ title: OAuth Provider Options
 sidebar_label: OAuth options
 ---
 
-import { Callout } from "nextra-theme-docs"
-
 ## Provider Options
 
 Whenever you configure a custom or a built-in OAuth provider, you have the following options available:
@@ -103,10 +101,9 @@ There are two ways to use this option:
    }
    ```
 
-<Callout>
-  If your Provider is OpenID Connect (OIDC) compliant, we recommend using the
-  `wellKnown` option instead.
-</Callout>
+:::tip
+If your Provider is OpenID Connect (OIDC) compliant, we recommend using the `wellKnown` option instead.
+:::
 
 ### `token` option
 
@@ -134,16 +131,13 @@ There are three ways to use this option:
    }
    ```
 
-<Callout type="warning">
-  Option 3. should not be necessary in most cases, but if your provider does not
-  follow the spec, or you have some very unique constraints it can be useful.
-  Try to avoid it, if possible.
-</Callout>
+:::warning
+Option 3. should not be necessary in most cases, but if your provider does not follow the spec, or you have some very unique constraints it can be useful. Try to avoid it, if possible.
+:::
 
-<Callout>
-  If your Provider is OpenID Connect (OIDC) compliant, we recommend using the
-  `wellKnown` option instead.
-</Callout>
+:::tip
+If your Provider is OpenID Connect (OIDC) compliant, we recommend using the `wellKnown` option instead.
+:::
 
 ### `userinfo` option
 
@@ -171,13 +165,11 @@ There are three ways to use this option:
    }
    ```
 
-<Callout type="warning">
-  Option 3. should not be necessary in most cases, but if your provider does not
-  follow the spec, or you have some very unique constraints it can be useful.
-  Try to avoid it, if possible.
-</Callout>
+:::warning
+Option 3. should not be necessary in most cases, but if your provider does not follow the spec, or you have some very unique constraints it can be useful. Try to avoid it, if possible.
+:::
 
-<Callout>
+:::tip
 In the rare case you don't care about what this endpoint returns, or your provider does not have one, you could create a noop function:
 
 ```js
@@ -186,17 +178,11 @@ userinfo: {
 }
 ```
 
-</Callout>
+:::
 
-<Callout>
-  If your Provider is OpenID Connect (OIDC) compliant, we recommend using the
-  `wellKnown` option instead. OIDC usually returns an `id_token` from the
-  `token` endpoint. `next-auth` can decode the `id_token` to get the user
-  information, instead of making an additional request to the `userinfo`
-  endpoint. Just set `idToken: true` at the top-level of your provider
-  configuration. If not set, `next-auth` will still try to contact this
-  endpoint.
-</Callout>
+:::tip
+If your Provider is OpenID Connect (OIDC) compliant, we recommend using the `wellKnown` option instead. OIDC usually returns an `id_token` from the `token` endpoint. `next-auth` can decode the `id_token` to get the user information, instead of making an additional request to the `userinfo` endpoint. Just set `idToken: true` at the top-level of your provider configuration. If not set, `next-auth` will still try to contact this endpoint.
+:::
 
 ### `client` option
 

docs/docs/reference/04-providers/04-email.md

@@ -16,4 +16,4 @@ sidebar_label: Email options
 See our guides on magic links authentication for further tips on how to customize this provider:
 
 - [Tutorial](/getting-started/email-tutorial)
-- [Guide deep-dive](guides/providers/email)
+- [Guide deep-dive](/guides/providers/email)

docs/docs/reference/04-providers/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "Providers",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/reference/05-oauth-providers/42.md

@@ -0,0 +1,38 @@
+---
+id: 42-school
+title: 42 School
+---
+
+:::note
+42 returns a field on `Account` called `created_at` which is a number. See the [docs](https://api.intra.42.fr/apidoc/guides/getting_started#make-basic-requests). Make sure to add this field to your database schema, in case if you are using an [Adapter](/reference/adapters/overview).
+:::
+
+## Documentation
+
+https://api.intra.42.fr/apidoc/guides/web_application_flow
+
+## Configuration
+
+https://profile.intra.42.fr/oauth/applications/new
+
+## Options
+
+The **42 School Provider** comes with a set of default options:
+
+- [42 School Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/42-school.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import FortyTwoProvider from "next-auth/providers/42-school";
+...
+providers: [
+  FortyTwoProvider({
+    clientId: process.env.FORTY_TWO_CLIENT_ID,
+    clientSecret: process.env.FORTY_TWO_CLIENT_SECRET
+  })
+]
+...
+```

docs/docs/reference/05-oauth-providers/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "OAuth Providers",
+  "collapsible": true,
+  "collapsed": true
+}

docs/docs/reference/05-oauth-providers/apple.md

@@ -0,0 +1,137 @@
+---
+id: apple
+title: Apple
+---
+
+## Documentation
+
+https://developer.apple.com/sign-in-with-apple/get-started/
+
+## Configuration
+
+https://developer.apple.com/account/resources/identifiers/list/serviceId
+
+## Options
+
+The **Apple Provider** comes with a set of default options:
+
+- [Apple Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/apple.ts)
+
+You can override any of the options to suit your own use case.
+
+### Generating a secret
+
+Apple requires the client secret to be a JWT. To generate one, you can use the following script: https://bal.so/apple-gen-secret.
+
+For more information, see the [Apple docs](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens#3262048)
+
+Then, you can paste the result into your `.env.local` file under `APPLE_SECRET`, so you can refer to it from your code:
+
+```js
+import AppleProvider from "next-auth/providers/apple";
+...
+providers: [
+  AppleProvider({
+    clientId: process.env.APPLE_ID,
+    clientSecret: process.env.APPLE_SECRET
+  })
+]
+...
+```
+
+:::tip
+The TeamID is located on the top right after logging in.
+:::
+
+:::tip
+The KeyID is located after you create the key. Look for it before you download the k8 file.
+:::
+
+## Testing on a development server
+
+:::tip
+Apple requires all sites to run HTTPS (including local development instances).
+:::
+
+:::tip
+Apple doesn't allow you to use localhost in domains or subdomains.
+:::
+
+### Host name resolution
+
+Edit your host file and point your site to `127.0.0.1`.
+
+_Linux/macOS_
+
+```
+sudo echo '127.0.0.1 dev.example.com' >> /etc/hosts
+```
+
+_Windows_ (run PowerShell as administrator)
+
+```ps
+Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value "127.0.0.1 dev.example.com" -Force
+```
+
+More info: [How to edit my host file?](https://phoenixnap.com/kb/how-to-edit-hosts-file-in-windows-mac-or-linux)
+
+### Create certificate
+
+Create a directory `certificates` and add the certificate files `localhost.key` and `localhost.crt`, which you generate using OpenSSL:
+
+_Linux/macOS_
+
+```bash
+openssl req -x509 -out localhost.crt -keyout localhost.key \
+  -newkey rsa:2048 -nodes -sha256 \
+  -subj "/CN=localhost" -extensions EXT -config <( \
+   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
+```
+
+_Windows_
+
+The OpenSSL executable is distributed with [Git](https://git-scm.com/download/win) for Windows. Once installed you will find the openssl.exe file in `C:\Program Files\Git\mingw64\bin`, which you can add to the system PATH environment variable if it’s not already done.
+
+Add environment variable `OPENSSL_CONF=C:\Program Files\Git\mingw64\ssl\openssl.cnf`
+
+```cmd
+ req -x509 -out localhost.crt -keyout localhost.key \
+  -newkey rsa:2048 -nodes -sha256 \
+  -subj "/CN=localhost"
+```
+
+### Deploy to server
+
+You can create a `server.js` in the root of your project and run it with `node server.js` to test Sign in with Apple integration locally:
+
+```js
+const { createServer } = require("https")
+const { parse } = require("url")
+const next = require("next")
+const fs = require("fs")
+
+const dev = process.env.NODE_ENV !== "production"
+const app = next({ dev })
+const handle = app.getRequestHandler()
+
+const httpsOptions = {
+  key: fs.readFileSync("./certificates/localhost.key"),
+  cert: fs.readFileSync("./certificates/localhost.crt"),
+}
+
+app.prepare().then(() => {
+  createServer(httpsOptions, (req, res) => {
+    const parsedUrl = parse(req.url, true)
+    handle(req, res, parsedUrl)
+  }).listen(3000, (err) => {
+    if (err) throw err
+    console.log("> Ready on https://localhost:3000")
+  })
+})
+```
+
+### Helpful guides
+
+- [How to setup localhost with HTTPS with a Next.js app](https://medium.com/@anMagpie/secure-your-local-development-server-with-https-next-js-81ac6b8b3d68)
+
+- [Guide to configuring Sign in with Apple](https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple)

docs/docs/reference/05-oauth-providers/atlassian.md

@@ -0,0 +1,52 @@
+---
+id: atlassian
+title: Atlassian
+---
+
+## Documentation
+
+https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/#implementing-oauth-2-0--3lo-
+
+## Options
+
+The **Atlassian Provider** comes with a set of default options:
+
+- [Atlassian Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/atlassian.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import AtlassianProvider from "next-auth/providers/atlassian";
+...
+providers: [
+  AtlassianProvider({
+    clientId: process.env.ATLASSIAN_CLIENT_ID,
+    clientSecret: process.env.ATLASSIAN_CLIENT_SECRET,
+    authorization: {
+      params: {
+        scope: "write:jira-work read:jira-work read:jira-user offline_access read:me"
+      }
+    }
+  })
+]
+...
+```
+
+## Instructions
+
+### Configuration
+
+:::tip
+An app can be created at https://developer.atlassian.com/apps/
+:::
+
+Under "Apis and features" in the side menu, configure the following for "OAuth 2.0 (3LO)":
+
+- Redirect URL
+  - http://localhost:3000/api/auth/callback/atlassian
+
+:::warning
+To enable access to Jira Platform REST API you must enable User Identity API and add `read:me` to your provider scope option.
+:::

docs/docs/reference/05-oauth-providers/auth0.md

@@ -0,0 +1,39 @@
+---
+id: auth0
+title: Auth0
+---
+
+## Documentation
+
+https://auth0.com/docs/api/authentication#authorize-application
+
+## Configuration
+
+https://manage.auth0.com/dashboard
+
+## Options
+
+The **Auth0 Provider** comes with a set of default options:
+
+- [Auth0 Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/auth0.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import Auth0Provider from "next-auth/providers/auth0";
+...
+providers: [
+  Auth0Provider({
+    clientId: process.env.AUTH0_CLIENT_ID,
+    clientSecret: process.env.AUTH0_CLIENT_SECRET,
+    issuer: process.env.AUTH0_ISSUER
+  })
+]
+...
+```
+
+:::note
+`issuer` should be the fully qualified URL – e.g. `https://dev-s6clz2lv.eu.auth0.com`
+:::

docs/docs/reference/05-oauth-providers/authentik.md

@@ -0,0 +1,35 @@
+---
+id: authentik
+title: Authentik
+---
+
+## Documentation
+
+https://goauthentik.io/docs/providers/oauth2
+
+## Options
+
+The **Authentik Provider** comes with a set of default options:
+
+- [Authentik Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/authentik.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import AuthentikProvider from "next-auth/providers/authentik";
+...
+providers: [
+  AuthentikProvider({
+    clientId: process.env.AUTHENTIK_ID,
+    clientSecret: process.env.AUTHENTIK_SECRET,
+    issuer: process.env.AUTHENTIK_ISSUER,
+  })
+]
+...
+```
+
+:::note
+`issuer` should include the slug without a trailing slash – e.g., `https://my-authentik-domain.com/application/o/My_Slug`
+:::

docs/docs/reference/05-oauth-providers/azure-ad-b2c.md

@@ -0,0 +1,117 @@
+---
+id: azure-ad-b2c
+title: Azure Active Directory B2C
+---
+
+:::note
+Azure AD B2C returns the following fields on `Account`:
+
+- `refresh_token_expires_in` (number)
+- `not_before` (number)
+- `id_token_expires_in` (number)
+- `profile_info` (string).
+
+See their [docs](https://docs.microsoft.com/en-us/azure/active-directory-b2c/access-tokens). Remember to add these fields to your database schema, in case if you are using an [Adapter](/reference/adapters/overview).
+:::
+
+## Documentation
+
+https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
+
+## Configuration
+
+https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant
+
+## Options
+
+The **Azure Active Directory Provider** comes with a set of default options:
+
+- [Azure Active Directory Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/azure-ad-b2c.ts)
+
+You can override any of the options to suit your own use case.
+
+## Configuration (Basic)
+
+Basic configuration sets up Azure AD B2C to return an ID Token. This should be done as a prerequisite prior to running through the Advanced configuration.
+
+Step 1: Azure AD B2C Tenant
+https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
+
+Step 2: App Registration
+https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications
+
+Step 3: User Flow
+https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows
+
+Note: For the step "User attributes and token claims" you might minimally:
+
+- Collect attribute:
+  - Email Address
+  - Display Name
+  - Given Name
+  - Surname
+- Return claim:
+  - Email Addresses
+  - Display Name
+  - Given Name
+  - Surname
+  - Identity Provider
+  - Identity Provider Access Token
+  - User's Object ID
+
+## Example
+
+In `.env.local` create the following entries:
+
+```
+AZURE_AD_B2C_TENANT_NAME=<copy the B2C tenant name here from Step 1>
+AZURE_AD_B2C_CLIENT_ID=<copy Application (client) ID here from Step 2>
+AZURE_AD_B2C_CLIENT_SECRET=<copy generated secret value here from Step 2>
+AZURE_AD_B2C_PRIMARY_USER_FLOW=<copy the name of the signin user flow you created from Step 3>
+```
+
+In `pages/api/auth/[...nextauth].js` find or add the AZURE_AD_B2C entries:
+
+```js
+import AzureADB2CProvider from "next-auth/providers/azure-ad-b2c";
+...
+providers: [
+  AzureADB2CProvider({
+    tenantId: process.env.AZURE_AD_B2C_TENANT_NAME,
+    clientId: process.env.AZURE_AD_B2C_CLIENT_ID,
+    clientSecret: process.env.AZURE_AD_B2C_CLIENT_SECRET,
+    primaryUserFlow: process.env.AZURE_AD_B2C_PRIMARY_USER_FLOW,
+    authorization: { params: { scope: "offline_access openid" } },
+  }),
+]
+...
+```
+
+## Configuration (Advanced)
+
+Advanced configuration sets up Azure AD B2C to return an Authorization Token. This builds on the steps completed in the Basic configuration above.
+
+Step 4: Add a Web API application
+https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-single-page-app-webapi?tabs=app-reg-ga
+
+Note: this is a second app registration (similar to Step 2) but with different setup and configuration.
+
+## Example
+
+Nothing in `.env.local` needs to change here. The only update is in `pages/api/auth/[...nextauth].js` where you will need to add the additional scopes that were created in Step 4 above:
+
+```js
+import AzureADB2CProvider from "next-auth/providers/azure-ad-b2c";
+...
+providers: [
+  AzureADB2CProvider({
+    tenantId: process.env.AZURE_AD_B2C_TENANT_NAME,
+    clientId: process.env.AZURE_AD_B2C_CLIENT_ID,
+    clientSecret: process.env.AZURE_AD_B2C_CLIENT_SECRET,
+    primaryUserFlow: process.env.AZURE_AD_B2C_PRIMARY_USER_FLOW,
+    authorization: { params: { scope: `https://${process.env.AZURE_AD_B2C_TENANT_NAME}.onmicrosoft.com/api/demo.read https://${process.env.AZURE_AD_B2C_TENANT_NAME}.onmicrosoft.com/api/demo.write offline_access openid` } },
+  }),
+]
+...
+
+```

docs/docs/reference/05-oauth-providers/azure-ad.md

@@ -0,0 +1,59 @@
+---
+id: azure-ad
+title: Azure Active Directory
+---
+
+## Documentation
+
+https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+
+## Configuration
+
+https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
+
+## Example
+
+### To allow specific Active Directory users access:
+
+- In https://portal.azure.com/ search for "Azure Active Directory", and select your organization.
+- Next, go to "App Registration" in the left menu, and create a new one.
+- Pay close attention to "Who can use this application or access this API?"
+  - This allows you to scope access to specific types of user accounts
+  - Only your tenant, all azure tenants, or all azure tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.)
+- When asked for a redirection URL, use `https://yourapplication.com/api/auth/callback/azure-ad` or for development `http://localhost:3000/api/auth/callback/azure-ad`.
+- After your App Registration is created, under "Client Credential" create your Client secret.
+- Now copy your:
+  - Application (client) ID
+  - Directory (tenant) ID
+  - Client secret (value)
+
+In `.env.local` create the following entries:
+
+```
+AZURE_AD_CLIENT_ID=<copy Application (client) ID here>
+AZURE_AD_CLIENT_SECRET=<copy generated client secret value here>
+AZURE_AD_TENANT_ID=<copy the tenant id here>
+```
+
+That will default the tenant to use the `common` authorization endpoint. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
+
+:::note
+Azure AD returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#examples. The default image size is 48x48 to avoid [running out of space](https://authjs.dev/concepts/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT.
+:::
+
+In `pages/api/auth/[...nextauth].js` find or add the `AzureAD` entries:
+
+```js
+import AzureADProvider from "next-auth/providers/azure-ad";
+
+...
+providers: [
+  AzureADProvider({
+    clientId: process.env.AZURE_AD_CLIENT_ID,
+    clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
+    tenantId: process.env.AZURE_AD_TENANT_ID,
+  }),
+]
+...
+
+```

docs/docs/reference/05-oauth-providers/battlenet.md

@@ -0,0 +1,46 @@
+---
+id: battle.net
+title: Battle.net
+---
+
+## Documentation
+
+https://develop.battle.net/documentation/guides/using-oauth
+
+## Configuration
+
+https://develop.battle.net/access/clients
+
+## Options
+
+The **Battle.net Provider** comes with a set of default options:
+
+- [Battle.net Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/battlenet.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import BattleNetProvider from "next-auth/providers/battlenet";
+...
+providers: [
+  BattleNetProvider({
+    clientId: process.env.BATTLENET_CLIENT_ID,
+    clientSecret: process.env.BATTLENET_CLIENT_SECRET,
+    issuer: process.env.BATTLENET_ISSUER
+  })
+]
+...
+```
+
+`issuer` must be one of these values, based on the [available regions](https://develop.battle.net/documentation/guides/regionality-and-apis):
+
+```ts
+type BattleNetIssuer =
+  | "https://www.battlenet.com.cn/oauth"
+  | "https://us.battle.net/oauth"
+  | "https://eu.battle.net/oauth"
+  | "https://kr.battle.net/oauth"
+  | "https://tw.battle.net/oauth"
+```

docs/docs/reference/05-oauth-providers/box.md

@@ -0,0 +1,34 @@
+---
+id: box
+title: Box
+---
+
+## Documentation
+
+https://developer.box.com/reference/
+
+## Configuration
+
+https://developer.box.com/guides/sso-identities-and-app-users/connect-okta-to-app-users/configure-box/
+
+## Options
+
+The **Box Provider** comes with a set of default options:
+
+- [Box Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/box.js)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import BoxProvider from "next-auth/providers/box";
+...
+providers: [
+  BoxProvider({
+    clientId: process.env.BOX_CLIENT_ID,
+    clientSecret: process.env.BOX_CLIENT_SECRET
+  })
+]
+...
+```

docs/docs/reference/05-oauth-providers/boxyhq-saml.md

@@ -0,0 +1,58 @@
+---
+id: boxyhq-saml
+title: BoxyHQ SAML
+---
+
+## Documentation
+
+BoxyHQ SAML is an open source service that handles the SAML login flow as an OAuth 2.0 flow, abstracting away all the complexities of the SAML protocol.
+
+You can deploy BoxyHQ SAML as a separate service or embed it into your app using our NPM library. [Check out the documentation for more details](https://boxyhq.com/docs/jackson/deploy)
+
+## Configuration
+
+SAML login requires a configuration for every tenant of yours. One common method is to use the domain for an email address to figure out which tenant they belong to. You can also use a unique tenant ID (string) from your backend for this, typically some kind of account or organization ID.
+
+Check out the [documentation](https://boxyhq.com/docs/jackson/saml-flow#2-saml-config-api) for more details.
+
+## Options
+
+The **BoxyHQ SAML Provider** comes with a set of default options:
+
+- [BoxyHQ Provider options](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers/boxyhq-saml.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```ts
+import BoxyHQSAMLProvider from "next-auth/providers/boxyhq-saml"
+...
+providers: [
+  BoxyHQSAMLProvider({
+    issuer: "http://localhost:5225",
+    clientId: "dummy", // The dummy here is necessary since we'll pass tenant and product custom attributes in the client code
+    clientSecret: "dummy", // The dummy here is necessary since we'll pass tenant and product custom attributes in the client code
+  })
+}
+...
+```
+
+On the client side you'll need to pass additional parameters `tenant` and `product` to the `signIn` function. This will allow BoxyHQL SAML to figure out the right SAML configuration and take your user to the right SAML Identity Provider to sign them in.
+
+```tsx
+import { signIn } from "next-auth/react";
+...
+
+  // Map your users's email to a tenant and product
+  const tenant = email.split("@")[1];
+  const product = 'my_awesome_product';
+...
+  <Button
+    onClick={async (event) => {
+      event.preventDefault();
+
+      signIn("boxyhq-saml", {}, { tenant, product });
+    }}>
+...
+```

docs/docs/reference/05-oauth-providers/bungie.md

@@ -0,0 +1,137 @@
+---
+id: bungie
+title: Bungie
+---
+
+## Documentation
+
+https://github.com/Bungie-net/api/wiki/OAuth-Documentation
+
+## Configuration
+
+https://www.bungie.net/en/Application
+
+## Options
+
+The **Bungie Provider** comes with a set of default options:
+
+- [Bungie Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/bungie.js)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import BungieProvider from "next-auth/providers/bungie";
+...
+providers: [
+  BungieProvider({
+    clientId: process.env.BUNGIE_CLIENT_ID,
+    clientSecret: process.env.BUNGIE_SECRET,
+    headers: {
+      "X-API-Key": process.env.BUNGIE_API_KEY
+    }
+  }),
+]
+...
+```
+
+### Configuration
+
+:::tip
+Bungie require all sites to run HTTPS (including local development instances).
+:::
+
+:::tip
+Bungie doesn't allow you to use localhost as the website URL, instead you need to use https://127.0.0.1:3000
+:::
+
+Navigate to https://www.bungie.net/en/Application and fill in the required details:
+
+- Application name
+- Application Status
+- Website
+- OAuth Client Type
+  - Confidential
+- Redirect URL
+  - https://localhost:3000/api/auth/callback/bungie
+- Scope
+  - `Access items like your Bungie.net notifications, memberships, and recent Bungie.Net forum activity.`
+- Origin Header
+
+The following guide may be helpful:
+
+- [How to setup localhost with HTTPS with a Next.js app](https://medium.com/@anMagpie/secure-your-local-development-server-with-https-next-js-81ac6b8b3d68)
+
+### Example server
+
+You will need to edit your host file and point your site at `127.0.0.1`
+
+[How to edit my host file?](https://phoenixnap.com/kb/how-to-edit-hosts-file-in-windows-mac-or-linux)
+
+On Windows (Run Powershell as administrator)
+
+```ps
+Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value "127.0.0.1`tdev.example.com" -Force
+```
+
+```
+127.0.0.1 dev.example.com
+```
+
+#### Create certificate
+
+Creating a certificate for localhost is easy with openssl. Just put the following command in the terminal. The output will be two files: localhost.key and localhost.crt.
+
+```bash
+openssl req -x509 -out localhost.crt -keyout localhost.key \
+  -newkey rsa:2048 -nodes -sha256 \
+  -subj "/CN=localhost" -extensions EXT -config <( \
+   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
+```
+
+:::tip
+**Windows**
+
+The OpenSSL executable is distributed with [Git](https://git-scm.com/download/win]9) for Windows.
+Once installed you will find the openssl.exe file in `C:/Program Files/Git/mingw64/bin` which you can add to the system PATH environment variable if it’s not already done.
+
+Add environment variable `OPENSSL_CONF=C:/Program Files/Git/mingw64/ssl/openssl.cnf`
+
+```bash
+ req -x509 -out localhost.crt -keyout localhost.key \
+  -newkey rsa:2048 -nodes -sha256 \
+  -subj "/CN=localhost"
+```
+
+:::
+
+Create directory `certificates` and place `localhost.key` and `localhost.crt`
+
+You can create a `server.js` in the root of your project and run it with `node server.js` to test Sign in with Bungie integration locally:
+
+```js
+const { createServer } = require("https")
+const { parse } = require("url")
+const next = require("next")
+const fs = require("fs")
+
+const dev = process.env.NODE_ENV !== "production"
+const app = next({ dev })
+const handle = app.getRequestHandler()
+
+const httpsOptions = {
+  key: fs.readFileSync("./certificates/localhost.key"),
+  cert: fs.readFileSync("./certificates/localhost.crt"),
+}
+
+app.prepare().then(() => {
+  createServer(httpsOptions, (req, res) => {
+    const parsedUrl = parse(req.url, true)
+    handle(req, res, parsedUrl)
+  }).listen(3000, (err) => {
+    if (err) throw err
+    console.log("> Ready on https://localhost:3000")
+  })
+})
+```

docs/docs/reference/05-oauth-providers/cognito.md

@@ -0,0 +1,49 @@
+---
+id: cognito
+title: Amazon Cognito
+---
+
+## Documentation
+
+https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
+
+## Configuration
+
+https://console.aws.amazon.com/cognito/users/
+
+You need to select your AWS region to go the the Cognito dashboard.
+
+## Options
+
+The **Amazon Cognito Provider** comes with a set of default options:
+
+- [Amazon Cognito Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/cognito.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import CognitoProvider from "next-auth/providers/cognito";
+...
+providers: [
+  CognitoProvider({
+    clientId: process.env.COGNITO_CLIENT_ID,
+    clientSecret: process.env.COGNITO_CLIENT_SECRET,
+    issuer: process.env.COGNITO_ISSUER,
+  })
+]
+...
+```
+
+:::tip
+The issuer is a URL, that looks like this: `https://cognito-idp.{region}.amazonaws.com/{PoolId}`
+:::
+
+`PoolId` is from `General Settings` in Cognito, not to be confused with the App Client ID.
+
+:::warning
+Make sure you select all the appropriate client settings or the OAuth flow will not work.
+:::
+
+![cognito](https://user-images.githubusercontent.com/7902980/83951604-cd096e80-a832-11ea-8bd2-c496ec9a16cb.PNG)

docs/docs/reference/05-oauth-providers/coinbase.md

@@ -0,0 +1,38 @@
+---
+id: coinbase
+title: Coinbase
+---
+
+## Documentation
+
+https://developers.coinbase.com/api/v2
+
+## Configuration
+
+https://www.coinbase.com/settings/api
+
+## Options
+
+The **Coinbase Provider** comes with a set of default options:
+
+- [Coinbase Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/coinbase.js)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import CoinbaseProvider from "next-auth/providers/coinbase";
+...
+providers: [
+  CoinbaseProvider({
+    clientId: process.env.COINBASE_CLIENT_ID,
+    clientSecret: process.env.COINBASE_CLIENT_SECRET
+  })
+]
+...
+```
+
+:::tip
+This Provider template has a 2 hour access token to it. A refresh token is also returned.
+:::