Guide
Quick answer
To add authentication to a Next.js App Router app, use a provider like Supabase Auth: handle sign-up and login, store the session in cookies for SSR, refresh it in middleware, protect routes server-side, and enforce Row Level Security in the database. A starter kit ships this already wired.
Auth done wrong is a security risk; auth done right is mostly boilerplate. Here's the modern, SSR-friendly path.
Supabase Auth, Auth.js or Clerk are common in 2026. Supabase pairs auth with a Postgres database and Row Level Security.
Add forms and server actions for email/password (and OAuth if needed). Create a profile row on sign-up with a database trigger.
Use cookie-based sessions so server components and the middleware can read the user. With Supabase, the @supabase/ssr helpers handle this.
Add middleware that refreshes the session on each request and redirects unauthenticated users away from protected routes.
Turn on Row Level Security and write policies so users can only read and write their own rows — the real security boundary, not the UI.
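The database side of these steps, as an added example that is not from the original guide: a profile row created by a sign-up trigger, with Row Level Security restricting each user to their own row. The table `public.profiles`, its columns, the function `handle_new_user`, the policy and trigger names, and the `display_name` metadata key are assumptions; `auth.users` and `auth.uid()` are provided by Supabase.

```sql
-- Added example. public.profiles, handle_new_user, the policy/trigger names and the
-- display_name metadata key are assumptions; auth.users and auth.uid() are Supabase's.
create table public.profiles (
  id uuid primary key references auth.users (id) on delete cascade,
  display_name text,
  created_at timestamptz not null default now()
);

-- With RLS enabled and no matching policy, a role gets no rows (default deny).
alter table public.profiles enable row level security;

-- A signed-in user can read only the row whose id is their own user id.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using ((select auth.uid()) = id);

-- USING limits which rows can be updated; WITH CHECK rejects an update
-- that would reassign the row to a different user id.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

-- No insert or delete policy on purpose: rows are created by the trigger
-- below and removed by the ON DELETE CASCADE on auth.users.

-- SECURITY DEFINER runs the insert as the function owner (assumed to own
-- public.profiles, so RLS does not block it). The empty search_path forces
-- schema-qualified names inside the function body.
create function public.handle_new_user()
returns trigger
language plpgsql
security definer
set search_path = ''
as $$
begin
  -- raw_user_meta_data is supplied by the client at sign-up: treat it as
  -- untrusted display data and never derive roles or permissions from it.
  insert into public.profiles (id, display_name)
  values (new.id, new.raw_user_meta_data ->> 'display_name');
  return new;
end;
$$;

create trigger on_auth_user_created
  after insert on auth.users
  for each row execute function public.handle_new_user();
```

To check the policies, query `public.profiles` as two different signed-in users and confirm each sees exactly one row, and that an unauthenticated request sees none.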
Use cookie-based sessions so server components and middleware can read the user, refresh the session in middleware, protect routes server-side, and enforce Row Level Security in the database. Supabase Auth with the @supabase/ssr helpers is a common, well-supported choice.