Nextjs 15 auth v5: How to do REST login

[moltco]

I have a nextjs 15 project with api router and auth v5 beta 25 and I am struggling a little with the REST endpoints.

So far, I have setup login page (/login) with email and password and a couple of providers although I use 'credentials' for now. Everything works well if I want to login via the web page.

I wanted to use credentials provider to allow 'devices' to log-on by providing email/password to the same mechanism as the users. The hope was that I could call /api/auth/login and get session/token so I can use this with REST calls from the 'device' client.

So I have setup /api/[...nextauth] as per the guide but when I try to do POST to endpoints I get errors. My router.ts in [...nextauth] is completely vanilla ie

import { handlers } from "@/auth" 
export const { GET, POST } = handlers

I also have

session: {
  strategy: "jwt",
},
callbacks:[
...
    async jwt({ token, user }) {
            if (user) {
                token.orgId = user.orgId;
                token.role = user.role;
            }
            return token;
        },

I want to spare you reading thousands of lines of config files as I feel I may be doing something fundamentally bad. Happy to share configs etc if you feel I am calling endpoints correctly and seeing configs would be useful.

What I tried doing is:

1. POST json body {email: "[email protected]", password: "plain text"} to /api/auth/login - I get error [auth][error] UnknownAction: Cannot parse action at /api/auth/login. Read more at https://errors.authjs.dev#unknownaction

2. GET /api/auth/csrf - this works and I get csrf

3. I tried POST to /api/auth/signin - but this returns web page with error "missing CSRF" which I guess is not the endpoint I am looking for

4. I have successfully created 'protected' /api/something routes that can pick up if the user has logged on via the web browser

Do I need to create a custom action for REST login or am I not calling the endpoints correctly or something else??

[Aman3899]

Why is /api/auth/login not working?

The error UnknownAction: Cannot parse action at /api/auth/login occurs because NextAuth does not expose a /api/auth/login endpoint. Instead, you need to send a POST request to /api/auth/callback/credentials.

---

Steps to Implement REST Login with Credentials Provider

1. Update auth.ts Configuration

Ensure your auth.ts is set up correctly for credentials-based authentication:

import NextAuth from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";

export const authOptions = {
  providers: [
    CredentialsProvider({
      name: "Credentials",
      credentials: {
        email: { label: "Email", type: "text", placeholder: "[email protected]" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials, req) {
        // Replace this with your own authentication logic
        const res = await fetch("https://your-api.com/auth", {
          method: "POST",
          body: JSON.stringify(credentials),
          headers: { "Content-Type": "application/json" },
        });

        const user = await res.json();
        if (res.ok && user) {
          return user; // Must return an object with `id` or `email`
        }
        return null;
      },
    }),
  ],
  session: {
    strategy: "jwt",
  },
  callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.orgId = user.orgId;
        token.role = user.role;
      }
      return token;
    },
    async session({ session, token }) {
      session.user.orgId = token.orgId;
      session.user.role = token.role;
      return session;
    },
  },
  pages: {
    signIn: "/login", // Redirect login failures here
  },
};

export default NextAuth(authOptions);

---

2. Make the REST API Call

Instead of calling /api/auth/login, use:

POST to /api/auth/callback/credentials

curl -X POST "http://localhost:3000/api/auth/callback/credentials" \
     -H "Content-Type: application/json" \
     -d '{"email": "[email protected]", "password": "yourpassword"}' \
     -c cookies.txt

OR in JavaScript (fetch request):

const response = await fetch("/api/auth/callback/credentials", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ email: "[email protected]", password: "yourpassword" }),
  credentials: "include", // Important for handling sessions
});
const data = await response.json();
console.log(data);

---

3. Handling CSRF Errors

NextAuth enforces CSRF protection on login requests. To get the CSRF token:

GET /api/auth/csrf

curl -X GET "http://localhost:3000/api/auth/csrf"

Then, include the csrfToken in the login request:

const csrfRes = await fetch("/api/auth/csrf");
const { csrfToken } = await csrfRes.json();

const loginRes = await fetch("/api/auth/callback/credentials", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    email: "[email protected]",
    password: "yourpassword",
    csrfToken, // Include the CSRF token
  }),
  credentials: "include",
});

[moltco]

Thanks - this helpful as the official documentation is lacking. My code is pretty much the same as the one you kindly shared, aside probably from the login form.

My expectation was that if I use /api endpoint that I could get a JWT token that I can use later to perform more /api calls.

The issue for me - when running this code (pretty similar/same as mine) - when calling endpoint /api/auth/callback/credentials I get the following:

1. The user is not logged on, I get HTML of the (custom) login page instead
2. I expect to get a JWT token from /api endpoint not a login page or cookies.

I have a custom / very basic login page with inputs for email and password and not much else. So instead of posting json I tried posting x-www-form-urlencoded params and this at least logs the user in, but I still get a HTML page back not token.

My expectation is when calling /api that I should get a JWT token. Should I try somehow in the login page to figure out if the caller is using /api route and then issue token or to pass token somehow in HTML? I don't know how would I access Next-Auth's JWT token for the session even if I was to do that... also, how would I then consume that token? Should I use Bearer token or something else?

What is the correct pattern with next-auth so I can have HTML login page for humans and /api endpoint for software clients that understand JWT/REST?

[surbhi-dot-dev]

Hi,
Thanks for this great project!

I’m facing the same issue as mentioned above. I need the login system to work with a React Native (or any cookie-less) environment, but when I send the login request via cURL (POST to /api/auth/callback/credentials), it returns the HTML of the login page instead of the expected response (JWT token which client can store and pass in subsequent requests).

Is there a solution for this?

[jamescoletti]

You need to make sure you are getting a CSRF token string (csrfToken) and CSRF cookie (authjs.csrf-token) first, and then passing both of these to the credentials endpoint, along with the login credentials. Something like this should demonstrate the flow:

Make CSRF request to get token and save cookie:

csrf_request=$(curl -s -c next_cookies.txt http://localhost:3000/api/auth/csrf)

Get the token string from the returned csrfToken JSON object key:

CSRF_TOKEN=$(echo "$csrf_request" | jq -r .csrfToken)

Log in with CSRF token string, CSRF cookie, and credentials to get session token cookie (authjs.session-token):

curl -s -b next_cookies.txt -c next_cookies.txt \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode "[email protected]" \
  --data-urlencode "password=yoursecretpassword" \
  --data-urlencode "csrfToken=$CSRF_TOKEN" \
  http://localhost:3000/api/auth/callback/credentials

Get current session info using session token cookie:

curl -b next_cookies.txt http://localhost:3000/api/auth/session