Production-ready authentication starter for Next.js — JWT, email verification, password reset, account dashboard
A concise look at the project, its purpose, and its value.
Next Auth Kit is a complete authentication starter for Next.js 15 applications. It includes JWT-based authentication with automatic token refresh, email verification flows, password reset, and a full account dashboard — so developers never have to build auth from scratch again.
Next.js developers who need a production-quality authentication system without spending weeks implementing and testing JWT, email flows, and account management.
A complete, tested authentication system that can be integrated into any Next.js project in minutes. Includes all the edge cases that take weeks to get right: token refresh, email verification, password reset, session management, and account settings.
Auth is the most repetitive and security-critical part of every SaaS application. I built this kit after implementing authentication for multiple projects and realizing the same patterns could be packaged into a reusable starter.
Building authentication from scratch requires handling: secure password storage, JWT generation and verification, token refresh with rotation, email verification to prevent fake accounts, password reset flows, rate limiting to prevent brute force, and session management. Getting any of these wrong creates security vulnerabilities. Using NextAuth.js works for some cases but doesn't cover custom JWT strategies or account management dashboards.
The impact: Developers spend 1-2 weeks building and testing auth for every project. Common mistakes like missing refresh token rotation or weak password validation create security holes. Many projects launch without email verification or password reset because they're too complex to implement properly.
Next Auth Kit provides a drop-in authentication system with Next.js 15 App Router. It uses JWT with access/refresh token pattern, bcryptjs for password hashing, MongoDB for session storage, and React Email for beautiful email templates. The kit includes middleware for route protection, API routes for auth endpoints, and a complete account dashboard UI.
What this project can do
Access/refresh token pattern with automatic rotation. Short-lived access tokens (15 minutes) limit the window in which a stolen token is useful.
Email verification flow with unique verification tokens. Expiring tokens with automatic cleanup.
Forgot password flow with email-based reset links. Secure token storage with one-time use enforcement.
Automatic access token refresh when expired. Refresh tokens rotate on each use. No user-visible interruptions.
Full account management page — profile editing, password change, email preferences, session management.
Strong password requirements with real-time validation feedback. Common password blacklist.
Update name, email, avatar, and account preferences. Change password with current password verification.
All auth pages (login, register, forgot password, reset password, verify email) are fully responsive and accessible.
How the system is designed and how components interact
Next Auth Kit uses Next.js 15 App Router with a hybrid architecture. Auth API endpoints use Route Handlers, form submissions use Server Actions, and route protection uses Middleware. JWT tokens are stored in HttpOnly cookies. Email templates use React Email with Resend for delivery. MongoDB stores user profiles, hashed passwords, and verification tokens.
Visual overview of system design, data flow, and key processes
Complete registration sequence from signup through email verification to authenticated session.
Sequence showing access token refresh flow and protected route access.
The technologies used to build this project
The hard problems that needed solving
How the system is designed for speed and scale
Route protection runs at the Next.js middleware level, not in React components. This means protected routes redirect before any page JavaScript loads.
Access tokens are verified without database lookups. Only refresh token operations require database access, minimizing latency for the most common auth path.
Account dashboard uses optimistic updates for profile changes — the UI updates immediately while the server request completes in the background.
How the system is protected
Access tokens valid for 15 minutes. Refresh tokens rotate on each use — old refresh tokens are invalidated immediately.
Passwords hashed with bcryptjs (12 salt rounds). Common password blacklist prevents weak passwords. Minimum complexity requirements enforced.
Login, registration, and password reset endpoints are rate-limited per IP address, which blunts brute-force and account-enumeration attempts.
All mutation endpoints include CSRF tokens. Next.js Server Actions have built-in CSRF protection.
All auth inputs validated with Zod schemas. Email format, password strength, and token format checked before processing.
JWTs are stored in HttpOnly, Secure, SameSite=Strict cookies. Page JavaScript cannot read them, so an XSS bug cannot exfiltrate the token.
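The per-IP rate limiting described above, as an added example that is not code from Next Auth Kit. It uses a sliding window per (endpoint, address) pair; the limits and window lengths are assumed values, since the page gives none, and the `clientIp` helper and its `trustProxy` flag are this example's own.

```typescript
// Per-IP sliding-window limiter for the auth endpoints. Limits are assumed
// values chosen for this example; the page states only that these endpoints
// are rate-limited per IP.
const LIMITS = {
  login: { max: 5, windowMs: 15 * 60_000 },
  register: { max: 3, windowMs: 60 * 60_000 },
  "reset-password": { max: 3, windowMs: 60 * 60_000 },
} as const;

type Endpoint = keyof typeof LIMITS;

// key "<endpoint>|<ip>" -> timestamps of requests still inside the window.
// In-memory for the example; a multi-instance deployment would keep this in
// a shared store such as Redis or the MongoDB the kit already uses.
const hits = new Map<string, number[]>();

type Decision =
  | { allowed: true; remaining: number }
  | { allowed: false; retryAfterMs: number };

function checkRateLimit(endpoint: Endpoint, ip: string, now = Date.now()): Decision {
  const { max, windowMs } = LIMITS[endpoint];
  const key = `${endpoint}|${ip}`;
  const recent = (hits.get(key) ?? []).filter((t) => now - t < windowMs);
  if (recent.length >= max) {
    hits.set(key, recent);
    // The window slides, so the client may retry once the oldest hit ages out.
    return { allowed: false, retryAfterMs: Math.min(...recent) + windowMs - now };
  }
  recent.push(now);
  hits.set(key, recent);
  return { allowed: true, remaining: max - recent.length };
}

// Resolve the client address. A reverse proxy appends the address it saw to
// the right end of X-Forwarded-For; everything to the left arrives from the
// client and can be forged. With one trusted proxy in front of the app, take
// the rightmost entry; without a trusted proxy, use the socket address.
function clientIp(
  headers: Record<string, string | undefined>,
  trustProxy: boolean,
  socketAddr: string,
): string {
  if (!trustProxy) return socketAddr;
  const xff = headers["x-forwarded-for"];
  if (!xff) return socketAddr;
  const hops = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  return hops.length > 0 ? (hops[hops.length - 1] as string) : socketAddr;
}
```

A Route Handler would call `checkRateLimit("login", clientIp(...))` before touching the database and answer a denied request with HTTP 429 and a `Retry-After` header derived from `retryAfterMs`; counting every attempt, not only failures, is what stops enumeration through the registration and reset endpoints.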
What I learned building this project and what I'd do differently
Security vulnerabilities in authentication are catastrophic. Every edge case — token expiration race conditions, refresh token reuse detection, timing-safe comparisons — must be handled correctly. There is no room for 'we'll fix it later' in auth.
Next.js middleware runs on the Edge Runtime, which has limited Node.js API access. Database calls for user data can't happen in middleware. I had to design the auth flow to work with just cookie verification at the middleware level and defer database lookups to the page level.
Using Resend with React Email improved deliverability significantly compared to SMTP. But email still fails sometimes — verification emails land in spam, resets get delayed. The system needs to handle these gracefully with user-friendly error messages and retry options.
I'd add OAuth provider support (Google, GitHub), multi-factor authentication (TOTP), WebAuthn/passkey support, and an admin panel for user management.
I build production-ready auth systems. Let's discuss your authentication requirements.