AUTH_SECRET vs NEXTAUTH_SECRET
Auth.js v5 renamed the environment variable from NEXTAUTH_SECRET to AUTH_SECRET. If you are starting a new project today, use AUTH_SECRET. If you are on next-auth@4, use NEXTAUTH_SECRET. Both require the same thing: a random, high-entropy string kept secret on the server.
What does the secret actually do?
Auth.js uses the secret to sign and verify JWTs (session tokens), to encrypt cookies, and to derive CSRF tokens. The minimum safe length is 32 bytes (256 bits), encoded as base64. This matches what openssl rand -base64 32 produces and what npx auth secret generates.
How to add it to your project
- Copy the generated value and paste it into your
.env.local:AUTH_SECRET=<paste here> - Add it to your hosting provider (Vercel, Railway, Fly.io) under production environment variables — never check it into git.
- Add the key with a blank value to
.env.example:AUTH_SECRET=
Rotating the secret
Rotate if you suspect the secret was exposed. When you rotate, all existing sessions immediately invalidate — users are logged out. Auth.js v5 supports an array value for graceful rotation (new secret first, old secret still accepted). Deploy atomically — never mix old and new secrets across instances.