Editorial take
Why it stands out
Rotate NEXTAUTH_SECRET (or equivalent) on schedule—session forgery is an app bug, not Auth.js’s invoice.
Tool profile
Open-source auth library for JavaScript apps with OAuth, email, and credentials support.
Next.js products that need custom-branded auth without Clerk
Open-source authentication for Next.js and other frameworks: OAuth providers, credentials, sessions, and adapters you host yourself.
Auth.js (successor to NextAuth.js) ships under a permissive ISC-style open-source license on published packages—no per-user license fee. Costs are entirely operational: Postgres or another session store, secrets management, email (Resend, SES, etc.), and OAuth app quotas from Google, GitHub, or enterprise IdPs.
Compare Clerk when you need hosted UI and compliance packaging tomorrow; compare Lucia when you want a lighter session primitive you compose yourself.
Pricing snapshot
Auth.js is open-source and free to use. The license cost is $0, and actual spend comes from your hosting, database, email provider, OAuth providers, and any supporting auth infrastructure you choose to run alongside it.
Casbin
Free plan
Application authorization and policy enforcement
Open-source authorization library for ACL, RBAC, ABAC, ReBAC, and other access-control models across many programming languages.
Choose Casbin when embedded authorization logic and policy flexibility matter more than hosted admin UX.