NextAuth Secret Generator
Generate a cryptographically strong AUTH_SECRET or NEXTAUTH_SECRET for your Next.js app. Uses crypto.getRandomValues — nothing leaves your browser.
Output as: AUTH_SECRET= / NEXTAUTH_SECRET= / JWT_SECRET=. Equivalent command-line generators: npx auth secret, openssl rand -base64 32.

AUTH_SECRET vs NEXTAUTH_SECRET
Auth.js v5 (the successor to NextAuth v4) renamed the environment variable from NEXTAUTH_SECRET to AUTH_SECRET. If you are starting a new project today, use AUTH_SECRET. If you are on next-auth@4, use NEXTAUTH_SECRET. Both require the same thing: a random, high-entropy string kept secret on the server.
What does the secret actually do?
Auth.js uses the secret to protect the session cookie. With the default JWT session strategy the session token is an encrypted JWT (a JWE) whose key is derived from the secret, and the CSRF cookie carries a hash of the CSRF token and the secret. If the secret leaks, anyone holding it can mint a session token for any user and impersonate them. If the secret changes without a rollover, every existing JWT session becomes unreadable and all users are logged out at once (sessions stored with the database strategy are not affected, since their tokens live server-side).
The minimum safe length is 32 bytes (256 bits) of randomness from a CSPRNG, which base64 encodes to 44 characters. That is exactly what openssl rand -base64 32 produces and what npx auth secret generates; a shorter or human-chosen value is not a substitute.
How to add it to your project
- Copy the generated value above and paste it into your .env.local as AUTH_SECRET=<paste here>
- Add it to your hosting provider (Vercel, Railway, Fly.io) under the production environment variables; never check it into git.
- If you use a .env.example file, add the key with a blank value (AUTH_SECRET=) so teammates know it is required.
Rotating the secret
Rotate AUTH_SECRET if you suspect it was exposed (committed to git, logged, shared in Slack). When you rotate:
- All existing JWT sessions invalidate immediately and users are logged out, unless you roll over as described below
- Update the variable in every environment (preview, staging, production)
- Deploy atomically: in a rolling deploy, instances still running the old secret cannot read tokens issued by instances running the new one, so requests fail depending on which instance they reach
Auth.js v5 accepts an array of secrets for graceful rotation: the first entry is used to issue new tokens, and the older entries are still accepted when reading existing ones during the rollover. See the Auth.js deployment docs for how to supply them.
Related tools
- Secret Generator: JWT secrets, API keys, session tokens, and passwords for any stack
- Next.js .env Generator: full .env scaffold for a Next.js project including AUTH_SECRET
- ENV Leak Checker: scan your .env to make sure secrets are not accidentally exposed