SDKs
Next.js SDK
Middleware and helpers for Next.js applications.
The Next.js SDK wires App Router applications through one server-side middleware path.
Recommended path
Let the CLI generate this setup first. Manual setup is useful when reviewing or adapting the generated files.
Install
pnpm add @zitadel/sdk-nextnpm install @zitadel/sdk-nextyarn add @zitadel/sdk-nextSetup
The CLI adds the SDK package, creates auth routes, writes a profile page, and installs middleware that runs nextgenMiddleware.
app/login/page.tsx
app/register/page.tsx
app/profile/page.tsx
middleware.ts
package.json
Create src/proxy.ts at the root of your Next.js app and call the middleware:
import { nextgenMiddleware } from "@zitadel/sdk-next/middleware";
import type { NextRequest } from "next/server";
export function proxy(req: NextRequest) {
return nextgenMiddleware(req, {
url: process.env.ZITADEL_URL,
protectedRoutes: ["/profile"],
loginPath: "/login",
});
}
export const config = {
matcher: ["/__nextgen/:path*", "/profile", "/login"],
};Runtime model
Proxy
/__nextgen/* requests to the Zitadel backend.Verify the session JWT via JWKS using Web Crypto.
Redirect unauthenticated users from protected routes to
loginPath.Usage
Read auth state in a server component:
import { auth } from "@zitadel/sdk-next";
export default async function Page() {
const session = await auth();
if (!session.isAuthenticated) return <p>Not signed in</p>;
return <p>Hello {session.session.email}</p>;
}Verify
- Start the app with the generated environment.
- Visit
/loginand register a user. - Confirm
/profileis reachable after login. - Log out and confirm
/profileredirects back to/login.
See also
- SDK proxy — why
/__nextgen/*must be same-origin and how the project key is attached. apps/demo-next— a runnable Next.js example in this repo.@zitadel/sdk-nextsource and the CLI Next.js patcher.