Auth0 getAccessToken() and getSession() Not Working in Next.js 15 App Router (Server & Client Components)

I’m having persistent issues integrating @auth0/nextjs-auth0 (v4.4.2) with a Next.js 15 project (using the App Router). The main problem:

  • Calling getAccessToken() or getSession() in API routes, server actions, or server components throws:

TypeError: Failed to parse URL from /auth/access-token

  • The same error occurs when attempting to use these methods in client components (via fetch to an API route).
  • Auth0 setup (provider, env vars, etc.) appears correct and authentication redirects work, but retrieving the access token/session on the server side is broken.
  • Wrapping components in <Suspense> or using the recommended UserProvider does not help.
  • I am using Turbopack (next dev --turbopack), but the problem persists even without it.
  • Installing the suggested peer dependency @edge-runtime/cookies does not resolve the issue.

What I’ve tried:

  • Creating a dedicated API route to call and log getAccessToken().
  • Using both server and client components to fetch the access token/session.
  • Ensuring correct Auth0 configuration and session setup.

Versions:

  • next: 15.3.0
  • @auth0/nextjs-auth0: 4.4.2

Request:
Is there a known compatibility issue between Auth0’s SDK and Next.js 15 App Router? Are there any workarounds or recommended approaches to retrieve the access token/session in this setup? Any help or guidance would be appreciated!


Let me know if you want to add more details or clarify anything further!

NOTE: All other features (Login/Signup/Signout and profile ) work fine just the route:
/auth/access-token does not in Nextjs App router.

Hi @nithinsriharir,

Welcome to the Auth0 Community!

Make sure you’ve set up the SDK correctly by checking our quickstart guide:

Let us know if this fixes your issue.

Also could you provide the snippet of code where the error occurs?

Have a good one,
Vlad

Yes, I’ve followed the guide. All other pre-defined endpoints work fine except /auth/access-token
Here are the .env vars saved:

AUTH0_SECRET={SECRET}
APP_BASE_URL=http://localhost:3000
AUTH0_DOMAIN=dev-rmhdvcklahazorlu.us.auth0.com
AUTH0_CLIENT_ID={CLIENT_ID}
AUTH0_CLIENT_SECRET={CLIENT_SECRET}
AUTH0_AUDIENCE=https://api.qhsse.com
AUTH0_SCOPE=openid profile email

Here is my code snippet from lib/auth0-token.ts

import { auth0 } from "./auth0";

export async function fetchAccesstoken() {
  try {
    const session = await auth0.getSession();
    if (!session) {
      throw new Error("Not authenticated");
    }
    const { token: accessToken } = await auth0.getAccessToken();
    return { accessToken };
  } catch (error: any) {
    return { error: error.message, status: error.status || 500 };
  }
}

Calling this const accessToken = await fetchAccesstoken(); console.log('sample',accessToken)

Always returns a JWE token, It seems, I’m not allowed to pass the AUTH0_AUDIENCE param when calling getAccessToken in ver.4.x + of next.auth0

I’ve also tried the same by cloning the provided example project:

and applying my .env variables but this also still results the same issue.

Am I missing something here? perhaps in the auth0.dashboard?
I’ve also authorised the app from the API settings (machine to machine applications) and also ensured that the option to pass JWE Encrypting the signed access_token issued for this API is ‘Disabled’

But its still passing a JWE token instead of a JWT. (Which is not possible for me to handle in the Backend)

Hi @nithinsriharir,

Thank you for this info.

Looking further into it I found a great post that seems to address this issue:

Let us know if this solves your issue.

Have a good one,
Vlad

Hi @vlad.murarasu ,

I looked into the same forum post earlier.
The newer version of “@auth0/nextjs-auth0”: “4.2.2” supports app router for Next.js.
The solution you referenced fixes the issue where an opaque access token is returned because the right audience or scope was not passed in as parameters (which works for pages router). However, for Next.js app router (or at least the newer version 4.x+), it does not allow passing the audience or scope env directly to auth0.getAccessToken().

Which likely causes the issue. I’ve also noted that in the latest versions of
@auth0/nextjs-auth0 (v4+), the SDK expects the audience and scope to be set globally during Auth0 client initialization, not per-request as in earlier versions.

i.e as per the example shown in the GitHub - auth0-samples/auth0-nextjs-samples: Auth0 Integration Samples for Next.js Applications

import { Auth0Client } from "@auth0/nextjs-auth0/server";

// Initialize the Auth0 client 
export const auth0 = new Auth0Client({
  // Options are loaded from environment variables by default
  // Ensure necessary environment variables are properly set
  // domain: process.env.AUTH0_DOMAIN,
  // clientId: process.env.AUTH0_CLIENT_ID,
  // clientSecret: process.env.AUTH0_CLIENT_SECRET,
  // appBaseUrl: process.env.APP_BASE_URL,
  // secret: process.env.AUTH0_SECRET,
  authorizationParameters: {
    // In v4, the AUTH0_SCOPE and AUTH0_AUDIENCE environment variables are no longer automatically picked up by the SDK.
    // Instead, we need to provide the values explicitly.
    scope: process.env.AUTH0_SCOPE,
    audience: process.env.AUTH0_AUDIENCE,
  }
});

Not sure how to proceed from here..
Please let me know if you want me to add more details or clarify anything further!

Hello,

Has any advancements been made on this issue ?