The error “cookies was called outside a request scope” in your Next.js middleware occurs because auth0.getSession() needs the request context to be properly set up, which is typically done by auth0.middleware(request). When you commented out return authRes; for the root path (/), the execution continued past auth0.middleware(request) without its intended return, leading to getSession() being called in an invalid state. To protect all routes, including /, you should always call auth0.middleware(request) first and then return its result immediately if the path starts with /auth. For all other paths, proceed to check auth0.getSession() and redirect if no session exists, otherwise let the request proceed.