Next.js Edge Runtime build warning: Auth0 loads Node crypto via @auth0/nextjs-auth0 when used in middleware

I’m getting this warning during next build:

./node_modules/@auth0/nextjs-auth0/dist/utils/dpopUtils.js
A Node.js module is loaded ('crypto' at line 1) which is not supported in the Edge Runtime.
Learn More: https://nextjs.org/docs/messages/node-module-in-edge-runtime

Import trace for requested module:
./node_modules/@auth0/nextjs-auth0/dist/utils/dpopUtils.js
./node_modules/@auth0/nextjs-auth0/dist/server/client.js
./node_modules/@auth0/nextjs-auth0/dist/server/index.js
./lib/auth0.ts

Setup:

  • "next": "15.3.8"

  • "@auth0/nextjs-auth0": "^4.14.0"

My middleware.ts file:

import type { NextRequest } from "next/server";

import { auth0 } from "./lib/auth0"; // Adjust path if your auth0 client is elsewhere

export async function middleware(request: NextRequest) {
  return await auth0.middleware(request);
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico, sitemap.xml, robots.txt (metadata files)
     */
    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)"
  ]
};

This is the recommended pattern from the docs.
But during build, my guess is Auth0 internally pulls in Node’s crypto, which Edge doesn’t support.

This started only after upgrading from Auth0 v3 to v4.
v4 introduced using Auth0 in middleware.ts, which runs on the Edge Runtime.

Edge Runtime doesn’t support Node crypto, so Next warns — even though:

  • next dev works

  • next build && next start works

  • App behavior is correct at runtime

So:

  • Is @auth0/nextjs-auth0 v4 actually Edge-safe?

  • Or is this a known limitation where middleware works but still bundles Node-only code?

  • Is there a recommended way to avoid this warning when using Auth0 in middleware?

Hi @ReetamBG

Welcome to the Auth0 Community!

Is @auth0/nextjs-auth0 v4 actually Edge-safe?

Yes, NextJS v4 is compatible with Edge Runtime and it is safe to run.

Or is this a known limitation where middleware works but still bundles Node-only code?

Basically, no. This issue is caused by a dependency chain where if Edge Runtime is being used, it ignores the standard Node crypto module and uses the standard Web Crypto API. The behaviour you have described above would be expected regarding the matter.

Is there a recommended way to avoid this warning when using Auth0 in middleware?

You can safely ignore this error or you can suppress the warning via NextConfig. It should look something like this:

import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  webpack: (config, { isServer, nextRuntime }) => {
    // Only target the Edge runtime
    if (nextRuntime === 'edge') {
      config.resolve.fallback = {
        ...config.resolve.fallback,
        // Tell Webpack to replace 'crypto' with an empty object in the Edge bundle
        crypto: false, 
        stream: false, // Sometimes 'stream' is also flagged
      };
    }
    return config;
  },
};

export default nextConfig;

If you have any other questions, let me know!

Kind Regards,
Nik
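
An added example, not part of the thread and not Auth0's or Next.js's own code: a build step can parse the `next build` output and accept only the reviewed case from this page, so a different Node-only module reaching the Edge bundle still gets noticed. The function names and the "package:module" allow-list format are assumptions; the sample output is the warning quoted in the question.

```javascript
// Constructed sample: the warning text from the question above, as printed by `next build`.
const SAMPLE_BUILD_OUTPUT = `
./node_modules/@auth0/nextjs-auth0/dist/utils/dpopUtils.js
A Node.js module is loaded ('crypto' at line 1) which is not supported in the Edge Runtime.
Learn More: https://nextjs.org/docs/messages/node-module-in-edge-runtime

Import trace for requested module:
./node_modules/@auth0/nextjs-auth0/dist/utils/dpopUtils.js
./node_modules/@auth0/nextjs-auth0/dist/server/client.js
./node_modules/@auth0/nextjs-auth0/dist/server/index.js
./lib/auth0.ts
`;

const WARNING_RE = /^A Node\.js module is loaded \('([^']+)' at line (\d+)\) which is not supported in the Edge Runtime\.$/;
const TRACE_HEADER = "Import trace for requested module:";

// Parse every "Node.js module in Edge Runtime" warning out of the build output.
function parseEdgeWarnings(output) {
  const lines = output.split(/\r?\n/).map((l) => l.trim());
  const warnings = [];
  for (let i = 0; i < lines.length; i++) {
    const m = WARNING_RE.exec(lines[i]);
    if (!m) continue;
    const w = { module: m[1], line: Number(m[2]), file: lines[i - 1] || null, trace: [] };
    // Collect this warning's import trace; stop looking once the next warning starts.
    for (let j = i + 1; j < lines.length && !WARNING_RE.test(lines[j]); j++) {
      if (lines[j] !== TRACE_HEADER) continue;
      for (j++; j < lines.length && lines[j].startsWith("./"); j++) w.trace.push(lines[j]);
      break;
    }
    // Package that loads the module, and the first application file that pulls it in.
    const pkg = /^\.\/node_modules\/((?:@[^\/]+\/)?[^\/]+)\//.exec(w.file || "");
    w.package = pkg ? pkg[1] : null;
    w.entry = w.trace.find((p) => !p.startsWith("./node_modules/")) || null;
    warnings.push(w);
  }
  return warnings;
}

// Warnings not covered by the reviewed allow-list of "package:module" pairs.
function unexpectedEdgeWarnings(output, allowList) {
  return parseEdgeWarnings(output).filter((w) => !allowList.has(`${w.package}:${w.module}`));
}

// Reviewed exception for this project (assumption: only this pair has been checked).
const ALLOWED = new Set(["@auth0/nextjs-auth0:crypto"]);
```

A CI job would pipe the captured build log into `unexpectedEdgeWarnings` and fail when the result is non-empty.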