We are encountering intermittent HTTP 400 errors from Nginx with the message “Request Header Or Cookie Too Large” for some users when using the latest Auth0 Next.js SDK (@auth0/nextjs-auth0).
After investigation, this appears related to large session cookies generated by the SDK, as similar reports exist from other Auth0 users. We are not manually adding large cookies on our side.
Our app only uses the /auth/profile endpoint to fetch user profile information after login. We rely entirely on the SDK defaults for session and cookie handling.
The default behavior of the SDK is to have the user’s sessions stored in encrypted cookies, which indeed have a fixed size limit of 8KB that can easily be surpassed, especially by the large size of the access token.
To reduce the size of the request headers you can try removing any unnecessary cookies and headers:
- Review and reduce the number of scopes or additional claims requested for the Access Token.
- Remove any non-essential cookies being sent in the request header.
- If using a custom domain with a reverse proxy, review its configuration to prevent it from adding unnecessary cookies to the request.
Also, by design of the Next.js SDK, the ID Token, Access Token and Refresh Token will all be stored in a cookie, but you can avoid storing the access token (if you do not need it for external API calls) or the ID token by setting the AUTH0_SESSION_STORE_ID_TOKEN or the AUTH0_SESSION_STORE_ACCESS_TOKEN environment variable to false.
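Added example, not code from this thread or from the Auth0 SDK: it models what the two environment switches above leave in the stored session and estimates the resulting cookie size against the 8 KB ceiling, so you can see which token actually pushes it over before changing configuration. It assumes the encrypted cookie grows roughly as (JSON payload + a fixed overhead) × 4/3 for base64url, and all tokens are constructed samples.

```javascript
// Added example (not from the thread or the Auth0 SDK). Models the effect of
// AUTH0_SESSION_STORE_ID_TOKEN / AUTH0_SESSION_STORE_ACCESS_TOKEN on the session
// that gets encrypted into the cookie, and estimates the cookie size.
// Assumption: cookie bytes ~ (JSON payload + fixed overhead) * 4/3 (base64url).
const COOKIE_LIMIT_BYTES = 8 * 1024;  // the 8 KB ceiling cited in the answer
const CIPHERTEXT_OVERHEAD = 80;       // assumed: JWE header, IV and auth tag

// Constructed JWT-shaped sample token with a fake signature, only for realistic length.
function sampleJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT', kid: 'sample' })}.${b64(claims)}.${'x'.repeat(342)}`;
}

// Decide what ends up in the stored session, mirroring the two env switches.
function buildStoredSession(tokens, env) {
  const tokenSet = { refreshToken: tokens.refreshToken, expiresAt: tokens.expiresAt };
  if (env.AUTH0_SESSION_STORE_ID_TOKEN !== 'false') tokenSet.idToken = tokens.idToken;
  if (env.AUTH0_SESSION_STORE_ACCESS_TOKEN !== 'false') tokenSet.accessToken = tokens.accessToken;
  return { user: tokens.user, tokenSet };
}

function estimateCookieBytes(session) {
  const plaintext = Buffer.byteLength(JSON.stringify(session), 'utf8');
  return Math.ceil(((plaintext + CIPHERTEXT_OVERHEAD) * 4) / 3);
}

// Returns the estimated size and whether it would exceed the 8 KB limit.
function checkSessionSize(tokens, env) {
  const bytes = estimateCookieBytes(buildStoredSession(tokens, env));
  return { bytes, overLimit: bytes > COOKIE_LIMIT_BYTES };
}

// Constructed sample: a small ID token and an access token bloated by many permissions.
const user = { sub: 'auth0|sample-user', name: 'Sample User', email: 'sample@example.com' };
const SAMPLE_TOKENS = {
  user,
  idToken: sampleJwt({ iss: 'https://example.auth0.com/', aud: 'client', ...user }),
  accessToken: sampleJwt({
    iss: 'https://example.auth0.com/', aud: 'https://api.example.com', sub: user.sub,
    permissions: Array.from({ length: 240 }, (_, i) => `read:resource-${String(i).padStart(3, '0')}`),
  }),
  refreshToken: `v1.${'r'.repeat(200)}`,
  expiresAt: 1700000000,
};

// Compare defaults, dropping only the ID token, and dropping only the access token.
for (const env of [{}, { AUTH0_SESSION_STORE_ID_TOKEN: 'false' }, { AUTH0_SESSION_STORE_ACCESS_TOKEN: 'false' }]) {
  console.log(JSON.stringify(env), checkSessionSize(SAMPLE_TOKENS, env));
}
```

With this sample, dropping the ID token alone still leaves the cookie over the limit, while dropping the access token brings it well under, which matches the answer's point that the access token is the usual driver.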