Unresolvable Silent Crash with handleAuth on Vercel (Next.js App Router)

Hello Auth0 Community,

I’m hoping to share a challenging debugging journey and its solution for an issue with @auth0/nextjs-auth0 on Vercel with the Next.js App Router.

Core Framework & Auth Libraries:

  • Next.js: ^14.2.15
  • React: ^18.3.1
  • @auth0/nextjs-auth0: ^3.5.0
  • jsonwebtoken: ^9.0.2
  • @types/jsonwebtoken: ^9.0.10

Database & API Libraries:

  • @supabase/supabase-js: ^2.47.10
  • @supabase/ssr: ^0.5.2

The Initial Problem

My application worked perfectly on localhost. However, when deployed to production on Vercel, the login flow would fail silently.

  1. A user would access a protected page (e.g., /dashboard).
  2. Our middleware would correctly detect no session and issue a 307 redirect to /api/auth/login.
  3. The browser’s URL would change, but the request would hang. The page never redirected to the Auth0 Universal Login.
  4. There were no errors in the browser console, no crash logs in the Vercel function, and no log entries at all in our Auth0 Dashboard. This proved the crash was happening entirely within the Vercel function before it could ever contact Auth0.

The Debugging Journey: What We Ruled Out

We exhaustively checked every common cause of this issue:

  • All Environment Variables (AUTH0_SECRET, AUTH0_BASE_URL, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_ISSUER_BASE_URL, AUTH0_AUDIENCE) were confirmed to be present and correct in the Vercel production environment.
  • All Auth0 Application URLs (Allowed Callback URLs, Allowed Logout URLs, Allowed Web Origins) were confirmed to be correct.
  • The Application Login URI was correctly left blank.
  • Middleware matcher Configuration: We found and fixed a secondary issue where our matcher was incorrectly running on /api routes, causing a loop. Fixing this did not solve the original silent crash.

The Core Issue: The SDK Handlers were Failing

To isolate the issue, we were forced to implement a fully manual authentication flow, completely bypassing the SDK’s handleLogin and handleCallback functions. This manual process, while complex, is the only thing that works in our production environment.

Our manual flow consists of:

  1. A manual login route (/api/auth/manual-login): This route manually constructs the full Auth0 /authorize URL, encodes our desired returnTo path into the state parameter, and redirects the user. This step was successful.
  2. A manual callback route (/api/auth/manual-callback): This route receives the code from Auth0, manually performs the server-to-server POST request to the /oauth/token endpoint, and upon success, uses the jose library to create its own secure, JWE-encrypted session cookie. Finally, it decodes the state parameter and performs the redirect to the user’s original destination.

We are reaching out to the community because this solution feels unsustainable and overly complex. It required us to essentially reinvent the core functionality of the SDK, including session management and encryption, just to get a basic login to work on Vercel.

The Most Baffling Symptoms

Throughout this process, two key behaviors made debugging nearly impossible:

  • Absence of Auth0 Logs: Despite countless failed login attempts, our Auth0 Dashboard never once showed a “Failed Exchange” or any error log related to the callback. We only ever saw a “Success Login” event (after the manual login implementation). This is the critical evidence proving the Vercel function was crashing silently before it could ever make the server-to-server request to exchange the token. The failure was a complete black box on the Auth0-to-Vercel side.

  • The Silent Redirect Loop: The user-facing symptom was a silent failure. The browser would be redirected to an SDK route like /api/auth/login or /api/auth/callback, and the request would simply hang, eventually re-rendering the previous page without any error message in the console. This created a frustrating loop with no feedback for the user or our developers.

Could we get any help looking into this, to find out what issue we might have missed? We appreciate the help.
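The state handling in the manual flow described above, as an added example that is not part of the original post or of the SDK: because returnTo travels through the browser inside state, the callback should bind state to the browser that started the login and accept only same-origin paths. The function names, the constructed origin, and the per-login nonce (generated with a CSPRNG and stored in an HttpOnly cookie by the login route) are assumptions.

```javascript
// Added example; function names and the constructed origin are assumptions.
const APP_ORIGIN = 'https://app.example.test'; // stands in for AUTH0_BASE_URL

// Allow only same-origin relative paths; everything else falls back to '/'.
function safeReturnTo(path) {
  if (typeof path !== 'string' || !path.startsWith('/')) return '/';
  if (path.startsWith('//') || path.includes('\\')) return '/';
  try {
    const url = new URL(path, APP_ORIGIN);
    return url.origin === APP_ORIGIN ? url.pathname + url.search : '/';
  } catch {
    return '/';
  }
}

// nonce: per-login random value the route also stores in an HttpOnly cookie.
function encodeState(nonce, returnTo) {
  const payload = JSON.stringify({ n: nonce, r: safeReturnTo(returnTo) });
  return Buffer.from(payload, 'utf8').toString('base64url');
}

// Build the /authorize redirect for the manual login route.
function buildAuthorizeUrl(cfg, state) {
  const url = new URL('/authorize', cfg.issuerBaseUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: 'openid profile email',
    state,
  }).toString();
  return url.toString();
}

// Callback side: returns the redirect path, or null if state must be rejected.
function decodeState(state, cookieNonce) {
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(String(state), 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!parsed || typeof parsed.n !== 'string' || !cookieNonce) return null;
  if (parsed.n !== cookieNonce) return null; // not issued to this browser
  // state is not integrity-protected, so re-validate the path after decoding
  return safeReturnTo(parsed.r);
}
```

A null result from decodeState means the callback should stop before calling /oauth/token and log the rejection, which also gives the otherwise silent failure path a visible log line.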

Hi @dev53

The behaviour that you are describing is indeed peculiar. Would you mind sharing a GitHub repository via a DM so I can go ahead and take a look myself at the configuration and test it out on my end?

As you have described above, this indeed appears to be an issue with the Vercel function itself, since no errors are being thrown by Auth0.

Kind Regards,
Nik