I built a CLI that adds production-ready auth to any Next.js app in under a minute

Gaurav Kumar — Wed, 25 Feb 2026 04:59:55 +0000

Every time I started a new Next.js project, I found myself writing the same authentication code over and over.

JWT setup. bcrypt hashing. httpOnly cookies. Mongoose models. Middleware protection. Login and signup pages. It takes hours to get right and it's the same every single time.

So I built nextauthforge — a CLI that scaffolds the entire auth system into any Next.js App Router project in under a minute.

How it works

npx nextauthforge init

Answer a few questions and you're done.

◆ AUTHFORGE — Next.js Auth Scaffolder

? What is your project name? my-app
? Which database are you using? MongoDB
? Include login & signup pages? Yes
? Include example dashboard ? Yes

✓ Auth files scaffolded
✓ Dependencies installed
✓ AuthForge setup complete!

What gets generated

Running the CLI scaffolds a complete auth system:

API Routes:

POST /api/auth/signup — register + auto login
POST /api/auth/login — verify credentials + set cookie
POST /api/auth/logout — clear session
GET /api/auth/me — get current user

Frontend Pages:

Landing page
Login page
Signup page
Dashboard (protected)

Utilities:

lib/jwt.ts — sign and verify JWT using jose
lib/hash.ts — bcrypt helpers
lib/session.ts — cookie reader
lib/dbConfig.ts — MongoDB connection singleton
hooks/useAuth.tsx — client-side auth state
components/ToasterProvider.tsx — toast notifications
proxy.ts — middleware route protection

The auth strategy

I made some deliberate choices about how auth works:

JWT in httpOnly cookies — not localStorage. This is the right call for security. httpOnly cookies can't be accessed by JavaScript so they're immune to XSS attacks. localStorage tokens are a common mistake.

jose instead of jsonwebtoken. Next.js middleware runs on the Edge Runtime which doesn't support Node.js built-ins. jsonwebtoken breaks in middleware. jose is Web Crypto API compatible and works everywhere in Next.js.

bcrypt with 12 rounds. Intentionally slow to make brute force attacks impractical.

Generic error messages. Both "user not found" and "wrong password" return the same "Invalid credentials" message. This prevents email enumeration attacks where an attacker can figure out which emails are registered.

What's coming next

This is v1.0 and there's a lot more planned:

PostgreSQL + Prisma support
Refresh tokens
Google OAuth — npx nextauthforge add google
GitHub OAuth
Email verification flow

Try it

npx nextauthforge init

npm → npmjs.com/package/nextauthforge
GitHub → github.com/Gauravkumar512/authforge

Would love feedback from the community. If you run into any issues or have feature requests, open an issue on GitHub.