Where to put AUTH in Next.js 16?

By Tobi Mey

Categories: Design, Product

Summary

Next.js 16's new proxy feature is a game-changer for auth, allowing fast session checks (1-2 ms) without costly database lookups. But securing data access is critical: a dedicated data access layer (DAL) is the way to protect sensitive data fetching across your app.

Key Takeaways

  1. Use the fast session check method (like getCookie) in the proxy instead of expensive database lookups.
  2. Never rely solely on session cookie checks for security, as anyone can create a valid session cookie.
  3. Protect sensitive data fetching and mutations with a dedicated Data Access Layer (DAL) that handles auth checks.
  4. Don't use layout.tsx for auth checks, as it won't update when user permissions change.
  5. Subscribe to the Next.js Weekly newsletter to stay up-to-date on the latest Next.js authentication best practices.
  6. Leverage linters and CI/CD checks to enforce secure data access practices across your Next.js app.
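
A minimal model of takeaways 1 to 3, added here as an illustration and not code from the video or from Next.js: the proxy only checks that a session cookie is present, while the data access layer verifies it against the session store and checks the role on every call. The cookie name, the in-memory `sessionDb` and all function names are assumptions; plain functions stand in for proxy.ts and the server-side data functions so the block runs without Next.js.

```typescript
// Added example: every name here is hypothetical; the Map stands in for the session database.
type Session = { userId: string; role: "user" | "admin"; expiresAt: number };

const SESSION_COOKIE = "session_token"; // assumed cookie name
const sessionDb = new Map<string, Session>([ // constructed sample sessions
  ["tok_alice", { userId: "alice", role: "admin", expiresAt: Date.now() + 60_000 }],
  ["tok_bob", { userId: "bob", role: "user", expiresAt: Date.now() + 60_000 }],
  ["tok_old", { userId: "carol", role: "admin", expiresAt: Date.now() - 1 }],
]);

function parseCookies(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return out;
}

// Proxy layer: optimistic and free of I/O. It only decides "redirect or continue".
function proxyDecision(cookieHeader: string): "continue" | "redirect:/login" {
  const token = parseCookies(cookieHeader).get(SESSION_COOKIE);
  return token ? "continue" : "redirect:/login";
}

// DAL: the only place where the session is verified against the store.
function verifySession(cookieHeader: string): Session {
  const token = parseCookies(cookieHeader).get(SESSION_COOKIE) ?? "";
  const session = sessionDb.get(token);
  if (!session || session.expiresAt <= Date.now()) throw new Error("UNAUTHENTICATED");
  return session;
}

// DAL data function: authentication and authorization run on every call, next to the data.
function getBillingReport(cookieHeader: string): { owner: string; total: number } {
  const session = verifySession(cookieHeader);
  if (session.role !== "admin") throw new Error("FORBIDDEN");
  return { owner: session.userId, total: 4200 }; // constructed data
}

// Returns the report owner or the error code, so the two layers' outcomes can be compared.
function tryReport(cookieHeader: string): string {
  try { return "ok:" + getBillingReport(cookieHeader).owner; }
  catch (e) { return (e as Error).message; }
}
```

A cookie value the server never issued gets `continue` from `proxyDecision` but `UNAUTHENTICATED` from `tryReport`, which is why the proxy result is treated as a routing hint and never as the access decision.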

Transcript Excerpt

We have to talk about authentication. It's 2026 and it got kind of messy. Middleware got renamed to proxy, and somehow the reason for that is authentication. But where do we place auth checks when not in middleware, or now proxy, and how do we make them actually secure but fast? Let's have a look. So this is how we used to do it: a middleware.ts. But as I already said, this got renamed to clarify our direction. We are renaming the file convention to proxy. This highlights that we are moving away from middl...