Skip to content
Migrating from NextAuth.js v4? Read our migration guide.
How OAuth works



Auth.js is designed to work with any OAuth service, it supports OAuth 2.0 and OpenID Connect and has built-in support for most popular sign-in services.

Authentication Providers in Auth.js are predefined OAuth configurations that allow your users to sign in with pre-existing logins at their favorite services. You can use any of our predefined providers, or write your own custom OAuth configuration. For customizing or writing your own OAuth provider, see our configuring OAuth providers guide.

At a high level, the OAuth Authorization Code flow we support generally has 6 parts:

  1. The application requests authorization to access service resources from the user
  2. If the user authorized the request, the application receives an authorization grant
  3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
  5. The application requests the resource from the resource server (API) and presents the access token for authentication
  6. If the access token is valid, the resource server (API) serves the resource to the application


Below are two diagrams visually illustrating the same basic flow as described above, the OAuth Authorization Code flow. First is a sequence diagram.

Next is a swim lane diagram which comes from a great article, Setting up OAuth with Auth.js and SvelteKit by Andrey Mikhaylov of

OAuth Flow Diagram

Further Reading

To learn more, check out the following blog posts:

Auth.js © Balázs Orbán and Team - 2024