Skip to content
Migrating from NextAuth.js v4? Read our migration guide.

Supported versions

  • Security updates are only released for the current latest version.
  • Old releases are not maintained and do not receive updates.

@auth/* packages (other than the database adapters) are currently under development and - unless stated otherwise - they are not considered ready for production yet. That said, we encourage you to reach out to us if you have any questions or concerns via the below-mentioned channels. We are committed to making Auth.js a secure and reliable solution for your authentication needs.

Reporting a Vulnerability

Auth.js practices responsible disclosure. We request that you contact us directly to report serious issues that might impact the security of sites using Auth.js.

If you contact us regarding a serious issue:

Getting back to you

We will endeavour to get back to you within 72 hours.

Publishing a fix

We will aim to publish a fix within 30 days.

Disclosing the issue

We will disclose the issue ( and credit you, with your consent ) once a fix to resolve the issue has been released.

90 days limit

If 90 days have elapsed and we still don’t have a fix, we will disclose the issue publicly.

The best way to report an issue is by contacting us via email at,, and, or raise a public issue - without disclosing any sensitive details - requesting someone get in touch with you via whatever means you prefer for more details.

For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to make these public as bug reports or feature requests or to raise a question to open a discussion around them.

Auth.js © Balázs Orbán and Team - 2024