Next.js quickstart
Add Wocha authentication to a Next.js App Router application in minutes.
Add Wocha sign-in to Next.js using @wocha/nextjs. The SDK implements a BFF pattern: OAuth runs server-side with a confidential client, and sessions are stored in encrypted HTTP-only cookies.
What you'll build
A Next.js app with hosted sign-in, encrypted session cookies, and opt-in route protection.
Welcome back
After sign-in
✓ Session stored securely
✓ User profile available in your app
✓ Organisation context ready for multi-tenant features
Quick start (CLI)
The recommended path scaffolds everything for you — route handler, middleware, providers, auth header, and credentials.
npx @wocha/cli init -y --framework nextjsGenerated files
| File | Purpose |
|---|---|
app/api/auth/[...wocha]/route.ts | OAuth BFF — login, callback, logout, session |
middleware.ts | Opt-in route protection (public by default) |
app/providers.tsx | Session provider + keyless banner |
app/wocha-header.tsx | Sign in / Sign up / Sign out header |
.env.local | Auto-provisioned tenant credentials |
Route handler
The CLI generates a zero-config handler — credentials are read from .env.local and .wocha/credentials.json:
The catch-all segment must be named wocha — the SDK reads params.wocha to route login, callback, logout, and other auth actions.
Middleware
Routes are public by default. Protect specific paths with createRouteMatcher:
Layout and providers
The CLI updates your root layout to wrap the app with providers and an auth header:
Your layout.tsx imports both and wraps {children} with <Providers>.
What you get
After pnpm dev:
- Auth header — Sign in and Sign up links visible on every page
- Public routes — homepage, marketing pages, and anything not matched by
createRouteMatcher - Protected routes —
/dashboard/*,/settings/*, and non-auth API routes redirect to login when unauthenticated - Hosted auth UI — users sign in at
{tenant}.auth.wocha.aiand return with an encrypted session cookie
Test
- Run
pnpm dev. - Open
http://localhost:3000— click Sign in in the header. - Complete login on the hosted auth UI.
- Confirm your email appears in the header with a Sign out link.
Next steps
- SDK reference — hooks, server helpers, and configuration options
- Webhooks overview — receive user and session lifecycle events
- Common patterns — protect routes, org switching, and role-based UI
Alternative: Manual setup
Prerequisites
- Node.js 18+
- Next.js 14+ (App Router)
- A Wocha project with a confidential OAuth application
- Redirect URI registered:
http://localhost:3000/api/auth/callback
Installation
pnpm add @wocha/nextjsEnvironment variables
Create the route handler, middleware, and providers manually using the code samples above, or run npx @wocha/cli init --framework nextjs to generate them.