Wocha Docs

Next.js quickstart

Add Wocha authentication to a Next.js App Router application in minutes.

Add Wocha sign-in to Next.js using @wocha/nextjs. The SDK implements a BFF pattern: OAuth runs server-side with a confidential client, and sessions are stored in encrypted HTTP-only cookies.

What you'll build

A Next.js app with hosted sign-in, encrypted session cookies, and opt-in route protection.

your-app.local

Welcome back

After sign-in

✓ Session stored securely

✓ User profile available in your app

✓ Organisation context ready for multi-tenant features

Quick start (CLI)

The recommended path scaffolds everything for you — route handler, middleware, providers, auth header, and credentials.

Scaffold Next.js auth
npx @wocha/cli init -y --framework nextjs

Generated files

FilePurpose
app/api/auth/[...wocha]/route.tsOAuth BFF — login, callback, logout, session
middleware.tsOpt-in route protection (public by default)
app/providers.tsxSession provider + keyless banner
app/wocha-header.tsxSign in / Sign up / Sign out header
.env.localAuto-provisioned tenant credentials

Route handler

The CLI generates a zero-config handler — credentials are read from .env.local and .wocha/credentials.json:

app/api/auth/[...wocha]/route.ts
import { createWochaHandler } from "@wocha/nextjs";
 
export const { GET, POST } = createWochaHandler();

The catch-all segment must be named wocha — the SDK reads params.wocha to route login, callback, logout, and other auth actions.

Middleware

Routes are public by default. Protect specific paths with createRouteMatcher:

middleware.ts
import { withWochaAuth, createRouteMatcher } from "@wocha/nextjs/middleware";
 
const isProtectedRoute = createRouteMatcher([
  "/dashboard(.*)",
  "/settings(.*)",
  "/api/(?!auth)(.*)",
]);
 
export default withWochaAuth((auth, req) => {
  if (isProtectedRoute(req)) auth.protect();
});
 
export const config = {
  matcher: ["/((?!_next/static|_next/image|favicon.ico|api/auth).*)"],
};

Layout and providers

The CLI updates your root layout to wrap the app with providers and an auth header:

app/providers.tsx
"use client";
 
import { WochaSessionProvider, KeylessBanner } from "@wocha/nextjs/client";
 
export function Providers({ children }: { children: React.ReactNode }) {
  return (
    <WochaSessionProvider>
      <KeylessBanner />
      {children}
    </WochaSessionProvider>
  );
}
app/wocha-header.tsx
"use client";
 
import { useSession } from "@wocha/nextjs/client";
 
export function WochaAuthHeader() {
  const { data, status } = useSession();
 
  if (status === "authenticated" && data?.user) {
    return (
      <header>
        <span>{data.user.email}</span>
        <a href="/api/auth/logout">Sign out</a>
      </header>
    );
  }
 
  return (
    <header>
      <a href="/api/auth/login">Sign in</a>
      <a href="/api/auth/login?screen=register">Sign up</a>
    </header>
  );
}

Your layout.tsx imports both and wraps {children} with <Providers>.

What you get

After pnpm dev:

  • Auth headerSign in and Sign up links visible on every page
  • Public routes — homepage, marketing pages, and anything not matched by createRouteMatcher
  • Protected routes/dashboard/*, /settings/*, and non-auth API routes redirect to login when unauthenticated
  • Hosted auth UI — users sign in at {tenant}.auth.wocha.ai and return with an encrypted session cookie

Test

  1. Run pnpm dev.
  2. Open http://localhost:3000 — click Sign in in the header.
  3. Complete login on the hosted auth UI.
  4. Confirm your email appears in the header with a Sign out link.

Next steps

Alternative: Manual setup

Prerequisites

  • Node.js 18+
  • Next.js 14+ (App Router)
  • A Wocha project with a confidential OAuth application
  • Redirect URI registered: http://localhost:3000/api/auth/callback

Installation

pnpm add @wocha/nextjs

Environment variables

.env.local
WOCHA_CLIENT_ID=your-client-id
WOCHA_CLIENT_SECRET=your-client-secret
WOCHA_ISSUER=https://your-tenant.auth.wocha.ai
WOCHA_API_URL=https://your-tenant.api.wocha.ai  # optional
WOCHA_COOKIE_SECRET=your-cookie-secret             # optional

Create the route handler, middleware, and providers manually using the code samples above, or run npx @wocha/cli init --framework nextjs to generate them.

On this page