providers/credentials
default()β
The Credentials provider allows you to handle signing in with arbitrary credentials, such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).
It is intended to support use cases where you have an existing system you need to authenticate users against.
It comes with the constraint that users authenticated in this manner are not persisted in the database, and consequently that the Credentials provider can only be used if JSON Web Tokens are enabled for sessions.
The functionality provided for credentials based authentication is intentionally limited to discourage use of passwords due to the inherent security risks associated with them and the additional complexity associated with supporting usernames and passwords.
Exampleβ
import Auth from "@auth/core";
import Credentials from "@auth/core/providers/credentials";
const request = new Request("https://example.com");
const response = await AuthHandler(request, {
providers: [
Credentials({
credentials: {
username: { label: "Username" },
password: { label: "Password", type: "password" },
},
async authorize({ request }) {
const response = await fetch(request);
if (!response.ok) return null;
return (await response.json()) ?? null;
},
}),
],
secret: "...",
trustHost: true,
});
Seeβ
default<CredentialsInputs>(
config
:Partial
<CredentialsConfig
<CredentialsInputs
>>):CredentialsConfig
Type parametersβ
CredentialsInputs
extendsRecord
<string
,CredentialInput
> =Record
<string
,CredentialInput
>
Parametersβ
Parameter | Type |
---|---|
config | Partial <CredentialsConfig <CredentialsInputs >> |
Returnsβ
CredentialInputβ
Besides providing type safety inside authorize it also determines how the credentials input fields will be rendered on the default sign in page.
CredentialsConfigβ
The Credentials Provider needs to be configured.
Type parametersβ
CredentialsInputs
extendsRecord
<string
,CredentialInput
> =Record
<string
,CredentialInput
>
Propertiesβ
authorizeβ
authorize:
Function
Type declarationβ
Gives full control over how you handle the credentials received from the user.
There is no validation on the user inputs by default, so make sure you do so by a popular library like Zod
Exampleβ
//...
async authorize(, request) {
const response = await fetch(request)
if(!response.ok) return null
return await response.json() ?? null
}
//...
> (`credentials`: `Partial`<`Record`<*keyof* `CredentialsInputs`, `unknown`\>\>, `request`: `Request`): `Awaitable`<null \| [`User`](types.md#user)\>
###### Parameters
| Parameter | Type | Description |
| :------ | :------ | :------ |
| `credentials` | `Partial`<`Record`<*keyof* `CredentialsInputs`, `unknown`\>\> | The available keys are determined by [CredentialInput](providers_credentials.md#credentialinput).<br /><br />`Note`<br /><br />The existence/correctness of a field cannot be guaranteed at compile time,<br />so you should always validate the input before using it.<br /><br />You can add basic validation depending on your use case,<br />or you can use a popular library like [Zod](https://zod.dev) for example. |
| `request` | `Request` | The original request is forward for convenience |
###### Returns
`Awaitable`<null \| [`User`](types.md#user)\>
#### id
> **id**: `string`
Uniquely identifies the provider in AuthConfig.providers
It's also part of the URL
##### Inherited from
[CommonProviderOptions](providers.md#commonprovideroptions).[id](providers.md#id)
#### name
> **name**: `string`
The provider name used on the default sign-in page's sign-in button.
For example if it's "Google", the corresponding button will say:
"Sign in with Google"
##### Inherited from
[CommonProviderOptions](providers.md#commonprovideroptions).[name](providers.md#name)
---