Skip to content
Migrating from NextAuth.js v4? Read our migration guide.
Guides
Extending the Session

Extending the Session

Auth.js libraries only expose a subset of the user’s information by default in a session to not accidentally expose sensitive user information. This is name, email, and image.

All callbacks are asnyc functions, so you can also get extra information from a database or external APIs.

A common use case is to add the user’s id to the session. Below it is shown how to do this based on the session strategy you are using.

With JWT

To have access to the user id, add the following to your Auth.js configuration:

  callbacks: {
    jwt({ token, user }) {
      if (user) { // User is available during sign-in
        token.id = user.id
      }
      return token
    },
    session({ session, token }) {
      session.user.id = token.id
      return session
    },
  },

During sign-in, the jwt callback exposes the user’s profile information coming from the provider. You can leverage this to add the user’s id to the JWT token. Then, on subsequent calls of this API will have access to the user’s id via token.id. Then, to expose the user’s id in the actual session, you can access token.id in the session callback and save it on session.user.id.

Calls to auth() or useSession() will now have access to the user’s id.

With Database

If you are using a database session strategy, you can add the user’s id to the session by modifying the session callback:

  callbacks: {
    session({ session, user }) {
      session.user.id = user.id
      return session
    },
  },

This will add the user’s id to the session object. Notice that in this case, we are getting the id from the user object, not the token. With the database session strategy, the user object is the user from the database, and there is no token.

Calls to auth() or useSession() will now have access to the user’s id.

⚠️

The session object is not persisted server-side, even when using database sessions - only data such as the session token (id), the user, and the expiry time is stored in the session table. If you need to persist session data server-side, you must save it elsewhere. You can connect to the database in the session() callback to retrieve this information.

Resources

Auth.js © Balázs Orbán and Team - 2024