Issue with signIn('credentials') inside a Next.js Route Handler

[abgonzalez93]

I’m working on a Next.js 15 (App Router) project using Auth.js (NextAuth v5 beta).
I’ve configured a CredentialsProvider that works perfectly on the client side.
Now I want to handle login from the server, specifically inside an API Route Handler (app/api/login/route.ts) — but I’m running into issues when calling signIn.

signIn links to my NextAuth configuration file

import CredentialsProvider from 'next-auth/providers/credentials'
import { jwtCallback, sessionCallback } from './authCallbacks'
import { Credentials, SessionUser } from '@models/index'
import NextAuth, { User } from 'next-auth'

/**
 * Función principal que configura NextAuth con el proveedor de credenciales personalizado.
 *
 * Configura:
 * - Autenticación basada en JWT.
 * - Provider de tipo `credentials` que acepta un accessToken, refreshToken y un `user` serializado.
 * - Callbacks personalizados para gestionar JWT (`jwtCallback`) y sesión (`sessionCallback`).
 *
 * @returns Handlers, funciones `signIn`, `signOut` y `auth` exportables para uso global.
 */
export const { handlers, signIn, signOut, auth } = NextAuth({
  secret: process.env.AUTH_SECRET,
  session: {
    strategy: 'jwt',
  },
  providers: [
    CredentialsProvider({
      name: '',
      credentials: {
        token: { label: 'Token', type: 'text' },
        refreshToken: { label: 'Refresh Token', type: 'text' },
        expiresIn: { label: 'Expires In', type: 'text' },
        user: { label: 'User', type: 'text' },
      },

      /**
       * Autoriza al usuario a través del proveedor de credenciales personalizado.
       *
       * Parsea el usuario desde `credentials.user`, valida que las credenciales mínimas existan
       * y construye un objeto `User` que será utilizado por el callback `jwt()`.
       *
       * ⚠️ Se recomienda usar Zod/Joi para validar la estructura del objeto `user`.
       *
       * @param credentials Objeto con los campos enviados desde `signIn('credentials', {...})`
       * @returns Usuario autenticado (formato compatible con NextAuth), o `null` si no es válido
       */
      async authorize(credentials): Promise<User | null> {
        console.log('🧪 [Authorize] Credenciales recibidas:', credentials)

        const { token, refreshToken, expiresIn, user } = credentials as Credentials

        if (!token || !refreshToken || !expiresIn || !user) {
          console.error('❌ Falta uno o más campos requeridos:', { token, refreshToken, expiresIn, user })
          return null
        }

        try {
          const parsedUser: SessionUser = JSON.parse(user)
          console.log('✅ Usuario parseado correctamente:', parsedUser)

          console.log('🚀 Usuario final que se devuelve desde authorize():', {
            ...parsedUser,
            access_token: token,
            refresh_token: refreshToken,
            expires_in: Number(expiresIn),
            token_type: 'bearer',
          })

          return {
            ...parsedUser,
            access_token: token,
            refresh_token: refreshToken,
            expires_in: Number(expiresIn),
            token_type: 'bearer',
          }
        } catch (error) {
          console.error('❌ Error al hacer JSON.parse(user):', error)
          return null
        }
      },
    }),
  ],
  debug: process.env.NODE_ENV === 'development',
  callbacks: {
    jwt: jwtCallback,
    session: sessionCallback,
  },
})

...

import { authToken, getUserData, signIn } from '@services/index'
import { NextResponse } from 'next/server'

export async function POST(req: Request) {
  const { token } = await req.json()

  if (!token) return NextResponse.json({ error: 'Token required' }, { status: 400 })

  try {
    const { access_token, refresh_token, expires_in } = await authToken(token)
    const user = await getUserData(access_token)

    console.log('📦 signIn payload:', {
      token: access_token,
      refreshToken: refresh_token,
      expiresIn: expires_in.toString(),
      user: JSON.stringify(user),
    })

    const res = await signIn('credentials', {
      token: access_token,
      refreshToken: refresh_token,
      expiresIn: expires_in.toString(),
      user: JSON.stringify(user),
      redirect: false,
    })

    console.log('📦 res:', res) // ➡️ Only logs a URL, not a result object

    if (!res?.ok) return NextResponse.json({ error: res.error }, { status: 401 })

    return NextResponse.json({ ok: true })
  } catch (error) {
    console.error('Server login error:', error)
    return NextResponse.json({ error: 'Server login failed' }, { status: 500 })
  }
}

🔍 The issue
Calling signIn('credentials') inside this route returns a string (URL) like http://localhost:3000/ instead of an object with { ok, error }. No session is created, and cookies are not modified.

Is it supported to call signIn() inside a Route Handler (in App Router)?

[Fredneyy]

As far as I know signIn() is not supported in route handlers. It is primarily designed to be used on the client side. signIn() generates a redirection URL or performs a client-side redirect, but it does not directly modify cookies or session state on the server.
If you would like to handle login on the server side, you would need to manually interact with NextAuth's session and JWT mechanisms.

[ValentinGurkov]

In version 5, it signIn should also be usable on the server if imported from the auth file

[abgonzalez93]

well, its getting exported from the auth file (actually was rename to authProvider.ts, but it still exports handlers, signIn, signOut and auth) And still does not work. signIn return an url instead of a response object

[abgonzalez93]

You have up there the example of the file anyway

[jeslor]

You appear to be attempting to call signIn('credentials') inside a Next.js API route (or in a custom backend handler), but neither a session nor cookies are being created, and instead of returning an object with { ok, error } as you would anticipate from a server-side function, it is returning a URL string (such as http://localhost:3000/). This most likely happens because you are using signIn() in a non-client context (such as an API route), and NextAuth's behavior is designed to handle redirects rather than directly manage server-side sessions.

Here are the key issues;

• signIn() in NextAuth is not intended to be used in API routes directly for programmatic login.
• signIn() is designed for use on the client-side (e.g., in components, forms, or in frontend code) to trigger the redirection flow after authentication.

The best work around I would recommend is to Programmatically Handle Credentials Login on the Server.

``

[abgonzalez93]

Thanks for the detailed explanation — it helps clarify the expected behavior of signIn().
At the moment, I’m using signIn('credentials') on the client side via a custom hook, and that part works as expected.

However, one of the core issues I'm facing is:

🌀 When a session already exists in the browser (stored in cookies), and I try to log in again — even with different credentials — the jwt() callback enters an infinite loop, and the session is never updated. This only works reliably in an incognito window or after manually clearing cookies.

What I really need is a way to force a logout or session invalidation on the server, to ensure a clean login flow.

My questions are:

• Does Auth.js (NextAuth v5) provide any way to programmatically sign out or invalidate an existing session on the server?
• Is there a way to force signIn() to override the existing session, rather than silently failing or looping in the jwt() callback?

If no such mechanism currently exists, what would be the recommended approach to avoid this session persistence issue and safely replace an existing session?

Thanks in advance for any guidance!

[jeslor]

For the first question, If you're using the JWT strategy (session.strategy = "jwt"), sessions are stateless and stored only in cookies. Therefore there's no server-side session store to invalidate.
However, iff you're using the database session strategy (strategy = "database"), you can invalidate sessions by deleting them from your DB.

For the second question, signIn() will not override an existing session or clear cookies by default. If a session already exists, it persists. The only work around I would think of is to always signOut first before signing In. something like this;

await signOut({ redirect: false });

await signIn("credentials", {
  redirect: false,
  email,
  password,
});