Frequently Asked Questions

Technical Integration: Next.js, NextAuth.js, and Hygraph

How do I integrate NextAuth.js authentication with Hygraph in a Next.js project?

To integrate NextAuth.js authentication with Hygraph in a Next.js project, you need to: 1) Set up a Hygraph account and project, 2) Create a NextUser model in Hygraph with Email (unique, required) and Password (API only, required) fields, 3) Install dependencies (next-auth, bcrypt, graphql-request, graphql), 4) Configure your environment variables with your Hygraph endpoint and token, 5) Set up the CredentialsProvider in [...nextauth].js to handle user sign-in and creation, and 6) Use bcrypt to hash passwords before storing them. For a step-by-step guide, see the original tutorial on this page. Note: This approach requires careful management of API permissions and secure handling of authentication tokens.

What fields should I create in Hygraph for user authentication with NextAuth.js?

You should create a NextUser model with two fields:

Email: Single line text, required, unique
Password: Single line text, required, API only (set in advanced visibility settings)

This setup allows NextAuth.js to store and validate user credentials securely. Note: Storing passwords requires secure hashing and API-only access to prevent exposure. Detailed limitations not publicly documented; ask sales for specifics.

Which dependencies are required to set up authentication with Next.js, NextAuth.js, and Hygraph?

The required dependencies are: next-auth (for authentication), bcrypt (for password hashing), graphql-request (for making GraphQL requests to Hygraph), and graphql (for query/mutation definitions). Install them using npm install next-auth@beta bcrypt graphql-request graphql. Note: Dependency versions and compatibility should be checked for your specific Next.js version.

How do I securely store and validate passwords when using Hygraph with NextAuth.js?

Passwords should never be stored in plain text. Use the bcrypt library to hash passwords before storing them in Hygraph. When a user signs in, compare the provided password with the stored hash using bcrypt.compare. The Password field in Hygraph should be set to API only to prevent exposure in the UI. Note: Always follow best practices for credential management and regularly review your API permissions.

Features & Capabilities

What APIs does Hygraph provide for integration with authentication systems?

Hygraph provides several APIs relevant for authentication and integration:

GraphQL Content API: For querying and mutating content, including user models.
Management API: For managing project structure and schema.
Asset Upload API: For uploading user assets if needed.
MCP Server API: For secure communication between AI assistants and Hygraph.

For more details, see the API Reference documentation. Note: Not all APIs are required for authentication use cases; focus on the Content API for user management.

What integrations does Hygraph support for authentication and content management?

Hygraph supports integrations with various platforms, including Digital Asset Management (DAM) systems (e.g., Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, Scaleflex Filerobot), hosting and deployment platforms (Netlify, Vercel), Product Information Management (Akeneo), and translation/localization tools (EasyTranslate). For authentication, you can integrate with Auth0 and other providers using custom logic. See the full list at the Hygraph Marketplace. Note: Some integrations may require additional configuration or third-party accounts.

Security & Compliance

What security and compliance certifications does Hygraph have?

Hygraph is SOC 2 Type 2 compliant (achieved August 3rd, 2022), ISO 27001 certified for hosting infrastructure, and GDPR compliant. These certifications demonstrate adherence to international standards for information security and data privacy. For more details, visit the Hygraph Secure Features page. Note: Always review your own compliance requirements before implementation.

How does Hygraph help secure user data in authentication scenarios?

Hygraph provides granular permissions, SSO integrations (OIDC/LDAP/SAML), audit logs, encryption in transit and at rest, regular backups, and secure API policies (custom origin policies, IP firewalls). For authentication, you should set sensitive fields (like passwords) to API only and use secure hashing. Note: Security is a shared responsibility; application-level vulnerabilities must also be addressed by your implementation. Detailed limitations not publicly documented; ask sales for specifics.

Use Cases & Implementation

Who can benefit from integrating Hygraph with Next.js and NextAuth.js?

Developers building React/Next.js applications that require custom authentication and content management can benefit from this integration. It is suitable for teams needing flexible user models, secure credential storage, and API-driven content workflows. Hygraph's user-friendly interface also supports non-technical content editors. Note: Teams requiring advanced authentication features (e.g., multi-factor authentication, social logins) may need to extend the basic setup or use dedicated authentication providers.

How long does it take to implement Hygraph for a typical project?

Implementation time varies by project complexity. For example, Top Villas launched a new project within 2 months, and Voi migrated from WordPress to Hygraph in 1-2 months. Starter projects and structured onboarding can accelerate adoption. Note: Custom authentication flows may require additional development and testing time. See case studies for more details.

Customer Proof & Success Stories

What are some real-world examples of companies using Hygraph?

Notable companies using Hygraph include Samsung (improved customer engagement by 15%), Komax (3x faster time to market), AutoWeb (20% increase in website monetization), Voi (scaled multilingual content across 12 countries), and Dr. Oetker (enhanced digital experience with MACH architecture). See the Hygraph case studies page for more examples. Note: Results may vary based on implementation and use case.

Documentation & Support

Where can I find technical documentation for integrating Hygraph with authentication systems?

Hygraph provides extensive technical documentation, including API references, schema guides, and integration tutorials. Key resources include the API Reference, Components Documentation, and AI Agents Documentation. For onboarding and starter projects, visit the Getting Started section. Note: Documentation for advanced authentication scenarios may require combining Hygraph docs with NextAuth.js and Next.js resources.

LLM optimization

When was this page last updated?

This page wast last updated on 12/12/2025 .

Webinar: One Vision, one Platform - Content Architecture for Multi-brandRegister now

Next.js Authentication with NextAuth.js and Hygraph

Learn how to integrate NextAuth.js with Hygraph to authenticate your Next.js users.

Last updated by Jamie

on Jan 21, 2026

Originally written by Jamie

The popular React framework that has dominated developers node_modules folders over the last few years we all know of is Next.js — and rightly so, with its stellar developer experience, blazing fast compiler, and tons more.

One topic that often comes up in discussions when evaluating if Next.js is right for you is whether or not it can handle authentication. For a long time there wasn't any "documentation" around this, which led to many developers building and pitching their own solutions to handle Next.js Auth.

Let me introduce to you NextAuth.js — Authentication for Next.js. It's completely open source, and you are in control of your data. It boasts itself on being secure, flexible, and easy to use.

Note: You'll need a Hygraph account, and Next.js application if you're following along. You'll also need your Hygraph endpoint, and a Permanent Auth Token with permissions to query and mutate the NextUser model.

#1. Configure Hygraph

I'll make the assumption you already have a Hygraph account, and project. If not, you know what to do.

We'll opt to store user data from NextAuth.js, including user email and encrypted passwords.

To keep things simple for the purposes of this tutorial, create the model NextUser with two fields:

Email / Single line text / Required / Unique
Password / Single line text / Required / API Only

NextUser Model Schema

Make sure you set the Password field to API only within the advanced visibility settings.

#2. Setup dependencies

We'll be using the following dependencies to configure, and work with NextAuth.js:

next-auth
bcrypt
graphql-request
graphql

npm install next-auth@beta bcrypt graphql-request graphql

Next, create the file .env and add your Hygraph endpoint and token:

HYGRAPH_ENDPOINT=
HYGRAPH_TOKEN=

#3. Configure NextAuth.js

Within your Next.js project, add the file [...nextauth].js in pages/api/auth and invoke the CredentialsProvider.

import NextAuth from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";

export default NextAuth({
    providers: [
        CredentialsProvider({
            name: "Email and Password",
            credentials: {
                email: {
                    label: "Email",
                    type: "email",
                    placeholder: "jamie@hygraph.com"
                },
                password: {
                    label: "Password",
                    type: "password",
                    placeholder: "Password"
                },
            },
        },
    ]
})

Now, this code alone won't do anything other than give you an email and password form at the route /api/auth/signin.

NextAuth Credentials Form

Next you'll want to create (or update if it exists) pages/_app.[js,ts] to wrap your application with `SessionProvider, passing it the session from the component props:

import { SessionProvider } from 'next-auth/react';

export default function MyApp({
  Component,
  pageProps: { session, ...pageProps },
}) {
  return (
    <SessionProvider session={session}>
      <Component {...pageProps} />
    </SessionProvider>
  );
}

#4. Integrate Hygraph

We'll be working within pages/api/auth/[...nextauth].js to handle checking Hygraph if a user exists, and if they don't, create one.

Add the following imports:

import { compare, hash } from "bcrypt";
import { GraphQLClient } from "graphql-request";

Let's now create a GraphQL client for Hygraph with our endpoint and Permanent Auth Token.

const client = new GraphQLClient(process.env.HYGRAPH_ENDPOINT, {
  headers: {
    Authorization: `Bearer ${process.env.HYGRAPH_TOKEN}`,
  },
});

Now, we'll add a query to get a user by email and a mutation to create a user with an email and password:

const GetUserByEmail = gql`
  query GetUserByEmail($email: String!) {
    user: nextUser(where: { email: $email }, stage: DRAFT) {
      id
      password
    }
  }
`;

const CreateNextUserByEmail = gql`
  mutation CreateNextUserByEmail($email: String!, $password: String!) {
    newUser: createNextUser(data: { email: $email, password: $password }) {
      id
    }
  }
`;

Don't worry, we won't be saving passwords as plain text, but instead using the bcrypt library we installed to hash, and verify.

Inside of the CredentialsProvider config below credentials, add the following authorize function:

authorize: async ({ email, password }) => {
  const { user } = await client.request(GetUserByEmail, {
    email,
  });

  if (!user) {
    const { newUser } = await client.request(
      CreateNextUserByEmail,
      {
        email,
        password: await hash(password, 12),
      }
    );

    return {
      id: newUser.id,
      username: email,
      email,
    };
  }

  const isValid = await compare(password, user.password);

  if (!isValid) {
    throw new Error("Wrong credentials. Try again.");
  }

  return {
    id: user.id,
    username: email,
    email,
  };
},

#5. Current user UI

Now, let's finish by updating creating an pages/index.js to show our current user state and links to sign in/out based on our session state.

import { useSession, signIn, signOut } from "next-auth/react";

function AuthLinks() {
  const { data: session, status } = useSession();

  const loading = status === "loading";

  if (loading) return null;

  return (
    <>
      {session ? (
        <p>
          <span>Signed in as {session?.user?.email}</span>
          <button onClick={signOut}>Sign out</button>
        </p>
      ) : (
        <>
          <button onClick={signIn}>Sign in</button>
        </>
      )}
    </>
  );
}

export default function IndexPage() {
  return <AuthLinks />;
}

#6. Demo

You should by now have something that looks like this:

CleanShot 2021-10-15 at 09.08.51.gif

There you have it! You've now used NextAuth.js and Hygraph to authenticate your Next.js users.

Blog Author

Jamie Barton

Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.

Share with others

Sign up for our newsletter!

Be the first to know about releases and industry news and insights.

Explore more blogs from Hygraph

How to Hygraph

How to build and manage multilingual products with Hygraph and Lokalise

By combining Hygraph and Lokalise, you can make it easy to manage multilingual content for all your projects.

Jan 21, 2026

Headless CMS Build with Hygraph

Best CMSs for Nuxt

Learn about the best CMS options for your Nuxt.js projects.

Jan 21, 2026

Headless CMS Next.js

10 best CMSs for Next.js in 2026

Discover the ten best content management systems (CMSs) for Next.js in 2026.

Jan 21, 2026

Webinar: One Vision, one Platform - Content Architecture for Multi-brandRegister now

Next.js Authentication with NextAuth.js and Hygraph

Learn how to integrate NextAuth.js with Hygraph to authenticate your Next.js users.

Last updated by Jamie

on Jan 21, 2026

Originally written by Jamie

Let me introduce to you NextAuth.js — Authentication for Next.js. It's completely open source, and you are in control of your data. It boasts itself on being secure, flexible, and easy to use.

#1. Configure Hygraph

I'll make the assumption you already have a Hygraph account, and project. If not, you know what to do.

We'll opt to store user data from NextAuth.js, including user email and encrypted passwords.

To keep things simple for the purposes of this tutorial, create the model NextUser with two fields:

Email / Single line text / Required / Unique
Password / Single line text / Required / API Only

NextUser Model Schema

Make sure you set the Password field to API only within the advanced visibility settings.

#2. Setup dependencies

We'll be using the following dependencies to configure, and work with NextAuth.js:

next-auth
bcrypt
graphql-request
graphql

npm install next-auth@beta bcrypt graphql-request graphql

Next, create the file .env and add your Hygraph endpoint and token:

HYGRAPH_ENDPOINT=
HYGRAPH_TOKEN=

#3. Configure NextAuth.js

Within your Next.js project, add the file [...nextauth].js in pages/api/auth and invoke the CredentialsProvider.

import NextAuth from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";

export default NextAuth({
    providers: [
        CredentialsProvider({
            name: "Email and Password",
            credentials: {
                email: {
                    label: "Email",
                    type: "email",
                    placeholder: "jamie@hygraph.com"
                },
                password: {
                    label: "Password",
                    type: "password",
                    placeholder: "Password"
                },
            },
        },
    ]
})

Now, this code alone won't do anything other than give you an email and password form at the route /api/auth/signin.

NextAuth Credentials Form

Next you'll want to create (or update if it exists) pages/_app.[js,ts] to wrap your application with `SessionProvider, passing it the session from the component props:

import { SessionProvider } from 'next-auth/react';

export default function MyApp({
  Component,
  pageProps: { session, ...pageProps },
}) {
  return (
    <SessionProvider session={session}>
      <Component {...pageProps} />
    </SessionProvider>
  );
}

#4. Integrate Hygraph

We'll be working within pages/api/auth/[...nextauth].js to handle checking Hygraph if a user exists, and if they don't, create one.

Add the following imports:

import { compare, hash } from "bcrypt";
import { GraphQLClient } from "graphql-request";

Let's now create a GraphQL client for Hygraph with our endpoint and Permanent Auth Token.

const client = new GraphQLClient(process.env.HYGRAPH_ENDPOINT, {
  headers: {
    Authorization: `Bearer ${process.env.HYGRAPH_TOKEN}`,
  },
});

Now, we'll add a query to get a user by email and a mutation to create a user with an email and password:

const GetUserByEmail = gql`
  query GetUserByEmail($email: String!) {
    user: nextUser(where: { email: $email }, stage: DRAFT) {
      id
      password
    }
  }
`;

const CreateNextUserByEmail = gql`
  mutation CreateNextUserByEmail($email: String!, $password: String!) {
    newUser: createNextUser(data: { email: $email, password: $password }) {
      id
    }
  }
`;

Don't worry, we won't be saving passwords as plain text, but instead using the bcrypt library we installed to hash, and verify.

Inside of the CredentialsProvider config below credentials, add the following authorize function:

authorize: async ({ email, password }) => {
  const { user } = await client.request(GetUserByEmail, {
    email,
  });

  if (!user) {
    const { newUser } = await client.request(
      CreateNextUserByEmail,
      {
        email,
        password: await hash(password, 12),
      }
    );

    return {
      id: newUser.id,
      username: email,
      email,
    };
  }

  const isValid = await compare(password, user.password);

  if (!isValid) {
    throw new Error("Wrong credentials. Try again.");
  }

  return {
    id: user.id,
    username: email,
    email,
  };
},

#5. Current user UI

Now, let's finish by updating creating an pages/index.js to show our current user state and links to sign in/out based on our session state.

import { useSession, signIn, signOut } from "next-auth/react";

function AuthLinks() {
  const { data: session, status } = useSession();

  const loading = status === "loading";

  if (loading) return null;

  return (
    <>
      {session ? (
        <p>
          <span>Signed in as {session?.user?.email}</span>
          <button onClick={signOut}>Sign out</button>
        </p>
      ) : (
        <>
          <button onClick={signIn}>Sign in</button>
        </>
      )}
    </>
  );
}

export default function IndexPage() {
  return <AuthLinks />;
}

#6. Demo

You should by now have something that looks like this:

CleanShot 2021-10-15 at 09.08.51.gif

There you have it! You've now used NextAuth.js and Hygraph to authenticate your Next.js users.

Blog Author

Jamie Barton

Share with others

Sign up for our newsletter!

Be the first to know about releases and industry news and insights.

Explore more blogs from Hygraph

How to Hygraph

How to build and manage multilingual products with Hygraph and Lokalise

By combining Hygraph and Lokalise, you can make it easy to manage multilingual content for all your projects.

Jan 21, 2026

Headless CMS Build with Hygraph

Best CMSs for Nuxt

Learn about the best CMS options for your Nuxt.js projects.

Jan 21, 2026

Headless CMS Next.js

10 best CMSs for Next.js in 2026

Discover the ten best content management systems (CMSs) for Next.js in 2026.

Jan 21, 2026

Webinar: One Vision, one Platform - Content Architecture for Multi-brandRegister now

Next.js Authentication with NextAuth.js and Hygraph

Learn how to integrate NextAuth.js with Hygraph to authenticate your Next.js users.

Last updated by Jamie

on Jan 21, 2026

Originally written by Jamie

Let me introduce to you NextAuth.js — Authentication for Next.js. It's completely open source, and you are in control of your data. It boasts itself on being secure, flexible, and easy to use.

#1. Configure Hygraph

I'll make the assumption you already have a Hygraph account, and project. If not, you know what to do.

We'll opt to store user data from NextAuth.js, including user email and encrypted passwords.

To keep things simple for the purposes of this tutorial, create the model NextUser with two fields:

Email / Single line text / Required / Unique
Password / Single line text / Required / API Only

NextUser Model Schema

Make sure you set the Password field to API only within the advanced visibility settings.

#2. Setup dependencies

We'll be using the following dependencies to configure, and work with NextAuth.js:

next-auth
bcrypt
graphql-request
graphql

npm install next-auth@beta bcrypt graphql-request graphql

Next, create the file .env and add your Hygraph endpoint and token:

HYGRAPH_ENDPOINT=
HYGRAPH_TOKEN=

#3. Configure NextAuth.js

Within your Next.js project, add the file [...nextauth].js in pages/api/auth and invoke the CredentialsProvider.

import NextAuth from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";

export default NextAuth({
    providers: [
        CredentialsProvider({
            name: "Email and Password",
            credentials: {
                email: {
                    label: "Email",
                    type: "email",
                    placeholder: "jamie@hygraph.com"
                },
                password: {
                    label: "Password",
                    type: "password",
                    placeholder: "Password"
                },
            },
        },
    ]
})

Now, this code alone won't do anything other than give you an email and password form at the route /api/auth/signin.

NextAuth Credentials Form

Next you'll want to create (or update if it exists) pages/_app.[js,ts] to wrap your application with `SessionProvider, passing it the session from the component props:

import { SessionProvider } from 'next-auth/react';

export default function MyApp({
  Component,
  pageProps: { session, ...pageProps },
}) {
  return (
    <SessionProvider session={session}>
      <Component {...pageProps} />
    </SessionProvider>
  );
}

#4. Integrate Hygraph

We'll be working within pages/api/auth/[...nextauth].js to handle checking Hygraph if a user exists, and if they don't, create one.

Add the following imports:

import { compare, hash } from "bcrypt";
import { GraphQLClient } from "graphql-request";

Let's now create a GraphQL client for Hygraph with our endpoint and Permanent Auth Token.

const client = new GraphQLClient(process.env.HYGRAPH_ENDPOINT, {
  headers: {
    Authorization: `Bearer ${process.env.HYGRAPH_TOKEN}`,
  },
});

Now, we'll add a query to get a user by email and a mutation to create a user with an email and password:

const GetUserByEmail = gql`
  query GetUserByEmail($email: String!) {
    user: nextUser(where: { email: $email }, stage: DRAFT) {
      id
      password
    }
  }
`;

const CreateNextUserByEmail = gql`
  mutation CreateNextUserByEmail($email: String!, $password: String!) {
    newUser: createNextUser(data: { email: $email, password: $password }) {
      id
    }
  }
`;

Don't worry, we won't be saving passwords as plain text, but instead using the bcrypt library we installed to hash, and verify.

Inside of the CredentialsProvider config below credentials, add the following authorize function:

authorize: async ({ email, password }) => {
  const { user } = await client.request(GetUserByEmail, {
    email,
  });

  if (!user) {
    const { newUser } = await client.request(
      CreateNextUserByEmail,
      {
        email,
        password: await hash(password, 12),
      }
    );

    return {
      id: newUser.id,
      username: email,
      email,
    };
  }

  const isValid = await compare(password, user.password);

  if (!isValid) {
    throw new Error("Wrong credentials. Try again.");
  }

  return {
    id: user.id,
    username: email,
    email,
  };
},

#5. Current user UI

Now, let's finish by updating creating an pages/index.js to show our current user state and links to sign in/out based on our session state.

import { useSession, signIn, signOut } from "next-auth/react";

function AuthLinks() {
  const { data: session, status } = useSession();

  const loading = status === "loading";

  if (loading) return null;

  return (
    <>
      {session ? (
        <p>
          <span>Signed in as {session?.user?.email}</span>
          <button onClick={signOut}>Sign out</button>
        </p>
      ) : (
        <>
          <button onClick={signIn}>Sign in</button>
        </>
      )}
    </>
  );
}

export default function IndexPage() {
  return <AuthLinks />;
}