🚀Announcing Flightcontrol - Easily Deploy Blitz.js and Next.js to AWS 🚀
Back to Documentation Menu

Auth Configuration


Jump to a Topic

You can customize session management by passing an object to the AuthServerPlugin() in src/blitz-server.

// src/blitz-server.ts
import { AuthServerPlugin, PrismaStorage } from "@blitzjs/auth"
import { simpleRolesIsAuthorized } from "@blitzjs/auth"

  plugins: [
      cookiePrefix: "web-cookie-prefix",
      storage: PrismaStorage(db),
      isAuthorized: simpleRolesIsAuthorized,

Available options:

type SessionConfigOptions = {
  cookiePrefix?: string /* Default: 'blitz' */
  sessionExpiryMinutes?: number /* Default: 30 days */
  anonSessionExpiryMinutes?: number /* Default: 5 years */
  method?: "essential" | "advanced" /* Default: 'essential' */
  sameSite?: "strict" | "lax" | "none" /* Default: 'lax'. 
    If you set this to 'none', you also have to set `secureCookies: true`. 
    See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite */
  secureCookies?: boolean /* Default: undefined. This flag is skipped if running app on hostname `localhost` */
  domain?: string /* Default: undefined. Can set as `.yourDomain.com` to work across subdomains */
  publicDataKeysToSyncAcrossSessions?: string[] /* Default: ['role', 'roles'] */

Customize Session Persistence & Database Access

By default, session persistence is zero-config with PrismaStorage. However, you can customize this to save sessions somewhere else, like Redis. You can also customize this if you have Prisma but want to customize the attribute names on the user or session model.

Customize session persistence by overriding the database access functions. The functions can do anything, but they must conform to the defined input and outputs types.

import { setupBlitzServer } from "@blitzjs/next"
import {
} from "@blitzjs/auth"

const { gSSP, gSP, api } = setupBlitzServer({
  plugins: [
      cookiePrefix: "blitz-app-prefix",
      isAuthorized: simpleRolesIsAuthorized,
      storage: {
        getSession: (handle) => redis.get(`session:${handle}`),
        createSession: (session) =>
          redis.set(`session:${handle}`, session),
        deleteSession: (handle) => redis.del(`session:${handle}`),
        // ...

export { gSSP, gSP, api }

Here's a GitHub gist with a full Redis example.

The storage methods need to conform to the following interface:

interface SessionConfigMethods {
  getSession: (handle: string) => Promise<SessionModel | null>
  getSessions: (userId: PublicData["userId"]) => Promise<SessionModel[]>
  createSession: (session: SessionModel) => Promise<SessionModel>
  updateSession: (
    handle: string,
    session: Partial<SessionModel>
  ) => Promise<SessionModel | undefined>
  deleteSession: (handle: string) => Promise<SessionModel>

interface SessionModel extends Record<any, any> {
  handle: string
  userId?: PublicData["userId"] | null
  expiresAt?: Date | null
  hashedSessionToken?: string | null
  antiCSRFToken?: string | null
  publicData?: string | null
  privateData?: string | null

Idea for improving this page? Edit it on GitHub.