Interface: AuthPluginOptions

Configuration options for the @robojs/auth plugin.

Refer to the plugin README for a comprehensive table of options and defaults. The CLI applies sane defaults; most fields are optional.

Notable defaults:

  • basePath: "/api/auth"
  • session.maxAge: 2592000 (30 days)
  • session.updateAge: 86400 (24 hours)
  • session.strategy: 'database' when an adapter is present, otherwise 'jwt'

Security notes:

  • allowDangerousEmailAccountLinking should remain false unless all OAuth providers are fully trusted.

Properties

adapter?

optional adapter: unknown;

Storage adapter for users, sessions, and accounts.

Example

createFlashcoreAdapter({ secret: process.env.AUTH_SECRET! })

allowDangerousEmailAccountLinking?

optional allowDangerousEmailAccountLinking: boolean;

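⚠️ Security: Automatically links accounts by email across OAuth providers. Only enable if you fully trust every provider to verify email ownership, because linking makes an email address asserted by any one provider sufficient to sign in to the account already tied to that address.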

Default

false

appName?

optional appName: string;

Display name for the application. Used in emails and default UI strings.

Default

"Robo.js"

Example

"My Awesome App"

basePath?

optional basePath: string;

Base path for all auth routes.

Default

"/api/auth"

Examples

"/api/auth"
"/auth"

callbacks?

optional callbacks: any;

Auth.js callback hooks.


cookies?

optional cookies: CookiesOptions;

Cookie overrides for Auth.js cookies.


debug?

optional debug: boolean;

Enable verbose Auth.js debug logging.

Default

false

email?

optional email: any;

Legacy email configuration (prefer the richer emails object).


emails?

optional emails: EmailsOptions;

Email system configuration: mailer, templates, and triggers.


events?

optional events: any;

Auth.js event handlers.


pages?

optional pages: PagesOptions;

Custom UI page paths for Auth.js built‑in routes.


providers?

optional providers: Provider[];

Array of authentication providers (OAuth, email, credentials).

Default

[]

redirectProxyUrl?

optional redirectProxyUrl: string;

Proxy URL used on preview deployments to build correct redirects.


secret?

optional secret: string;

Secret for JWT signing and token hashing.

⚠️ Security: Required in production. Reads from AUTH_SECRET or NEXTAUTH_SECRET.

Example

process.env.AUTH_SECRET

session?

optional session: SessionOptions;

Session strategy and timing controls.

Default

strategy: adapter ? 'database' : 'jwt', maxAge: 2592000, updateAge: 86400

upstream?

optional upstream: UpstreamOptions;

Forward all auth routes to another Robo instance.

Default

cookieName: "authjs.session-token"; sessionStrategy falls back to local strategy when omitted

url?

optional url: string;

Canonical app URL used by Auth.js in redirects.
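
The security notes and defaults above can be checked before deployment. The following is an added example, not code from @robojs/auth: the `AuthOptionsSubset` type, `resolveSession` and `auditAuthOptions` are hypothetical names that mirror fields documented on this page. It assumes `NODE_ENV === 'production'` marks a production deployment and that an explicit `secret` option is considered before the two environment variables.

```typescript
// Added example: a local mirror of fields documented on this page, not imported from @robojs/auth.
interface AuthOptionsSubset {
  adapter?: unknown
  allowDangerousEmailAccountLinking?: boolean
  debug?: boolean
  secret?: string
  session?: { strategy?: 'jwt' | 'database'; maxAge?: number; updateAge?: number }
}
interface Finding { level: 'error' | 'warn'; field: string; message: string }
type Env = Record<string, string | undefined>

// Apply the session defaults listed under "Notable defaults".
function resolveSession(opts: AuthOptionsSubset): { strategy: string; maxAge: number; updateAge: number } {
  return {
    strategy: opts.session?.strategy ?? (opts.adapter ? 'database' : 'jwt'),
    maxAge: opts.session?.maxAge ?? 2592000,
    updateAge: opts.session?.updateAge ?? 86400
  }
}

// Hypothetical pre-deploy audit. Assumptions: NODE_ENV === 'production' marks production,
// and an explicit `secret` option is considered before the two environment variables.
function auditAuthOptions(opts: AuthOptionsSubset, env: Env): Finding[] {
  const findings: Finding[] = []
  const production = env.NODE_ENV === 'production'
  const secret = opts.secret || env.AUTH_SECRET || env.NEXTAUTH_SECRET
  if (!secret) {
    findings.push({ level: production ? 'error' : 'warn', field: 'secret',
      message: 'No secret option, AUTH_SECRET or NEXTAUTH_SECRET; required in production.' })
  }
  if (opts.allowDangerousEmailAccountLinking === true) {
    findings.push({ level: 'warn', field: 'allowDangerousEmailAccountLinking',
      message: 'Accounts are linked by email; every provider must verify email ownership.' })
  }
  if (opts.debug === true && production) {
    findings.push({ level: 'warn', field: 'debug',
      message: 'Verbose Auth.js debug logging is enabled in production.' })
  }
  if (resolveSession(opts).strategy === 'database' && !opts.adapter) {
    findings.push({ level: 'error', field: 'session.strategy',
      message: "Strategy 'database' is set but no adapter is configured." })
  }
  return findings
}

// Constructed sample: risky settings in a production environment with no secret available.
const sampleFindings: Finding[] = auditAuthOptions(
  { allowDangerousEmailAccountLinking: true, debug: true }, { NODE_ENV: 'production' })
```

Treat `error` findings as a failed deployment gate and `warn` findings as items that need an explicit sign-off.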