Auth.js vs Lucia for Solo Developers
Comparing Auth.js (NextAuth) and Lucia for solo developers, with a 2026 update covering Lucia's deprecation and Auth.js moving to security-only maintenance under Better Auth.
Quick Comparison
| Feature | Auth.js (NextAuth) | Lucia |
|---|---|---|
| Type | Auth library with 80+ providers | Session library (now a learning resource) |
| Latest version | next-auth 4.24.14 (Apr 2026), v5 still beta | 3.2.2 (Oct 2024), npm package deprecated |
| Pricing | Free / Open Source (MIT) | Free / Open Source (MIT) |
| GitHub stars | 28,259 | 10,466 |
| npm weekly downloads | 4.24M (next-auth) + 3.09M (@auth/core) | 203K (and shrinking) |
| Maintenance status | Security patches only, now run by Better Auth | Deprecated, no active development |
| Learning Curve | Moderate | Moderate |
| Best For | Existing Next.js apps already on it | Reading the source to learn auth, not shipping |
| Solo Dev Rating | 6/10 (legacy, not for new builds) | 4/10 (deprecated) |
Update for 2026: Read This First
This comparison was written in early 2026, and the ground has shifted hard under both libraries since then. If you are starting a new project today, the honest answer is that this is no longer really a live matchup. Here is what happened.
Lucia v3 was deprecated by its maintainer in March 2025. The npm lucia package now carries an official deprecation notice, and the project has been reframed as a learning resource for implementing sessions from scratch rather than a library you install. The homepage now says Lucia is "an open source project to provide resources on implementing authentication using JavaScript and TypeScript." The last code push to the repository was July 2025.
Auth.js had its own upheaval. Its lead maintainer stepped back in January 2025, and on September 22, 2025 the project announced it is now part of Better Auth. Auth.js / NextAuth is in security-patch-only maintenance mode. The official guidance from the new stewards is blunt: "we strongly recommend new projects to start with Better Auth unless there are some very specific feature gaps."
So the practical 2026 read is this. If you already run one of these in production, you are fine. Both keep working, and Auth.js still gets security fixes. But for a new build, the modern answer most people land on is Better Auth (the project that absorbed Auth.js, now at 28,487 GitHub stars and roughly 3.08M weekly npm downloads). The rest of this article stands as an honest record of how the two stacked up, and the trade-offs it describes are still useful for understanding what good auth ownership looks like.
Auth.js Overview
Auth.js (formerly NextAuth.js) is the most popular open-source authentication library for Next.js, now expanding to support SvelteKit, Express, and other frameworks. It handles OAuth with 80+ providers, JWT and database sessions, email magic links, and credentials-based login.
The main appeal is that it's free and you own everything. No monthly fees, no MAU limits, no vendor to depend on. Auth.js runs in your application, stores sessions in your database (or as JWTs), and gives you full control over the auth flow.
I've used NextAuth in several Next.js projects. Getting Google and GitHub OAuth working takes about an hour with the documentation. The callback system lets you customize tokens, sessions, and sign-in behavior. But I'll be honest: the configuration can be frustrating. The docs have improved, but edge cases and version migration paths still trip people up.
Lucia Overview
Lucia is a lightweight auth library focused on session management. Unlike Auth.js, which tries to handle everything (OAuth, sessions, database adapters, JWT), Lucia takes a minimal approach. It manages sessions and provides helpers for password hashing, but leaves OAuth and the rest to you.
The philosophy is explicit: Lucia gives you building blocks, not a complete solution. You implement OAuth flows yourself (using libraries like arctic for OAuth providers), hash passwords with Lucia's utilities, and create sessions through Lucia's API. Every piece is visible and under your control.
Lucia works with any JavaScript framework: Next.js, SvelteKit, Astro, Express, Hono, and more. It also provides database adapters for Prisma, Drizzle, PostgreSQL, MySQL, SQLite, and MongoDB. The TypeScript support is excellent, with strong type inference throughout.
Key Differences
Scope and philosophy. Auth.js is a complete auth solution. Configure providers, set up callbacks, and it handles the OAuth flow, session creation, and token management end to end. Lucia is a session management library. You build the auth flows yourself using Lucia for the session layer. Auth.js gives you more out of the box. Lucia gives you more control.
OAuth handling. Auth.js has built-in support for 80+ OAuth providers. Add a provider to your config and the login flow works. Lucia doesn't handle OAuth directly. You use a companion library like arctic to implement OAuth flows, then create Lucia sessions from the result. Auth.js is faster for adding social logins. Lucia requires more code but gives you full visibility into the flow.
Configuration complexity. Auth.js has a reputation for confusing configuration, especially around callbacks, session strategies, and database adapters. The v5 rewrite improved things, but debugging auth issues still involves digging through callback chains. Lucia's configuration is simpler because there's less to configure. Sessions have clear creation and validation APIs.
Framework support. Auth.js started as NextAuth and expanded to other frameworks, but the Next.js integration is still the most polished. SvelteKit and Express support exists but feels secondary. Lucia is framework-agnostic by design. The session API works identically across frameworks, and the documentation covers each one equally.
Documentation quality. Lucia's documentation is notably clean and well-organized. The guides walk through complete implementations with clear code examples. Auth.js documentation has improved significantly with v5 but still has gaps, especially for non-Next.js frameworks. If documentation quality matters to you, Lucia has the edge.
Maintenance and community. Auth.js has a larger community with more Stack Overflow answers, GitHub discussions, and blog posts. Lucia has a smaller but dedicated community. Both projects are actively maintained. Auth.js benefits from more real-world usage, which means edge cases are more likely to be documented.
Migration risk. Auth.js has had breaking changes between major versions (v3 to v4, v4 to v5) that required significant migration work. Lucia's API has been more stable, though as a newer library it's had fewer major versions. If you've been burned by NextAuth migrations, Lucia's stability is appealing.
By the Numbers (2026)
The raw figures tell the same story as the prose, and they tell it fast. All numbers below were checked on 2026-05-28.
Auth.js (NextAuth)
- Latest stable:
next-auth4.24.14, published 2026-04-14. The long-promised v5 is still on thebetadist-tag (5.0.0-beta.31), and v5 ships as the@auth/corefamily, latest 0.41.2. - Pricing: free, MIT-licensed, fully self-hosted. No monthly fee, no monthly-active-user cap, no vendor.
- GitHub: 28,259 stars, 4,043 forks, 587 open issues. Primary language TypeScript.
- npm weekly downloads: 4.24M for
next-auth, plus 3.09M for@auth/core. This is still one of the most-installed auth packages in the ecosystem. - Status: maintained for security only, under the Better Auth umbrella since September 2025.
Lucia
- Latest stable:
lucia3.2.2, published 2024-10-20. The npm package is flagged deprecated. There is no v4 on npm. - Pricing: free, MIT-licensed. Same ownership model as Auth.js when it was live.
- GitHub: 10,466 stars, 525 forks, 23 open issues. Last push July 2025.
- npm weekly downloads: about 203K, trending down as projects migrate off it.
- Companion library
arctic(the OAuth client the Lucia author still maintains for roll-your-own flows) sits at 1,700 stars and roughly 593K weekly downloads, which tells you most of Lucia's old audience now wires OAuth by hand. - Status: deprecated, no active development, repositioned as documentation.
The download gap is the part worth sitting with. Auth.js still moves millions of installs a week even in maintenance mode, while Lucia is a fraction of that and falling. For a solo dev, install volume is a proxy for how many Stack Overflow answers and blog posts exist when you hit a wall at 11pm.
When to Choose Auth.js
- You're building with Next.js and want the most popular auth library
- You need OAuth with many providers and want pre-built integrations
- You prefer a more complete solution that handles the full auth flow
- Community size and available resources matter for troubleshooting
- You want social logins working quickly with minimal custom code
When to Choose Lucia
- You want full control over every part of the auth flow
- Clean, well-documented API matters more than convenience
- You're using a framework other than Next.js (SvelteKit, Astro, Hono)
- You've been frustrated by Auth.js configuration complexity
- You want a lightweight library that does one thing well (sessions)
Which One Ships Faster for a Solo Dev
Both are free, so the real cost is your time, and time is where the numbers actually bite. Here is a grounded framework for picking, given where each project sits in 2026.
Start with maintenance status, because it overrides everything. Lucia is deprecated and its npm package says so out loud. Building a new app on a deprecated dependency means you inherit a codebase no one is fixing. Auth.js is in security-only mode, which is a softer landing: it still ships fixes and still pulls millions of weekly installs, so it will keep working. For a solo dev who cannot afford to babysit infrastructure, "still patched" beats "frozen" every time.
Then weigh the support surface. Auth.js carries 28,259 stars and roughly 7.3M combined weekly downloads across next-auth and @auth/core. Lucia has 10,466 stars and about 203K weekly downloads, dropping. When you are stuck at midnight, the bigger install base is the thing that has already answered your question on Stack Overflow. That advantage compounds the more obscure your edge case is.
Factor in how much you want to build yourself. Lucia was always the "bring your own OAuth" option, which is why its companion library arctic (about 593K weekly downloads) outpaces Lucia itself now. Choosing Lucia today effectively means choosing to hand-roll the auth flow with arctic plus the official from-scratch guide. That is a real, defensible path if you want to deeply understand sessions, but it is slower to ship than dropping in a provider config.
The fastest-to-ship answer for a brand new project is neither. The team that now runs Auth.js points new builds at Better Auth (28,487 stars, around 3.08M weekly downloads, current version 1.6.11). If your goal is to get sign-in working this weekend and not revisit it, that is the path with the most momentum behind it. If you are extending an app already on Auth.js, stay put; the migration is not free either.
The Verdict
Both libraries are free, open-source, and give you full ownership of your auth data. The choice comes down to how much you want handled for you versus how much control you want.
Auth.js is the pragmatic choice for Next.js projects that need OAuth quickly. The 80+ provider integrations save real development time. Accept the configuration complexity as the cost of convenience.
Lucia is the purist choice for developers who want to understand and control every part of authentication. The lightweight API is a joy to work with once you accept that you're building more of the flow yourself.
My recommendation: if you just need "sign in with Google/GitHub" in a Next.js app, Auth.js gets you there faster. If you want clean, understandable auth code that you fully control across any framework, Lucia is the better foundation. And honestly, if auth feels like too much work either way, consider a managed service like Clerk or Supabase Auth instead.
One closing caveat now that you have read the 2026 update at the top: that recommendation was written for the world as it stood in early 2026. With Lucia deprecated and Auth.js frozen to security patches, a new project is better served by Better Auth (the successor the Auth.js team itself points to) or a managed service. The principle holds; the specific pick has moved on.
Sources
All figures checked on 2026-05-28.
- next-auth GitHub repository (stars, forks, open issues, last push): https://github.com/nextauthjs/next-auth
- Lucia GitHub repository (stars, forks, last push): https://github.com/lucia-auth/lucia
- arctic GitHub repository: https://github.com/pilcrowOnPaper/arctic
- Better Auth GitHub repository: https://github.com/better-auth/better-auth
- next-auth version (npm registry): https://registry.npmjs.org/next-auth/latest
- @auth/core version (npm registry): https://registry.npmjs.org/@auth/core/latest
- lucia version and deprecation flag (npm registry): https://registry.npmjs.org/lucia/latest
- better-auth version (npm registry): https://registry.npmjs.org/better-auth/latest
- next-auth weekly downloads (npm API): https://api.npmjs.org/downloads/point/last-week/next-auth
- lucia weekly downloads (npm API): https://api.npmjs.org/downloads/point/last-week/lucia
- arctic weekly downloads (npm API): https://api.npmjs.org/downloads/point/last-week/arctic
- better-auth weekly downloads (npm API): https://api.npmjs.org/downloads/point/last-week/better-auth
- Lucia v3 deprecation and learning-resource reframe: https://lucia-auth.com/lucia-v3/migrate
- Auth.js v5 still in beta, migration guidance: https://authjs.dev/getting-started/migrating-to-v5
- Auth.js joins Better Auth, maintenance mode, new-project recommendation: https://better-auth.com/blog/authjs-joins-better-auth
- Auth.js project announcement discussion: https://github.com/nextauthjs/next-auth/discussions/13252
Like this? You'll like what I'm building too.
Two ways to support and get more of this work.
HEARTH
A privacy-first Life OS for your desktop. Journal, tasks, and notes that stay on your machine. Coming soon, direct download from this site.
Read moreMY TOOLKITS
Receipts-first toolkits for shipping after hours, building Claude agents, publishing on Amazon, and more. The exact methods I used, not theory.
Browse on WhopRelated Articles
Angular vs HTMX for Solo Developers
Comparing Angular and HTMX for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs Qwik for Solo Developers
Comparing Angular and Qwik for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.
Angular vs SolidJS for Solo Developers
Comparing Angular and SolidJS for solo developers. Features, pricing, pros and cons, and which one to pick for your next project.