/ tool-comparisons / Auth.js vs Lucia for Solo Developers
tool-comparisons 11 min read

Auth.js vs Lucia for Solo Developers

Comparing Auth.js (NextAuth) and Lucia for solo developers, with a 2026 update covering Lucia's deprecation and Auth.js moving to security-only maintenance under Better Auth.

Hero image for Auth.js vs Lucia for Solo Developers

Quick Comparison

Feature Auth.js (NextAuth) Lucia
Type Auth library with 80+ providers Session library (now a learning resource)
Latest version next-auth 4.24.14 (Apr 2026), v5 still beta 3.2.2 (Oct 2024), npm package deprecated
Pricing Free / Open Source (MIT) Free / Open Source (MIT)
GitHub stars 28,259 10,466
npm weekly downloads 4.24M (next-auth) + 3.09M (@auth/core) 203K (and shrinking)
Maintenance status Security patches only, now run by Better Auth Deprecated, no active development
Learning Curve Moderate Moderate
Best For Existing Next.js apps already on it Reading the source to learn auth, not shipping
Solo Dev Rating 6/10 (legacy, not for new builds) 4/10 (deprecated)

Update for 2026: Read This First

This comparison was written in early 2026, and the ground has shifted hard under both libraries since then. If you are starting a new project today, the honest answer is that this is no longer really a live matchup. Here is what happened.

Lucia v3 was deprecated by its maintainer in March 2025. The npm lucia package now carries an official deprecation notice, and the project has been reframed as a learning resource for implementing sessions from scratch rather than a library you install. The homepage now says Lucia is "an open source project to provide resources on implementing authentication using JavaScript and TypeScript." The last code push to the repository was July 2025.

Auth.js had its own upheaval. Its lead maintainer stepped back in January 2025, and on September 22, 2025 the project announced it is now part of Better Auth. Auth.js / NextAuth is in security-patch-only maintenance mode. The official guidance from the new stewards is blunt: "we strongly recommend new projects to start with Better Auth unless there are some very specific feature gaps."

So the practical 2026 read is this. If you already run one of these in production, you are fine. Both keep working, and Auth.js still gets security fixes. But for a new build, the modern answer most people land on is Better Auth (the project that absorbed Auth.js, now at 28,487 GitHub stars and roughly 3.08M weekly npm downloads). The rest of this article stands as an honest record of how the two stacked up, and the trade-offs it describes are still useful for understanding what good auth ownership looks like.

Auth.js Overview

Auth.js (formerly NextAuth.js) is the most popular open-source authentication library for Next.js, now expanding to support SvelteKit, Express, and other frameworks. It handles OAuth with 80+ providers, JWT and database sessions, email magic links, and credentials-based login.

The main appeal is that it's free and you own everything. No monthly fees, no MAU limits, no vendor to depend on. Auth.js runs in your application, stores sessions in your database (or as JWTs), and gives you full control over the auth flow.

I've used NextAuth in several Next.js projects. Getting Google and GitHub OAuth working takes about an hour with the documentation. The callback system lets you customize tokens, sessions, and sign-in behavior. But I'll be honest: the configuration can be frustrating. The docs have improved, but edge cases and version migration paths still trip people up.

Lucia Overview

Lucia is a lightweight auth library focused on session management. Unlike Auth.js, which tries to handle everything (OAuth, sessions, database adapters, JWT), Lucia takes a minimal approach. It manages sessions and provides helpers for password hashing, but leaves OAuth and the rest to you.

The philosophy is explicit: Lucia gives you building blocks, not a complete solution. You implement OAuth flows yourself (using libraries like arctic for OAuth providers), hash passwords with Lucia's utilities, and create sessions through Lucia's API. Every piece is visible and under your control.

Lucia works with any JavaScript framework: Next.js, SvelteKit, Astro, Express, Hono, and more. It also provides database adapters for Prisma, Drizzle, PostgreSQL, MySQL, SQLite, and MongoDB. The TypeScript support is excellent, with strong type inference throughout.

Key Differences

Scope and philosophy. Auth.js is a complete auth solution. Configure providers, set up callbacks, and it handles the OAuth flow, session creation, and token management end to end. Lucia is a session management library. You build the auth flows yourself using Lucia for the session layer. Auth.js gives you more out of the box. Lucia gives you more control.

OAuth handling. Auth.js has built-in support for 80+ OAuth providers. Add a provider to your config and the login flow works. Lucia doesn't handle OAuth directly. You use a companion library like arctic to implement OAuth flows, then create Lucia sessions from the result. Auth.js is faster for adding social logins. Lucia requires more code but gives you full visibility into the flow.

Configuration complexity. Auth.js has a reputation for confusing configuration, especially around callbacks, session strategies, and database adapters. The v5 rewrite improved things, but debugging auth issues still involves digging through callback chains. Lucia's configuration is simpler because there's less to configure. Sessions have clear creation and validation APIs.

Framework support. Auth.js started as NextAuth and expanded to other frameworks, but the Next.js integration is still the most polished. SvelteKit and Express support exists but feels secondary. Lucia is framework-agnostic by design. The session API works identically across frameworks, and the documentation covers each one equally.

Documentation quality. Lucia's documentation is notably clean and well-organized. The guides walk through complete implementations with clear code examples. Auth.js documentation has improved significantly with v5 but still has gaps, especially for non-Next.js frameworks. If documentation quality matters to you, Lucia has the edge.

Maintenance and community. Auth.js has a larger community with more Stack Overflow answers, GitHub discussions, and blog posts. Lucia has a smaller but dedicated community. Both projects are actively maintained. Auth.js benefits from more real-world usage, which means edge cases are more likely to be documented.

Migration risk. Auth.js has had breaking changes between major versions (v3 to v4, v4 to v5) that required significant migration work. Lucia's API has been more stable, though as a newer library it's had fewer major versions. If you've been burned by NextAuth migrations, Lucia's stability is appealing.

By the Numbers (2026)

The raw figures tell the same story as the prose, and they tell it fast. All numbers below were checked on 2026-05-28.

Auth.js (NextAuth)

  • Latest stable: next-auth 4.24.14, published 2026-04-14. The long-promised v5 is still on the beta dist-tag (5.0.0-beta.31), and v5 ships as the @auth/core family, latest 0.41.2.
  • Pricing: free, MIT-licensed, fully self-hosted. No monthly fee, no monthly-active-user cap, no vendor.
  • GitHub: 28,259 stars, 4,043 forks, 587 open issues. Primary language TypeScript.
  • npm weekly downloads: 4.24M for next-auth, plus 3.09M for @auth/core. This is still one of the most-installed auth packages in the ecosystem.
  • Status: maintained for security only, under the Better Auth umbrella since September 2025.

Lucia

  • Latest stable: lucia 3.2.2, published 2024-10-20. The npm package is flagged deprecated. There is no v4 on npm.
  • Pricing: free, MIT-licensed. Same ownership model as Auth.js when it was live.
  • GitHub: 10,466 stars, 525 forks, 23 open issues. Last push July 2025.
  • npm weekly downloads: about 203K, trending down as projects migrate off it.
  • Companion library arctic (the OAuth client the Lucia author still maintains for roll-your-own flows) sits at 1,700 stars and roughly 593K weekly downloads, which tells you most of Lucia's old audience now wires OAuth by hand.
  • Status: deprecated, no active development, repositioned as documentation.

The download gap is the part worth sitting with. Auth.js still moves millions of installs a week even in maintenance mode, while Lucia is a fraction of that and falling. For a solo dev, install volume is a proxy for how many Stack Overflow answers and blog posts exist when you hit a wall at 11pm.

When to Choose Auth.js

  • You're building with Next.js and want the most popular auth library
  • You need OAuth with many providers and want pre-built integrations
  • You prefer a more complete solution that handles the full auth flow
  • Community size and available resources matter for troubleshooting
  • You want social logins working quickly with minimal custom code

When to Choose Lucia

  • You want full control over every part of the auth flow
  • Clean, well-documented API matters more than convenience
  • You're using a framework other than Next.js (SvelteKit, Astro, Hono)
  • You've been frustrated by Auth.js configuration complexity
  • You want a lightweight library that does one thing well (sessions)

Which One Ships Faster for a Solo Dev

Both are free, so the real cost is your time, and time is where the numbers actually bite. Here is a grounded framework for picking, given where each project sits in 2026.

Start with maintenance status, because it overrides everything. Lucia is deprecated and its npm package says so out loud. Building a new app on a deprecated dependency means you inherit a codebase no one is fixing. Auth.js is in security-only mode, which is a softer landing: it still ships fixes and still pulls millions of weekly installs, so it will keep working. For a solo dev who cannot afford to babysit infrastructure, "still patched" beats "frozen" every time.

Then weigh the support surface. Auth.js carries 28,259 stars and roughly 7.3M combined weekly downloads across next-auth and @auth/core. Lucia has 10,466 stars and about 203K weekly downloads, dropping. When you are stuck at midnight, the bigger install base is the thing that has already answered your question on Stack Overflow. That advantage compounds the more obscure your edge case is.

Factor in how much you want to build yourself. Lucia was always the "bring your own OAuth" option, which is why its companion library arctic (about 593K weekly downloads) outpaces Lucia itself now. Choosing Lucia today effectively means choosing to hand-roll the auth flow with arctic plus the official from-scratch guide. That is a real, defensible path if you want to deeply understand sessions, but it is slower to ship than dropping in a provider config.

The fastest-to-ship answer for a brand new project is neither. The team that now runs Auth.js points new builds at Better Auth (28,487 stars, around 3.08M weekly downloads, current version 1.6.11). If your goal is to get sign-in working this weekend and not revisit it, that is the path with the most momentum behind it. If you are extending an app already on Auth.js, stay put; the migration is not free either.

The Verdict

Both libraries are free, open-source, and give you full ownership of your auth data. The choice comes down to how much you want handled for you versus how much control you want.

Auth.js is the pragmatic choice for Next.js projects that need OAuth quickly. The 80+ provider integrations save real development time. Accept the configuration complexity as the cost of convenience.

Lucia is the purist choice for developers who want to understand and control every part of authentication. The lightweight API is a joy to work with once you accept that you're building more of the flow yourself.

My recommendation: if you just need "sign in with Google/GitHub" in a Next.js app, Auth.js gets you there faster. If you want clean, understandable auth code that you fully control across any framework, Lucia is the better foundation. And honestly, if auth feels like too much work either way, consider a managed service like Clerk or Supabase Auth instead.

One closing caveat now that you have read the 2026 update at the top: that recommendation was written for the world as it stood in early 2026. With Lucia deprecated and Auth.js frozen to security patches, a new project is better served by Better Auth (the successor the Auth.js team itself points to) or a managed service. The principle holds; the specific pick has moved on.

Sources

All figures checked on 2026-05-28.

Built by Kevin

Like this? You'll like what I'm building too.

Two ways to support and get more of this work.

Desktop App

HEARTH

A privacy-first Life OS for your desktop. Journal, tasks, and notes that stay on your machine. Coming soon, direct download from this site.

Read more
Digital Products

MY TOOLKITS

Receipts-first toolkits for shipping after hours, building Claude agents, publishing on Amazon, and more. The exact methods I used, not theory.

Browse on Whop

Need This Built?

Kevin builds products solo, from first version to live. If you want something like this made, work with him.