Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

hussein_97's avatar

Best Authentication Method for Laravel and Next.js (SSR) with Server-Side Requests

I’m building an e-commerce website using Laravel (backend API) and Next.js (Server-Side Rendering - SSR). The challenge I’m facing is handling authentication and session synchronization between Laravel and the Next.js server, given that Next.js (SSR) cannot directly access browser cookies since requests are made from the server. I’ve explored multiple authentication strategies, but I’m unsure which is the best approach for seamless authentication and session management. Here are my options:

Approach 1: Laravel Session-Based Auth + NextAuth.js with JWT Session Laravel uses session-based authentication (via Laravel’s session). On the Next.js server, I use NextAuth.js to create a session based on the Laravel session (JWT option as recommended by NextAuth.js). To fetch data and submit forms from Next.js (server-side), I first need to: Send a GET request to Laravel to retrieve the CSRF token and session ID. Manually merge the session ID and CSRF token in the request headers for authenticated routes. 👉 Concerns: Is manually handling CSRF and session merging the best practice?

Approach 2: Laravel Sanctum Token (Cookies) + NextAuth.js JWT Session Laravel uses cookie-based authentication with Sanctum. Next.js uses NextAuth.js to create a session based on the Laravel token. The Laravel Sanctum token and user data will be added to NextAuth.js JWT Session. To fetch and submit data from Next.js (server-side), I get the Laravel token from JWT and send it with requests. 👉 Challenges: How do I synchronize authentication between Laravel’s session-based authentication and NextAuth.js JWT? If a user logs out in Laravel, how do I invalidate the session in NextAuth.js?

Approach 3: Laravel JWT Authentication + NextAuth.js Session Laravel uses JWT authentication (instead of sessions or cookies). The JWT is passed to the Next.js server, and NextAuth.js creates a session based on it. For each request from the Next.js server, the JWT is sent to Laravel for authentication. 👉 Concerns: I have never used this approach before. Is it possible to securely pass JWT between Laravel and NextAuth.js while ensuring proper session management? What is the best way to handle token expiration and refresh tokens in this setup?

Key Questions: What is the best authentication method for my Laravel + Next.js SSR setup? How can I securely sync authentication between Laravel (backend) and the Next.js server? Is there an optimal way to handle session persistence and token expiration in this case? I’d appreciate any guidance, best practices, or real-world experiences from those who have tackled this challenge before! 🚀

1 like
1 reply
vincent15000's avatar

Some errors in your post : SSR is not for Server-Side Requests, but for Server-Side Rendering. The requests are always sent by the frontend to the backend and are always handled server side.

Furthermore the authentication is totally independant from SSR or no SSR.

I don't think that there is a best way to authenticate, it depends on your needs. I use Fortify.

Please or to participate in this conversation.