Kleis
SHIPPING V1.0.0

Ship auth that feels effortless.

Kleis is an OIDC provider and a Next.js SDK built for the modern web. PKCE, HTTP-only cookies, full SSO, and Edge-ready middleware - without the bloat.

Terminal
$ pnpm add @kleis-auth/nextjs
# Initializing session management...
# Setting up PKCE handshake...
✔ Auth ready in 1.4s

THE PROBLEM

Stop fighting your auth and start shipping features.

The Traditional Way

  • Complex OIDC configurations that take weeks to debug.
  • Insecure localStorage patterns for session storage.
  • Massive dependencies that bloat your bundle size.

RECOMMENDED

The Kleis Way

  • Zero-config setup with sane, secure defaults.
  • HTTP-only cookies for maximum security.
  • Lightweight: Only jose and zod under the hood.

Everything you need.

A complete auth suite designed for the Next.js ecosystem and beyond.

Standards Compliant

Full OpenID Connect (OIDC) support with Discovery and JWKS endpoints. Full SSO across all your apps.

Edge Ready

Middleware and session logic built to run on the Edge without Node.js APIs.

BYO Database

Use Prisma, Mongoose, or raw SQL. Kleis doesn't care where you store users.

PKCE Handshake

The most secure OAuth flow for single-page applications by default.

Type Safe

End-to-end TypeScript support for sessions, users, and configuration.

Language Agnostic

Use the IdP manually via standard OIDC APIs with any language, framework, or HTTP client.

ARCHITECTURE

Built for the Next.js App Router.

Kleis splits into two parts: a robust OIDC Identity Provider and a Next.js SDK. Your app stays lean while we handle the heavy lifting of security. Log in once - every registered app gets SSO for free.

1. User Initiates

The user clicks login and is redirected to the Kleis IdP via PKCE.

2. Secure Callback

The IdP validates and sends the auth code back to your SDK handler.

3. Session Issued

The SDK exchanges the code for tokens and sets an HTTP-only cookie.

[Diagram: Your app (Next.js + Kleis SDK) and the Kleis IdP (auth server), connected by the secure PKCE handshake layer. Secure session: HTTP-only + AES-256.]

QUICKSTART GUIDE

Up and running in minutes.

Get Kleis running in your Next.js project by following these three essential steps.

1. Env variables

Add these to your .env.local.

NEXT_PUBLIC_KLEIS_URL=https://auth.atharvdangedev.in
NEXT_PUBLIC_APP_URL=http://localhost:3000
KLEIS_CLIENT_ID=your_client_id
KLEIS_CLIENT_SECRET=your_client_secret
KLEIS_SECRET=your_session_encryption_secret

2. Route handler

Handle the OIDC callback at api/auth/[...kleis]/route.ts.

import { handleAuth } from "@kleis-auth/nextjs/server";

const handler = handleAuth({
  scopes: ["openid", "profile", "email"],
});

export { handler as GET, handler as POST };

3. Middleware

Protect your routes globally using authMiddleware.

import { authMiddleware } from "@kleis-auth/nextjs/server";

export default authMiddleware({
  publicRoutes: ["/"],
});

export const config = {
  matcher: ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"],
};
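
The matcher above decides which requests reach authMiddleware at all. As an added example (not part of the Kleis SDK or the original quickstart), this TypeScript audits constructed sample paths against those three patterns. It assumes each pattern can be approximated as an anchored regular expression; Next.js itself compiles matchers with path-to-regexp.

```typescript
// Matcher patterns copied from the quickstart's middleware config.
const matcher: string[] = ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"];

// Assumption: each pattern is treated as an anchored regular expression.
// Next.js compiles matchers with path-to-regexp, so this is an approximation
// that fits these three patterns but not named params such as /:id.
function compile(patterns: string[]): RegExp[] {
  return patterns.map((p) => new RegExp("^" + p + "$"));
}

// True when at least one pattern matches, i.e. the middleware would run.
function middlewareRuns(pathname: string, compiled: RegExp[]): boolean {
  return compiled.some((re) => re.test(pathname));
}

// Split a list of paths into those the middleware sees and those it never sees.
function auditPaths(paths: string[]): { covered: string[]; skipped: string[] } {
  const compiled = compile(matcher);
  const covered: string[] = [];
  const skipped: string[] = [];
  for (const p of paths) {
    (middlewareRuns(p, compiled) ? covered : skipped).push(p);
  }
  return { covered, skipped };
}

// Constructed sample paths for illustration (not from the page).
const samplePaths: string[] = [
  "/",
  "/dashboard",
  "/api/users",
  "/api/export.csv",        // dot, but rescued by the /(api|trpc)(.*) pattern
  "/_next/static/chunk.js", // framework asset, intentionally skipped
  "/favicon.ico",           // static file, intentionally skipped
  "/reports/q1.pdf",        // page route with a dot: middleware never runs
  "/users/jane.doe",        // dynamic segment with a dot: middleware never runs
];

const report = auditPaths(samplePaths);
console.log("middleware runs on:", report.covered);
console.log("middleware skipped:", report.skipped);
```

With this matcher, any path outside /api and /trpc that contains a dot never invokes the middleware, so a dynamic route that can carry a dot needs its own matcher entry or a session check inside the handler.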

Common Questions

Is Kleis production ready?

Kleis is currently in v1.0.0. It implements OIDC standards and uses industry-standard libraries like `jose`. We recommend it for small-to-medium projects while we stabilize.

Why not just use NextAuth?

NextAuth is great but can be heavy. Kleis is designed to be lightweight, edge-compatible, and focused purely on the OIDC + PKCE flow with HTTP-only cookies.

Can I use my own UI for login?

Yes! Kleis is an OIDC provider. You can build your own login and registration pages and simply point Kleis to them.

What databases are supported?

Kleis IdP uses Prisma by default, meaning you can use PostgreSQL, MySQL, SQLite, or MongoDB. The SDK is database agnostic.

Can I use Kleis without Next.js?

Absolutely. While we provide a high-level SDK for Next.js, the Kleis Identity Provider is a standalone OIDC server. You can integrate it with any application using standard OIDC libraries or raw HTTP calls to our endpoints.

Ready to ship?

Join developers building secure, lightweight applications with Kleis. Open source, standards compliant, and free to start.