Ship auth that feels effortless.
Kleis is an OIDC provider and a Next.js SDK built for the modern web. PKCE, HTTP-only cookies, and Edge-ready middleware, without the bloat.
$ pnpm add @kleis-auth/nextjs
# Initializing session management...
# Setting up PKCE handshake...
✔ Auth ready in 1.4s
Stop fighting your auth and start shipping features.
The Traditional Way
- Complex OIDC configurations that take weeks to debug.
- Insecure localStorage patterns for session storage.
- Massive dependencies that bloat your bundle size.
The Kleis Way
- Zero-config setup with sane, secure defaults.
- HTTP-only cookies for maximum security.
- Lightweight: Only jose and zod under the hood.
Everything you need.
A complete auth suite designed for the Next.js ecosystem.
Standards Compliant
Full OpenID Connect (OIDC) support with Discovery and JWKS endpoints.
Edge Ready
Middleware and session logic built to run on the Edge without Node.js APIs.
BYO Database
Use Prisma, Mongoose, or raw SQL. Kleis doesn't care where you store users.
PKCE Handshake
The most secure OAuth flow for single-page applications by default.
Type Safe
End-to-end TypeScript support for sessions, users, and configuration.
Minimal Footprint
Less than 10kb gzipped. No heavy client-side bundles or hidden costs.
Built for the Next.js App Router.
Kleis splits into two parts: A robust OIDC Identity Provider and a Next.js SDK. Your app stays lean while we handle the heavy lifting of security.
User Initiates
User clicks login and is redirected to the Kleis IdP via PKCE.
Secure Callback
IdP validates and sends auth code back to your SDK handler.
Session Issued
SDK exchanges code for tokens and sets an HTTP-only cookie.
YOUR APP: Next.js + Kleis SDK
KLEIS IDP: Auth Server
SECURE SESSION: HTTP-only + AES-256
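The PKCE binding behind the three steps above, shown from both sides as an added example (not Kleis's own code): the client derives an S256 challenge from a one-time verifier, and the IdP releases tokens only to a caller that presents the matching verifier with the authorization code. The function names, the in-memory store and the choice to burn a code after a failed attempt are assumptions; it uses node:crypto so it runs synchronously offline, where an Edge runtime would use Web Crypto.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636 S256: challenge = BASE64URL(SHA-256(ASCII(code_verifier))), unpadded.
function s256Challenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Client side (the SDK's role): a fresh high-entropy verifier per login attempt.
function newVerifier(): string {
  return randomBytes(32).toString("base64url"); // 43 chars, unreserved set only
}

// IdP side: what the server remembers for each authorization code it issues.
interface PendingCode { challenge: string; used: boolean }
const pending = new Map<string, PendingCode>(); // hypothetical in-memory store

function issueCode(challenge: string, method: string): string {
  if (method !== "S256") throw new Error("only S256 is accepted"); // no "plain"
  const code = randomBytes(16).toString("hex");
  pending.set(code, { challenge, used: false });
  return code;
}

// Token endpoint check: the code is single-use and bound to the verifier.
function redeemCode(code: string, verifier: string): boolean {
  const entry = pending.get(code);
  if (!entry || entry.used) return false;
  entry.used = true; // assumption: burn the code even when verification fails
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) return false;
  const got = Buffer.from(s256Challenge(verifier));
  const want = Buffer.from(entry.challenge);
  return got.length === want.length && timingSafeEqual(got, want);
}
```

A code captured from the redirect is useless on its own: without the verifier that never left the client, `redeemCode` returns false.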
Up and running in minutes.
Get Kleis running in your Next.js project by following these three essential steps.
Env variables
Add these to your .env.local.
NEXT_PUBLIC_KLEIS_URL=http://localhost:4000
NEXT_PUBLIC_APP_URL=http://localhost:3000
KLEIS_CLIENT_ID=your_client_id
KLEIS_CLIENT_SECRET=your_client_secret
KLEIS_SECRET=your_session_encryption_secret
Route handler
Handle the OIDC callback at api/auth/[...kleis]/route.ts.
import { handleAuth } from "@kleis-auth/nextjs/server";

// Catch-all route: every request under /api/auth/ reaches this handler.
const handler = handleAuth({
  scopes: ["openid", "profile", "email"],
});

export { handler as GET, handler as POST };
Middleware
Protect your routes globally using authMiddleware.
import { authMiddleware } from "@kleis-auth/nextjs/server";

export default authMiddleware({
  publicRoutes: ["/"],
});

// Run on every path except static files (anything with a dot) and _next internals.
export const config = {
  matcher: ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"],
};
Common Questions
Is Kleis production ready?
Kleis is currently in v1.0.0-beta. It implements OIDC standards and uses industry-standard libraries like `jose`. We recommend it for small-to-medium projects while we stabilize.
Why not just use NextAuth?
NextAuth is great but can be heavy. Kleis is designed to be lightweight, edge-compatible, and focused purely on the OIDC + PKCE flow with HTTP-only cookies.
Can I use my own UI for login?
Yes! Kleis is an OIDC provider. You can build your own login and registration pages and simply point Kleis to them.
What databases are supported?
Kleis IdP uses Prisma by default, meaning you can use PostgreSQL, MySQL, SQLite, or MongoDB. The SDK is database agnostic.