Skip to content

feat: allow initializing AuthKit with secrets from outside process.env #448

Description

@ShooTeX

Problem

AuthKit for Next.js currently requires all secrets (WORKOS_API_KEY, WORKOS_CLIENT_ID, WORKOS_COOKIE_PASSWORD, etc.) to be provided as environment variables. This is limiting for:

  • Applications that pull secrets from a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, GCP Secret Manager, etc.)
  • Environments where secrets aren't available in process.env at startup
  • Serverless runtimes that inject secrets outside the process environment

Proposed Solution

Export an initAuthKit(config) function that accepts configuration values programmatically. Values set via initAuthKit take precedence over environment variables; missing keys fall back to the corresponding env var. This means existing deployments that rely on env vars work without any changes.

import { initAuthKit } from '@workos-inc/authkit-nextjs';

initAuthKit({
  apiKey: await secrets.get('WORKOS_API_KEY'),
  clientId: await secrets.get('WORKOS_CLIENT_ID'),
  cookiePassword: await secrets.get('WORKOS_COOKIE_PASSWORD'),
  redirectUri: 'https://myapp.com/callback',
});

initAuthKit should be called before any other AuthKit function. Successive calls are merged, so groups of settings can be set independently.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions