Authentication
The template uses MailKite for authentication — JWT-based sessions, email/password login, magic links, and OAuth with Google and GitHub.
How it works
Authentication is handled by MailKite's API at https://api.mailkite.dev. When a user signs in, the API returns a JWT which is set as an httpOnly cookie named mk_session. The middleware reads this cookie on every request to determine if the user is authenticated.
Auth Methods
- Email / Password — standard sign-in and sign-up forms
- Magic Link — passwordless login via email (set
MAILKITE_MAGIC_LINK=true) - Google OAuth — requires
GOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRET - GitHub OAuth — requires
GITHUB_CLIENT_IDandGITHUB_CLIENT_SECRET
Protected Routes
Routes under /dashboard are protected by default. Unauthenticated users are redirected to /sign-in.
Configure this in middleware.ts:
import { createAuthMiddleware } from '@/lib/mailkite-auth';
export default createAuthMiddleware({
protectedRoutes: ['/dashboard'],
loginUrl: '/sign-in',
});Session Management
Sessions last 7 days and auto-refresh when within 24 hours of expiry. The session cookie is httpOnly for security — JavaScript cannot read it, protecting against XSS attacks.
Getting API Keys
- Sign up at mailkite.dev
- By default, the
MAILKITE_API_URLpoints to the hosted API - Set
AUTH_SECRETto any secure random string — this signs your JWTs