Auth-Gated proxy.ts in Next.js 16

proxy.ts in Next.js 16 replaces the old middleware.ts and runs on the Node.js runtime instead of the Edge. This snippet shows the canonical auth gate pattern: a fast cookie check that redirects unauthenticated users away from protected routes before any rendering happens.

Tested on Next.js 16.0+, Node 24 LTS.

When to Use This

• Gating an entire /dashboard or /admin section behind a session check
• Redirecting logged-out users to /sign-in with a return-to URL
• Forcing a tenant-slug check on multi-tenant routes
• Adding a security header layer in front of authenticated routes

Don't use this when you need fine-grained per-resource authorization (do that in the layout or route handler) or when the protected paths are too few to justify a proxy at all (use auth() directly in the layout).

Code

// proxy.ts (project root, next to app/)
import { NextResponse, type NextRequest } from 'next/server';
 
const PROTECTED_PREFIXES = ['/dashboard', '/admin', '/account'];
const SESSION_COOKIE = 'session-token';
 
export function proxy(request: NextRequest) {
  const { pathname, search } = request.nextUrl;
 
  const isProtected = PROTECTED_PREFIXES.some((p) =>
    pathname === p || pathname.startsWith(`${p}/`)
  );
 
  if (!isProtected) {
    return NextResponse.next();
  }
 
  const session = request.cookies.get(SESSION_COOKIE)?.value;
  if (!session) {
    const signInUrl = new URL('/sign-in', request.url);
    signInUrl.searchParams.set('returnTo', `${pathname}${search}`);
    return NextResponse.redirect(signInUrl);
  }
 
  return NextResponse.next();
}
 
export const config = {
  matcher: [
    // Run on every path except static files and Next internals
    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
  ],
};

The matcher regex excludes static assets so the proxy doesn't run on every image request. The returnTo query param survives the redirect so your sign-in page can bounce the user back after login.

Usage

In your /sign-in page, read the returnTo and bounce after successful auth:

// app/sign-in/page.tsx
import { redirect } from 'next/navigation';
import { signInAction } from './actions';
 
export default async function SignInPage({
  searchParams,
}: {
  searchParams: Promise<{ returnTo?: string }>;
}) {
  const { returnTo } = await searchParams;
 
  async function handleSignIn(formData: FormData) {
    'use server';
    const ok = await signInAction(formData);
    if (ok) redirect(returnTo || '/dashboard');
  }
 
  return <form action={handleSignIn}>{/* ... */}</form>;
}

Caveats

• proxy.ts lives at the project root, not inside app/. Same level as next.config.ts. If you use src/, place it at src/proxy.ts.
• The cookie check is coarse on purpose. It only checks existence, not validity. Validate the token in your layout or server action before trusting it.
• Don't hit the database in proxy.ts. Even on Node.js runtime, this code runs on every request — keep it O(1). Save DB calls for layouts.
• The matcher excludes patterns are critical. Without them, the proxy runs on every static asset, which adds latency to images and CSS.
• Set the cookie as httpOnly and Secure everywhere. A cookie readable by JS defeats the purpose of this entire pattern.

Related Snippets & Reading

• Geo-Based Redirects in proxy.ts(coming soon) — another proxy.ts pattern, different use case
• Server Action with Zod Validation(coming soon) — for the sign-in form itself
• Goodbye middleware.ts, Hello proxy.ts — the deep dive on why Next.js made this change