{"id":45172922,"url":"https://github.com/mbeps/nextjs-authjs","last_synced_at":"2026-02-20T08:32:32.270Z","repository":{"id":329814221,"uuid":"1069405296","full_name":"mbeps/nextjs-authjs","owner":"mbeps","description":"Comprehensive implementation of user authnetication with credentials, OAuth providers, 2FA and email verification using Auth.JS 5 and NextJS (with app directory). ","archived":false,"fork":false,"pushed_at":"2025-12-21T20:39:31.000Z","size":341,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-23T08:52:07.561Z","etag":null,"topics":["2fa","authjs","authjs-v5","credentials","email-verification","full-stack","nextauth","nextjs","oauth2","shadcn-ui","user-authentication","zod","zod-validation"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mbeps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-03T22:09:44.000Z","updated_at":"2025-12-21T20:39:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mbeps/nextjs-authjs","commit_stats":null,"previous_names":["mbeps/nextjs-authjs"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/mbeps/nextjs-authjs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbeps%2Fnextjs-authjs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbeps%2Fnextjs-authjs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbeps%2Fnextjs-authjs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbeps%2Fnextjs-authjs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mbeps","download_url":"https://codeload.github.com/mbeps/nextjs-authjs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbeps%2Fnextjs-authjs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29645864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-20T05:21:04.652Z","status":"ssl_error","status_checked_at":"2026-02-20T05:21:04.238Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","authjs","authjs-v5","credentials","email-verification","full-stack","nextauth","nextjs","oauth2","shadcn-ui","user-authentication","zod","zod-validation"],"created_at":"2026-02-20T08:32:31.663Z","updated_at":"2026-02-20T08:32:32.263Z","avatar_url":"https://github.com/mbeps.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# **Next.js Authentication System with Auth.js v5**\n\nA comprehensive authentication system built with Next.js 15, NextAuth v5, Prisma, and PostgreSQL.\nThis application demonstrates modern authentication patterns including OAuth integration, email verification, two-factor authentication, and role-based access control.\n\nThe application implements a complete authentication flow with support for both OAuth providers (Google and GitHub) and credential-based authentication.\nJWT-based sessions provide stateless authentication whilst Prisma with PostgreSQL ensures persistent storage for users, tokens, and account data.\nEmail verification, password reset, and two-factor authentication are handled through secure token-based flows using Resend for email delivery.\n\n# Features\n\n## OAuth 2.0 Authentication\nThe application provides complete OAuth authentication functionality:\n- Google OAuth 2.0 integration with NextAuth\n- GitHub OAuth 2.0 integration with NextAuth\n- Automatic account linking for OAuth providers\n- Automatic email verification for OAuth users\n- Separate user flow for OAuth vs. credentials authentication\n\n## Credentials Authentication\nEmail and password authentication with security features:\n- Email and password registration with validation\n- Password hashing with bcryptjs (10 salt rounds)\n- Email verification required before first login\n- Account validation against database\n- Prevention of OAuth account conflicts\n\n## Email Verification\nEmail verification system for new accounts:\n- Verification email sent on registration via Resend\n- Single-use verification tokens (UUID v4)\n- Token expiration (1 hour)\n- Automatic verification for OAuth users\n- Re-send verification option during login\n- Token validation on protected verification page\n\n## Password Reset\nSecure password reset functionality:\n- Password reset request via email form\n- Single-use reset tokens sent via email\n- Token expiration (1 hour)\n- New password validation (minimum 8 characters)\n- Automatic token deletion after successful reset\n- Current password verification for password changes\n\n## Two-Factor Authentication (2FA)\nOptional email-based two-factor authentication:\n- 6-digit random code generation\n- Code delivery via email\n- Token expiration (15 minutes)\n- Per-user 2FA toggle in settings\n- Enforced during credential login flow\n- Not available for OAuth users\n\n## Role-Based Access Control (RBAC)\nUser role management and enforcement:\n- Two roles: ADMIN and USER (default)\n- Server-side role validation via server actions\n- Client-side role-based UI hiding with RoleGate component\n- API route protection with role checks\n- Admin-only endpoints returning 403 for non-admins\n- Role changes via settings page\n\n## Session Management\nSecure session handling:\n- JWT-based sessions for stateless authentication\n- Session token stored in httpOnly cookies\n- Automatic session refresh on data changes\n- Extended session data (role, 2FA status, OAuth flag)\n- Callback URL preservation for redirect after login\n- Logout with session cleanup\n\n## Protected Routes\nRoute protection with middleware:\n- Authentication-required routes under `(protected)` group\n- Automatic redirect to login for unauthenticated users\n- Callback URL preservation in redirect\n- Prevention of authenticated users accessing auth pages\n- Public routes accessible without authentication\n- Middleware running on all routes except static assets\n\n## User Profile Management\nProfile settings and updates:\n- Name, email, and password updates\n- Email change with verification flow\n- Current password validation before password change\n- 2FA toggle in settings\n- Role selection (for demonstration)\n- OAuth user restrictions (cannot change email/password/2FA)\n\n## Token Management\nSecure token generation and validation:\n- Verification tokens (UUID v4, 1-hour expiry)\n- Password reset tokens (UUID v4, 1-hour expiry)\n- Two-factor tokens (6-digit number, 15-minute expiry)\n- Automatic deletion of expired tokens\n- Single-use token enforcement\n- Token validation before operations\n\n# Requirements\nThese are the requirements needed to run the project:\n- Node.js 20 or higher\n- PostgreSQL database (local or cloud-hosted like Neon)\n- Google OAuth Application credentials (Client ID and Client Secret)\n- GitHub OAuth Application credentials (Client ID and Client Secret)\n- Resend API key for email delivery\n\n# Stack\nThese are the main technologies used in this project:\n\n## Language\n- [**TypeScript**](https://www.typescriptlang.org/): Strongly typed programming language building on JavaScript.\n\n## Front-End\n- [**Next.js**](https://nextjs.org/): A React framework with server-side rendering, App Router, and Turbopack support.\n- [**React.js**](https://react.dev/): A JavaScript library for building user interfaces with components.\n- [**Tailwind CSS**](https://tailwindcss.com/): A utility-first CSS framework for rapid UI development.\n- [**shadcn/ui**](https://ui.shadcn.com/): Beautifully designed components built with Radix UI and Tailwind CSS.\n- [**React Hook Form**](https://react-hook-form.com/): Performant, flexible forms with easy-to-use validation.\n- [**Zod**](https://zod.dev/): TypeScript-first schema declaration and validation library.\n- [**Lucide React**](https://lucide.dev/): Beautiful \u0026 consistent icon toolkit.\n- [**Sonner**](https://sonner.emilkowal.ski/): An opinionated toast component for React.\n\n## Back-End\n- [**Auth.js (NextAuth.js)**](https://authjs.dev/): Complete authentication solution for Next.js applications with OAuth and credentials support.\n- [**PostgreSQL**](https://www.postgresql.org/): Advanced open-source relational database with strong data integrity.\n- [**Prisma**](https://www.prisma.io/): Next-generation ORM for Node.js and TypeScript with type safety.\n- [**bcryptjs**](https://www.npmjs.com/package/bcryptjs): Library for hashing and comparing passwords securely.\n- [**Resend**](https://resend.com/): Modern email API for developers with high deliverability.\n\n\n# Design\n\n## Authentication Strategy\nThe application uses NextAuth v5 with a JWT session strategy rather than database sessions.\nThis approach enables edge runtime compatibility and reduces database queries.\nSession tokens are stored in httpOnly cookies to prevent XSS attacks.\nThe JWT contains extended user information including role, two-factor status, and OAuth flag, which is synchronized with the database on every request through the jwt callback.\n\n## Database Architecture\nPostgreSQL stores six main collections via Prisma:\n- `User`: Stores user accounts with email, password hash, role, and 2FA preferences\n- `Account`: Stores OAuth provider data (Google, GitHub) linked to users\n- `VerificationToken`: Stores email verification tokens with 1-hour expiry\n- `PasswordResetToken`: Stores password reset tokens with 1-hour expiry\n- `TwoFactorToken`: Stores 2FA codes with 15-minute expiry\n- `TwoFactorConfirmation`: Stores 2FA confirmation state per user\n\nAll token models use unique constraints on email and token to prevent duplicates.\nPrevious tokens are automatically deleted when generating new ones for the same email.\n\n## Database Schema\n```\n                     +-----------------------+\n                     |         User          |\n                     |-----------------------|\n                     | id (PK)               |\n                     | email (unique)        |\n                     | role                  |\n                     | password (nullable)   |\n                     | isTwoFactorEnabled    |\n                     +-----------+-----------+\n                                 |\n                                 | 1 ────────* accounts\n                                 v\n                      +----------+-----------+\n                      |        Account       |\n                      |----------------------|\n                      | id (PK)              |\n                      | userId (FK → User)   |\n                      | provider             |\n                      | providerAccountId    |\n                      | access/refresh tokens|\n                      +----------------------+\n                                 ^\n                                 | 1 ──────── 0..1 confirmation\n                     +-----------+-----------+\n                     | TwoFactorConfirmation |\n                     |-----------------------|\n                     | id (PK)               |\n                     | userId (unique FK)    |\n                     +-----------------------+\n\n      +-----------------------+  +-----------------------+  +---------------------+\n      |   VerificationToken   |  |  PasswordResetToken   |  |    TwoFactorToken   |\n      |-----------------------|  |-----------------------|  |---------------------|\n      | id (PK)               |  | id (PK)               |  | id (PK)             |\n      | email (unique + token)|  | email (unique + token)|  | email (unique token)|\n      | token (unique)        |  | token (unique)        |  | token (unique)      |\n      | expires               |  | expires               |  | expires             |\n      +-----------------------+  +-----------------------+  +---------------------+\n```\n\nThe `User` table sits at the center of the schema with a one-to-many relationship\nto `Account` for OAuth providers and a one-to-one relationship with\n`TwoFactorConfirmation` to mark successful 2FA challenges. The token tables\n(`VerificationToken`, `PasswordResetToken`, `TwoFactorToken`) are intentionally\ndecoupled from foreign keys and instead use unique `(email, token)` pairs so that\ntokens can be issued before an account exists and can be rotated without\nreferential constraints. Cascading deletes on the `Account` and\n`TwoFactorConfirmation` relations ensure that removing a user automatically\ncleans up linked records.\n\n## Token Structure\nVerification and password reset tokens use UUID v4 for cryptographic randomness.\nTwo-factor tokens use 6-digit random numbers (100,000 to 999,999) for user convenience.\nAll tokens include expiration timestamps validated server-side before operations.\nTokens are single-use and deleted immediately after successful validation.\n\n## Route Protection Strategy\nMiddleware intercepts all requests to enforce authentication rules.\nUnauthenticated users accessing protected routes are redirected to login with the original URL preserved as a callback parameter.\nAuthenticated users cannot access authentication pages and are redirected to the settings page.\nPublic routes and NextAuth API endpoints bypass all protection checks.\n\n## Authentication Flow\n1. User initiates login (credentials or OAuth)\n2. For credentials: validates email verification and 2FA if enabled\n3. NextAuth processes authentication via signIn callback\n4. JWT token generated with user claims (ID, role, 2FA status, OAuth flag)\n5. Session cookie set as httpOnly with Secure flag\n6. User redirected to callback URL or default protected page\n7. Subsequent requests include session cookie automatically\n8. Middleware validates authentication on protected routes\n\n## Email Verification Flow\n1. User registers with email and password\n2. Server generates verification token (UUID, 1-hour expiry)\n3. Verification email sent via Resend with token link\n4. User clicks link to `/auth/new-verification?token=xxx`\n5. Server validates token exists and not expired\n6. User's `emailVerified` timestamp updated in database\n7. Token deleted from database\n8. User redirected to login\n\n## Password Reset Flow\n1. User requests password reset via email form\n2. Server generates reset token (UUID, 1-hour expiry)\n3. Reset email sent via Resend with token link\n4. User clicks link to `/auth/new-password?token=xxx`\n5. User enters new password\n6. Server validates token and password strength\n7. Password hashed with bcryptjs and updated in database\n8. Token deleted from database\n9. User redirected to login\n\n## Two-Factor Authentication Flow\n1. User enables 2FA in settings page\n2. On next credential login, server detects 2FA enabled\n3. Server generates 6-digit code (15-minute expiry)\n4. Code sent via email\n5. Login form shows 2FA code input\n6. User enters code from email\n7. Server validates code against database\n8. TwoFactorConfirmation record created\n9. Session created and user logged in\n10. TwoFactorConfirmation deleted after successful login\n\n## Logout Flow\n1. User clicks logout button\n2. Client calls logout server action\n3. Server calls NextAuth `signOut()`\n4. Session cookie deleted\n5. User redirected to home page\n\n# Setting Up Project\nThese are simple steps to run the application locally.\n\n## 1. Clone the Project Locally\n```sh\ngit clone https://github.com/mbeps/oauth-nextjs-springboot-backend.git\ncd oauth-nextjs-springboot-backend\n```\n\n## 2. Install Dependencies\n```sh\nyarn install\n```\n\n## 3. Set Up PostgreSQL Database\nEnsure PostgreSQL is running locally or create a serverless PostgreSQL database on [Neon](https://neon.tech/).\nNote your database connection string for the next step.\n\n## 4. Create OAuth Applications\n\n### Google OAuth Application\nCreate a Google OAuth application with the following settings:\n- **Authorized JavaScript origins**: `http://localhost:3000`\n- **Authorized redirect URIs**: `http://localhost:3000/api/auth/callback/google`\n\nNote your Client ID and Client Secret.\n\n**For Production**: Update the origins and redirect URIs to your production domain (e.g., `https://yourdomain.com` instead of `http://localhost:3000`).\n\n### GitHub OAuth Application\nCreate a GitHub OAuth application with the following settings:\n- **Homepage URL**: `http://localhost:3000`\n- **Authorization callback URL**: `http://localhost:3000/api/auth/callback/github`\n\nNote your Client ID and Client Secret.\n\n**For Production**: Update the Homepage URL and Authorization callback URL to your production domain (e.g., `https://yourdomain.com` instead of `http://localhost:3000`).\n\n## 5. Create Resend Account\nSign up for a [Resend](https://resend.com/) account and obtain your API key from the dashboard.\n\n**For Production**: Verify your domain in Resend to send emails from your own domain instead of `onboarding@resend.dev`.\n\n## 6. Configure Environment Variables\nCreate a `.env` file in the project root:\n\n```env\n# Database\nDATABASE_URL=\"postgresql://user:password@localhost:5432/auth_db?schema=public\"\n\n# NextAuth\nAUTH_SECRET=\"your-auth-secret-here\"  # Generate with: openssl rand -base64 32\nNEXTAUTH_URL=\"http://localhost:3000\"\nNEXTAUTH_TRUST_HOST=\"true\"\n\n# GitHub OAuth\nGITHUB_CLIENT_ID=\"your-github-client-id\"\nGITHUB_CLIENT_SECRET=\"your-github-client-secret\"\n\n# Google OAuth\nGOOGLE_CLIENT_ID=\"your-google-client-id\"\nGOOGLE_CLIENT_SECRET=\"your-google-client-secret\"\n\n# Resend\nRESEND_API_KEY=\"your-resend-api-key\"\n\n# Public App URL for email links\nNEXT_PUBLIC_APP_URL=\"http://localhost:3000\"\n```\n\n**Environment Variable Descriptions:**\n\n`DATABASE_URL`:\n- PostgreSQL connection string for Prisma\n- Format: `postgresql://USER:PASSWORD@HOST:PORT/DATABASE?schema=SCHEMA`\n- Example local: `postgresql://postgres:password@localhost:5432/auth_db`\n- Example Neon: `postgresql://user:pass@ep-xxx.region.aws.neon.tech/dbname?sslmode=require`\n\n`AUTH_SECRET`:\n- Secret key for signing and encrypting JWT tokens\n- Generate with: `openssl rand -base64 32`\n- Keep this secret and never commit to version control\n\n`NEXTAUTH_URL`:\n- The canonical URL of your site for OAuth callbacks\n- Local development: `http://localhost:3000`\n- Production: `https://yourdomain.com`\n\n`GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET`:\n- Credentials from GitHub OAuth application\n- Obtained from GitHub Developer Settings \u003e OAuth Apps\n\n`GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET`:\n- Credentials from Google Cloud Console OAuth application\n- Obtained from Google Cloud Console \u003e Credentials\n\n`RESEND_API_KEY`:\n- API key for Resend email service\n- Obtained from Resend dashboard\n\n`NEXT_PUBLIC_APP_URL`:\n- Public URL used in email links for verification and reset\n- Must match your actual site URL\n- Local: `http://localhost:3000`\n- Production: `https://yourdomain.com`\n\n**For Production**:\n- Set `NEXTAUTH_URL` to your production domain\n- Set `NEXT_PUBLIC_APP_URL` to your production domain\n- Use a strong, randomly generated `AUTH_SECRET`\n- Configure PostgreSQL with SSL/TLS\n- Update OAuth callback URLs to production domain\n\n## 7. Set Up Database Schema\n```sh\nnpm run prisma-push\n```\n\nThis will push the Prisma schema to your database and generate the Prisma Client.\n\n## 8. Run the Application\n```sh\nnpm run dev\n```\n\nThe application should now be running on [`http://localhost:3000`](http://localhost:3000)\n\n# Usage\n\n## Registration Flow\n1. Navigate to `/auth/register`\n2. Enter name, email, and password (minimum 8 characters)\n3. Click \"Create an account\"\n4. Verification email sent to provided email address\n5. Click verification link in email\n6. Redirected to login page\n7. Login with credentials\n\n## Credential Login\n**Standard Login:**\n```\n1. Navigate to /auth/login\n2. Enter email and password\n3. Click \"Sign In\"\n4. Redirected to callback URL or /settings\n```\n\n**Login with 2FA Enabled:**\n```\n1. Navigate to /auth/login\n2. Enter email and password\n3. Click \"Sign In\"\n4. 2FA code input appears\n5. Check email for 6-digit code\n6. Enter code and submit\n7. Redirected to callback URL or /settings\n```\n\n**Login with Unverified Email:**\n```\n1. Navigate to /auth/login\n2. Enter email and password\n3. Click \"Sign In\"\n4. New verification email sent\n5. Click verification link in email\n6. Return to login and try again\n```\n\n## OAuth Login\n**Google Login:**\n```\n1. Navigate to /auth/login\n2. Click \"Continue with Google\" button\n3. Authenticate with Google\n4. Redirected back to application\n5. Logged in and redirected to /settings\n```\n\n**GitHub Login:**\n```\n1. Navigate to /auth/login\n2. Click \"Continue with GitHub\" button\n3. Authenticate with GitHub\n4. Redirected back to application\n5. Logged in and redirected to /settings\n```\n\n## Password Reset\n```\n1. Navigate to /auth/reset\n2. Enter email address\n3. Click \"Send reset email\"\n4. Check email for reset link\n5. Click link to /auth/new-password?token=xxx\n6. Enter new password (minimum 8 characters)\n7. Click \"Reset password\"\n8. Redirected to login page\n9. Login with new password\n```\n\n## Enabling Two-Factor Authentication\n```\n1. Login to application\n2. Navigate to /settings\n3. Find \"Two Factor Authentication\" section\n4. Toggle switch to ON\n5. Save changes\n6. Logout and login again\n7. Enter 6-digit code from email\n8. Successfully logged in with 2FA\n```\n\n## Changing Email\n```\n1. Login to application (credentials only, not OAuth)\n2. Navigate to /settings\n3. Enter new email address\n4. Click \"Save\"\n5. Verification email sent to new email address\n6. Click verification link in email\n7. Email updated in profile\n```\n\n## Changing Password\n```\n1. Login to application (credentials only, not OAuth)\n2. Navigate to /settings\n3. Enter current password\n4. Enter new password (minimum 8 characters)\n5. Click \"Save\"\n6. Password updated successfully\n```\n\n## Accessing Protected Routes\nProtected routes require authentication:\n\n**Settings Page:**\n```\nNavigate to /settings\n- Redirected to login if not authenticated\n- Access granted if authenticated\n```\n\n**Admin Page:**\n```\nNavigate to /admin\n- Redirected to login if not authenticated\n- Access granted if authenticated\n- Admin-only content hidden for non-admin users via RoleGate\n```\n\n**Server Component Demo:**\n```\nNavigate to /server\n- Demonstrates server-side authentication\n- Shows user information from server session\n```\n\n**Client Component Demo:**\n```\nNavigate to /client\n- Demonstrates client-side authentication\n- Shows user information from client session\n```\n\n## Using Admin API Route\nAdmin-only API endpoint with role validation:\n```http\nGET /api/admin\nAuthorization: Session Cookie (automatic)\n```\n\n**Response if Admin:**\n```json\n{\n  \"message\": \"Access granted\"\n}\n```\n\n**Response if Not Admin:**\n```\n403 Forbidden\n```\n\n## Checking Authentication Status\nAll protected pages automatically check authentication via middleware.\nUse the `currentUser()` server function in server components or `useCurrentUser()` hook in client components to access user data.\n\n## Logging Out\n```\n1. Click user avatar in top right\n2. Click \"Logout\" from dropdown menu\n3. Session cleared\n4. Redirected to home page\n```\n\n# References\n- [Next.js Documentation](https://nextjs.org/docs)\n- [NextAuth Documentation](https://authjs.dev/)\n- [Prisma Documentation](https://www.prisma.io/docs)\n- [shadcn/ui Documentation](https://ui.shadcn.com/)\n- [Google OAuth Documentation](https://developers.google.com/identity/protocols/oauth2)\n- [GitHub OAuth Documentation](https://docs.github.com/en/apps/oauth-apps)\n- [Resend Documentation](https://resend.com/docs)\n- [React Hook Form Documentation](https://react-hook-form.com/docs)\n- [Zod Documentation](https://zod.dev/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbeps%2Fnextjs-authjs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmbeps%2Fnextjs-authjs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbeps%2Fnextjs-authjs/lists"}