Add NodeOps PKCE OAuth to an existing Next.js (App Router) project.
Before each step, check if the work is already done. Skip steps that are already complete:
-
Detect project setup — read package.json and check for lock files:
- Package manager: if
pnpm-lock.yaml exists → pnpm, if yarn.lock exists → yarn, else → npm
- TypeScript: if
tsconfig.json exists use .ts/.tsx extensions, else .js/.jsx
- Confirm
app/ directory exists (App Router). If only pages/ exists, stop.
- Confirm
next is in dependencies. If not, stop.
-
Install the package — run the appropriate install command:
- npm:
npm install @nodeops-createos/integration-oauth
- pnpm:
pnpm add @nodeops-createos/integration-oauth
- yarn:
yarn add @nodeops-createos/integration-oauth
- If install fails: check if the user has network access and the registry is reachable. Suggest running the command manually if it keeps failing.
-
Create the API routes — create two separate route files, creating directories as needed:
app/api/auth/me/route.ts (or .js):
export { GET } from '@nodeops-createos/integration-oauth/server/me';
app/api/auth/token/route.ts (or .js):
export { POST } from '@nodeops-createos/integration-oauth/server/token';
-
Wrap layout with AuthProvider — read the root layout file. It could be app/layout.tsx, app/layout.jsx, app/layout.js, or app/layout.ts. Find whichever exists.
-
Create the callback page — ask the user: "Where should users be redirected after login? (default: /dashboard)". Use their answer as the redirectTo value. Then create app/callback/page.tsx (or .jsx):
"use client";
import { useCallbackHandler } from "@nodeops-createos/integration-oauth";
export default function Callback() {
const { loading, error } = useCallbackHandler({ redirectTo: "/dashboard" });
if (loading) return (
<div style={{ display: "flex", justifyContent: "center", alignItems: "center", height: "100vh" }}>
<p>Signing in...</p>
</div>
);
if (error) return <p>Login failed: {error}</p>;
return null;
}
-
Create .env.example — create this file at the project root:
# ── Client-side (exposed to browser via NEXT_PUBLIC_ prefix) ──────────────────
NEXT_PUBLIC_NODEOPS_AUTH_URL=https://id.nodeops.network/oauth2/auth
NEXT_PUBLIC_NODEOPS_CLIENT_ID=your_client_id_here
NEXT_PUBLIC_NODEOPS_REDIRECT_URI=http://localhost:3000/callback
NEXT_PUBLIC_NODEOPS_SCOPES=offline_access offline openid
# ── Server-side only (never sent to browser) ──────────────────────────────────
NODEOPS_CLIENT_SECRET=your_client_secret_here
NODEOPS_TOKEN_URL=https://id.nodeops.network/oauth2/token
NODEOPS_USERINFO_URL=https://autogen-v2-api.nodeops.network/v1/users/me
-
Create .env.local — if .env.local does not already exist, copy .env.example to .env.local and remind the user to fill in NEXT_PUBLIC_NODEOPS_CLIENT_ID and NODEOPS_CLIENT_SECRET with their credentials from the NodeOps developer portal. If .env.local already exists, append the missing NODEOPS_ vars only — do NOT overwrite existing values.
-
Check .gitignore — read .gitignore (if it exists). If .env.local is NOT listed, add it to prevent leaking secrets. Also ensure .env is listed. If no .gitignore exists, create one with at least:
.env
.env.local
-
Docker/container deployment — check if a Dockerfile exists in the project root. If it does, verify it handles NodeOps env vars correctly and warn the user if not. If the user asks about Docker or deployment, create or update the Dockerfile.
Critical: NEXT_PUBLIC_* vars are baked into the JS bundle at build time by Next.js. They must be set as ENV or ARG in the Dockerfile before RUN npm run build. Setting them only at runtime does nothing — the bundle will contain undefined.
The two categories of vars:
| Variable | When needed | Why |
|---|
NEXT_PUBLIC_NODEOPS_AUTH_URL | Build time | Inlined into client JS bundle |
NEXT_PUBLIC_NODEOPS_CLIENT_ID | Build time | Inlined into client JS bundle |
NEXT_PUBLIC_NODEOPS_REDIRECT_URI | Build time | Inlined into client JS bundle |
NEXT_PUBLIC_NODEOPS_SCOPES | Build time | Inlined into client JS bundle |
NODEOPS_CLIENT_SECRET | Runtime only | Read by API route on each request |
NODEOPS_TOKEN_URL | Runtime only | Read by API route on each request |
NODEOPS_USERINFO_URL | Runtime only | Read by API route on each request |
CreateOS note: CreateOS uses the Dockerfile when one is present. Use a single-stage Dockerfile only — multi-stage builds with COPY --from=builder fail on this platform. Remove the Dockerfile entirely to fall back to CreateOS's default install/run commands. See the CreateOS section (step 10) for the runtime config workaround for NEXT_PUBLIC_* vars.
Example Dockerfile (single-stage, compatible with CreateOS):
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
# NEXT_PUBLIC_* must be present at build time — they get baked into the JS bundle
ARG NEXT_PUBLIC_NODEOPS_AUTH_URL=https://id.nodeops.network/oauth2/auth
ARG NEXT_PUBLIC_NODEOPS_CLIENT_ID
ARG NEXT_PUBLIC_NODEOPS_REDIRECT_URI
ARG NEXT_PUBLIC_NODEOPS_SCOPES=offline_access offline openid
ENV NEXT_PUBLIC_NODEOPS_AUTH_URL=$NEXT_PUBLIC_NODEOPS_AUTH_URL
ENV NEXT_PUBLIC_NODEOPS_CLIENT_ID=$NEXT_PUBLIC_NODEOPS_CLIENT_ID
ENV NEXT_PUBLIC_NODEOPS_REDIRECT_URI=$NEXT_PUBLIC_NODEOPS_REDIRECT_URI
ENV NEXT_PUBLIC_NODEOPS_SCOPES=$NEXT_PUBLIC_NODEOPS_SCOPES
# Server-side vars — only needed at runtime, read per-request by API routes
ENV NODEOPS_CLIENT_SECRET=""
ENV NODEOPS_TOKEN_URL=https://id.nodeops.network/oauth2/token
ENV NODEOPS_USERINFO_URL=https://autogen-v2-api.nodeops.network/v1/users/me
RUN npm run build
EXPOSE 3000
CMD ["npm", "start"]
Also ensure .dockerignore excludes .env.local:
.env
.env.local
node_modules
.next
If the project deploys to Vercel or similar: no Dockerfile is needed — those platforms inject env vars before building automatically. Just remind the user to add the vars in their platform's dashboard.
-
CreateOS / build-then-inject platforms — CreateOS uses the Dockerfile when one is present, but injects env vars after the build step. This means NEXT_PUBLIC_* vars are undefined at build time even with ARG/ENV in the Dockerfile. Use the runtime config workaround below, or remove the Dockerfile entirely to fall back to CreateOS's default install/run commands.
What the package handles automatically (v1.x+)
AuthProvider from @nodeops-createos/integration-oauth v1.x+ auto-fetches /api/config at runtime if NEXT_PUBLIC_* vars are missing from the bundle. No extra setup is needed — just make sure the API route exists (step 10a below).
If using an older package version, add manually:
10a. Create app/api/config/route.ts (or .js):
import { NextResponse } from 'next/server';
export const dynamic = 'force-dynamic';
export async function GET() {
return NextResponse.json({
NEXT_PUBLIC_NODEOPS_AUTH_URL: process.env.NEXT_PUBLIC_NODEOPS_AUTH_URL || 'https://id.nodeops.network/oauth2/auth',
NEXT_PUBLIC_NODEOPS_CLIENT_ID: process.env.NEXT_PUBLIC_NODEOPS_CLIENT_ID || '',
NEXT_PUBLIC_NODEOPS_REDIRECT_URI: process.env.NEXT_PUBLIC_NODEOPS_REDIRECT_URI || '',
NEXT_PUBLIC_NODEOPS_SCOPES: process.env.NEXT_PUBLIC_NODEOPS_SCOPES || 'offline_access offline openid',
});
}
This route reads NEXT_PUBLIC_* vars from the server environment at runtime (where they ARE available) and exposes them to the client via a JSON endpoint.
10b. Create components/EnvBootstrap.tsx (or .jsx):
"use client";
import { useEffect, useState } from "react";
export default function EnvBootstrap({ children }: { children: React.ReactNode }) {
const [ready, setReady] = useState(
typeof window !== "undefined" && !!process.env.NEXT_PUBLIC_NODEOPS_CLIENT_ID
);
useEffect(() => {
if (ready) return;
fetch("/api/config")
.then((r) => r.json())
.then((env) => {
Object.assign(process.env, env);
setReady(true);
})
.catch((err) => {
console.error("Failed to load runtime config:", err);
setReady(true);
});
}, [ready]);
if (!ready) return null;
return <>{children}</>;
}
10c. Update the root layout to wrap AuthProvider with EnvBootstrap:
import { AuthProvider } from '@nodeops-createos/integration-oauth';
import EnvBootstrap from '@/components/EnvBootstrap';
<EnvBootstrap>
<AuthProvider>{children}</AuthProvider>
</EnvBootstrap>
This ensures env vars are fetched from the server and patched into process.env before AuthProvider initializes on the client.
-
Show a summary — print a clear summary:
- Files created/modified (list each one)
- Files skipped (if any were already present)
- Remind user to fill in the 2 required env vars:
NEXT_PUBLIC_NODEOPS_CLIENT_ID and NODEOPS_CLIENT_SECRET
- If a Dockerfile exists, remind that
NEXT_PUBLIC_* vars must be set before npm run build in the Dockerfile
- Show how to use the hooks in any page:
import { useAuth, useUser } from '@nodeops-createos/integration-oauth';
const { isAuthenticated, login, logout, loading, authError } = useAuth();
const { user } = useUser();