I’m using next-auth with the JWT session strategy and running into a problem with cookie size when storing multiple API tokens.
Here’s my JWT callback:
```ts
async jwt({ token, user }) {
  // On initial sign-in, copy the user's agentInfo into the JWT payload
  if (user) {
    token.agentInfo = user.agentInfo;
  }
  // Fetch/refresh Cognito and other API tokens and merge them into the JWT payload
  const cognitoTokens = await manageTokens(token as Record<string, Token>);
  token = { ...token, ...cognitoTokens };
  return token;
}
```

In my case, manageTokens merges three different API tokens (Cognito + other APIs) into the JWT payload, but the __Secure-next-auth.session-token cookie becomes too large and NextAuth splits it into multiple cookies (.0, .1, .2).
Why this is a problem
- Some APIs start returning 431 Request Header Fields Too Large because the cookies in the request headers are too big
- I don’t actually use the cookie-based JWT anywhere in our app.
- I only rely on the session token inside next-auth.
- Because the JWT grows with multiple tokens, the cookie approach creates unnecessary complexity.
Questions
- Is there a way to disable cookie storage of the JWT when using the jwt session strategy and only keep it in memory/server-side?
- If not, what’s the recommended pattern for handling multiple tokens without hitting cookie size limits?
- Should I be moving to a server-side session store (e.g., PrismaAdapter + DB/Redis)?
- Or should NextAuth provide an option to avoid serializing everything into cookies?
I tried not serializing the token; it worked, but sometimes it does not work. It is very weird.