Error: Cookies can only be modified in a Server Action or Route Handler.

[alireza-asgharii]

Issue: Logging Out Users on 401 Error in Next.js with auth.js

Scenario:

While fetching data on the server side, I use a custom wrapper function based on fetch as a centralized API handler for my application. When the server returns a 401 (Unauthorized) error, I expected to be able to log the user out (or take similar actions), just like how Axios interceptors handle such cases.

Initial Implementation:

To handle this, I implemented the following logic in my fetch function:

• I use auth.js (next-auth) to manage user sessions.
• If a 401 error occurs, I call signOut to log the user out.

Problem:

When executing signOut, the following error occurs:

Error: Cookies can only be modified in a Server Action or Route Handler.

This makes sense, as fetch runs on the server, and Next.js does not allow direct modification of cookies at this level.
(This issue has also been discussed in a previous GitHub Issue.)

Even manually attempting to delete cookies did not work.
I tried the following approaches, but none resolved the issue:

1. Calling signOut directly on the server
2. Executing signOut inside a Server Action
3. Calling signOut from within a Route Handler

---

Proposed Solution:

To resolve this issue, I created a Route Handler and implemented the logout operation within it.
Instead of calling signOut directly inside the fetch function, I created an API Route that handles the logout process.

🚀 The trick:

• In the fetch function, when a 401 error is detected, I redirect the user to this API Route.
• The GET method of this route immediately logs the user out.
• This approach is similar to how many authentication services handle session invalidation.

---

Implementation:

1. Centralized Fetch Function

/* eslint-disable @typescript-eslint/no-explicit-any */
"server-only";

import { redirectTo } from "@/actions";
import { auth } from "@/auth";

type FetchApiResponse<T, ET> = {
  status: number;
  isError: boolean;
  errorData: ET | null;
  data: T | null;
  message: string | null;
};

// Fetch API Proxy (Middleware)
async function fetchApiProxy<T, ET = any>(
  url: string,
  options?: RequestInit & { authorize?: boolean },
) {
	  const res = await fetchApi<T, ET>(url, options);

	  if (res.status === 401 || res.message === "UnAuthentication") {
	    await redirectTo("/api/logout");
	  }

	  return res;
	}

// Main Fetch API
async function fetchApi<T, ET = any>(
  url: string,
  options?: RequestInit & { authorize?: boolean },
): Promise<FetchApiResponse<T, ET>> {
  try {
const session = await auth();

const res = await fetch(`${process.env.API_BASE_URL}${url}`, {
  ...options,
  headers: {
    "Content-Type": "application/json",
    ...options?.headers,
    ...(options?.authorize && {
      Authorization: `Bearer ${session?.accessToken}`,
    }),
  },
});

const data = await res.json();

if (!res.ok) {
  return {
    isError: true,
    message: data?.message || res.statusText || "Unknown error",
    data: null,
    status: res.status,
    errorData: data?.data ?? null,
  };
}

return {
  isError: false,
  message: data?.message || null,
  data: data?.data,
  errorData: null,
  status: res.status,
};
   } catch (error) {
console.log({ fetchApiError: error });
return {
  isError: true,
  message: error instanceof Error ? error.message : "Unknown error",
  data: null,
  status: 500,
  errorData: null,
};
  }
}

export { fetchApiProxy as fetchApi };
export { fetchApi as fetchApiRaw };

2. Logout Route Handler

import { signOut } from "@/auth";
import { cookies } from "next/headers";
import { NextResponse } from "next/server";

export async function GET() {
  const cookieStore = cookies();
  const cookieKeys = ["authjs.session-token", "next-auth.session-token", "access_token"];

  cookieKeys.forEach((key) => cookieStore.delete(key));

  await signOut({ redirect: false });

  return NextResponse.redirect("/login");
}

Outcome:

🔹 401 errors are now handled in a clean and structured manner.
🔹 The issue with modifying cookies on the server is resolved.
🔹 The fetch function remains clean, without relying on client-side methods that cannot execute on the server.

⚡ This approach not only fixes the issue but also provides a standardized pattern for handling authentication in Next.js + auth.js.

---

✅ Suggestion for Next.js:
Adding support for handling signOut on the server without requiring an API Route or providing an official solution for this challenge.

[github-actions]

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository (template for App Router, template for Pages Router), but you can also use these templates: CodeSandbox: App Router or CodeSandbox: Pages Router.

The bug template that you filled out has a section called "Link to the code that reproduces this issue", which is where you should provide the link to the reproduction.

• If you did not provide a link or the link you provided is not valid, we will close the issue.
• If you provide a link to a private repository, we will close the issue.
• If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

• If you did not provide a link, please open a new issue with a link to a reproduction.
• If you provided a link to a private repository, please open a new issue with a link to a public repository.
• If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

• Remove any code that is not related to the issue. (pages, API routes, components, etc.)
• Remove any dependencies that are not related to the issue.
• Remove any third-party service that would require us to sign up for an account to reproduce the issue.
• Remove any environment variables that are not related to the issue.
• Remove private packages that we do not have access to.
• If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every Next.js issue and constantly monitor open issues for new comments.

However, sometimes we might miss one or two due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

• How to Contribute to Open Source (Next.js)
• How to create a Minimal, Complete, and Verifiable example
• Reporting a Next.js bug
• Next.js Triaging issues