NextAuth uses JWT despite session.strategy = "database" and MongoDBAdapter

[Shani-Sinojiya]

Adapter type

@auth/mongodb-adapter

Environment

  System:
    OS: Windows 11 10.0.26100
    CPU: (8) x64 AMD Ryzen 3 5300U with Radeon Graphics
    Memory: 957.40 MB / 15.33 GB
  Binaries:
    Node: 22.16.0 - C:\Program Files\nodejs\node.EXE
    Yarn: 3.4.1 - ~\AppData\Roaming\npm\yarn.CMD
    npm: 11.3.0 - C:\Program Files\nodejs\npm.CMD
    pnpm: 10.12.4 - ~\AppData\Local\pnpm\pnpm.CMD
    bun: 1.1.2 - ~\.bun\bin\bun.EXE
  Browsers:
    Edge: Chromium (131.0.2903.70)
    Internet Explorer: 11.0.26100.1882
  npmPackages:
    @auth/mongodb-adapter: ^3.10.0 => 3.10.0
    next: 15.3.5 => 15.3.5
    next-auth: 5.0.0-beta.29 => 5.0.0-beta.29
    react: ^19.0.0 => 19.1.0

Reproduction URL

i have not created

Describe the issue

I'm using NextAuth@beta with the following config:

• strategy: "database" in the session option
• MongoDBAdapter properly connected with a working MongoDB instance
• CredentialsProvider for email/password login

However, after successful login:

• The browser receives a JWT-based session token (encrypted JWE format), instead of a session-token referencing a DB record
• The MongoDB sessions collection remains empty
• Debug logs show calls like adapter_getSessionAndUser using a JWT instead of a DB ID

I've tried the following:

• Clearing cookies
• Rechecking the adapter config
• Enabling debug logging
• Ensuring authorize() returns { id, name, email }

Still, the session is never persisted to MongoDB and the cookie format indicates fallback to JWT mode even though "database" is configured.

How to reproduce

🧪 How to Reproduce

1. Clone the reproduction repository (linked above).

2. Install dependencies:

   pnpm install

3. Set environment variables in .env.local:

   AUTH_SECRET=some-secret
   MONGODB_URI=mongodb+srv://<user>:<pass>@<cluster>.mongodb.net/<db>?retryWrites=true&w=majority
   API_URL=http://localhost:3000
   AUTH_GOOGLE_ID=your-google-id
   AUTH_GOOGLE_SECRET=your-google-secret
   

4. Start the dev server:

   pnpm dev

5. Visit /login and use the Credentials Provider (email/password) to sign in.

6. Check:

   • Browser cookie: session-token is an encrypted JWT
   • MongoDB: sessions collection is empty
   • Debug log: adapter_getSessionAndUser tries to use JWT

Expected behavior

• After signing in using the Credentials Provider, the session token should be stored as a random string (UUID or similar) in a cookie (e.g., session-token).
• This token should correspond to a session document stored in the MongoDB sessions collection using MongoDBAdapter.
• The cookie should not contain a JWT or encrypted JWE-style token.
• When accessing a protected route, NextAuth should fetch the session from the database via adapter.getSessionAndUser() using the sessionToken.

[github-actions]

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository. Example: (NextAuth.js example repository).

The bug template that you filled out has a section called "Reproduction URL", which is where you should provide the link to the reproduction.

• If you did not provide a link or the link you provided is not hosted on github.com outside of the next-auth organization, we will close the issue.
• If you provide a link to a private repository, we will close the issue.
• If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

• If you did not provide a link hosted on github.com outside of the next-auth organization, please open a new issue with a link to such a reproduction.
• If you provided a link to a private repository, please open a new issue with a link to a public repository.
• If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

• Remove any code that is not related to the issue. (pages, API Routes, components, etc.)
• Remove any dependencies that are not related to the issue.
• Remove any third-party service that would require us to sign up for an account to reproduce the issue.
• Remove any environment variables that are not related to the issue.
• Remove private packages that we do not have access to.
• If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every issue and monitor open issues for new comments.

However, sometimes we might miss a few due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

• How to create a Minimal, Complete, and Verifiable example
• Bug report: Framework
• Bug report: Provider
• Bug report: Adapter