By default NextAuth authenticates the domain provided by the NEXTAUTH_URL environment variable and, if it is on a subdomain like also all domains below www like or. It is often smart to make the domain authentication work across all subdomains to avoid constraints when branching out API services or deploying on subdomains.

To do this you need to set the cookie domain to the root wildcard. If my web app is deployed on then the root domain is The wildcard cookie domain that can be accessed on all subdomains is The is only available on and its subdomains.

Customize the cookie domain in the [...nextauth].ts file by adding:

import NextAuth from 'next-auth';

const { hostname } = new URL(process.env.NEXTAUTH_URL);
// This doesn't work for * domains (multi-label public suffixes) and it might be easier to simply write the root domain:
const ROOT_DOMAIN = hostname.split('.').reverse().splice(0, 2).reverse().join('.');
// Anything other than local development is treated as HTTPS, which the __Secure- prefix requires.
const isSecure = process.env.NODE_ENV !== 'development';

export default NextAuth({
  //... omitted for brevity
  cookies: {
    sessionToken: {
      name: isSecure ? `__Secure-next-auth.session-token` : `next-auth.session-token`,
      options: {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        domain: `.${ROOT_DOMAIN}`, // Note the dot
        secure: isSecure,
      },
    },
  },
});
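The snippet above derives the root domain by taking the last two labels of the hostname, which, as its comment notes, breaks for multi-label public suffixes and is also wrong for localhost or IP literals, where browsers ignore a `domain` attribute. The following is an added example, not code from this post or from NextAuth, that builds the same `sessionToken` cookie entry but handles those cases: `rootDomain`, `sessionCookie` and the `MULTI_LABEL_SUFFIXES` list are assumptions introduced here, and the suffix list is a constructed, deliberately partial stand-in for a real Public Suffix List lookup.

```javascript
// Added example (not NextAuth's own code): derive the cookie `domain`
// attribute that shares the session cookie across all subdomains of the
// deployment's root domain, without the two-label shortcut's pitfalls.

// Constructed, deliberately partial list of multi-label public suffixes.
// A real deployment should use a Public Suffix List library (for example
// the `psl` npm package) rather than maintaining such a list by hand.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'co.jp']);

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns the registrable root domain of `hostname`, or null when a shared
// cookie domain is not possible (localhost, IP literals, a bare public suffix).
function rootDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  // A domain attribute is meaningless for IPs and single-label hosts:
  // browsers will not match it, so keep the cookie host-only instead.
  if (host.startsWith('[') || IPV4.test(host) || !host.includes('.')) return null;
  const labels = host.split('.');
  // "co.uk"-style suffixes need three labels to reach the registrable domain.
  const suffixLen = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 2 : 1;
  const needed = suffixLen + 1;
  if (labels.length < needed) return null; // e.g. "co.uk" itself
  return labels.slice(-needed).join('.');
}

// Builds the NextAuth `cookies.sessionToken` entry from NEXTAUTH_URL and
// NODE_ENV. When no root domain can be derived, `domain` is omitted and the
// cookie stays host-only, which is NextAuth's default behaviour.
function sessionCookie(nextauthUrl, nodeEnv) {
  const { hostname } = new URL(nextauthUrl);
  const isSecure = nodeEnv !== 'development';
  const root = rootDomain(hostname);
  const options = {
    httpOnly: true,
    sameSite: 'lax',
    path: '/',
    secure: isSecure,
  };
  if (root) options.domain = `.${root}`; // leading dot: sent to all subdomains
  return {
    // Browsers only accept the __Secure- prefix when `secure` is set.
    name: isSecure ? '__Secure-next-auth.session-token' : 'next-auth.session-token',
    options,
  };
}
```

Widening the cookie to the root domain means every subdomain under it can read and overwrite the session cookie, so only do this when all hosts under that root are under your control; for a deployment that should stay strictly single-host, leave `domain` unset.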