workos · parkersm1th-magical · Aug 25, 2025
@@ -462,6 +462,20 @@ export default async function middleware(request: NextRequest) {
 export const config = { matcher: ['/', '/account/:path*'] };
 ```
 
+### After auth functions
+
+If you do not want to run your own middleware with `authkit` and instead want to run a function after a user is authenticated, you can use the `afterAuth` option on `authkitMiddleware`.
+
+```ts
+
+export default authkitMiddleware({
+  // Run after the user is authenticated
+  afterAuth: async (userInfo, req) => {
+    ErrorClient.setUser(userInfo);
+  },
+});
+```
+
 ### Signing out
 
 Use the `signOut` method to sign out the current logged in user and redirect to your app's default Logout URI. The Logout URI is set in your WorkOS dashboard settings under "Redirect".

@@ -71,11 +71,14 @@ export interface AuthkitMiddlewareAuth {
   unauthenticatedPaths: string[];
 }
 
+export type AfterAuthFunction = (userInfo: UserInfo, req: NextRequest) => void | Promise<void>;
+
 export interface AuthkitMiddlewareOptions {
   debug?: boolean;
   middlewareAuth?: AuthkitMiddlewareAuth;
   redirectUri?: string;
   signUpPaths?: string[];
+  afterAuth?: AfterAuthFunction;
 }
 
 export interface AuthkitOptions {

@@ -8,9 +8,10 @@ export function authkitMiddleware({
   middlewareAuth = { enabled: false, unauthenticatedPaths: [] },
   redirectUri = WORKOS_REDIRECT_URI,
   signUpPaths = [],
+  afterAuth,
 }: AuthkitMiddlewareOptions = {}): NextMiddleware {
   return function (request) {
-    return updateSessionMiddleware(request, debug, middlewareAuth, redirectUri, signUpPaths);
+    return updateSessionMiddleware({ request, debug, middlewareAuth, redirectUri, signUpPaths, afterAuth });
   };
 }
 

@@ -10,6 +10,7 @@ import { WORKOS_CLIENT_ID, WORKOS_COOKIE_NAME, WORKOS_COOKIE_PASSWORD, WORKOS_RE
 import { getAuthorizationUrl } from './get-authorization-url.js';
 import {
   AccessToken,
+  AfterAuthFunction,
   AuthkitMiddlewareAuth,
   AuthkitOptions,
   AuthkitResponse,
@@ -36,13 +37,21 @@ async function encryptSession(session: Session) {
   });
 }
 
-async function updateSessionMiddleware(
-  request: NextRequest,
-  debug: boolean,
-  middlewareAuth: AuthkitMiddlewareAuth,
-  redirectUri: string,
-  signUpPaths: string[],
-) {
+async function updateSessionMiddleware({
+  request,
+  debug,
+  middlewareAuth,
+  redirectUri,
+  signUpPaths,
+  afterAuth,
+}: {
+  request: NextRequest;
+  debug: boolean;
+  middlewareAuth: AuthkitMiddlewareAuth;
+  redirectUri: string;
+  signUpPaths: string[];
+  afterAuth?: AfterAuthFunction;
+}) {
   if (!redirectUri && !WORKOS_REDIRECT_URI) {
     throw new Error('You must provide a redirect URI in the AuthKit middleware or in the environment variables.');
   }
@@ -102,6 +111,10 @@ async function updateSessionMiddleware(
     headers.set(signUpPathsHeaderName, signUpPaths.join(','));
   }
 
+  if (afterAuth && session.user) {
+    await afterAuth(session, request);
+  }
+
   return NextResponse.next({
     headers,
   });