
InvalidCheck: pkceCodeVerifier value could not be parsed. (OAuth Provider Error) #12345

Open
Lucifer472 opened this issue Dec 5, 2024 · 27 comments
Labels
bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@Lucifer472

Provider type

GitHub, Google

Environment

```
System:
  OS: macOS 15.1.1
  CPU: (8) arm64 Apple M2
  Memory: 305.41 MB / 8.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.1.0 - /opt/homebrew/bin/node
  Yarn: 1.22.19 - /opt/homebrew/bin/yarn
  npm: 10.8.3 - /opt/homebrew/bin/npm
  bun: 1.1.38 - /opt/homebrew/bin/bun
Browsers:
  Chrome: 131.0.6778.108
  Safari: 18.1.1
npmPackages:
  @auth/prisma-adapter: ^2.7.4 => 2.7.4
  next: 15.0.3 => 15.0.3
  next-auth: ^5.0.0-beta.25 => 5.0.0-beta.25
  react: 19.0.0-rc-66855b96-20241106 => 19.0.0-rc-66855b96-20241106
```

Reproduction URL

https://github.com/Lucifer472/slack-clone

Describe the issue

[auth][error] InvalidCheck: pkceCodeVerifier value could not be parsed. Read more at https://errors.authjs.dev#invalidcheck
at parseCookie (/Users/truepubmedia/Desktop/sites/slack-clone/.next/server/chunks/e044d_@auth_core_d1f52f._.js:3030:15)
at Object.use (/Users/truepubmedia/Desktop/sites/slack-clone/.next/server/chunks/e044d_@auth_core_d1f52f._.js:3058:30)
at handleOAuth (/Users/truepubmedia/Desktop/sites/slack-clone/.next/server/chunks/e044d_@auth_core_d1f52f._.js:3288:247)
at async Module.callback (/Users/truepubmedia/Desktop/sites/slack-clone/.next/server/chunks/e044d_@auth_core_d1f52f._.js:3782:41)
at async AuthInternal (/Users/truepubmedia/Desktop/sites/slack-clone/.next/server/chunks/e044d_@auth_core_d1f52f._.js:4859:24)
at async Auth (/Users/truepubmedia/Desktop/sites/slack-clone/.next/server/chunks/e044d_@auth_core_d1f52f._.js:5120:34)
at async AppRouteRouteModule.do (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:10:33313)
at async AppRouteRouteModule.handle (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:10:40382)
at async doRender (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:1455:42)
at async responseGenerator (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:1814:28)
at async DevServer.renderToResponseWithComponentsImpl (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:1824:28)
at async DevServer.renderPageComponent (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:2240:24)
at async DevServer.renderToResponseImpl (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:2278:32)
at async DevServer.pipeImpl (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:960:25)
at async NextNodeServer.handleCatchallRenderRequest (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/next-server.js:281:17)
at async DevServer.handleRequestImpl (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/base-server.js:853:17)
at async /Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/dev/next-dev-server.js:373:20
at async Span.traceAsyncFn (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/trace/trace.js:153:20)
at async DevServer.handleRequest (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/dev/next-dev-server.js:370:24)
at async invokeRender (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/lib/router-server.js:183:21)
at async handleRequest (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/lib/router-server.js:360:24)
at async requestHandlerImpl (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/lib/router-server.js:384:13)
at async Server.requestListener (/Users/truepubmedia/Desktop/sites/slack-clone/node_modules/next/dist/server/lib/start-server.js:142:13)

The Credentials provider works like a charm without any issues, but the OAuth providers are not working; they all give the same error. I tried different ways to sort it out but nothing works. I think the issue is with the latest version of Next.js and Prisma, because I tried going back to a past version and got the same issue. Also, the same config works perfectly fine in Next.js 14; I tried that.

How to reproduce

Just clone the repo, add the GitHub client ID and secret to the env file, and connect a database.

Expected behavior

The GitHub provider should redirect to the authorized page, then log in to the app.

@Lucifer472 Lucifer472 added bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Dec 5, 2024
@OtisTemler

Same issue here, using Next.js 15.1.0 & React 19.

Sometimes works, sometimes doesn't with the above stated error.

@pr-citrate

I encountered the same issue as you described with Next 15.1 and React 19.0. If you’ve found any potential workarounds or additional details since your post, I’d appreciate it if you could share them here!

@junheeLee96

I also encountered the same error. In my case, I used Chrome's incognito mode to log in and found that the error disappeared.

@rubinpaudel

I have the same issue with Notion, using these versions:

"next": "15.1.2",
"next-auth": "5.0.0-beta.25",
"react": "^19.0.0",

@Harisene

I have the same issue. I get this error when I try to log in using google provider.

[auth][error] InvalidCheck: pkceCodeVerifier value could not be parsed. Read more at https://errors.authjs.dev#invalidcheck

20:24:42.971
at i8 (/var/task/.next/server/chunks/555.js:368:26741)
    at Object.use (/var/task/.next/server/chunks/555.js:368:27149)
    at os (/var/task/.next/server/chunks/555.js:368:33213)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async ob (/var/task/.next/server/chunks/555.js:368:40282)
    at async oR (/var/task/.next/server/chunks/555.js:368:51845)
    at async oC (/var/task/.next/server/chunks/555.js:368:56536)
    at async te.do (/var/task/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:18:17826)
    at async te.handle (/var/task/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:18:22492)
    at async eB (/var/task/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:2871:21083)

I use,

"react": "19.0.0-rc-66855b96-20241106",
"next": "15.0.3",
"next-auth": "^5.0.0-beta.25"


@Lucifer472
Author

Well, I downgraded to Next 14.2.20 and next-auth beta to 5.0.0-beta.20 and everything is fixed. Also clear your cookies as well.

@Ferdinand737

> Well, I downgraded to Next 14.2.20 and next-auth beta to 5.0.0-beta.20 and everything is fixed. Also clear your cookies as well.

Doing this did not solve the issue for me.

@Harisene

Harisene commented Jan 4, 2025

> > Well, I downgraded to Next 14.2.20 and next-auth beta to 5.0.0-beta.20 and everything is fixed. Also clear your cookies as well.
>
> Doing this did not solve the issue for me.

Same here. Issue still exists

@wouteth

wouteth commented Jan 9, 2025

Also experiencing the same issue. It occurs randomly on sign in. Some sign-ins work, some throw this exact error.

@stephan-noel

Same happening for me using the Cognito provider. Works most of the time but getting these errors in the logs and some users saying they can't log in. Please let me know if there's any other info I can provide to help out.

"next-auth": "5.0.0-beta.20"
"next": "14.2.22",
"react": "18.3.1"

@lucassalicanorc

I got this error today, and I don't know if it helps, but for me, the reason was that I was subscribing to the pkceCodeVerifier cookie, and the SameSite attribute was set to None. So, I followed the documentation and set it to Lax, and it worked for me.

@arxkdev

arxkdev commented Jan 17, 2025

This error is happening to me, React 19 & Next.js 15. Can we get an update on this?

@pauleway

Also happening to me, also on Next.js 15.

@sameerxanand

Just happened to me as well. React 19, Next.js 15.2.0-canary.19 and next-auth 5.0.0-beta.25.

@mutgarth

It's the same for me. I was using next-auth 5.0.0-beta-25 and even after downgrading to next-auth 5.0.0-beta-20 the issue still exists.


@Chetan-KK

Why is this issue closed? It's still not solved. I'm also facing this issue.

@crazytweeks

I am having the same issue with the latest version. GitHub auth works, Google auth doesn't.

@mutgarth

mutgarth commented Jan 31, 2025

Hi all,

I fixed it, at least for my use case.

My system uses auth.js only to handle stuff like JWT, callbacks, etc. I am using Google provider to get the access_token and then send it to my backend auth service (where JWT is generated and sent back to the front end).

The callback URL in my backend is configured to send the Google info (after a successful login) to a "www" subdomain. It is important to note here that the callback URL must be the same on Google API console.

The problem arises when a user tries to log in using the non-www subdomain, which is not configured as a callback in my backend.

To fix the error I routed all non-www traffic to a www subdomain in my Nginx web server.

Edit by maintainer bot: Comment was automatically minimized because it was considered unhelpful. (If you think this was by mistake, let us know). Please only comment if it adds context to the issue. If you want to express that you have the same problem, use the upvote 👍 on the issue description or subscribe to the issue for updates. Thanks!

@koyo-snow

koyo-snow commented Feb 12, 2025

I met this error in the Auth.js tutorial.
https://authjs.dev/getting-started/authentication/oauth?framework=next-js

This is my solution.

I set clientId and clientSecret like this.
https://authjs.dev/guides/environment-variables?framework=next-js

```ts
import NextAuth from "next-auth"
import Google from "next-auth/providers/google"

export const { handlers, auth } = NextAuth({
  providers: [
    Google({
      clientId: process.env.AUTH_WEBAPP_GOOGLE_CLIENT_ID,
      clientSecret: process.env.AUTH_WEBAPP_GOOGLE_CLIENT_SECRET,
    }),
  ],
})
```

And add localhost in OAuth 2.0 in Google Console,
・Authorized JavaScript origins
http://localhost:3000
・Authorized redirect URIs
http://localhost:3000/api/auth/callback/google

@rtm200

rtm200 commented Feb 18, 2025

If you submitted your callback in the Google console as (http://localhost:3000/api/auth/callback/google), it is important to know it's only for LOCALHOST. Don't visit your page as (http://192.168.1.7:3000); visit it as (http://localhost:3000). If you don't, you will get the pkceCodeVerifier error (Next 15, React 19).
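The host mismatch reported in the comments from mutgarth (www vs. non-www) and rtm200 (LAN IP vs. localhost) can be checked before deployment. This is an added example, not code from any commenter or from Auth.js: it models the browser's cookie domain-matching rule for the verifier cookie, and the function names, the optional `cookieDomain` argument and the `example.com` hosts are assumptions made for illustration.

```javascript
// Cookie domain-match (simplified: no public-suffix list, path assumed "/").
// A host-only cookie needs the exact host; a Domain attribute also covers
// subdomains. Ports are never part of the match.
function domainMatches(cookie, host) {
  if (!cookie.domain) return host === cookie.setByHost;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// startUrl:     the address the user opened to begin sign-in
// redirectUri:  the callback URL registered with the OAuth provider
// cookieDomain: optional Domain attribute on the verifier cookie (assumption)
function verifierCookieReachesCallback(startUrl, redirectUri, cookieDomain) {
  const start = new URL(startUrl);
  const cb = new URL(redirectUri);
  const cookie = {
    setByHost: start.hostname,
    domain: cookieDomain,
    // Assumed: the cookie is marked Secure when sign-in starts on https.
    secure: start.protocol === "https:",
  };
  if (cookie.domain && !domainMatches(cookie, start.hostname)) {
    return { sent: false, reason: "browser rejects a Domain that does not cover the setting host" };
  }
  if (cookie.secure && cb.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie is not sent over http" };
  }
  if (!domainMatches(cookie, cb.hostname)) {
    return { sent: false, reason: `cookie set on ${start.hostname}, callback arrives on ${cb.hostname}` };
  }
  return { sent: true, reason: "callback host is inside the cookie's scope" };
}

// Constructed sample: the LAN-IP case from the comment above.
console.log(verifierCookieReachesCallback(
  "http://192.168.1.7:3000/",
  "http://localhost:3000/api/auth/callback/google"
));
```

When the result is `sent: false`, the callback request carries no verifier cookie, which matches the situations these two comments describe.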

@Lucifer472 Lucifer472 reopened this Mar 20, 2025
@Lucifer472
Author

Well, the issue is still present in the latest version on Next.js 15.2.3 and Auth 5.0.0-beta.25. This time I can't downgrade. Did anyone here find any fix for this?

@koyo-snow

I didn't know the difference between latest version and next.auth.
Sorry.

@wasimsandhu

wasimsandhu commented Apr 5, 2025

I was running into this error with the Google provider after setting AUTH_REDIRECT_PROXY_URL to my staging deployment URL (e.g. https://vercel-staging-deployment.app/api/auth).

Long story short, I had set AUTH_REDIRECT_PROXY_URL in my preview and production environments, but NOT in the staging environment (e.g. my stable deployment).

This was an oversight on my part. The docs for "Securing a preview deployment" clearly state:

> In both the preview and stable environment, set AUTH_REDIRECT_PROXY_URL to that stable deployment URL...

@zuluaica18

In my case, it happened because:

  1. The user would open several tabs to log in.
  2. 15 minutes would pass without entering credentials.
  3. The browser would block cookies.

For cases 1 and 2, I did the following to resolve it with a retry.

  1. In config

```ts
pages: {
  signIn: "/api/custom/auth/signin",
  error: "/api/custom/auth/error",
}
```

  2. In /api/custom/auth/signin/route.ts

```ts
import { signIn } from "...";
import { NextRequest } from "next/server";

export async function GET(request: NextRequest) {
  const callbackUrl = request.nextUrl.searchParams.get('callbackUrl') ?? request.nextUrl.origin;
  return signIn("keycloak", { redirectTo: callbackUrl });
}
```

  3. In /api/custom/auth/error/route.ts

```ts
import { NextRequest, NextResponse } from "next/server";

function setCookie(response: NextResponse, cookiePrefix: string, maxAge: number) {
  response.cookies.set(
    `${cookiePrefix}authjs.signin-attempt`,
    `true`,
    {
      httpOnly: true,
      sameSite: "lax",
      path: "/",
      secure: cookiePrefix === "__Secure-",
      maxAge: maxAge,
    }
  );
}

export async function GET(request: NextRequest) {
  const cookiePrefix = request.nextUrl.protocol === "https:" ? "__Secure-" : "";
  const callbackUrlCookie = request.cookies.get(`${cookiePrefix}authjs.callback-url`)?.value ?? "";
  const signinAttemptCookie = request.cookies.get(`${cookiePrefix}authjs.signin-attempt`)?.value ?? "";
  const error = request.nextUrl.searchParams.get('error') ?? "Configuration";
  if (error === "Configuration" && signinAttemptCookie !== "true") {
    const signInUrl = new URL("/api/custom/auth/signin", request.nextUrl.origin);
    signInUrl.searchParams.set("callbackUrl", callbackUrlCookie);
    const response = NextResponse.redirect(signInUrl);
    setCookie(response, cookiePrefix, 5 * 60); // 5 minutes
    return response;
  }
  const errorUrl = new URL("/auth/error", request.nextUrl.origin);
  errorUrl.searchParams.set("error", error);
  const response = NextResponse.redirect(errorUrl);
  setCookie(response, cookiePrefix, 0); // 0 minutes
  return response;
}
```

Keep in mind that you'll need to create your own error handling page: /auth/error/page.tsx
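Cases 1 and 2 from the comment above (several tabs, 15 idle minutes) can be reproduced with a small model of the verifier cookie's lifecycle. This is an added example, not code from the commenter or from Auth.js: the cookie name, the single-use clearing on callback and the result strings are assumptions of the model, and the 15-minute lifetime is taken from the comment.

```javascript
// Simplified model: one browser cookie holds the PKCE verifier between
// sign-in start and the provider callback.
const COOKIE = "pkce_verifier"; // constructed name
const MAX_AGE = 15 * 60;        // seconds; the 15-minute window from the comment

class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, maxAge, now) {
    if (maxAge <= 0) this.store.delete(name); // maxAge 0 deletes the cookie
    else this.store.set(name, { value, expires: now + maxAge });
  }
  get(name, now) {
    const c = this.store.get(name);
    return c && now < c.expires ? c.value : undefined;
  }
}

let issued = 0;
// Sign-in start: a fresh verifier overwrites whatever an earlier tab stored.
function startSignIn(jar, now) {
  const verifier = `verifier-${++issued}`; // stand-in for a random secret
  jar.set(COOKIE, verifier, MAX_AGE, now);
  return { boundTo: verifier }; // the provider ties its code to this verifier
}

// Callback: read the cookie, clear it (assumed single use), redeem the code.
function handleCallback(jar, grant, now) {
  const verifier = jar.get(COOKIE, now);
  if (verifier === undefined) return "InvalidCheck"; // nothing left to parse
  jar.set(COOKIE, "", 0, now);
  return verifier === grant.boundTo ? "signed-in" : "provider-rejected";
}

function runScenarios() {
  const out = {};
  let jar = new CookieJar();
  out.normal = handleCallback(jar, startSignIn(jar, 0), 60);
  jar = new CookieJar();
  out.idle = handleCallback(jar, startSignIn(jar, 0), 16 * 60); // cookie expired
  jar = new CookieJar();
  const tabA = startSignIn(jar, 0);
  const tabB = startSignIn(jar, 10);        // replaces tab A's verifier
  out.tabB = handleCallback(jar, tabB, 60); // succeeds and clears the cookie
  out.tabA = handleCallback(jar, tabA, 90); // cookie is already gone
  out.retry = handleCallback(jar, startSignIn(jar, 100), 130); // fresh attempt
  return out;
}

console.log(runScenarios());
```

The `retry` entry shows why restarting sign-in once from the error route recovers both cases: a new start writes a new verifier cookie for the attempt that follows.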
