February 20, 2026 · 2 min read
User Auth at Scale with Next.js and AWS Amplify
IT admins at the company were managing thousands of user accounts directly through Auth0's dashboard: resetting passwords, assigning roles, pulling audit logs. It worked, but it was slow and error-prone, and it gave the whole team broader Auth0 access than they needed. We built an internal console to replace it.
Stack
- Next.js App Router with Server Actions for mutations
- AWS Amplify for hosting and environment management
- Auth0 as the identity provider
- Auth0 Management API for admin operations server-side
Keeping Management API Credentials Server-Side
The main constraint: Auth0 Management API tokens must never reach the browser. Server Actions made this clean. All Management API calls stay server-side with no extra API route layer. The client posts a form, the action runs on the server, the response comes back. No tokens exposed, no client-side SDK.
Pagination
The Auth0 Management API returns paginated results. We wrapped the pagination parameters in a cursor abstraction so the UI could do standard next/previous navigation without leaking Auth0 API details to the frontend. Caching results per session meant back-navigation didn't require a full re-fetch, which also helped stay within Auth0's Management API rate limits.
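A sketch of the cursor abstraction described above, added here as an example and not taken from the console's own code. The function names, the demo key, the page-size limits and the HMAC signing of the cursor are assumptions; `page`, `per_page` and `include_totals` are the Management API's paging parameters for listing users.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption: a server-only secret. Constructed value; load it from the
// server environment in a real deployment.
const CURSOR_KEY = "constructed-demo-key";
const DEFAULT_PER_PAGE = 50;
const MAX_PER_PAGE = 100;

interface PageState { page: number; perPage: number }

const sign = (body: string): string =>
  createHmac("sha256", CURSOR_KEY).update(body).digest("base64url");

// Opaque token for the UI: base64url(JSON state) + "." + HMAC over that body.
export function encodeCursor(state: PageState): string {
  const body = Buffer.from(JSON.stringify(state)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Verify the MAC before parsing; a missing cursor means the first page.
export function decodeCursor(cursor: string | null): PageState {
  if (cursor === null) return { page: 0, perPage: DEFAULT_PER_PAGE };
  const parts = cursor.split(".");
  const body = parts[0] ?? "";
  const given = Buffer.from(parts[1] ?? "");
  const expected = Buffer.from(sign(body));
  if (parts.length !== 2 || given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("invalid cursor");
  }
  const { page, perPage } = JSON.parse(Buffer.from(body, "base64url").toString()) as PageState;
  const ok = Number.isInteger(page) && page >= 0 &&
    Number.isInteger(perPage) && perPage >= 1 && perPage <= MAX_PER_PAGE;
  if (!ok) throw new Error("invalid cursor");
  return { page, perPage };
}

// Query parameters for the Management API user list, built only on the server.
export function toAuth0Query(s: PageState): { page: string; per_page: string; include_totals: string } {
  return { page: String(s.page), per_page: String(s.perPage), include_totals: "true" };
}

// Next/previous cursors from the current state and the total the API reports.
export function pageInfo(s: PageState, total: number): { next: string | null; prev: string | null } {
  const hasNext = (s.page + 1) * s.perPage < total;
  return {
    next: hasNext ? encodeCursor({ ...s, page: s.page + 1 }) : null,
    prev: s.page > 0 ? encodeCursor({ ...s, page: s.page - 1 }) : null,
  };
}
```

The browser only ever holds the signed token, so a client cannot request an arbitrary `per_page` and burn through the Management API rate limit.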
Role Assignment
Auth0 roles mapped to application permissions. Role changes through the console hit the Management API, then propagated into the app's own data layer so authorization checks didn't require a Management API call on every request.
What Worked
Server Actions were the right call here. The pattern fits admin consoles well: one server function per operation, typed input via Zod, error state returned to the form. The alternative (dedicated API routes) would have added routing boilerplate without any real benefit for an internal tool with predictable traffic.