Environment

  System:
    OS: macOS 26.3.1
    CPU: (12) arm64 Apple M4 Pro
    Memory: 229.48 MB / 48.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 24.14.0 - /Users/elliott/.nvm/versions/node/v24.14.0/bin/node
    npm: 11.9.0 - /Users/elliott/.nvm/versions/node/v24.14.0/bin/npm
    pnpm: 10.33.0 - /Users/elliott/.nvm/versions/node/v24.14.0/bin/pnpm
    Deno: 2.7.4 - /Users/elliott/.deno/bin/deno
  Browsers:
    Chrome: 147.0.7727.138
    Firefox: 150.0.1
    Safari: 26.3.1
  npmPackages:
    next: ^14.2.24 => 14.2.35 
    next-auth: 5.0.0-beta.31 => 5.0.0-beta.31 
    react: ^18.3.1 => 18.3.1 

Reproduction URL

https://github.com/vast-elliott/next-auth-parse-action-log-error

Describe the issue

When debug: true is set in the NextAuth() config, Auth.js's client-side logger POSTs log messages to /api/auth/_log. However, _log is not included in the recognized actions list in @auth/core@0.41.2, so the [...nextauth] catch-all route handler throws an UnknownAction error on every request to that endpoint.

This surfaces in server logs as:

[auth][error] UnknownAction: Cannot parse action at /api/auth/_log. Read more at https://errors.authjs.dev#unknownaction
    at parseActionAndProviderId (node_modules/@auth/core/lib/utils/web.js)
    at node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js

The exhaustive actions list in node_modules/@auth/core/lib/utils/actions.js is:

const actions = [
  "providers", "session", "csrf", "signin", "signout",
  "callback", "verify-request", "error", "webauthn-options",
]

_log is absent, so parseActionAndProviderId throws UnknownAction instead of handling the request. The error does not crash the server but produces noise in production logs on every auth interaction when debug: true.

We first observed this in a production Kubernetes deployment running a Next.js 14 standalone build — the error appeared in pod logs. It can be reproduced locally with a single curl against the built app (no browser needed):

curl -X POST http://localhost:3000/api/auth/_log \
  -H "Content-Type: application/json" \
  -d '{"level":"error","message":"test"}'

We attempted a workaround by adding a dedicated Next.js route at src/app/api/auth/_log/route.ts to intercept the request before it reaches [...nextauth], but this did not resolve the issue — the [...nextauth] handler still received and errored on the request regardless of route precedence.

How to reproduce

1. Clone the minimal reproduction repository: https://github.com/vast-elliott/next-auth-parse-action-log-error

2. Install dependencies and build:

npm install
cp .env.local.example .env.local  # set AUTH_SECRET to any random string
npm run build
npm start

3. In a second terminal, POST to the _log endpoint:

curl -X POST http://localhost:3000/api/auth/_log \
  -H "Content-Type: application/json" \
  -d '{"level":"error","message":"test"}'

4. Observe the server logs — the error appears immediately:

[auth][error] UnknownAction: Cannot parse action at /api/auth/_log. Read more at https://errors.authjs.dev#unknownaction
    at parseActionAndProviderId (node_modules/@auth/core/lib/utils/web.js)
    at node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js

Expected behavior

The POST request to /api/auth/_log should return 200 OK and the log entry should be handled server-side, matching the behavior of newer @auth/core releases where _log is a recognized action.