How to fix: Why can’t my client-side Supabase auth read the session after middleware sets cookies in Next.js 16?
This Supabase/Next.js failure usually means the server session, the middleware refresh, and the browser client's cookies are out of sync after a redirect or deploy. Use request-scoped SSR clients, refresh cookies in middleware, and retest login plus a hard refresh on the production domain.
This pattern is common in AI-built Next.js and Supabase apps because generated code often leaves auth, cookie, deployment, or type boundaries unfinished. The exact symptom matters, so preserve the original error before changing code.
Why it happens
The server can see the Supabase session, but the browser client or the middleware refresh path is not synchronized after the redirect.
What to check
Confirm the app has Supabase SSR middleware that refreshes cookies using the current request and response.
Check that callback redirects happen after `exchangeCodeForSession` or `verifyOtp` has written cookies.
Avoid a module-level server client in SSR paths; create request-scoped clients so cookies are current.
Inspect whether the first client render reads stale state before the session refresh completes.
Fix plan
Use request-scoped Supabase server and browser helpers from `@supabase/ssr`.
Add middleware to refresh auth cookies and exclude only public/static paths.
Gate auth-bound client fetches until the first session check completes, then refetch after `SIGNED_IN`.
Smoke test anonymous view, login callback, redirected view, and hard refresh.
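The gating step in the fix plan, as an added example (not code from the original page or from Supabase): auth-bound fetches are held until `INITIAL_SESSION` has fired, then started or restarted on `SIGNED_IN`. `createAuthGate`, `startFetch`, `fakeAuth` and `replayLoginRedirect` are hypothetical names, and `fakeAuth` is a constructed stand-in for `supabase.auth` so the block runs offline; skipping a repeated `SIGNED_IN` for the same user is a design choice of this example.

```javascript
// Added example. fakeAuth is a constructed stand-in for supabase.auth.
function fakeAuth() {
  let cb = null;
  return {
    onAuthStateChange(callback) {
      cb = callback;
      return { data: { subscription: { unsubscribe() { cb = null; } } } };
    },
    emit(event, session) { if (cb) cb(event, session); },
  };
}

// Holds auth-bound fetches until the first session check has completed.
// startFetch(userId) is a hypothetical callback that starts the real query.
function createAuthGate(auth, startFetch) {
  const state = { ready: false, userId: null, loadedFor: null };
  function maybeFetch() {
    if (!state.ready || !state.userId) return false;    // no confirmed session yet
    if (state.loadedFor === state.userId) return false; // already loaded for this user
    state.loadedFor = state.userId;
    startFetch(state.userId);
    return true;
  }

  const { data } = auth.onAuthStateChange((event, session) => {
    if (event === "SIGNED_OUT") {
      // Never reuse one user's loaded data for the next user.
      state.userId = state.loadedFor = null;
      return;
    }
    if (event === "INITIAL_SESSION") state.ready = true;
    if (event === "INITIAL_SESSION" || event === "SIGNED_IN") {
      state.userId = session?.user?.id ?? null;
      maybeFetch();
    }
  });
  return { state, maybeFetch, stop: () => data.subscription.unsubscribe() };
}

// Constructed event sequence: login callback redirect, then a repeated event.
function replayLoginRedirect() {
  const auth = fakeAuth();
  const fetched = [];
  const gate = createAuthGate(auth, (userId) => fetched.push(userId));
  const early = gate.maybeFetch();      // first render, before any auth event
  auth.emit("INITIAL_SESSION", null);   // browser client has not seen the session yet
  auth.emit("SIGNED_IN", { user: { id: "user-123" } });
  auth.emit("SIGNED_IN", { user: { id: "user-123" } });
  return { early, fetched, ready: gate.state.ready };
}
```

In a real component, pass `supabase.auth` from the browser client in place of `fakeAuth()` and call `stop()` on unmount.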
When to stop guessing
If this touches auth, RLS, database writes, storage, redirects, or deployment callbacks, a build-only fix is not enough. Verify the real user path against the same Supabase project and domain that failed.