Next.js 16 proxy.ts Migration: From middleware.ts

Next.js 16 renamed middleware.ts to proxy.ts. The official reason is naming clarity — but unpacking why the name matters reveals a decade of misuse patterns and one memorable security incident that proved the conceptual confusion had real consequences. This is part of a broader architecture question covered in how I build a production SaaS checklist — where auth belongs in the stack.

This is not a cosmetic rename. The official migration docs are explicit about why the old name was wrong: "middleware" implied Express-style capabilities that this layer never had, led developers to treat it as a security boundary it was never designed to be, and accumulated so much misuse that the team felt the name itself was misleading. The rename is a deliberate signal — reach for proxy.ts as a last resort, not as your default request-handling strategy.

Here is the full picture: what changed, why the name mattered more than most people realized, the security incident that made the conceptual confusion concrete, and how to migrate auth correctly.

What Changed in Next.js 16

The API surface change is minimal. NextRequest, NextResponse, the config matcher — all identical. The differences: