Supabase Auth: Changes to default email provider

[kangmingtay]

As our user base has grown, we are taking steps to make sure we are able to continue to provide a safe, secure, robust free plan experience. To ensure that email-based auth continues to work for all users on Supabase, we're making changes if you're using the default email provider. This allows us to continue to offer our default provider in a more sustainable and resilient manner.

For maximum flexibility and control over your auth emails, we suggest one of the following:

• Use a custom SMTP provider instead
• Send emails through your own email provider using the email send hook

If you still want to use the default email provider, these are the changes being planned:

• Email template customization will be allowed and customized email templates will not be reverted to default.

• 26th September: If you do not have a custom SMTP server set up, emails can only be sent to email addresses in your project's organization. So for example, if your organization has the following members: person-a@example.com, person-b@example.com and person-c@example.com , this means that email messages from Auth will only be sent to these addresses.

These measures are taken to prevent abuse to our shared SMTP service. In the future, we may consider increasing the email rate limits once we see a drop in abuse.

Frequently asked questions

Why such a short notice?

Supabase uses a third-party email sending provider that has mandated we reduce email abuse significantly or they will be forced to block all email sending. A tragedy of the commons.

Can't Supabase switch to a different email sending partner?

Yes, but we would run into the same issues. All email sending services are required to monitor abuse and force their customers to follow the same rules.

Can't Supabase send emails on their own, without a third party?

Not really. You can't just send email on the web today without investing a lot of money and time (unblocking port 25, keeping IP addresses out of spam lists, etc.). This is not our core competency and do not have plans to start doing this today.

How long does it take to set up a custom SMTP provider?

Fortunately this is very easy. You can use any email sending service for this, really popular ones include:

• Resend
• AWS SES
• Postmark
• SendGrid
• Zepto Mail
• Brevo

All you need to do is create an account, verify your sending domain and finally input the SMTP username and password in the Auth settings page.

What if I turn off email confirmations, can I use it then?

Currently this behavior is not supported and we'll be rolling out a fix for it during the first week of October.

Confirming email addresses is where most of the email message activity for a project originates. Turning it off can be a viable option for some projects that are still in the early testing, development or experimental phase.

Be aware that even if you turn off email confirmations the forgot password or reset password flows in your app continue to function. They also send messages, and starting 26th September those messages will be delivered only to the members of the Supabase organization that owns the project. All other end-users will get a message similar to "Email address not authorized." Effectively, the forgot password / reset password flow will be broken for your project.

What if I want just username + password authentication and using <username>@<fakedomain> instead?

Please don't do this. Part of the reason why we were forced to lock down these changes is bounced emails, probably from use cases like this.

Official username + password support is going to be made available in the coming year, and until then:

• Use a real domain, that you control
• Send emails to that domain, so set up a receiving server

But the best thing to do is:

• Set up a Send Email Auth Hook that does nothing. You don't even need to use a server or an Edge Function. Just define a Postgres function that just does nothing.

I'm using the admin API to generate links, and not really sending using Supabase's default provider. Do I need to do anything?

All projects using generate link via the admin API without custom SMTP have been patched to allow the behavior. We still strongly urge those customers to set up custom SMTP regardless.

Just because you're mostly using the admin API to generate links to send in custom email messages, doesn't mean that the Auth server is not configured to use Supabase's shared SMTP service. Your Auth API can be called from your frontend at any time, especially in edge cases such as to handle forgot password or other similar flows, which you may not be handling via the admin API.

Therefore we urge all customers that do use the admin API to set up a custom SMTP sending service regardless.

If you are not interested in setting this up, you can instruct the Auth server to ignore all emails (pretend it's sending them) by configuring a Send Email Auth Hook as a Postgres function that does nothing.

How can I disable the warning banner?

You can disable the warning banner by setting up a custom SMTP provider , or, if your project doesn't use email at all, by disabling the email provider.

Updates

20th September 2024

Email template customization will be allowed and customized email templates will not be reverted to default.

Team has decided that restricting email template customization is not viable and a big breaking change. We may need to do go back to this in the future if abuse continues and our other measures like allowing projects to only send messages to authorized email addresses do not improve the situation. We continue to urge all customers regardless of plan that use the default SMTP service for live applications to move to a custom SMTP provider as soon as able.

• 20th September: Email template customization will no longer be possible without setting up a custom SMTP provider. Email templates already customized can still be customized until 24th September.

• 24th September: Projects without a custom SMTP provider will have their custom email templates returned back to the default ones from Supabase. This means that any auth emails sent out from your project will use the default email template.

[echarrod]

Appreciate the reasoning behind the changes 👍

It does feel like a short timeline though, in order for us to implement a custom SMTP server, so we can send emails outside of our org 😒

[kangmingtay]

yeah it was a tough decision to make since the risk is our email sending partner shutting down our service which will prevent everyone from sending any emails

fortunately, setting up a custom SMTP service is quite easy and straightforward - my preference is to use Resend which we have an integration with

[tanoabeleyra]

[hf]

Why such a short notice?

We do not send emails ourselves, so our email sending partner is forcing our hand to significantly restrict abuse or they are going to block us from sending any emails.

Had we had a choice, we wouldn't have done it in such a short notice.

[khera]

While you can differentiate this kind of usage pattern, it doesn't protect a service provider in reality. People who abuse systems will find any way they can to automate the "let me convince them I'm a legitimate user" then flip over to abusing it once their limits are lifted. It is especially bad when the service is free of cost.

The only thing stopping you personally from suddenly sending hundreds of messages using a customized confirmation message is that you are acting in good faith.

[GaryAustin1]

Also I and other users on Discord use Brevo .
It has a decent free plan.

[khera]

For those who are not inclined to use a free service, Zoho has a service called zeptomail that is dirt cheap and pretty good at delivery.

[MarkOSullivan94]

Are there any cons to be aware of before using them?

[marcsasson]

Does this only affect free plans? If I upgrade will I not be affected?

[GaryAustin1]

Pro plan users are getting emails (warnings about this) and the wording/description here sounds like it applies to all plans.

[marcsasson]

robust free plan experience.

That's why I though it was only affecting free plans.

Also, is the abuse mostly coming from free plans? If yes, maybe give pro plans more time to migrate?

[GaryAustin1]

Have to wait for clarification from SB then. But they have always recommended that in production you do not use their email service. Of course that was mainly focused on the 3 to 4 email hour limit.

[J0]

Hey,

Thanks for the query. Unfortunately, this affects all plans. Free plan users have a great percentage of projects without custom SMTP and will probably be most significantly affected by this change. In general, most folks on paid plans tend to have set up Custom SMTP as part of the going into production guide.

[hf]

Also, is the abuse mostly coming from free plans? If yes, maybe give pro plans more time to migrate?

@marcsasson Turns out most of the abuse actually comes from paid plans that have not moved to custom SMTP, as those projects tend to be live and have a user base or are prone to abuse themselves.

[sheprograms]

Since I'm being forced to use SendGrid, I'd strongly prefer to use their dynamic email templates instead of Supabase's. Can you recommend any step-by-step documentation for setting up an Email Hook with the SendGrid API? I'm mostly struggling with figuring out how to pass custom parameters. My use case is to send invites to join a team. I'd like to include the logo of the team in the email. My dynamic template is set up to accept this parameter, but I need to pull it from the teams table in supabase before hitting the sendgrid API with all of the relevant confirmation links and tokens.

[kangmingtay]

@sheprograms have you seen this guide? you can swap out the places where resend's api is called with sendgrid's

[hf]

Hey everyone, update from today.

Email template customization will be allowed and customized email templates will not be reverted to default.

Team has decided that restricting email template customization is not viable and a big breaking change. We may need to do go back to this in the future if abuse continues and our other measures like allowing projects to only send messages to authorized email addresses do not improve the situation. We continue to urge all customers regardless of plan that use the default SMTP service for live applications to move to a custom SMTP provider as soon as able.

During the day today the platform will allow you to customize email templates.

[GaryAustin1]

@Sergio-P there is now an auth hook to do things like that. https://supabase.com/docs/guides/auth/auth-hooks/send-email-hook

[adeniranbukunmi]

please could this be the reason why my Django application keep saying 500: INTERNAL_SERVER_ERROR on vercel ? after supplying my environment variables

[kangmingtay]

nope, it should still work - check your project's auth logs here and if it's still an issue, please open a ticket at https://supabase.help so we can investigate

[nukeop]

I don't mind paying for an email service but I do mind being de-anonymized and doxed, and so many of those providers required actual, real documents which is a huge invasion of privacy. Can I just pay you more to have this go away? You must have info on who's sending spam (because what other email abuse can there be). Very unsportsmanlike for them to give you only such a short notice which you then have to pass on to your clients. In general I'd rather pay Supabase a premium for handling emails so that I don't have to worry about one more third party provider.

[hf]

You must have info on who's sending spam (because what other email abuse can there be).

This is actually quite hard to figure out. From our analysis essentially all customers use Auth emails for their right purpose. However, the "spam" actually comes from unwanted email or in relation to projects that are operating in a "spammy" industry.

We don't want to police customers and set up complex review rules. Anyone can build apps on Supabase, but to send email unfortunately you will need to do some extra work.

Can I just pay you more to have this go away?

At this time we don't plan to offer this as a service, but given how important this is we may be looking at other alternatives such as partnering with some companies to ease the burden. No concrete plans yet.

[nukeop]

Thanks! Supabase is a fantastic service, with outstanding support.

[alphanumericaracters]

Today I open my dashboard and I found the message, I check the list of emails sent and there were only 5: (mom, dad, my wife, my daughter and my dog ​​[who has a service role]).

Aand I said... 'WTF Supabase!' This is not abuse at all! 🤷‍♂️

Then I read this. 😁

There will be no choice but to make a script in a Google account, which acts as a webhook, some triggers to communicate the creation of a new user and token, the email is sent with a magicklink that redirects to the App and blah blah blah...

(☞ﾟヮﾟ)☞ Argentinian way 😎 The Favaloro Script [bypass master] ☜(ﾟヮﾟ☜)

[enriquesalomon]

I am not using the auth email sending confirmation for the created user account in my app. I just turn off the confirmation of the email. Does it resolve the issue? since my app , was the only admin account can create or signup a user account. My question is, it will still affect to my app? or it will not.

[hf]

Turning off email confirmation gets you there 80% of the way. However be mindful that when you use email + password in your app, the forgot password / reset password flow still requires for emails to be sent.

On 26th of September only the people part of your Supabase organization will be able to effectively reset their passwords, all others will get an error message "Email not authorized."

[EmePin]

Turning off email confirmation gets you there 80% of the way. However be mindful that when you use email + password in your app, the forgot password / reset password flow still requires for emails to be sent.

On 26th of September only the people part of your Supabase organization will be able to effectively reset their passwords, all others will get an error message "Email not authorized."

thanks

[muchirajunior]

First how can i get rid of this warning off my view, i don't even send emails on supabase

[hf]

Disabling the email provider will get rid of the warning.

[damiensedgwick]

Does this include Magic Link sign ins? So going forward I would need to setup a provider for logging in?

[j4w8n]

Does this include Magic Link sign ins? So going forward I would need to setup a provider for logging in?

Yep

[damiensedgwick]

No dramas, just wanted to double check.

[alok-mishra143]

i am a free plan user and i don`t have custom domain also how can i use custom smtp

[J0]

Hey @alok-mishra143,

Rest assured that you don't need the custom domain add-on to set up custom smtp. You can find instructions for configuring a custom SMTP here

[J0]

I realized that you might be referring to the sender email. There are providers which don't require purchase of a domain iirc (e.g outlook,gmail). It's also possible to find free domains though I would recommend buying one if within budget.

[samifouad]

Was planning on integrating with Postmark, as I only plan to use e-mail auth for my project. I guess my timeline to make that happen is now bumped up. Bad situation for everyone not prepared for this, but it is what it is. Thanks for the communication on this, that's all we can ask for when situations like this arise.

[hf]

We expect that most projects that were serious about email sending already have set up custom SMTP, as the existing rate limit was around 2 messages per hour.

[richleach]

I'm on the free/hobby account, is there anyway I can see my log files? I keep getting "Error sending confirmation email" but can't see any more details than that. BTW I set up with Brevo, pretty easy I guess. I wish I'd seen your note about Resend though

[GaryAustin1]

Goto the logs section of the dashboard and then Auth log. There might be a bit more info on the error back from the provider if that is the issue. Also make sure your rate limit is set higher than 3. I use Brevo and have had no issues.

[richleach]

Rate limit?

[GaryAustin1]

[richleach]

Thank you Gary, still getting used to the UI

[evguu]

I see no problem with this as I don't send the emails, however this also completely prevents me from creating fake users for testing purposes from the UI.

I don't see why this would be blocked since 'Creating users via this form does not send email'.

Attempts to create user fail with the message 'Failed to create user: Email address "a@a.com" cannot be used as it is not authorized'.

Could you look into this or give advice on a different way to create test users? And no, creating custom SMTP for such simple testing that does not require email sending is not viable.

[byrnehollander]

@kangmingtay @hf This change appears to have impacted the generateLink function; the docs say that this function was designed for use with custom email providers.

I am generating magic links on my server and sending them through Mailgun, but I was getting the following error that was preventing users from logging in:

Email address "someUser@gmail.com" cannot be used as it is not authorized

I was able to toggle on Enable Custom SMTP and enter fake credentials to get around this.

But I imagine that this is impacting actual customers in production (like me), and not just breaking people's tests.

---

Edit:

I believe this was introduced in https://github.com/supabase/auth/pull/1778/files#diff-97dfc3310e5139b4d9c7a160bd077aeb81ca1e7b8d7cfa837a402f54b4c03a3d

Some evidence: the above error message is not in the codebase until it is added in this PR in internal/api/mail.go, line 578

I'm not certain this will fix the issue, but I put up a PR here: supabase/auth#1779

[hf]

There is a slight misconception here. Yes there's a bug where the admin API shouldn't have been affected by the change, that's clear and getting fixed.

However, it's not true that if you use the admin API to generate links for email messages that you are not using the built-in SMTP provider. Your project's APIs are live and open to the world to call, so your application could be calling the forgot password flow without using the admin link.

This is not entirely obvious, so I urge all customers facing the same issue to set up custom SMTP regardless of using the admin APIs. If you really don't want any emails to be sent, it's best to setup a Send Email Auth Hook that is a no-op Postgres function instead.

[hf]

All projects that have used the generate link admin API recently have been patched. Fix is rolling out to all projects in the next week.

[byrnehollander]

Thank you @hf. I understand that there are a lot of moving parts here and you had to work under a short deadline.

---

I urge all customers facing the same issue to set up custom SMTP regardless of using the admin APIs. If you really don't want any emails to be sent, it's best to setup a Send Email Auth Hook that is a no-op Postgres function instead.

Is there another way to disable emails from being sent? I feel like there could just be a toggle built into the product.

All projects that have used the generate link admin API recently have been patched. Fix is rolling out to all projects in the next week.

Can you share more about how changes get rolled out to prod? This bug impacted me at Friday night, which was pretty bad timing.

Do bug fixes roll out faster than feature releases? "in the next week" seems like a very long time horizon for a bug fix that can break login

[Frikster]

Am brand new to Supabase and I just bumped into this. If you run a services that does email as a service in any way test accounts are absolutely essential so this is pretty annoying. Am very glad to hear it will be fixed in the next week.

[hf]

This is unlikely to be related to the changes. Reach out to https://supabase.help, check your logs and SES integration.

[davidd8]

I did file a ticket, but I think it is related, as I changed nothing in my setup since my last post and retried today and it all works again. There seems to have been a regression in the rollout, which was reverted?

[davidd8]

I spoke too soon, the issue has been resolved for NEW users, but EXISTING users are still seeing 500s like this:

"auth_event":{"action":"user_recovery_requested"... actor_via_sso":false,"log_type":"user"},"component":"api","error":"html/template:https://api.supabase.com/platform/auth/<app-id>/templates/magic-link: "\"" in attribute name: "\"\u003eMacOS\u003c/a\u003e) \nand Mobile (\u003ca hre"","level":"error","method":"POST","msg":"500: Error sending magic link "

[kangmingtay]

@davidd8 that's seems like an issue with your email template

[davidd8]

Oh wow, great catch @kangmingtay you are correct, I had a typo in one of the email templates - user error! Problem solved :)

[sean-dev-only]

I am not using the email approach. I am using notion provider's

const {data, error} = await supabase.auth.signInWithOAuth({
    provider: 'notion',
    options: {
      redirectTo: someUrlWithSearchParams?a=a&b=b`,
    },
  })

I checked the log, it says

"error":"oauth2: \"invalid_client\"","level":"error","method":"GET","msg":"500: Unable to exchange external code: xxxx-3c18-xxxx-xx-xx"

The error starts to show this afternoon too

[J0]

Hey @sean-dev-only,

Thanks for the query - the change shouldn't affect OAuth sign ins as they don't involve emails. This looks like a separate error, related to the exchange of the Auth code between Auth and notion.

Could we trouble you to double check the Client ID and Secret in use?

Thanks

[sean-dev-only]

@J0
Thanks for the reply.
I want to close my thread by this https://status.notion.so/incidents/ch2cmpln7jjg
it's on Notion. Sry for the distraction.

[Juiciator]

Hi, I'm not a tech guy, we use supabase for a flutterflow app. I get the message that I need to configure smtp every time I log in in supabase, but we don't actually send emails through supabase, and our accounts are google workspace. Could you please disable that message for my account?
thanks

[Juiciator]

May be you can add this button to that option

[hf]

You can disable the email provider on this page which will remove the message: https://supabase.com/dashboard/project/_/auth/providers

[hf]

We will add a button to help you turn it off soon, but at this time we want to increase awareness of this change for all customers that are affected.

[Juiciator]

All the users of my app login using google workspace, the question is
¿To disable the Email provider in supabase will allow me to login in my app using google auth login?
thanks in advance for the answer

[hf]

Yes, using Social Login / OAuth with Google, Apple, or any other such provider remains unaffected.

[sidharthhhh]

while created user mannually, i am only able to created one user while my own gmail, with other gmail id , i am not able to create any user. How can i allow that that with all email i can create user?

[hf]

Please open a support ticket at https://supabase.help for us to help you most effectively.

[sidharthhhh]

thanks sir

[alignbenpersitz]

Is this impacting existing users? I'm getting an error when trying to login now that my email address is not authorized. We aren't sending any emails, and don't require confirmation of accounts. These emails have worked previously, but now I can't login with them.

Emails that are members of the project CAN login even though they're listed as the same domain of the users who cannot login.

[ScriabinOp8No12]

I guess the issue is fixed, I'm able to login without even setting up SMTP

Edit: Partially working for me now, existing signed up users can sign back in, but a new user can't signup like before.

[EvdB1975]

Same here. Existing users can log in, but new users can't register. I'm not using email confirmation. I'm using the database as a backend for a school project/research. When trying to register a new user, I get the 'email_address_not_authorized' error.

[ScriabinOp8No12]

Same here. Existing users can log in, but new users can't register. I'm not using email confirmation. I'm using the database as a backend for a school project/research. When trying to register a new user, I get the 'email_address_not_authorized' error.

I see, good to know, thanks. We are using Supabase in production, so it's not very optimal for this to happen lol

[enriquesalomon]

Same here. Existing users can log in, but new users can't register. I'm not using email confirmation. I'm using the database as a backend for a school project/research. When trying to register a new user, I get the 'email_address_not_authorized' error.

have you tried setting an SMTP ? try resend, it will helps solving that problem, just try to add that and then turning off the auth email. It works at my side, it was the same scenarios as yours.

[hf]

I guess the issue is fixed, I'm able to login without even setting up SMTP

Yes unfortunately we were too aggressive with it but realized quickly and fixed as soon as we could. Sorry about that!

[AdditionAddict]

Getting hit hard by this this morning, please add instructions for Mailgun 😭

[hf]

Please visit this page: https://documentation.mailgun.com/docs/mailgun/user-manual/sending-messages/#send-via-smtp

[nukeop]

Everything works on my end, before and after using Resend for SMTP, even though I did it after the deadline. Supabase is the superior choice as always.

[maagyei04]

please help with it, don't get it

[AndersonMamede]

My project was also affected and was only fixed 20 minutes ago after I found the workaround mentioned above, set up Resend as a custom SMTP provider, and finally made new user registrations possible again. However, wasn't this supposed to be only about sending emails, or did I miss the information indicating that it would also prevent new user registrations?

[hf]

If you call supabase.auth.signUp() unfortunately that counts as sending an email, as we are not able to distinguish between customers that have already sent a link and those that just call this to send a link.

[ErwinAI]

I've just added a fake SMTP to allow account creation again. Same situation as others: I don't use Supabase to send emails.

If you are sure that you don't rely on any emails being sent from Supabase, just fill in: smtp.gmail.com with random username/password.

[hf]

You can instead add a Send Email Auth Hook with a Postgres function that does nothing.

[Amirshp75]

I use gmail smtp with random username and password.
But when creating a new user, I receive the following message:
Exception: Failed to sign up: AuthException(message: {"code":"unexpected_failure","message":"Database error saving new user"}, statusCode: 500, errorCode: null
I am not technical, please explain the suggested method of Send Email Auth Hook with a Postgres function by mentioning the steps.
thanks.

[felipesnts]

To use our own SMTP provider we need to be able to whitelist where the connection is coming from. Are the IP addresses used by Supabase for this documented anywhere? I was not able to find anything related to that. Thanks

[w3b6x9]

unfortunately, we do not expose IP addresses that you can add to your smtp provider's allowlist.

[kxvich]

we should be able to sign up new users after turning off email confirmation for testing purposes