Supabase Auth rejects an email address during signup or authentication due to format validation rules. This typically occurs when the email format violates Supabase's validation requirements, which may be stricter than standard RFC 5322 specifications.
This error occurs when Supabase Auth's email validation logic determines that the provided email address doesn't meet its format requirements. While the email might appear valid to you, Supabase enforces specific validation rules that can reject certain technically valid email formats. Common issues include email addresses with unusual but RFC-compliant characters (like "+" symbols), very short domain names (like "[email protected]"), or formats that Supabase's validator doesn't recognize as legitimate. The validation happens server-side during authentication operations like signup, sign-in, or password reset requests. Supabase returns a 400 Bad Request status with the error code "email_address_invalid" when this validation fails, preventing the authentication operation from proceeding.
First, check that the email address follows a standard format that Supabase expects:
// Test with a standard email format first
const standardEmail = '[email protected]';
const { data, error } = await supabase.auth.signUp({
email: standardEmail,
password: 'secure-password-123',
});
if (error) {
console.error('Validation error:', error.message);
} else {
console.log('Success with standard format');
}If this works, your original email likely contains characters or patterns that Supabase doesn't accept.
If you're using the "+" symbol for email aliasing (like [email protected]), try the base email instead:
// Instead of: [email protected]
// Use: [email protected]
// If you need to track different signups, use metadata instead
const { data, error } = await supabase.auth.signUp({
email: '[email protected]',
password: 'secure-password-123',
options: {
data: {
signup_source: 'test_campaign',
},
},
});Store tracking information in user metadata rather than email aliases.
Supabase requires domain names with at least 3 characters. Avoid very short domains:
// ❌ Will fail: domain too short
const invalidEmail = '[email protected]';
// ✅ Should work: standard domain length
const validEmail = '[email protected]';
// Validate domain length before submission
function isValidSupabaseDomain(email) {
const domain = email.split('@')[1];
if (!domain) return false;
const parts = domain.split('.');
return parts.every(part => part.length >= 2); // At least 2 chars per segment
}
if (isValidSupabaseDomain(email)) {
await supabase.auth.signUp({ email, password });
} else {
alert('Please use an email with a standard domain format');
}Add validation on your frontend to catch issues before submission:
function validateSupabaseEmail(email) {
// Basic format check
const emailRegex = /^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
if (!emailRegex.test(email)) {
return { valid: false, error: 'Invalid email format' };
}
// Check for special characters that might cause issues
if (email.includes('+')) {
return {
valid: false,
error: 'Email addresses with + are not supported'
};
}
// Verify domain length
const domain = email.split('@')[1];
const domainParts = domain.split('.');
for (const part of domainParts) {
if (part.length < 2) {
return {
valid: false,
error: 'Domain segments must be at least 2 characters'
};
}
}
return { valid: true };
}
// Usage in form
async function handleSignup(email, password) {
const validation = validateSupabaseEmail(email);
if (!validation.valid) {
setError(validation.error);
return;
}
const { error } = await supabase.auth.signUp({ email, password });
if (error) {
setError(error.message);
}
}Provide clear feedback when email validation fails:
async function signupWithErrorHandling(email, password) {
try {
const { data, error } = await supabase.auth.signUp({
email,
password,
});
if (error) {
if (error.message.includes('email_address_invalid')) {
return {
success: false,
message: 'Please use a standard email format (e.g., [email protected])',
suggestion: 'Avoid special characters and very short domain names',
};
}
return { success: false, message: error.message };
}
return { success: true, data };
} catch (err) {
return {
success: false,
message: 'An unexpected error occurred during signup'
};
}
}
// In your component
const result = await signupWithErrorHandling(email, password);
if (!result.success) {
setErrorMessage(result.message);
if (result.suggestion) {
setHelpText(result.suggestion);
}
}Supabase Validation vs RFC 5322
Supabase's email validation is intentionally stricter than RFC 5322 (the official email standard) to reduce spam and abuse. While addresses like "[email protected]" or "[email protected]" are technically valid per RFC 5322, Supabase may reject them to enforce security and deliverability best practices.
Known Validation Quirks
According to GitHub issues in the Supabase Auth repository, specific patterns known to cause validation failures include:
- Plus (+) symbols in the local part (before @)
- Domain names with segments shorter than 2-3 characters
- Certain Unicode or internationalized domain names
These restrictions are documented in various GitHub issues (#2252, #35082) but aren't explicitly detailed in official documentation.
Custom SMTP and Team Restrictions
Even if your email passes format validation, Supabase Auth has additional restrictions in development. Without a custom SMTP configuration, Auth will only send emails to team members of your project. This is a separate concern from format validation but can appear similar to end users.
Workarounds for Edge Cases
If you have users with legitimately unusual email addresses that Supabase rejects:
1. Consider implementing phone-based authentication as an alternative
2. Use OAuth providers (Google, GitHub) which handle their own email validation
3. For enterprise customers, configure a custom SMTP server which may offer more flexible validation
Monitoring and Debugging
Check your Supabase Auth logs in the dashboard under Authentication > Logs. Failed validation attempts appear with error code "email_address_invalid" and include the rejected email format (with sensitive parts redacted). This helps identify patterns in validation failures.
email_conflict_identity_not_deletable: Cannot delete identity because of email conflict
How to fix "Cannot delete identity because of email conflict" in Supabase
mfa_challenge_expired: MFA challenge has expired
How to fix "mfa_challenge_expired: MFA challenge has expired" in Supabase
conflict: Database conflict, usually related to concurrent requests
How to fix "database conflict usually related to concurrent requests" in Supabase
phone_exists: Phone number already exists
How to fix "phone_exists" in Supabase
StorageApiError: resource_already_exists
StorageApiError: Resource already exists