Supabase Auth restricts email sending to pre-authorized addresses when using the default email provider. This error occurs when trying to send authentication emails to addresses not in your project's authorized list.
The error is raised when Supabase Auth attempts to send an email (signup confirmation, password reset, magic link, etc.) to an address that is not authorized for your project. By default, Supabase only permits sending to addresses that belong to members of your organization's team, which prevents spam and protects the reputation of the default email sending service. The default SMTP provider has strict limitations to protect against abuse.
The most reliable solution is to set up a custom SMTP server:
1. Go to your Supabase dashboard
2. Select your project and navigate to Project Settings → Auth → SMTP Settings
3. Toggle Enable Custom SMTP
4. Configure your SMTP credentials (host, port, username, password)
5. Set the sender email and sender name
6. Click Save
Recommended SMTP providers: Resend, Mailgun, SendGrid, Mailtrap, or AWS SES. Each offers free tiers to get started.
If you need to use Supabase's default SMTP temporarily, add the recipient email as a team member:
1. Go to Organization Settings → Team
2. Click Invite member
3. Enter the email address you want to send to
4. Send the invitation
5. Once accepted, that email will be authorized for receiving Auth emails
Note: This is only a temporary workaround. The default provider has a 2-4 messages per hour rate limit and is not suitable for production applications.
After setting up custom SMTP, improve email deliverability:
1. Access your domain's DNS settings (GoDaddy, Namecheap, AWS Route 53, etc.)
2. Add SPF record (usually looks like: v=spf1 include:provider.com ~all)
3. Add DKIM record (provided by your SMTP provider)
4. Add DMARC record (template: v=DMARC1; p=quarantine; rua=mailto:[email protected])
5. Wait for DNS propagation (can take up to 48 hours)
6. Verify in your SMTP provider's dashboard that records are correctly configured
This ensures emails from your domain don't land in spam folders.
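The SPF and DMARC values from steps 2 and 4 can be checked before and after they are published. The following is an added example, not code from Supabase or from the original page: it audits SPF and DMARC TXT strings for common misconfigurations. `provider.com` is the template value used above; the function names and the report address are assumptions made for illustration.

```javascript
// Added example. Each audit takes the TXT strings published at one DNS name
// and returns a list of findings; an empty list means nothing was flagged.

function auditSpf(txtRecords, providerInclude) {
  const spf = txtRecords.map((r) => r.trim()).filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return ['no SPF record published'];
  // RFC 7208: more than one SPF record on a name is a permanent error.
  if (spf.length > 1) return ['multiple SPF records; merge them into one'];
  const terms = spf[0].toLowerCase().split(/\s+/).slice(1);
  const findings = [];
  if (!terms.includes(`include:${providerInclude.toLowerCase()}`)) {
    findings.push(`provider not authorized: include:${providerInclude} is missing`);
  }
  const all = terms.find((t) => /^[+?~-]?all$/.test(t));
  if (!all) findings.push('no terminating "all" mechanism');
  else if (all === 'all' || all === '+all') findings.push('"+all" authorizes any sender');
  else if (all === '?all') findings.push('"?all" is neutral and gives no protection');
  return findings;
}

function auditDmarc(txtRecords) {
  const recs = txtRecords.map((r) => r.trim()).filter((r) => /^v\s*=\s*DMARC1\s*(;|$)/.test(r));
  if (recs.length === 0) return ['no DMARC record published'];
  if (recs.length > 1) return ['multiple DMARC records; receivers apply none of them'];
  const tags = {};
  for (const part of recs[0].split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  const findings = [];
  const policy = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(policy)) findings.push('missing or invalid p= policy');
  else if (policy === 'none') findings.push('p=none requests no action on failing mail');
  if (!tags.rua) findings.push('no rua= address, so aggregate reports are not collected');
  return findings;
}

// Optional live lookup; long TXT records arrive split into chunks that must be joined.
async function fetchTxt(name) {
  const { resolveTxt } = await import('node:dns/promises');
  return (await resolveTxt(name)).map((chunks) => chunks.join(''));
}

// Constructed sample records following the templates above (not real DNS data).
const sampleSpf = ['v=spf1 include:provider.com ~all'];
const sampleDmarc = ['v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com'];
console.log(auditSpf(sampleSpf, 'provider.com'), auditDmarc(sampleDmarc)); // [] []
```

Against a live domain, pass the result of `fetchTxt('<your-domain>')` to `auditSpf` and the result of `fetchTxt('_dmarc.<your-domain>')` to `auditDmarc`.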
Once custom SMTP is configured, test it:
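```javascript
import { createClient } from '@supabase/supabase-js';

// Project URL and anon key come from the environment (variable names are placeholders).
const supabase = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY);

// Trigger a signup confirmation email to exercise the custom SMTP configuration.
const { error } = await supabase.auth.signUp({
  email: '[email protected]', // replace with an address whose inbox you control
  password: 'TestPassword123!',
});
if (error) {
  console.error('Sign up error:', error.message);
} else {
  console.log('Sign up successful - check email for confirmation');
}
```

Check your inbox (and spam folder) to confirm the email was received. If it still fails, verify that the SMTP credentials in your Supabase settings are correct.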
Rate Limits: Supabase's default SMTP provider has strict limits (2-4 emails/hour) due to spam abuse history. Custom SMTP providers typically offer much higher limits (hundreds or thousands per hour).

Domain Reputation: For production apps, use separate sending domains for auth emails (auth.example.com) and marketing emails (marketing.example.com) to prevent reputation issues from affecting both.

Google Workspace SMTP: If using Google Workspace SMTP, the sender email must match your admin email, and you must use an app-specific password (not your account password).

Passwordless vs Password Auth: If using passwordless email-link auth, the email sending system is critical and must be properly configured before launch.