This error occurs when signing up or logging in with an OAuth provider (Google, GitHub, etc.) if the provider's email hasn't been verified by that provider. OAuth providers require verified emails to prevent account takeover attacks. The solution involves verifying the email with the OAuth provider or configuring Supabase's email verification settings.
The "provider_email_needs_verification" error in Supabase's OAuth authentication indicates that the email address returned by the OAuth provider has not been verified by that provider. Here's what's happening:
1. OAuth Provider Email Verification: OAuth providers like Google and GitHub maintain their own email verification systems. When you sign in with these providers, they return your email address along with an email_verified flag.
2. Supabase's Security Check: For security reasons, Supabase requires that emails be verified by their OAuth provider before linking or creating an account. This prevents account takeover attacks where someone could register a fake account with an unverified email or later claim ownership of the real user's account.
3. Identity Linking Issue: When a new OAuth identity could be linked to an existing user account, Supabase must ensure the email is verified to maintain account security. Unverified emails could be exploited for pre-account takeover.
This error typically appears during initial OAuth sign-up when email isn't verified with the provider, attempting to link a new OAuth identity to an existing account, or automatic identity linking when emails match but aren't verified.
The primary fix is to ensure the email address is verified with the OAuth provider:
For Google accounts:
1. Go to https://myaccount.google.com/
2. Click "Security" in the left menu
3. Verify that your email is confirmed (it should show a checkmark)
4. If not verified, click "Email address" and follow the verification steps
5. Check your email inbox for the verification link from Google
For GitHub accounts:
1. Go to https://github.com/settings/emails
2. Check the "Primary email address" section
3. If there's a yellow warning, click "Resend" to verify
4. Check your email inbox for the GitHub verification link
5. Ensure "Keep my email address private" is not blocking public email access
For other OAuth providers:
- Check their account settings for email verification
- Look for "Verified Emails" or similar section
- Complete any pending email verification steps
After verifying your email with the OAuth provider, the changes may take a few minutes to propagate:
1. Clear your browser's local storage and cache:
- Open browser DevTools (F12 or right-click → Inspect)
- Go to Application tab
- Clear localStorage and sessionStorage
- Close all app tabs
2. Close your browser completely
3. Re-open and try the OAuth login again
Alternatively, use incognito/private mode to avoid cached data:
- Chrome: Press Ctrl+Shift+N (Windows) or Cmd+Shift+N (Mac)
- Firefox: Press Ctrl+Shift+P (Windows) or Cmd+Shift+P (Mac)
- Safari: Press Cmd+Shift+N
Verify your Supabase project's email configuration:
1. Go to Supabase Dashboard → Authentication → Providers
2. Look for "Email" provider settings
3. Check the "Confirm email" setting:
- Enabled: Users must verify email before signing in
- Disabled: Email is auto-confirmed, allowing immediate access
For OAuth providers specifically:
1. Go to Supabase Dashboard → Authentication → Providers
2. Expand the OAuth provider (Google, GitHub, etc.)
3. Check if there's an "Auto-confirm OAuth email" or similar option
4. Enable it if available to auto-confirm emails from trusted OAuth providers
Note: Having Confirm Email disabled assumes the OAuth provider's email verification is sufficient security.
Verify your OAuth provider configuration:
1. Go to Supabase Dashboard → Authentication → Providers
2. Click on the failing OAuth provider (Google, GitHub, etc.)
3. Verify credentials are correct:
- Client ID matches provider's console
- Client secret is valid
- Redirect URL matches provider's configuration
4. For Google OAuth specifically:
- Go to Google Cloud Console → APIs & Services
- Click the project with your OAuth credentials
- Go to Credentials
- Click the OAuth 2.0 Client ID
- Under "Authorized redirect URIs", ensure it includes:
- https://[project-ref].supabase.co/auth/v1/callback
5. For GitHub OAuth:
- Go to GitHub Settings → Developer settings → OAuth Apps
- Click your application
- Verify "Authorization callback URL" is:
- https://[project-ref].supabase.co/auth/v1/callback
Add error handling in your client code to catch and respond to this error. Create a function to sign in with OAuth and handle the provider_email_needs_verification error specifically.
In your authentication handler:
- Check if error.message includes 'provider_email_needs_verification'
- Show user-friendly message explaining email verification is needed
- Direct user to provider's email settings
- Offer retry option after verification
For example:
- Catch the error from signInWithOAuth call
- Display message: "Email not verified - Please verify your email with [Provider] and try again"
- Handle identity linking errors separately from initial signup errors
- Log full error details for debugging
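The handling steps above as an added JavaScript example; it is not Supabase's own code and not from the original page. It assumes the failure reaches the app either as the error object from the signInWithOAuth call or as error / error_code / error_description parameters on the callback URL; the function names and the callback URL layout are hypothetical.

```javascript
const CODE = 'provider_email_needs_verification';

// Settings pages are the ones named in the steps earlier on this page.
const PROVIDERS = new Map([
  ['google', { name: 'Google', help: 'https://myaccount.google.com/' }],
  ['github', { name: 'GitHub', help: 'https://github.com/settings/emails' }],
]);

// Assumption: on a redirect flow the failure comes back as error / error_code /
// error_description in the callback URL's query string or fragment.
function errorFromCallbackUrl(callbackUrl) {
  const url = new URL(callbackUrl);
  const sources = [url.searchParams, new URLSearchParams(url.hash.replace(/^#/, ''))];
  for (const params of sources) {
    if (params.has('error') || params.has('error_code')) {
      return {
        code: params.get('error_code') || params.get('error'),
        message: params.get('error_description') || '',
      };
    }
  }
  return null;
}

// `error` is the error returned by the signInWithOAuth call or the object above.
// `flow` is 'signup' or 'link', so linking failures get their own wording.
function describeOAuthError(error, provider, flow = 'signup') {
  if (!error) return { kind: 'ok' };
  // Full details go to the log only; the user sees the short message below.
  console.error('OAuth sign-in failed', { provider, flow, error });
  const text = `${error.code || ''} ${error.message || ''}`;
  if (!text.includes(CODE)) {
    return { kind: 'other', userMessage: 'Sign-in failed. Please try again.', helpUrl: null };
  }
  const known = PROVIDERS.get(provider) || { name: provider, help: null };
  const next = flow === 'link' ? 'link the account again' : 'try again';
  return {
    kind: 'email_unverified',
    userMessage: `Email not verified - Please verify your email with ${known.name} and ${next}`,
    helpUrl: known.help,
  };
}
```

Render `userMessage` with a link to `helpUrl` and a retry button, and keep the raw error out of the page.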
If the error occurs when attempting to link an OAuth identity to an existing account:
1. Review Supabase Dashboard → Authentication → User Management
2. Check the user's "Identities" tab to see linked accounts
3. Verify "Manual Linking" is enabled if users need to manually link accounts:
- Go to Supabase Dashboard → Authentication → Providers
- Look for "Manual Linking" option in OAuth provider settings
- Enable if users should manually link identities
4. Check for conflicting identities:
- In Supabase SQL editor, look up the user's identities
- Verify each identity has email_verified status
- Check if email exists with unconfirmed identity
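The conflicting-identity check in step 4, as an added JavaScript example that is not part of the original page or of Supabase. It runs over identity rows exported as JSON and assumes each row carries a provider name and an identity_data object with email and email_verified; the sample rows are constructed and the function name is hypothetical.

```javascript
// Constructed sample rows, shaped like identity records: a provider name plus
// an identity_data object holding email and email_verified (assumed layout).
const sampleIdentities = [
  { provider: 'email',  identity_data: { email: 'Alice@example.com', email_verified: true } },
  { provider: 'github', identity_data: { email: 'alice@example.com', email_verified: false } },
  { provider: 'google', identity_data: { email: 'bob@example.com',   email_verified: true } },
  { provider: 'github', identity_data: { email: 'carol@example.com' } }, // flag absent
];

function findUnverifiedIdentityConflicts(identities) {
  const byEmail = new Map();
  for (const identity of identities) {
    const data = identity.identity_data || {};
    if (typeof data.email !== 'string' || data.email === '') continue;
    // Compare case-insensitively so Alice@ and alice@ land in one group.
    const email = data.email.trim().toLowerCase();
    // Only a literal true counts; a missing, null or string value is unverified.
    const verified = data.email_verified === true;
    if (!byEmail.has(email)) byEmail.set(email, { verified: [], unverified: [] });
    byEmail.get(email)[verified ? 'verified' : 'unverified'].push(identity.provider);
  }
  const findings = [];
  for (const [email, group] of byEmail) {
    if (group.unverified.length === 0) continue;
    findings.push({
      email,
      unverifiedProviders: group.unverified,
      verifiedProviders: group.verified,
      // An unverified identity sharing an email with a verified one is the
      // identity-linking case this error guards against.
      linkingConflict: group.verified.length > 0,
    });
  }
  return findings;
}

console.log(JSON.stringify(findUnverifiedIdentityConflicts(sampleIdentities), null, 2));
```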
If the email is verified with the OAuth provider but the error persists:
For Google accounts:
- Go to https://support.google.com/accounts
- Search for "email verification"
- Verify account security settings are correct
For GitHub accounts:
- Go to https://github.com/contact
- Report account access issues
- Verify no suspicious login attempts
For other providers:
- Check their official support documentation
- Verify email is on account settings
- Look for email verification or confirmation status
Also test the OAuth flow with detailed logging to see what data Supabase receives from the provider.
OAuth Email Verification Architecture
OAuth providers like Google and GitHub maintain independent email verification systems. When users sign in, the provider returns user information including an email_verified flag. Supabase checks this flag for security to prevent account takeover attacks. This two-layer verification (provider plus Supabase) protects against exploitation.
Auto-Confirmation vs Manual Verification
Auto-confirmation approach (Confirm Email disabled):
- Assumes OAuth provider's verification is sufficient
- Faster user experience
- Lower security if provider is compromised
- Recommended for trusted OAuth providers like Google and GitHub
Manual verification approach (Confirm Email enabled):
- Requires user to verify via additional email
- More control over verification
- Slower user experience
- Recommended for email authentication flows
Debugging Email Verification
Check Supabase logs for detailed information. Go to Supabase Dashboard, navigate to Logs → Auth Logs, and filter by error type or user email. Look for provider_email_needs_verification entries and check the provider's response payload for the identity_data field showing email_verified status.
Custom SMTP Configuration
If using custom SMTP for sending verification emails:
1. Configure in Supabase Dashboard → Authentication → Email
2. Set "Sender name" and "Sender email"
3. Ensure SMTP credentials are valid
4. Test with "Test email" function
5. Verify emails are being delivered to users' inboxes