Supabase requires reauthentication before allowing users to change their password or email address. This security measure prevents unauthorized account modifications when the Secure password change or Secure email change options are enabled.
Supabase Auth enforces reauthentication for sensitive operations to protect user accounts from unauthorized changes. When you attempt to update a user's password or email while the Secure password change or Secure email change setting is enabled, the system requires the user to verify their identity first. This happens when the user's session is older than 24 hours or when these security features are configured. The error occurs because Supabase does not allow these critical changes without first confirming the user's identity.
First, send a reauthentication challenge to the user. This sends an OTP (one-time password) to their confirmed email address or phone number:

```javascript
const { data, error } = await supabase.auth.reauthenticate();
```

This sends a nonce to the user's confirmed email address. If they don't have a confirmed email, it goes to their confirmed phone number instead.
The user will receive an email with a 6-digit OTP code (also called a nonce). They need to enter this code into your application's reauthentication form.
After the user provides the OTP, use it as the nonce parameter when updating the password or email:

```javascript
const { data: result, error } = await supabase.auth.updateUser({
  password: newPassword,
  nonce: otpFromEmail,
});
```

For email changes, include the nonce in the same way:

```javascript
const { data: result, error } = await supabase.auth.updateUser({
  email: newEmail,
  nonce: otpFromEmail,
});
```

Check for errors after the updateUser() call. If it succeeds, the user's password or email has been updated:

```javascript
if (error) {
  console.error('Update failed:', error.message);
} else {
  console.log('Update successful');
  // User is now logged out - they need to sign in again
}
```

Note that after a password change, the user is automatically logged out and must sign in again with the new password.
For a production application, create a dedicated reauthentication modal or page:

```typescript
// Step 1: Initiate reauthentication
async function startReauth() {
  const { error } = await supabase.auth.reauthenticate();
  if (error) {
    console.error('Reauthentication failed:', error);
    return; // no challenge was sent, so do not ask for an OTP
  }
  // Show OTP input form to user
}

// Step 2: Submit OTP and update password
async function confirmReauthAndUpdatePassword(otp: string, newPassword: string) {
  const { data, error } = await supabase.auth.updateUser({
    password: newPassword,
    nonce: otp,
  });
  if (error) {
    console.error('Password update failed:', error);
    return; // keep the OTP form open so the user can retry
  }
  console.log('Password updated. User must sign in again.');
  // Redirect to login page
}
```

By default, when a user changes their password, they are logged out and must sign in again with the new credentials. If Secure password change is disabled in your project settings, the reauthentication flow is not required, but you lose the security benefit of verifying identity before password changes.

For sessions created via magic link, the reauthentication requirement may be stricter, since magic link sessions don't establish traditional password authentication. The 24-hour recently-signed-in window is reset whenever a user successfully authenticates.

If your application uses Multi-Factor Authentication (MFA), you may want to require reauthentication not just for password/email changes but also for other sensitive operations. Reauthentication emails use Supabase's default email template unless you customize the email templates in your project settings.
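The two-step flow above, written as a small controller with explicit states so the UI can never ask for an OTP before a challenge was sent, nor treat a failed update as success. This is an added example, not Supabase's own code: the `auth` argument is assumed to expose the two supabase-js calls used on this page, `reauthenticate()` and `updateUser()`, each resolving to `{ data, error }`. The `makeFakeAuth` helper is a constructed in-memory stand-in for those two calls so the flow can be run offline; its nonce value and error message are made up for the example.

```javascript
// Nonce format check: the page states the OTP is a 6-digit code, so reject
// anything else client-side before it ever reaches the API.
function isValidNonce(otp) {
  return typeof otp === 'string' && /^[0-9]{6}$/.test(otp);
}

// Step 1: send the challenge. Only move to "awaiting_otp" when the call
// succeeded; on error stay in "idle" so the OTP form is never shown.
async function requestChallenge(auth) {
  const { error } = await auth.reauthenticate();
  if (error) return { state: 'idle', error: error.message };
  return { state: 'awaiting_otp', error: null };
}

// Step 2: use the OTP as the nonce for the sensitive update.
// `field` must be 'password' or 'email'; anything else is refused.
async function completeUpdate(auth, field, value, otp) {
  if (field !== 'password' && field !== 'email') {
    return { state: 'awaiting_otp', error: 'unsupported field' };
  }
  if (!isValidNonce(otp)) {
    return { state: 'awaiting_otp', error: 'nonce must be 6 digits' };
  }
  const { error } = await auth.updateUser({ [field]: value, nonce: otp });
  if (error) return { state: 'awaiting_otp', error: error.message };
  // A successful password change ends the session, so the caller must
  // route the user to sign-in rather than continue as logged in.
  return { state: field === 'password' ? 'signed_out' : 'done', error: null };
}

// Constructed fake of the two auth calls (assumption: not the real client).
// It issues a fixed nonce and accepts an update only after a challenge was
// sent and the same nonce is echoed back, mimicking the server-side check.
function makeFakeAuth(issuedNonce = '123456') {
  let challenged = false;
  return {
    async reauthenticate() {
      challenged = true;
      return { data: {}, error: null };
    },
    async updateUser(attrs) {
      if (!challenged || attrs.nonce !== issuedNonce) {
        return { data: { user: null }, error: { message: 'reauthentication required' } };
      }
      return { data: { user: { id: 'user-1' } }, error: null };
    },
  };
}

// Drive the whole flow once and return the sequence of states reached.
async function runFlow(auth, field, value, otp) {
  const first = await requestChallenge(auth);
  if (first.state !== 'awaiting_otp') return [first];
  const second = await completeUpdate(auth, field, value, otp);
  return [first, second];
}

// Usage with the fake client; replace makeFakeAuth() with supabase.auth in an app.
runFlow(makeFakeAuth(), 'password', 'new-password', '123456').then((states) =>
  console.log(states.map((s) => s.state).join(' -> ')),
);
```

Keying the UI off the returned `state` rather than off the absence of an exception is the point: a wrong or stale nonce leaves the flow in `awaiting_otp` with the server's message, and only a successful password update yields `signed_out`, which is where the redirect to the login page belongs.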