# How to send Auth0 emails with a Nylas Agent Account Source: https://developer.nylas.com/docs/cookbook/agent-accounts/send-auth0-emails/ Auth0 ships with a default test email provider for system emails (verification, welcome, password change, blocked account, breached password, MFA verification, user invitation), but it's rate-limited and explicitly intended for development only — Auth0 tells you to switch before going to production. The supported fix is to plug in your own provider. A Nylas Agent Account fits well in that slot: you get a real mailbox the emails send from, and unlike a one-way transactional service like SES or SendGrid, replies land back in the same mailbox where your app can pick them up via webhook. This guide wires an Agent Account into Auth0 as a custom SMTP email provider. Auth0's own reference for the screen is [Configure an Email Provider with SMTP Server Details](https://auth0.com/docs/customize/email/smtp-email-providers/smtp-server). > **Info:** > **Before you begin.** You need a domain registered with Nylas. A `*.nylas.email` trial subdomain works for prototyping (no DNS setup); for production, register your own domain and add the MX and TXT records. Both paths are covered in [Setup domains](/docs/v3/agent-accounts/dns-provider-setup/). ## 1. Create an Agent Account with an app password Auth0's SMTP client authenticates with an `app_password` set on the grant, not your Nylas API key. Set it at creation time so the account is ready to send right away. From the [Nylas CLI](https://cli.nylas.com/): ```bash nylas agent account create noreply@notifications.yourcompany.com \ --app-password "MySecureP4ssword!2024" ``` Or through the API: ```bash curl --request POST \ --url "https://api.us.nylas.com/v3/connect/custom" \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "provider": "nylas", "settings": { "email": "noreply@notifications.yourcompany.com", "app_password": "MySecureP4ssword!2024" } }' ``` Save the `grant_id` and the `app_password`. Nylas stores a bcrypt hash of the password, so you can reset it later but you can't read it back. See [Mail client access](/docs/v3/agent-accounts/mail-clients/) for the full password rules (18-40 chars, mixed case, digit, printable ASCII). ## 2. Open Auth0's email provider settings In the Auth0 Dashboard: 1. Open your tenant. 2. Go to **Branding** in the left sidebar. 3. Select **Email Provider**. 4. Toggle **Use my own email provider** on, then choose **SMTP** (the generic option, not one of the named integrations like SendGrid or Mailgun). If you're scripting this with the Management API instead, you'll `PATCH /api/v2/emails/provider` with `name: "smtp"` and the credentials below. Auth0 requires `host`, `port`, `username`, and `password` to all be sent together on update — supplying only one field returns an error. ## 3. Plug in the Agent Account Fill the SMTP fields with your Agent Account credentials. Use **port 587** with STARTTLS — that's Auth0's recommended default and what their dashboard pre-fills. | Auth0 field | Value | | --- | --- | | **From** | The Agent Account email (e.g., `noreply@notifications.yourcompany.com`) | | **Host** | `mail.us.nylas.email` (US region) or `mail.eu.nylas.email` (EU region) | | **Port** | `587` | | **Username** | The Agent Account email (same as From) | | **Password** | The `app_password` you set on the grant in step 1 | The **From** address must match the **Username**. Nylas rejects SMTP submissions where the `MAIL FROM` doesn't match the authenticated account, and Auth0 will surface that as a verification failure when you save. Save the settings. The real verification happens when you click **Send Test Email** — that's the action that opens an SMTP connection end to end. ## 4. Send a test email Click **Send Test Email** in the Email Provider screen, or trigger a real flow (sign up a test user to fire a verification email, or hit the **Forgot Password** action on the login page). The message should arrive from your Agent Account address, and a copy lands in the account's `Sent` folder. You can confirm it via the API at [`GET /v3/grants/{grant_id}/messages?in=sent`](/docs/reference/api/messages/get-messages/). If the test fails, the [Auth0 logs](https://manage.auth0.com/#/logs) (Monitoring → Logs) record SMTP errors with the exact server response, which makes debugging credentials or DNS issues much faster than guessing. ## Things to know - **Auth0 sends more email types than Supabase.** Verification, welcome, password change, blocked account, breached password, MFA verification, user invitation — they all go through this provider. Customize each one under **Branding → Email Templates** before flipping the switch, otherwise your users get Auth0's defaults from your new sender address. The full list is in [Auth0's email template descriptions](https://auth0.com/docs/customize/email/email-templates). - **Replies have somewhere to go now.** If a user hits "reply" on a verification or password-reset email, the reply lands in the Agent Account's inbox and fires a `message.created` webhook. Wire that up if you want the agent (or a human) to act on it. See [Handle replies in an agent loop](/docs/cookbook/agent-accounts/handle-replies/). - **Use a dedicated subdomain.** A subdomain like `notifications.yourcompany.com` keeps Auth0 traffic isolated from your primary mail domain's reputation, so a deliverability dip on auth mail doesn't bleed into team email. - **Watch the send cap.** Agent Accounts default to 100 messages per day. That's fine for a low-volume tenant; for higher volume (or a B2C app with constant signups), request a raise or split traffic across multiple Agent Accounts. - **Management API updates are all-or-nothing.** When you `PATCH /api/v2/emails/provider`, Auth0 requires the full set of `host`, `port`, `username`, and `password` even if you only want to rotate the password. Send all four on every update. - **Rotate the app password by updating the grant.** Update `settings.app_password` on the grant and re-paste the new value into Auth0's email provider settings (along with the unchanged host/port/username). Active SMTP sessions disconnect on the next authenticated command. - **Port 465 also works** if your environment blocks 587. It uses implicit TLS on the same host, and both ports send through the same outbound pipeline. Avoid port 25 — Auth0 warns against it and many networks block it outright. ## What's next - [Auth0: Configure an Email Provider with SMTP Server Details](https://auth0.com/docs/customize/email/smtp-email-providers/smtp-server) — Auth0's reference for the screen we just filled in - [Mail client access (IMAP & SMTP)](/docs/v3/agent-accounts/mail-clients/) for the full reference on app passwords, ports, and protocol behavior - [Handle replies in an agent loop](/docs/cookbook/agent-accounts/handle-replies/) to process inbound replies to your transactional mail - [Setup domains](/docs/v3/agent-accounts/dns-provider-setup/) for registering a custom domain and publishing DNS records - [Migrate from transactional email](/docs/cookbook/agent-accounts/migrate-from-transactional-email/) for the broader migration recipe across SendGrid, Resend, and Postmark