How to send Auth0 emails with a Nylas Agent Account

Auth0 ships with a default test email provider for system emails (verification, welcome, password change, blocked account, breached password, MFA verification, user invitation), but it’s rate-limited and explicitly intended for development only — Auth0 tells you to switch before going to production. The supported fix is to plug in your own provider. A Nylas Agent Account fits well in that slot: you get a real mailbox the emails send from, and unlike a one-way transactional service like SES or SendGrid, replies land back in the same mailbox where your app can pick them up via webhook.

This guide wires an Agent Account into Auth0 as a custom SMTP email provider. Auth0’s own reference for the screen is Configure an Email Provider with SMTP Server Details.

1. Create an Agent Account with an app password

Auth0’s SMTP client authenticates with an app_password set on the grant, not your Nylas API key. Set it at creation time so the account is ready to send right away.

From the Nylas CLI:

nylas agent account create [email protected] \
  --app-password "MySecureP4ssword!2024"

Or through the API:

curl --request POST \
  --url "https://api.us.nylas.com/v3/connect/custom" \
  --header "Authorization: Bearer <NYLAS_API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "provider": "nylas",
    "settings": {
      "email": "[email protected]",
      "app_password": "MySecureP4ssword!2024"
    }
  }'

Save the grant_id and the app_password. Nylas stores a bcrypt hash of the password, so you can reset it later but you can’t read it back. See Mail client access for the full password rules (18-40 chars, mixed case, digit, printable ASCII).

2. Open Auth0’s email provider settings

In the Auth0 Dashboard:

Open your tenant.
Go to Branding in the left sidebar.
Select Email Provider.
Toggle Use my own email provider on, then choose SMTP (the generic option, not one of the named integrations like SendGrid or Mailgun).

If you’re scripting this with the Management API instead, you’ll PATCH /api/v2/emails/provider with name: "smtp" and the credentials below. Auth0 requires host, port, username, and password to all be sent together on update — supplying only one field returns an error.

3. Plug in the Agent Account

Fill the SMTP fields with your Agent Account credentials. Use port 587 with STARTTLS — that’s Auth0’s recommended default and what their dashboard pre-fills.

Auth0 field	Value
From	The Agent Account email (e.g., `[email protected]`)
Host	`mail.us.nylas.email` (US region) or `mail.eu.nylas.email` (EU region)
Port	`587`
Username	The Agent Account email (same as From)
Password	The `app_password` you set on the grant in step 1

The From address must match the Username. Nylas rejects SMTP submissions where the MAIL FROM doesn’t match the authenticated account, and Auth0 will surface that as a verification failure when you save.

Save the settings. The real verification happens when you click Send Test Email — that’s the action that opens an SMTP connection end to end.

4. Send a test email

Click Send Test Email in the Email Provider screen, or trigger a real flow (sign up a test user to fire a verification email, or hit the Forgot Password action on the login page). The message should arrive from your Agent Account address, and a copy lands in the account’s Sent folder. You can confirm it via the API at GET /v3/grants/{grant_id}/messages?in=sent.

If the test fails, the Auth0 logs (Monitoring → Logs) record SMTP errors with the exact server response, which makes debugging credentials or DNS issues much faster than guessing.

Things to know

Auth0 sends more email types than Supabase. Verification, welcome, password change, blocked account, breached password, MFA verification, user invitation — they all go through this provider. Customize each one under Branding → Email Templates before flipping the switch, otherwise your users get Auth0’s defaults from your new sender address. The full list is in Auth0’s email template descriptions.
Replies have somewhere to go now. If a user hits “reply” on a verification or password-reset email, the reply lands in the Agent Account’s inbox and fires a message.created webhook. Wire that up if you want the agent (or a human) to act on it. See Handle replies in an agent loop.
Use a dedicated subdomain. A subdomain like notifications.yourcompany.com keeps Auth0 traffic isolated from your primary mail domain’s reputation, so a deliverability dip on auth mail doesn’t bleed into team email.
Watch the send cap. Agent Accounts default to 100 messages per day. That’s fine for a low-volume tenant; for higher volume (or a B2C app with constant signups), request a raise or split traffic across multiple Agent Accounts.
Management API updates are all-or-nothing. When you PATCH /api/v2/emails/provider, Auth0 requires the full set of host, port, username, and password even if you only want to rotate the password. Send all four on every update.
Rotate the app password by updating the grant. Update settings.app_password on the grant and re-paste the new value into Auth0’s email provider settings (along with the unchanged host/port/username). Active SMTP sessions disconnect on the next authenticated command.
Port 465 also works if your environment blocks 587. It uses implicit TLS on the same host, and both ports send through the same outbound pipeline. Avoid port 25 — Auth0 warns against it and many networks block it outright.

What’s next

Auth0: Configure an Email Provider with SMTP Server Details — Auth0’s reference for the screen we just filled in
Mail client access (IMAP & SMTP) for the full reference on app passwords, ports, and protocol behavior
Handle replies in an agent loop to process inbound replies to your transactional mail
Provisioning and domains for DNS records and multi-domain patterns
Migrate from transactional email for the broader migration recipe across SendGrid, Resend, and Postmark