# How to send Supabase auth emails with a Nylas Agent Account Source: https://developer.nylas.com/docs/cookbook/agent-accounts/send-supabase-emails/ Supabase ships with a default SMTP server for Auth emails (signup confirmations, magic links, password resets, invites), but it's capped at 30 messages per hour and refuses to deliver to addresses outside your project's team. The supported fix is to plug in your own SMTP provider. A Nylas Agent Account fits well in that slot: you get a real mailbox the emails send from, and unlike a one-way transactional service, replies land back in the same mailbox where your app can pick them up via webhook. This guide wires an Agent Account into Supabase Auth's custom SMTP settings. Supabase's own reference for the screen is [Send emails with custom SMTP](https://supabase.com/docs/guides/auth/auth-smtp). > **Info:** > **Before you begin.** You need a domain registered with Nylas. A `*.nylas.email` trial subdomain works for prototyping (no DNS setup); for production, register your own domain and add the MX and TXT records. Both paths are covered in [Setup domains](/docs/v3/agent-accounts/dns-provider-setup/). ## 1. Create an Agent Account with an app password Supabase's SMTP client authenticates with an `app_password` set on the grant, not your Nylas API key. Set it at creation time so the account is ready to send right away. From the [Nylas CLI](https://cli.nylas.com/): ```bash nylas agent account create noreply@notifications.yourcompany.com \ --app-password "MySecureP4ssword!2024" ``` Or through the API: ```bash curl --request POST \ --url "https://api.us.nylas.com/v3/connect/custom" \ --header "Authorization: Bearer " \ --header "Content-Type: application/json" \ --data '{ "provider": "nylas", "settings": { "email": "noreply@notifications.yourcompany.com", "app_password": "MySecureP4ssword!2024" } }' ``` Save the `grant_id` and the `app_password`. Nylas stores a bcrypt hash of the password, so you can reset it later but you can't read it back. See [Mail client access](/docs/v3/agent-accounts/mail-clients/) for the full password rules (18-40 chars, mixed case, digit, printable ASCII). ## 2. Open Supabase's SMTP settings In the Supabase Dashboard: 1. Open your project. 2. Go to **Authentication** in the left sidebar. 3. Open the **Emails** section. 4. Select the **SMTP Settings** tab. 5. Toggle **Enable Custom SMTP** on. For self-hosted Supabase, set the equivalent `GOTRUE_SMTP_*` environment variables on your Auth container instead. ## 3. Plug in the Agent Account Fill the SMTP fields with your Agent Account credentials. Use **port 465** (implicit TLS) so the connection starts encrypted, with no STARTTLS negotiation. | Supabase field | Value | | --- | --- | | **Sender email** | The Agent Account email (e.g., `noreply@notifications.yourcompany.com`) | | **Sender name** | What recipients see in the From line (e.g., `Acme Notifications`) | | **Host** | `mail.us.nylas.email` (US region) or `mail.eu.nylas.email` (EU region) | | **Port** | `465` | | **Username** | The Agent Account email (same as Sender email) | | **Password** | The `app_password` you set on the grant in step 1 | The **Sender email** must match the **Username**. Nylas rejects SMTP submissions where the `MAIL FROM` doesn't match the authenticated account. Save the settings. Supabase verifies the connection on save, so a wrong host, port, or password surfaces in the dashboard immediately. ## 4. Send a test email Trigger a password reset or magic link from Supabase (the Auth UI in the dashboard has a "Send test email" action, or you can do it from your app). The message should arrive from your Agent Account address, and a copy lands in the account's `Sent` folder. You can confirm it via the API at [`GET /v3/grants/{grant_id}/messages?in=sent`](/docs/reference/api/messages/get-messages/). ## Things to know - **Replies have somewhere to go now.** If a user hits "reply" on a Supabase auth email, the reply lands in the Agent Account's inbox and fires a `message.created` webhook. Wire that up if you want the agent (or a human) to act on it. See [Handle replies in an agent loop](/docs/cookbook/agent-accounts/handle-replies/). - **Use a dedicated subdomain.** A subdomain like `notifications.yourcompany.com` keeps Supabase auth traffic isolated from your primary mail domain's reputation, so a deliverability dip on transactional mail doesn't bleed into team email. - **Watch the send cap.** Agent Accounts default to 100 messages per day. That's fine for a low-volume Supabase project; for higher volume, request a raise or split traffic across multiple Agent Accounts. - **Rotate the app password by updating the grant.** Update `settings.app_password` on the grant and re-paste the new value into Supabase's SMTP settings. Active SMTP sessions disconnect on the next authenticated command. - **Port 587 also works** if your environment blocks 465. It negotiates STARTTLS on the same host, and both ports send through the same outbound pipeline. ## What's next - [Supabase: Send emails with custom SMTP](https://supabase.com/docs/guides/auth/auth-smtp) — Supabase's reference for the screen we just filled in - [Mail client access (IMAP & SMTP)](/docs/v3/agent-accounts/mail-clients/) for the full reference on app passwords, ports, and protocol behavior - [Handle replies in an agent loop](/docs/cookbook/agent-accounts/handle-replies/) to process inbound replies to your transactional mail - [Setup domains](/docs/v3/agent-accounts/dns-provider-setup/) for registering a custom domain and publishing DNS records - [Migrate from transactional email](/docs/cookbook/agent-accounts/migrate-from-transactional-email/) for the broader migration recipe across SendGrid, Resend, and Postmark