How to send Supabase auth emails with a Nylas Agent Account

Agent Accounts are in beta. The APIs this guide uses may change before general availability.

Supabase ships with a default SMTP server for Auth emails (signup confirmations, magic links, password resets, invites), but it caps at low volume and locks the sender to a Supabase domain. The supported fix is to plug in your own SMTP provider. A Nylas Agent Account fits well in that slot: you get a real mailbox the emails send from, and unlike a one-way transactional service, replies land back in the same mailbox where your app can pick them up via webhook.

This guide wires an Agent Account into Supabase Auth’s custom SMTP settings.

Before you begin. You need a domain registered with Nylas. A *.nylas.email trial subdomain works for prototyping (no DNS setup); for production, register your own domain and add the MX and TXT records. Both paths are covered in Provisioning and domains for Agent Accounts.

1. Create an Agent Account with an app password

Supabase’s SMTP client authenticates with an app_password set on the grant, not your Nylas API key. Set it at creation time so the account is ready to send right away.

From the Nylas CLI:

nylas agent account create [email protected] \
  --app-password "MySecureP4ssword!2024"

Or through the API:

curl --request POST \
  --url "https://api.us.nylas.com/v3/connect/custom" \
  --header "Authorization: Bearer <NYLAS_API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "provider": "nylas",
    "settings": {
      "email": "[email protected]",
      "app_password": "MySecureP4ssword!2024"
    }
  }'

Save the grant_id and the app_password. Nylas stores a bcrypt hash of the password, so you can reset it later but you can’t read it back. See Mail client access for the full password rules (18-40 chars, mixed case, digit, printable ASCII).

2. Open Supabase’s SMTP settings

In the Supabase Dashboard:

1. Open your project.
2. Go to Authentication in the left sidebar.
3. Open the Emails section.
4. Select the SMTP Settings tab.
5. Toggle Enable Custom SMTP on.

For self-hosted Supabase, set the equivalent GOTRUE_SMTP_* environment variables on your Auth container instead.

3. Plug in the Agent Account

Fill the SMTP fields with your Agent Account credentials. Use port 465 (implicit TLS) so the connection starts encrypted, with no STARTTLS negotiation.

Supabase field	Value
Sender email	The Agent Account email (e.g., [email protected])
Sender name	What recipients see in the From line (e.g., Acme Notifications)
Host	mail.us.nylas.email (US region) or mail.eu.nylas.email (EU region)
Port	465
Username	The Agent Account email (same as Sender email)
Password	The app_password you set on the grant in step 1

The Sender email must match the Username. Nylas rejects SMTP submissions where the MAIL FROM doesn’t match the authenticated account.

Save the settings. Supabase verifies the connection on save, so a wrong host, port, or password surfaces in the dashboard immediately.

4. Send a test email

Trigger a password reset or magic link from Supabase (the Auth UI in the dashboard has a “Send test email” action, or you can do it from your app). The message should arrive from your Agent Account address, and a copy lands in the account’s Sent folder. You can confirm it via the API at GET /v3/grants/{grant_id}/messages?in=sent.

Things to know

• Replies have somewhere to go now. If a user hits “reply” on a Supabase auth email, the reply lands in the Agent Account’s inbox and fires a message.created webhook. Wire that up if you want the agent (or a human) to act on it. See Handle replies in an agent loop.
• Use a dedicated subdomain. A subdomain like notifications.yourcompany.com keeps Supabase auth traffic isolated from your primary mail domain’s reputation, so a deliverability dip on transactional mail doesn’t bleed into team email.
• Watch the send cap. Agent Accounts default to 100 messages per day. That’s fine for a low-volume Supabase project; for higher volume, request a raise or split traffic across multiple Agent Accounts.
• Rotate the app password by updating the grant. Update settings.app_password on the grant and re-paste the new value into Supabase’s SMTP settings. Active SMTP sessions disconnect on the next authenticated command.
• Port 587 also works if your environment blocks 465. It negotiates STARTTLS on the same host, and both ports send through the same outbound pipeline.

What’s next

• Mail client access (IMAP & SMTP) for the full reference on app passwords, ports, and protocol behavior
• Handle replies in an agent loop to process inbound replies to your transactional mail
• Provisioning and domains for DNS records and multi-domain patterns
• Migrate from transactional email for the broader migration recipe across SendGrid, Resend, and Postmark