Clerk, Auth0, and Supabase auth emails can be sent from user-owned mailboxes via Nylas agents

Send Clerk Emails Through an Agent Account

A user signs up for your app. Clerk emails them a verification code, they squint at it, hit reply, and type "is this actually you? I got two of these." That reply goes nowhere. Clerk's default sender is unattended, the user's question evaporates, and the first interaction someone has with your product is an email that ignores them. Clerk's escape hatch for this is unusual — and honestly, kind of elegant. There's no SMTP host/port/password form like Supabase or Auth0 have. Instead, each email template carries a Delivered by Clerk toggle. Flip it off and Clerk still renders the email — template, OTP code, magic link, all of it — but instead of sending, it hands the finished email to your application through an emails.created webhook. Delivery becomes your problem, which means delivery becomes your choice. A good choice: relay it to a Nylas Agent Account — a hosted mailbox you control entirely through an API, currently in beta. Clerk keeps the auth flow and templates; the mailbox sends the email and, the real prize, catches replies. The whole integration is two webhooks: emails.created in, message.created back when someone responds. Provision the sending mailbox No app_password needed here — your handler calls the REST API directly with your standard API key: curl --request POST \ --url "https://api.us.nylas.com/v3/connect/custom" \ --header "Authorization: Bearer $NYLAS_API_KEY" \ --header "Content-Type: application/json" \ --data '{ "provider": "nylas", "settings": { "email": "noreply@auth.yourcompany.com" } }' Stash the returned grant_id next to your API key. Domain prerequisite: a *.nylas.email trial subdomain works instantly for prototyping; production wants your own domain with MX and TXT records, per the provisioning guide. Flip the toggle — one template at a time In the Clerk Dashboard under Customization → Emails, open a template and switch Delivered by Clerk off. The toggle is per-template, so there's no flag day: move verification first, watch it in production, then migrate magic links and invitations once you trust the pipe. Anything left on keeps shipping through Clerk's default ESP untouched. While you're there, set the From local part to match your mailbox. Clerk composes the sender as <local part>@<your-clerk-mail-domain> — if that domain and your provisioned domain drift apart, the address users see in previews and the envelope address on the wire won't match, and deliverability pays for it. Catch the webhook, relay the send Subscribe to emails.created on Clerk's Webhooks page, then verify and relay: import { verifyWebhook } from "@clerk/backend/webhooks"; export async function POST(request) { let event; try { event = await verifyWebhook(request); } catch { return new Response("bad signature", { status: 400 }); } if (event.type !== "emails.created") { return new Response("ignored", { status: 200 }); } await deliverViaNylas(event.data); return new Response("ok", { status: 200 }); } deliverViaNylas is where Clerk's webhook becomes a real send — a single POST /v3/grants/{grant_id}/messages/send with Clerk's rendered HTML as the body: async function deliverViaNylas(email) { const res = await fetch( `https://api.us.nylas.com/v3/grants/${process.env.NYLAS_GRANT_ID}/messages/send`, { method: "POST", headers: { Authorization: `Bearer ${process.env.NYLAS_API_KEY}`, "Content-Type": "application/json", }, body: JSON.stringify({ subject: email.subject, body: email.body, // Clerk's rendered HTML to: [{ email: email.to_email_address }], }), } ); if (!res.ok) { throw new Error(`Nylas send failed: ${res.status} ${await res.text()}`); } } Log the full event.data payload once on your first real delivery — it carries the subject, HTML body, plain-text fallback, template slug, and a nested data field with the OTP or magic-link URL — and compare it against the Clerk Dashboard's Send example payload to confirm the shape before depending on it. The field names are stable per template, but five minutes of inspection beats a production surprise. The three production rules Clerk retries on non-2xx and on timeouts, which makes your handler's response semantics load-bearing: Dedupe by the Svix message ID. If your send succeeds but the 200 never reaches Clerk, the retry will double-send a verification code. Use the Svix ID from the request headers as an idempotency key. Answer fast, send async. A slow handler looks like a failure and triggers a retry. Return 200 and queue the send if it might be slow. 4xx is permanent, 5xx is retryable. A bad recipient won't improve on retry — acknowledge with 200 and log it. A 5xx from the send API is worth letting Clerk re-fire. When something breaks, Clerk's Message Attempts view shows every delivery, your response code, and the raw payload; the grant logs on the other side show whether the send arrived at all. Why bother: the reply comes back Test it end to end — create a user, get the verification email, and check the mailbox's Sent folder via GET /v3/grants/{grant_id}/messages?in=sent. Then reply to that email. It lands in the mailbox's inbox and fires message.created, and suddenly the scenario from the top of this post has a different ending: the confused user's question reaches your reply-handling loop instead of the void. One capacity note: the send cap is 200 messages per account per day on the free plan — fine for early traffic, but a B2C app with steady signups should move to a paid plan or shard across multiple accounts, picking one per recipient. If you'd rather speak SMTP This recipe calls the REST API because it's the most direct path from a webhook handler — no credentials beyond the API key you already have. But the same Agent Account can serve an SMTP transport too: set an app_password on the grant (at creation or later) and point an existing nodemailer transport at mail.us.nylas.email:587. That's handy if your codebase already has a mail abstraction you don't want to rework. Same mailbox, same Sent folder, same replies coming back — just a different wire protocol on the way out. The full recipe is at send Clerk emails through an Agent Account. Start with exactly one template — verification — flipped off in a dev instance, and see how far you get in an afternoon. Which template would you migrate first?

14 hours ago

Send Supabase Auth Emails From Your Own Mailbox

Supabase's built-in SMTP server delivers 30 auth emails per hour, and only to addresses on your project's team; a production app needs to send confirmations, magic links, and password resets to anyone, at signup speed. That mismatch is by design — the default exists so Auth works out of the box in development, and Supabase's docs point you at custom SMTP the moment you have real users. Most people plug in a one-way transactional sender and move on. The alternative worth considering: a mailbox your application owns end to end, where outgoing auth mail and incoming replies live at the same address. That's what a Nylas Agent Account gives you — a hosted, API-driven mailbox (the feature is in beta) that happens to speak plain SMTP. Step one: a mailbox with an app password Supabase authenticates over SMTP with an app_password set on the grant — your API key never goes near the Supabase dashboard. Create the account with the password in place: curl --request POST \ --url "https://api.us.nylas.com/v3/connect/custom" \ --header "Authorization: Bearer $NYLAS_API_KEY" \ --header "Content-Type: application/json" \ --data '{ "provider": "nylas", "settings": { "email": "noreply@notifications.yourcompany.com", "app_password": "MySecureP4ssword!2024" } }' The Nylas CLI equivalent is one line, if you prefer the terminal: nylas agent account create noreply@notifications.yourcompany.com \ --app-password "MySecureP4ssword!2024" Keep the grant_id from the response and the password itself — what's stored server-side is a bcrypt hash, so the password can be reset but never retrieved. The rules: 18–40 characters, mixed case, at least one digit, printable ASCII. Full reference in mail client access. Prerequisite either way: a registered domain. Trial *.nylas.email subdomains need no DNS setup; production domains need MX and TXT records, covered in the provisioning docs. Step two: the Supabase side Dashboard path: project → Authentication → Emails → SMTP Settings tab → toggle Enable Custom SMTP on. Then map the fields: Supabase field Value Sender email The mailbox address Sender name What recipients see (e.g., Acme Notifications) Host mail.us.nylas.email (US) or mail.eu.nylas.email (EU) Port 465 Username Same as Sender email Password The app_password Port 465 means implicit TLS — the connection starts encrypted, no STARTTLS negotiation. If your network blocks 465, port 587 works on the same host with STARTTLS; both feed the same outbound pipeline. One hard rule: Sender email must equal Username, because SMTP submissions where MAIL FROM doesn't match the authenticated account get rejected. Self-hosting Supabase? Skip the dashboard and set the matching GOTRUE_SMTP_* environment variables on the Auth container. Supabase verifies the connection when you save, so a wrong host or password fails loudly right there rather than silently at the first signup. What actually changed: before and after Supabase default SMTP Agent Account as custom SMTP Rate limit 30 emails per hour 200 messages per account per day (free plan) Recipients Project team members only Anyone Sender address Supabase's Your own domain (or a trial *.nylas.email subdomain) Replies Nowhere to go Land in the mailbox, fire message.created Intended use Development Production The recipient restriction on the default server surprises people more than the rate limit does — it's why "signups work for me but not for beta users" is such a common first bug report. Step three: prove it end to end Trigger a password reset or magic link — the dashboard's Auth UI has a test-email action, or fire one from your app. Two places to confirm: the recipient inbox, and the mailbox's own Sent folder: curl --request GET \ --url "https://api.us.nylas.com/v3/grants/$GRANT_ID/messages?in=sent" \ --header "Authorization: Bearer $NYLAS_API_KEY" If the copy is in Sent but never arrived, you're debugging deliverability; if it's not in Sent, you're debugging config. That single split cuts most debugging sessions in half. The part transactional senders can't do Users reply to auth emails. "I didn't request this." "My link expired." "Is this legit?" With a no-reply pipe those messages die; with this setup they land in the mailbox's inbox and fire a message.created webhook, so your app — or an agent, or a human — can respond. The reply-handling recipe shows the loop. For an auth mailbox it can be as simple as forwarding anything inbound to your support queue, which already beats silence. Operational details worth writing down: The send cap is 200 messages per account per day on the free plan. Plenty for a side project's signup volume; a busier app should move to a paid plan or split traffic across multiple accounts. Put it on a subdomain. notifications.yourcompany.com isolates auth-mail reputation from your team's primary domain. Rotation is grant-side first. Update settings.app_password on the grant, then paste the new value into Supabase. Live SMTP sessions drop on the next authenticated command. Two quick questions Port 465 or 587? Either. 465 starts encrypted (implicit TLS); 587 negotiates STARTTLS after connecting. Both run on the same host and feed the same outbound pipeline, so the choice comes down to what your network allows. Supabase's dashboard takes either value — just keep the rest of the fields identical. Does the 30-per-hour limit still apply after switching? No — that cap belongs to Supabase's built-in development server, along with the team-members-only recipient restriction. Once custom SMTP is enabled, your sending capacity is whatever your provider allows, which for an Agent Account means 200 messages per account per day on the free plan. Where to go from here The complete walkthrough is in the Supabase email recipe; the Auth0 version and the broader transactional-email migration guide cover adjacent setups. If you've got a Supabase project on the default SMTP right now, here's a fifteen-minute experiment: provision a trial-subdomain mailbox, drop it into the SMTP settings, and send yourself a magic link. Then reply to it, list the inbox via the API, and ask yourself what your app could do with that reply. That question is where this stops being plumbing and starts being product.

14 hours ago

Send Auth0 Authentication Emails From an Agent Account

Seven distinct email types flow through Auth0's email provider: verification, welcome, password change, blocked account, breached password, MFA verification, and user invitation. Every one of them ships through a default test provider that's rate-limited and explicitly meant for development — Auth0's own docs tell you to replace it before production. The usual replacement is a one-way transactional service. But there's a more interesting option: point Auth0's SMTP settings at a mailbox your app fully owns, so the address that sends your password-reset emails can also receive what comes back. A Nylas Agent Account — a hosted, API-controlled mailbox, currently in beta — fits that slot. Here's the wiring. Create the mailbox with an app password Auth0's SMTP client authenticates with an app_password set on the grant — not your API key. Set it at creation: curl --request POST \ --url "https://api.us.nylas.com/v3/connect/custom" \ --header "Authorization: Bearer $NYLAS_API_KEY" \ --header "Content-Type: application/json" \ --data '{ "provider": "nylas", "settings": { "email": "noreply@notifications.yourcompany.com", "app_password": "MySecureP4ssword!2024" } }' If you live in the terminal, the Nylas CLI does the same thing in one line: nylas agent account create noreply@notifications.yourcompany.com \ --app-password "MySecureP4ssword!2024" Save both the returned grant_id and the password. The password is stored as a bcrypt hash, so it can be reset later but never read back. Rules: 18–40 characters, mixed case, a digit, printable ASCII — full details in mail client access. You'll need a domain registered first. A *.nylas.email trial subdomain works with zero DNS setup for prototyping; production wants your own domain with MX and TXT records, per the provisioning guide. Fill in five fields on the Auth0 side In the Auth0 Dashboard: Branding → Email Provider, toggle Use my own email provider on, pick SMTP (the generic option, not a named integration). Then: Auth0 field Value From noreply@notifications.yourcompany.com Host mail.us.nylas.email (or mail.eu.nylas.email for EU) Port 587 Username Same as From Password The app_password from step 1 Two constraints hide in that table. The From must match the Username — SMTP submissions where MAIL FROM doesn't match the authenticated account get rejected, and Auth0 surfaces that as a verification failure on save. And port 587 with STARTTLS is Auth0's recommended default, but 465 (implicit TLS) works on the same host if your environment blocks 587. Avoid port 25 entirely; Auth0 warns against it and many networks drop it. Scripting it instead? PATCH /api/v2/emails/provider on the Management API — but note Auth0 requires host, port, username, and password together on every update. Rotating just the password still means sending all four. Verify with a real send Click Send Test Email, or sign up a throwaway user to fire a verification email. The message should arrive from your address, and a copy lands in the account's Sent folder — confirm via GET /v3/grants/{grant_id}/messages?in=sent. If it fails, skip the guessing: Auth0's Monitoring → Logs records SMTP errors with the exact server response. A credentials typo and a DNS misconfiguration look identical from the outside but completely different in that log. What you get that SES doesn't give you Here's the part that makes this more than an SMTP swap. When a confused user hits "reply" on a verification email — and some always do — that reply doesn't evaporate. It lands in the mailbox's inbox and fires a message.created webhook your app can act on, whether that means routing to support or letting an agent answer. The reply-handling recipe covers the loop. A few operational notes from the field: Customize templates first. All seven email types route through this provider the moment you flip the switch. Edit them under Branding → Email Templates before going live, or users get Auth0's defaults from your shiny new sender. Use a dedicated subdomain. notifications.yourcompany.com keeps auth-mail reputation isolated from your team's primary domain. A deliverability dip on reset emails shouldn't touch everyone's regular mail. Mind the send cap: 200 messages per account per day on the free plan. Fine for a low-volume B2B tenant; a B2C app with steady signups should move to a paid plan or split traffic across multiple accounts. Password rotation is two steps. Update settings.app_password on the grant, then re-paste it into Auth0 (with the other three unchanged fields, per the all-or-nothing rule above). Active SMTP sessions disconnect on the next authenticated command. When it breaks: a short troubleshooting map Symptom Likely cause Where to look Verification fails when you save the provider From doesn't match Username — the SMTP submission is rejected when MAIL FROM differs from the authenticated account The five-field table above; make both the same address Test email never sends Connection blocked on port 587 Switch to port 465 (implicit TLS, same host) Test email fails with an opaque error Credentials typo or DNS misconfiguration Auth0 Monitoring → Logs — the SMTP server response is recorded verbatim Password rotation "didn't take" Partial Management API update PATCH /api/v2/emails/provider requires host, port, username, and password together — send all four The Monitoring → Logs entry is the one to remember. From the outside, a wrong password and a missing MX record produce the same user-visible failure; the logged server response tells them apart in seconds. And one verification trick that beats any dashboard indicator: after a successful test send, list the mailbox's sent folder via the API. If the message is in Sent, the whole chain — Auth0, SMTP auth, outbound pipeline — worked. curl --request GET \ --url "https://api.us.nylas.com/v3/grants/$GRANT_ID/messages?in=sent" \ --header "Authorization: Bearer $NYLAS_API_KEY" Try the round trip The full guide lives at send Auth0 emails with an Agent Account, with sibling recipes for Supabase and Clerk if your stack differs. Concrete next step: provision a trial-subdomain mailbox, point a dev tenant's SMTP at it, trigger a password reset, and then — the fun part — reply to that email and watch it show up in the inbox via the API. That reply path is the whole reason to do this instead of another no-reply pipe.

14 hours ago