Password reset & email rate limits (429)
Why you see 429
resetPasswordForEmail sends mail through Supabase Auth. Free and trial projects have strict limits (often about 2 auth emails per hour for the whole project). Clicking “Send reset link” many times while testing quickly hits 429 Too Many Requests.
The app cannot remove that limit; only waiting, using the dashboard, custom SMTP, or an admin password update can help.
What to do right now
1. Use an email you already received
If you requested a reset earlier, search inbox and spam for “Reset your password” from Supabase. The link may still work for a while.
2. Wait, then try once
Wait at least 60 minutes, then submit one request. The forgot-password page enforces a short client cooldown so repeated clicks do not make the limit worse.
3. Reset from Supabase Dashboard
- Supabase Dashboard → your project
- Authentication → Users
- Find the user → ⋮ → Send password recovery (or update password if your plan shows that option)
4. Local dev: set password without email
Add the service_role key to .env.local (never commit it):
SUPABASE_SERVICE_ROLE_KEY=eyJ... # Dashboard → Settings → API
Then:
npm run auth:reset-password -- you@example.com YourNewPassword
Sign in at /login/manager or /login/master.
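The client cooldown from step 2, sketched as an added example (not this project's code): a gate that refuses repeat clicks, backs off for the full 60 minutes after a 429, and keeps its state in a localStorage-like object so a page reload does not reset it. The names createResetGate and memoryStorage, the storage key, the 60-second base cooldown, and the sendFn contract are assumptions.

```javascript
// Added example, not the project's code. Assumed: the 60 s base cooldown and
// the storage key; the 60-minute wait after a 429 is the advice given above.
const BASE_COOLDOWN_MS = 60 * 1000;
const RATE_LIMIT_COOLDOWN_MS = 60 * 60 * 1000;
const STORAGE_KEY = "pwreset.blockedUntil"; // hypothetical key name

// storage: localStorage-like object, so the cooldown survives a page reload.
// now: injectable clock, so the logic can be exercised without waiting.
function createResetGate(storage, now = () => Date.now()) {
  const blockedUntil = () => Number(storage.getItem(STORAGE_KEY)) || 0;
  const block = (ms) => storage.setItem(STORAGE_KEY, String(now() + ms));
  const remainingMs = () => Math.max(0, blockedUntil() - now());
  const refuse = (reason) => ({ sent: false, reason, waitMs: remainingMs() });

  // sendFn(email) performs the real request and resolves to { status }, for
  // example a wrapper that maps the resetPasswordForEmail result to an HTTP
  // status (that mapping is an assumption and is not shown here).
  async function request(email, sendFn) {
    if (remainingMs() > 0) return refuse("cooldown");
    block(BASE_COOLDOWN_MS); // set before the call so a double click is refused
    try {
      const { status } = await sendFn(email);
      if (status === 429) {
        block(RATE_LIMIT_COOLDOWN_MS); // stop retrying for the whole window
        return refuse("rate_limited");
      }
      if (status < 200 || status >= 300) return refuse("error");
      return { sent: true, reason: "ok", waitMs: remainingMs() };
    } catch (err) {
      return refuse("error"); // network failure: the base cooldown still applies
    }
  }
  return { request, remainingMs };
}

// In-memory stand-in for localStorage (constructed, for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, v),
  };
}
```

In the page, pass window.localStorage as storage and use waitMs to disable the button and show the remaining time.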
Redirect URLs (required for email links)
Authentication → URL configuration:
- Site URL: http://localhost:3000 (dev) or your production URL
- Redirect URLs must include:
  - http://localhost:3000/auth/callback
  - http://localhost:3000/** (or explicit production URLs)
Password reset flow: email → /auth/callback?next=/reset-password?portal=manager → set new password.
Raise limits long-term
Project Settings → Authentication → SMTP Settings: configure custom SMTP (Resend, SendGrid, etc.) for higher volume and your own domain.