SendGrid SMTP 535 bad username/password means wrong credentials. SMTP username must be the literal string apikey; the password must be a Mail Send API key.
Updated Jul 1, 2026
The short answer
SendGrid 535 "Authentication failed: Bad username / password" is the SMTP server (smtp.sendgrid.net) rejecting your AUTH credentials. The single most common cause is the wrong username: SendGrid SMTP requires the literal username "apikey" and your full SendGrid API key (with Mail Send permission) as the password — not your account email or login password. Fix it by regenerating a Mail-enabled API key and setting username = apikey.
SendGrid returns 535 Authentication failed: Bad username / password from smtp.sendgrid.net when the credentials sent in the SMTP AUTH exchange are rejected. The 535 reply with enhanced status 5.7.8 ("Authentication credentials invalid") is defined directly in RFC 4954 §6 — it is the server telling you the supplied credentials are wrong or insufficient, not a network or TLS-handshake failure.
In order of how often they're the real culprit on SendGrid specifically:
apikey (Twilio SendGrid SMTP docs).535 Authentication failed: Basic authentication is not allowed with 2FA enabled. Fix: switch to apikey Note: a genuinely wrong host or TLS version usually surfaces as a connection/handshake failure rather than 535, but SendGrid requires TLS 1.2+ and 535 has been observed when a legacy client negotiates down — see the fix below.
smtp.sendgrid.netapikey (the literal word — not your email, not the key)587 or 2525 (STARTTLS), 25, or 465 (implicit TLS/SSL). Port 587 is recommended. All of these are valid — 465 is not deprecated.Example (Nodemailer):
const transporter = nodemailer.createTransport({host: "smtp.sendgrid.net",port: 587,secure: false, // STARTTLS on 587auth: {user: "apikey", // literal stringpass: process.env.SENDGRID_API_KEY, // full API key},});
Verify outside your app with a raw test before blaming code. SendGrid recommends testing the connection with Telnet/OpenSSL to isolate credential vs. network issues:
openssl s_client -connect smtp.sendgrid.net:587 -starttls smtp# then issue AUTH LOGIN and supply base64(apikey) / base64(API key)
If a correct, Mail-enabled key still returns 535, check whether your account is suspended or under compliance review in the SendGrid dashboard, or contact SendGrid support.
With Courier
apikey-username and per-app credential pitfalls that produce 535.References
FAQ
The username is the literal string "apikey" (not your account email or login). The password is your full SendGrid API key (about 69 characters) that has at least Mail Send permission. Connect to smtp.sendgrid.net on port 587, 2525, 25, or 465.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 4954 (535 / enhanced status code 5.7.8, defined directly in RFC 4954 §6 — not present in RFC 3463's original X.7.0–X.7.7 table). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.