SMTP
"SMTP error: could not authenticate" is an AUTH rejection (usually 535 5.7.8). Fix it with the right provider credentials — App Passwords, API keys, or OAuth2.
Updated Jul 1, 2026
The short answer
"SMTP error: could not authenticate" means the mail server rejected your AUTH attempt — almost always an SMTP 535 5.7.8 (invalid credentials) per RFC 4954. The fix: use the correct username/password for your provider (for SendGrid, username apikey plus the full API key; for Gmail/Workspace, an App Password or OAuth2, never your account password), and confirm the host, port, and TLS mode are right.
This is a client-side wrapper message (Nodemailer reports it as EAUTH, PHPMailer/smtplib surface it similarly) for a failed SMTP AUTH exchange. The server almost always returned a 535 reply with enhanced status 5.7.8 — "authentication credentials invalid" per RFC 4954. It means the TCP/TLS connection succeeded but the server refused your login. This is distinct from 530 5.7.0 (authentication required — you skipped AUTH entirely) and 538 5.7.11 (the mechanism needs an encrypted connection first).
apikey and the full ~69-character API key as the password — not your account email/password.apikey, password = the full unencoded API key, and the key must have Mail Send permission (SendGrid docs).535 ... invalid, expired, or revoked message means the API key/password is no longer valid — issue a new one and update the client.Example Nodemailer config that authenticates against SendGrid:
const transport = nodemailer.createTransport({host: "smtp.sendgrid.net",port: 587, // STARTTLS; use 465 for implicit TLSauth: {user: "apikey", // literal string, not your emailpass: process.env.SENDGRID_API_KEY, // full key with Mail Send scope},});
If AUTH still fails after the credentials and TLS are confirmed correct, capture the server's full reply line — the 3-digit code plus the x.x.x enhanced status tells you whether it's invalid credentials (5.7.8), a too-weak mechanism (5.7.9/534), or a temporary failure (4.7.0/454) — see RFC 4954 for these AUTH-specific enhanced codes, which extend the general x.x.x framework introduced by RFC 3463.
References
FAQ
Effectively yes. "Could not authenticate" is a client-side message (e.g. Nodemailer's EAUTH) that wraps the server's response to AUTH, which is almost always a 535 with enhanced status 5.7.8 — "authentication credentials invalid" per RFC 4954. The wording differs but the underlying condition is a rejected login.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 4954 (535 / 5.7.8); RFC 3463. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.