SMTP

SMTP error: could not authenticate

"SMTP error: could not authenticate" is an AUTH rejection (usually 535 5.7.8). Fix it with the right provider credentials — App Passwords, API keys, or OAuth2.

Updated Jul 1, 2026

The short answer

"SMTP error: could not authenticate" means the mail server rejected your AUTH attempt — almost always an SMTP 535 5.7.8 (invalid credentials) per RFC 4954. The fix: use the correct username/password for your provider (for SendGrid, username apikey plus the full API key; for Gmail/Workspace, an App Password or OAuth2, never your account password), and confirm the host, port, and TLS mode are right.

This is a client-side wrapper message (Nodemailer reports it as EAUTH, PHPMailer/smtplib surface it similarly) for a failed SMTP AUTH exchange. The server almost always returned a 535 reply with enhanced status 5.7.8 — "authentication credentials invalid" per RFC 4954. It means the TCP/TLS connection succeeded but the server refused your login. This is distinct from 530 5.7.0 (authentication required — you skipped AUTH entirely) and 538 5.7.11 (the mechanism needs an encrypted connection first).

What causes "SMTP error: could not authenticate"?

  • Wrong username or password. The single most common cause. The credential pair the server expects is not what the client sent.
  • Using a provider that requires a non-obvious username. SendGrid, for example, requires the literal username apikey and the full ~69-character API key as the password — not your account email/password.
  • Using an account password where the provider forbids it. Gmail and Google Workspace permanently ended basic password authentication (the change rolled out through 2024–2025, after "Less Secure Apps" was removed in 2022). A raw account password will now always fail.
  • 2-Step Verification enabled without an App Password. When 2SV/MFA is on, your normal password is rejected for SMTP; you need a generated App Password or OAuth2.
  • Whitespace/newline in a base64-encoded credential. SMTP is line-oriented, so a stray linefeed inside a base64 API key breaks AUTH (a documented SendGrid pitfall).
  • TLS too old or wrong security mode. Some providers require TLS 1.2+; if your client offers an outdated TLS version or uses SSL where STARTTLS is expected, AUTH can fail or never start.

How do I fix "SMTP error: could not authenticate"?

  1. Verify the exact credentials your provider expects. Re-read your provider's SMTP integration page. For SendGrid: username apikey, password = the full unencoded API key, and the key must have Mail Send permission (SendGrid docs).
  2. For Gmail / Google Workspace, do NOT use your account password. Enable 2-Step Verification, then generate an App Password and use that 16-character value, or switch to OAuth2. (Ignore any old advice to "enable Less Secure Apps" — that toggle no longer exists.)
  3. Strip whitespace from encoded credentials. If you base64-encode the username/password yourself, ensure there are no embedded newlines or spaces.
  4. Confirm host, port, and TLS mode match. Use a valid pair: port 587 with STARTTLS, or port 465 with implicit TLS — both are standard (RFC 8314); 465 is not deprecated. Ensure the client negotiates TLS 1.2 or higher.
  5. Regenerate the secret if it may be revoked. A 535 ... invalid, expired, or revoked message means the API key/password is no longer valid — issue a new one and update the client.

Example Nodemailer config that authenticates against SendGrid:

const transport = nodemailer.createTransport({
host: "smtp.sendgrid.net",
port: 587, // STARTTLS; use 465 for implicit TLS
auth: {
user: "apikey", // literal string, not your email
pass: process.env.SENDGRID_API_KEY, // full key with Mail Send scope
},
});

If AUTH still fails after the credentials and TLS are confirmed correct, capture the server's full reply line — the 3-digit code plus the x.x.x enhanced status tells you whether it's invalid credentials (5.7.8), a too-weak mechanism (5.7.9/534), or a temporary failure (4.7.0/454) — see RFC 4954 for these AUTH-specific enhanced codes, which extend the general x.x.x framework introduced by RFC 3463.

FAQ

Common questions

Effectively yes. "Could not authenticate" is a client-side message (e.g. Nodemailer's EAUTH) that wraps the server's response to AUTH, which is almost always a 535 with enhanced status 5.7.8 — "authentication credentials invalid" per RFC 4954. The wording differs but the underlying condition is a rejected login.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 4954 (535 / 5.7.8); RFC 3463. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.