A question about auth rate limits
Hi, everyone in the help channel:
I have a Next.js project integrated with Supabase Auth, and email registration is used as the registration method. Yesterday, during a class, nearly 80 people registered within a short period of time (as shown in the figure, most registration requests were within half an hour). They all received the registration confirmation emails and completed the registration. However, as shown in the figure, I received an email from Supabase suggesting that I should configure SMTP. Therefore, I looked into the documentation regarding auth rate limits. Now I have two questions:
Why didn't the high concurrency of registration requests trigger the rate limit of 2 requests per hour for the
/auth/v1/signup endpoint as mentioned in the documentation, and why were nearly 80 people able to successfully send requests and receive registration confirmation emails and complete the registration?
Why were my users able to smoothly receive the registration confirmation emails, but this behavior triggered a prompt from Supabase, which told me it was due to a large number of email bounces?
Can anyone help me with these questions? Thank you again.
4 Replies
Do you mean when using the default SMTP provided by Supabase? they may have upped the limit and not mentioned it in the docs. However you should be using a custom SMTP as this can change at anytime and would affect you.
Thank you for your reply. Perhaps your summary is exactly the issue I'm facing. I have this doubt because the result I encountered in my project is completely different from what is described in the official documentation regarding auth rate limits. Also, I haven't found anyone else with the same problem as mine. Maybe Supabase's policy is to allow the requests first and notify the user when they first hit this limit, rather than triggering the limit directly. I'm still puzzled, but I've already started configuring custom SMTP support.🥲
Yes it's likely they might have changed how it work with their default SMTP as their email reputation might have gotten better. The original change was because the reputation was becoming bad due to email bounce rates, but they did say they would review it once the reputation got better, so maybe this is a result of it getting better.
The error message you got is supposed to be because you are sending to too many fake emails. I've not seen a definition of what that count is and not sure it is measured by the hour.