Here's the filled-out report:
Describe the bug
When a signing secret is configured for the send_email Auth Hook (Authentication → Hooks → HTTPS endpoint), Supabase does not attach an Authorization: Bearer <jwt> header to outgoing hook requests. The secret is visible and confirmed saved in the dashboard, but the hook is called unsigned on every invocation.
To Reproduce
- Go to Authentication → Hooks → Add hook → Send Email hook
- Set an HTTPS endpoint URL
- Set a signing secret (using the v1,whsec_<base64> format shown in the Supabase docs)
- Save the hook
- Trigger a password recovery email for an existing user
- Inspect the incoming request at your hook endpoint - the Authorization header is absent
Expected behavior
Every hook request includes Authorization: Bearer <hs256-signed-jwt>, signed with the configured secret, as described in the Auth Hooks documentation.
Actual behavior
No Authorization header is present. Server-side logs confirm:
authHeader present: false, len: 0
GoTrue's own logs show 500: Hook requires authorization token - this is the GoTrue error generated when the hook endpoint returns 401 due to the missing header.
Bypassing signature verification at the hook endpoint confirms the rest of the pipeline (payload parsing, email delivery) works correctly. The issue is solely that the Authorization header is never attached.
Screenshots
N/A
System information
- OS: macOS
- Browser: N/A (server-to-server hook call)
- Version of supabase-js: N/A (this is a server-side Auth Hook, not client SDK)
- Node.js: 24.x (Vercel serverless function receiving the hook)
Additional context
- The signing secret in the Supabase dashboard and the server-side env var are confirmed identical (matched by prefix and length in logs)
- The hook is called by GoTrue (User-Agent: Go-http-client/2.0) - the request arrives, just unsigned
- Auth Hooks are currently labeled BETA in the Supabase dashboard
- Workaround: accept requests without auth header and log a warning - email delivery then works end-to-end
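
A fail-closed check for the hook endpoint, as an added example that is not part of the report or of Supabase's code: instead of accepting unsigned requests with a warning, it rejects any request that lacks a valid signature. It assumes the `v1,whsec_<base64>` secret is used as in the Standard Webhooks scheme, where the signature travels in `webhook-id`, `webhook-timestamp` and `webhook-signature` headers; the function names, the 300-second window and all sample values are constructed for the example.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window, not a value from the report

// Dashboard secret looks like "v1,whsec_<base64>"; the HMAC key is the decoded base64 part.
function keyFromSecret(secret) {
  return Buffer.from(secret.replace(/^v1,whsec_/, ""), "base64");
}

// Standard Webhooks signs "<id>.<timestamp>.<raw body>" with HMAC-SHA256.
function sign(secret, id, timestamp, rawBody) {
  const mac = crypto.createHmac("sha256", keyFromSecret(secret));
  return mac.update(`${id}.${timestamp}.${rawBody}`).digest();
}

// headers: lower-cased header map; rawBody: body exactly as received (not re-serialized).
// Every path other than a matching signature returns ok: false.
function verifyHook(headers, rawBody, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const id = headers["webhook-id"];
  const timestamp = headers["webhook-timestamp"];
  const sigHeader = headers["webhook-signature"];
  if (!id || !timestamp || !sigHeader) return { ok: false, reason: "missing signature headers" };
  const ts = Number(timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale or invalid timestamp" };
  }
  const expected = sign(secret, id, timestamp, rawBody);
  // The header may hold several space-separated "v1,<base64>" entries (key rotation).
  for (const entry of sigHeader.split(" ")) {
    const [version, value] = entry.split(",");
    if (version !== "v1" || !value) continue;
    const got = Buffer.from(value, "base64");
    if (got.length === expected.length && crypto.timingSafeEqual(got, expected)) {
      return { ok: true, reason: "valid" };
    }
  }
  return { ok: false, reason: "signature mismatch" };
}

// Constructed sample values, for demonstration only.
const SAMPLE_SECRET = "v1,whsec_" + Buffer.from("constructed-demo-key-0123456789ab").toString("base64");
const SAMPLE_BODY = JSON.stringify({ user: { email: "user@example.com" } });
function signedSampleHeaders(now) {
  const id = "msg_constructed_1";
  const sig = sign(SAMPLE_SECRET, id, String(now), SAMPLE_BODY).toString("base64");
  return { "webhook-id": id, "webhook-timestamp": String(now), "webhook-signature": `v1,${sig}` };
}

console.log(verifyHook({ "user-agent": "Go-http-client/2.0" }, SAMPLE_BODY, SAMPLE_SECRET));
```

The handler should answer 401 whenever `ok` is false and log `reason`, so that an unsigned or tampered request never reaches email delivery.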