I’m struggling with implementing password reset through email in my Supabase and Lovable setup. The registration process works fine when users sign up with email and password. Users can also change their password when they’re already logged in without any issues.
The problem happens when users try to reset their password from the login screen. I have a “Forgot Password” link that asks users to enter their email address. The email gets sent successfully through Mailgun, but clicking the reset link causes problems.
Sometimes I get a Supabase validation error saying the token is missing:
{
  "code": 400,
  "error_code": "validation_failed",
  "msg": "Verify requires a token or a token hash"
}
Other times there is a token present but it just redirects to the /auth page and nothing happens after that. Has anyone dealt with similar password reset issues in Supabase? I’ve been trying different approaches but can’t get it working properly.
Been there with Supabase auth headaches. Those token validation errors and random redirects? Classic workflow automation issues.
Skip Supabase’s finicky token handling entirely. Build your own password reset flow instead. User requests a reset → workflow generates a secure token with expiration → stores it → sends custom email with your reset link.
Your reset link hits your endpoint, validates the token, then uses Supabase’s admin API to update the password directly. No more token corruption or timing issues with their callback system.
I’ve done this for three different apps. You get full control over UX and can add rate limiting or custom validation. Plus you can log everything for debugging.
The workflow handles token generation, email sending, validation, and password updates in one sequence. No guessing what Supabase does behind the scenes.
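The token half of the custom flow described in the reply above (generate a token with expiration, store it, validate it at your endpoint), as an added example that is not part of the original thread. The in-memory `resetStore`, the 15-minute lifetime and the function names are assumptions made for illustration; a real deployment would keep the records in a database table.

```javascript
const nodeCrypto = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime: 15 minutes

// Hypothetical store: SHA-256(token) hex -> { userId, expiresAt }.
// Only the hash is kept, so a leaked table cannot be replayed as reset links.
const resetStore = new Map();

function hashToken(token) {
  return nodeCrypto.createHash('sha256').update(token, 'utf8').digest('hex');
}

// Called after the "Forgot Password" form is submitted for a known user.
function issueResetToken(userId, now = Date.now()) {
  // A new request invalidates any reset token still pending for this user.
  for (const [key, rec] of resetStore) {
    if (rec.userId === userId) resetStore.delete(key);
  }
  const token = nodeCrypto.randomBytes(32).toString('base64url'); // 256 bits from the CSPRNG
  resetStore.set(hashToken(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token; // goes into the emailed link only; never logged or stored
}

// Called by the endpoint the emailed link points to.
function redeemResetToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing' };
  }
  const key = hashToken(token);
  const rec = resetStore.get(key);
  if (!rec) return { ok: false, reason: 'unknown' };
  resetStore.delete(key); // single use: consumed whether or not it is still valid
  if (now > rec.expiresAt) return { ok: false, reason: 'expired' };
  // On success the server would set the new password for rec.userId with its
  // service-role client, e.g. supabase.auth.admin.updateUserById (supabase-js v2).
  return { ok: true, userId: rec.userId };
}
```

The `reason` values are for server-side logging; the response shown to the user should be the same for every failure so the endpoint does not reveal which tokens ever existed.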
check ur supabase email templates first - the redirect URL might be wrong. i had this same problem, just a typo in the redirect_to param. also, make sure ur app is listening for auth state changes when users come back from the email.
This happens when there’s a timing issue or the token gets corrupted during redirect. I hit this exact problem last month - Supabase’s password reset flow is tricky with state transitions. When users click the reset link, grab both the access_token and refresh_token from the URL before they disappear. Your redirect to /auth might be catching the callback before the tokens process properly. I’d build a dedicated callback handler just for password resets instead of using the general auth redirect. Also check if you’re calling signOut() somewhere in your auth flow - that’ll kill tokens before the reset finishes. Since it’s happening intermittently, you’ve probably got a race condition in your token handling.
I faced a similar challenge with Supabase’s password reset functionality. It’s crucial to ensure that the callback URLs in your Supabase settings exactly match the ones in your application. Often, issues arise when there’s a mismatch, leading to token validation errors. Additionally, verify that your application is correctly handling the tokens from the URL after the user clicks the reset link. You might want to add some logging to confirm that the token is being received and processed correctly. This should help resolve the redirect issues you’re experiencing.