Email Provider Integration

Configure email delivery for two-factor authentication codes and notifications via Resend.


Overview

Hygate uses Resend to deliver email one-time passwords (OTPs) for two-factor authentication. When you enable Email OTP or Either Method 2FA, Hygate sends a 6-digit code to the user's email address on each login.


What You Need

  • A Resend account (resend.com)
  • A verified sending domain in Resend
  • A Resend API key

Setup Steps

Step 1: Create a Resend Account

  1. Go to resend.com and create an account
  2. Verify your email address
  3. Verify your sending domain (required for sending to external addresses)

Step 2: Verify Your Domain

  1. In Resend Dashboard, go to Domains
  2. Add your domain (e.g., yourcompany.com)
  3. Add the DNS records Resend provides (MX, SPF, DKIM)
  4. Wait for verification (usually takes a few minutes)

Why verification matters: Resend requires domain verification to prevent spam and ensure deliverability. Without a verified domain, emails may go to recipients' spam folders or be rejected.

Step 3: Create an API Key

  1. In Resend Dashboard, go to API Keys
  2. Click Create API Key
  3. Give it a name (e.g., "Hygate Integration")
  4. Copy the API key

Step 4: Enter in Hygate

  1. Go to Settings → Email
  2. Paste your Resend API Key
  3. Enter your From Email address (must be from your verified domain, e.g., no-reply@yourcompany.com)
  4. Click Test Connection
  5. Check your inbox for the test email
  6. If received, click Save

How Email OTP Works

Login Flow with Email OTP

User enters email + password on login page
        │
        ▼
  Credentials validated
        │
        ▼
  2FA required → system generates 6-digit code
        │
        ▼
  Hygate → Resend API: send email
  Email contains: 6-digit code, expiry time (5 minutes)
        │
        ▼
  User receives email
  Enters code on 2FA screen
        │
        ▼
  Code validated
  Valid: session created, redirected to dashboard
  Invalid: error shown, code expires after 3 attempts or 5 minutes

Code Security

| Feature | Detail |
|---|---|
| 6-digit code | 1,000,000 possible combinations |
| Expiry | Code expires after 5 minutes |
| Attempt limit | Code locked after 3 incorrect attempts |
| One-time use | Code can only be used once |
| Per-session | A new code is generated on each login |

Email Templates

Hygate sends emails for these purposes:

| Email | When Sent | Content |
|---|---|---|
| 2FA Code | User requests email OTP on login | 6-digit code + expiry time |
| Invitation | Admin invites a new team member | Invitation link + role |
| Password Reset | User requests a password reset | Reset link + expiry |

Troubleshooting

Test Email Not Received

| Check | Action |
|---|---|
| Resend account | Verify your Resend account is active |
| Domain verified | Check Domains in Resend Dashboard |
| From email | Ensure the From address matches your verified domain |
| Spam folder | Check your spam folder |
| Email address | Verify the recipient email is correct |
| API key | Ensure the Resend API key is valid |

"Connection test failed"

| Check | Action |
|---|---|
| API key | Verify the key is correct (starts with re_) |
| Resend status | Check resend.com for service status |
| Domain verification | Ensure your domain is verified in Resend |
| From email | Must be from your verified domain |

Email Going to Spam

| Fix | How |
|---|---|
| Verify your domain | Resend requires domain verification for deliverability |
| Add SPF record | Already included in Resend's DNS setup |
| Add DKIM record | Already included in Resend's DNS setup |
| Use a recognized From address | Something like no-reply@yourcompany.com |

Resend API Errors

Hygate logs email delivery errors. Check audit logs or server logs for details:

  • invalid_api_key — API key is wrong or revoked
  • domain_not_verified — Domain verification issue
  • rate_limit_exceeded — Too many emails sent

Deliverability Best Practices

  1. Use a consistent From address — no-reply@yourcompany.com is recognizable
  2. Verify your sending domain — Required by Resend and improves deliverability
  3. Keep emails transactional — Hygate only sends OTP, invitation, and reset emails
  4. Monitor bounce rates — Check Resend Dashboard for delivery issues
  5. Use HTTPS for Hygate — Ensures links in Hygate-generated emails are secure

Security Notes

  • Resend API keys are encrypted at rest in the Hygate database
  • OTPs are single-use and expire after 5 minutes
  • OTPs are hashed before storage (not stored in plain text)
  • Failed delivery does not bypass 2FA — the user cannot proceed without a valid code
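
The properties listed under Code Security and Security Notes (6-digit code, 5-minute expiry, lock after 3 incorrect attempts, single use, hashed storage) can be enforced together as in the following added Python example, which is not Hygate's code. The OtpChallenge class, its result strings, and the choice of HMAC-SHA-256 with a server-side key for the stored hash are assumptions; the page states only that codes are hashed before storage.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60  # page: code expires after 5 minutes
MAX_ATTEMPTS = 3           # page: code locked after 3 incorrect attempts


class OtpChallenge:
    """One pending email OTP for a single login (hypothetical class)."""

    def __init__(self, server_key, now=None):
        self._key = server_key  # assumption: secret key held by the server
        self.expires_at = (time.time() if now is None else now) + CODE_TTL_SECONDS
        self.failed_attempts = 0
        self.consumed = False
        self.digest = b""

    def _hash(self, code):
        # Keyed hash (assumption): a bare SHA-256 of a 6-digit code can be
        # reversed by enumerating all 1,000,000 values.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self):
        """Return a uniformly random 6-digit code; store only its hash."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.digest = self._hash(code)
        return code  # goes into the email body, never into storage

    def verify(self, submitted, now=None):
        """Return 'ok', 'invalid', 'locked', 'expired' or 'used'."""
        now = time.time() if now is None else now
        if self.consumed:
            return "used"
        if self.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        if now >= self.expires_at:
            return "expired"
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(self._hash(submitted), self.digest):
            self.consumed = True
            return "ok"
        self.failed_attempts += 1
        return "locked" if self.failed_attempts >= MAX_ATTEMPTS else "invalid"
```

The lock check runs before the comparison, so a correct code submitted after the third failure is still rejected.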