Email Providers
The authenticator supports four email providers. You choose one per authentication flow and can enable automatic fallback to Keycloak SMTP.
Supported Providers
| Provider | Description | Requirements |
|---|---|---|
| Keycloak SMTP (Default) | Uses Keycloak's built-in SMTP config | Realm SMTP settings configured |
| SendGrid | SendGrid cloud email service | API key + verified sender |
| AWS SES | Amazon Simple Email Service | IAM credentials + verified identity |
| Mailgun | Mailgun email delivery | API key + sending domain |
Configure Provider
- Navigate to Authentication → Flows
- Select your custom flow with the Email OTP authenticator
- Click ⚙️ next to Email OTP
- Set the provider and credentials (see options below)
- Keycloak SMTP
- SendGrid
- AWS SES
- Mailgun
Email Provider: KEYCLOAK
Enable Fallback to Keycloak SMTP: true
No credentials needed — uses Realm Settings → Email.
Email Provider: SENDGRID
SendGrid API Key: SG.xxxxxxxxxxxxxxxxxxxx
SendGrid From Email: noreply@yourdomain.com
SendGrid From Name: Your Company Name (optional)
Enable Fallback to Keycloak SMTP: true (recommended)
SendGrid Setup
- Sign up at sendgrid.com
- Settings → API Keys → Create API Key (needs Mail Send permission)
- Settings → Sender Authentication — verify your sender email or domain
- Enter the key and verified address in Keycloak
Email Provider: AWS_SES
AWS SES Region: us-east-1
AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS SES From Email: noreply@yourdomain.com
AWS SES From Name: Your Company Name (optional)
Enable Fallback to Keycloak SMTP: true (recommended)
AWS SES Setup
- IAM → create a user with
AmazonSESFullAccess(orses:SendEmail). Save the access key pair. - SES Console → Verified identities → verify your sender email or domain (DNS records required for domain).
- Sandbox mode: by default SES only sends to verified addresses. Request production access to send to any recipient.
- Choose a region close to your users — verified identities are region-specific.
Email Provider: MAILGUN
Mailgun API Key: key-xxxxxxxxxxxxxxxxxxxx
Mailgun Domain: mg.yourdomain.com
Mailgun From Email: noreply@yourdomain.com
Mailgun From Name: Your Company Name (optional)
Mailgun Region: US (or EU for European accounts)
Enable Fallback to Keycloak SMTP: true (recommended)
Mailgun Setup
- Sign up at mailgun.com
- Settings → API Keys → Add new key — copy the Private API key (starts with
key-). - Sending → Domains → Add New Domain — use
mg.yourdomain.comand complete DNS verification. - Region:
- Account at
app.mailgun.com→ US - Account at
app.eu.mailgun.com→ EU
- Account at
Fallback Mechanism
When Enable Fallback to Keycloak SMTP is on:
- If the primary provider fails, the system automatically retries via Keycloak's realm SMTP
- Ensures delivery even when a 3rd-party service is temporarily unavailable
- Fallback events are logged for monitoring
:::tip Best practice Always enable fallback in production. Configure realm SMTP as the safety net regardless of which primary provider you use. :::
Troubleshooting
Emails are not being delivered
1. Verify realm SMTP first
Before blaming the provider integration, confirm the base SMTP configuration works:
- Realm Settings → Email → click "Test connection"
- A test email is sent to the admin account — if this fails, fix SMTP before proceeding
2. Enable Simulation Mode temporarily
In the OTP authenticator settings, set Simulation mode to true. Codes will appear in the Keycloak server logs instead of being sent:
docker logs keycloak | grep "SIMULATION MODE"
# ***** SIMULATION MODE ***** Email code send to user@example.com is: 123456
If codes appear in the logs, Keycloak is running correctly — the problem is with the email provider configuration.
3. Check Keycloak logs for provider errors
docker logs keycloak 2>&1 | grep -i "email\|provider\|sendgrid\|ses\|mailgun"
Provider-specific issues
- SendGrid
- AWS SES
- Mailgun
- Keycloak SMTP
| Symptom | Likely cause | Fix |
|---|---|---|
403 Forbidden | Sender not verified | Verify sender identity in SendGrid dashboard |
401 Unauthorized | Invalid API key | Regenerate key with Mail Send permission |
| Emails land in spam | No domain authentication | Set up domain authentication (SPF/DKIM) in SendGrid |
| Symptom | Likely cause | Fix |
|---|---|---|
MessageRejected | Sending to unverified address | In Sandbox mode, only verified recipients are allowed — request production access |
InvalidClientTokenId | Wrong access key | Double-check AWS Access Key ID and Secret Access Key |
SignatureDoesNotMatch | Clock skew | Ensure the server clock is synchronized (NTP) |
IllegalArgumentException: region | Invalid region string | Use format us-east-1, not US East (N. Virginia) |
| Symptom | Likely cause | Fix |
|---|---|---|
401 Unauthorized | Wrong API key | Use the Private API key, not the Public key |
Domain not found | Wrong domain | Check Sending → Domains for the exact domain string |
| Emails bounce | Domain not verified | Complete DNS verification (MX, TXT, CNAME records) |
| No delivery, no error | Wrong region | Match region to your account: app.mailgun.com → US, app.eu.mailgun.com → EU |
| Symptom | Likely cause | Fix |
|---|---|---|
Connection refused | Wrong host/port | Confirm host and port, try port 465 (SSL) if 587 (TLS) fails |
Authentication failed | Wrong credentials | For Gmail, use an App Password, not your account password |
Certificate error | Untrusted TLS cert | Enable SSL or StarTLS in Realm Settings → Email |
For issues not covered here, see the Troubleshooting guide or open an issue.