simstudioai · waleedlatif1 · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/apps/docs/content/docs/en/self-hosting/environment-variables.mdx b/apps/docs/content/docs/en/self-hosting/environment-variables.mdx
@@ -66,11 +66,48 @@ import { Callout } from 'fumadocs-ui/components/callout'
 | `API_ENCRYPTION_KEY` | Encrypts stored API keys (32 hex chars): `openssl rand -hex 32` |
 | `COPILOT_API_KEY` | API key for copilot features |
 | `ADMIN_API_KEY` | Admin API key for GitOps operations |
-| `RESEND_API_KEY` | Email service for notifications |
 | `ALLOWED_LOGIN_DOMAINS` | Restrict signups to domains (comma-separated) |
 | `ALLOWED_LOGIN_EMAILS` | Restrict signups to specific emails (comma-separated) |
 | `DISABLE_REGISTRATION` | Set to `true` to disable new user signups |
 
+## Email Providers
+
+Configure one provider — the mailer auto-detects in priority order: **Resend → AWS SES → SMTP → Azure Communication Services**. If none are configured, emails are logged to the console instead.
+
+| Variable | Description |
+|----------|-------------|
+| `FROM_EMAIL_ADDRESS` | Sender address (e.g. `Sim <noreply@example.com>`). Falls back to `noreply@EMAIL_DOMAIN`. |
+| `EMAIL_DOMAIN` | Default domain when `FROM_EMAIL_ADDRESS` is unset |
+| `EMAIL_VERIFICATION_ENABLED` | Set to `true` to require email verification on signup |
+
+**Resend**
+
+| Variable | Description |
+|----------|-------------|
+| `RESEND_API_KEY` | API key from [resend.com](https://resend.com) |
+
+**AWS SES**
+
+| Variable | Description |
+|----------|-------------|
+| `AWS_SES_REGION` | AWS region for SES (e.g. `us-east-1`). Credentials are resolved through the standard AWS SDK provider chain (env vars, IRSA, ECS/EC2 instance role, SSO). |
+
+**SMTP** (works with MailHog, Postfix, SendGrid SMTP, etc.)
+
+| Variable | Description |
+|----------|-------------|
+| `SMTP_HOST` | SMTP server hostname |
+| `SMTP_PORT` | `465` for implicit TLS, `587` for STARTTLS, `25` for plain |
+| `SMTP_USER` | Optional — omit for unauthenticated relays |
+| `SMTP_PASS` | Optional — omit for unauthenticated relays |
+| `SMTP_SECURE` | Set to `true` to force TLS on connect; auto-true on port 465 |
+
+**Azure Communication Services**
+
+| Variable | Description |
+|----------|-------------|
+| `AZURE_ACS_CONNECTION_STRING` | Azure Communication Services connection string |
+
 ## Example .env
 
 ```bash

diff --git a/apps/docs/content/docs/en/triggers/hubspot.mdx b/apps/docs/content/docs/en/triggers/hubspot.mdx
diff --git a/apps/sim/.env.example b/apps/sim/.env.example
@@ -19,8 +19,30 @@ INTERNAL_API_SECRET=your_internal_api_secret # Use `openssl rand -hex 32` to gen
 API_ENCRYPTION_KEY=your_api_encryption_key # Use `openssl rand -hex 32` to generate, used to encrypt api keys
 
 # Email Provider (Optional)
-# RESEND_API_KEY=  # Uncomment and add your key from https://resend.com to send actual emails
-                   # If left commented out, emails will be logged to console instead
+# Configure ONE provider — the mailer auto-detects in priority order:
+# Resend → AWS SES → SMTP → Azure Communication Services. If none are
+# configured, emails are logged to console instead.
+#
+# Resend
+# RESEND_API_KEY=                       # API key from https://resend.com
+#
+# AWS SES (credentials resolved via the standard AWS provider chain:
+# env vars, shared config, ECS/EKS task role, EC2 instance profile, SSO)
+# AWS_SES_REGION=us-east-1
+#
+# SMTP (works with MailHog locally: host=localhost port=1025, no auth)
+# SMTP_HOST=smtp.example.com
+# SMTP_PORT=587                         # 465 = implicit TLS, 587 = STARTTLS, 25 = plain
+# SMTP_USER=                            # Optional — omit for unauthenticated relays
+# SMTP_PASS=                            # Optional — omit for unauthenticated relays
+# SMTP_SECURE=                          # Set "true" to force TLS on connect; auto-true on port 465
+#
+# Azure Communication Services
+# AZURE_ACS_CONNECTION_STRING=
+#
+# Shared sender configuration
+# FROM_EMAIL_ADDRESS="Sim <noreply@example.com>"
+# EMAIL_DOMAIN=example.com              # Fallback when FROM_EMAIL_ADDRESS is unset
 
 # Local AI Models (Optional)
 # OLLAMA_URL=http://localhost:11434  # URL for local Ollama server - uncomment if using local models

diff --git a/apps/sim/app/api/auth/oauth/utils.test.ts b/apps/sim/app/api/auth/oauth/utils.test.ts
@@ -4,14 +4,18 @@
  * @vitest-environment node
  */
 
+import { redisConfigMock, redisConfigMockFns } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 vi.mock('@/lib/oauth/oauth', () => ({
   refreshOAuthToken: vi.fn(),
   OAUTH_PROVIDERS: {},
 }))
 
+vi.mock('@/lib/core/config/redis', () => redisConfigMock)
+
 import { db } from '@sim/db'
+import { __resetCoalesceLocallyForTests } from '@/lib/concurrency/singleflight'
 import { refreshOAuthToken } from '@/lib/oauth'
 import {
   getCredential,
@@ -49,6 +53,10 @@ function mockUpdateChain() {
 describe('OAuth Utils', () => {
   beforeEach(() => {
     vi.clearAllMocks()
+    __resetCoalesceLocallyForTests()
+    redisConfigMockFns.mockGetRedisClient.mockReturnValue(null)
+    redisConfigMockFns.mockAcquireLock.mockResolvedValue(true)
+    redisConfigMockFns.mockReleaseLock.mockResolvedValue(true)
   })
 
   afterEach(() => {
@@ -107,6 +115,7 @@ describe('OAuth Utils', () => {
       }
 
       mockRefreshOAuthToken.mockResolvedValueOnce({
+        ok: true,
         accessToken: 'new-token',
         expiresIn: 3600,
         refreshToken: 'new-refresh-token',
@@ -130,7 +139,11 @@ describe('OAuth Utils', () => {
         providerId: 'google',
       }
 
-      mockRefreshOAuthToken.mockResolvedValueOnce(null)
+      mockRefreshOAuthToken.mockResolvedValueOnce({
+        ok: false,
+        errorCode: 'invalid_grant',
+        message: 'Failed',
+      })
 
       await expect(
         refreshTokenIfNeeded('request-id', mockCredential, 'credential-id')
@@ -198,6 +211,7 @@ describe('OAuth Utils', () => {
       mockUpdateChain()
 
       mockRefreshOAuthToken.mockResolvedValueOnce({
+        ok: true,
         accessToken: 'new-token',
         expiresIn: 3600,
         refreshToken: 'new-refresh-token',
@@ -237,7 +251,11 @@ describe('OAuth Utils', () => {
       mockSelectChain([mockResolvedCredential])
       mockSelectChain([mockAccountRow])
 
-      mockRefreshOAuthToken.mockResolvedValueOnce(null)
+      mockRefreshOAuthToken.mockResolvedValueOnce({
+        ok: false,
+        errorCode: 'invalid_grant',
+        message: 'Failed',
+      })
 
       const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')