before_user_created Auth Hook Returns "Invalid payload sent to hook" Error When Rejecting User Creation

[Triskae]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The before_user_created auth hook returns an "Invalid payload sent to hook" error when attempting to reject user account creation with a properly formatted HTTP 400 response. Instead of processing the rejection with the custom error message, Supabase returns an unexpected failure error.

To Reproduce

Steps to reproduce the behavior:

1. Set up a before_user_created auth hook in your Supabase project dashboard
2. Configure it to point to a custom API endpoint (e.g., using ngrok for local development)
3. Create an endpoint that conditionally rejects signups with this response:

   return response
     .status(400)
     .set('Content-Type', 'application/json')
     .json({
       error: {
         message: 'Signups from this email domain are not allowed.',
         http_code: 400,
       },
     });

4. Attempt to create a user account that should trigger the rejection logic
5. Observe the error response from Supabase

Expected behavior

When the auth hook returns HTTP 400 with the proper error payload format, Supabase should:

• Prevent the account creation
• Return the custom error message specified in the hook response
• Handle the rejection gracefully without throwing an "Invalid payload" error

Screenshots

Error response received:

{
  "code": "unexpected_failure",
  "message": "Invalid payload sent to hook"
}

System information

• OS: [Various - issue occurs on server side]
• Browser: N/A (affects API calls)
• Version of supabase-js: NA
• Version of Node.js: NA

Additional context

• The API endpoint is successfully receiving requests from Supabase (confirmed via server logs)
• The API responds with the exact JSON format as documented
• When returning HTTP 200 with an empty body, account creation proceeds without issues
• This suggests the hook connectivity is working, but error handling for HTTP 400 responses is broken
• The same issue has been reported by other users (@Entropei)
• Hook URL is accessible and properly configured in the Supabase dashboard

The problem specifically occurs when trying to reject user creation - the success path works fine, but the rejection path fails with an unhelpful error message that doesn't match the documentation.

[srini-abhiram]

The documentation is inaccurate. The JSON payload for a rejection requires a top-level message and a top-level http_code, in addition to the error object:

{
  "message": "Signups from this email domain are not allowed.",
  "http_code": 400,
  "error": {
    "message": "Signups from this email domain are not allowed."
  }
}

Please update your API endpoint to return this structure. Your response logic should look something like this:

return response
  .status(400) // Or another 4xx code
  .set('Content-Type', 'application/json')
  .json({
    message: 'Signups from this email domain are not allowed.',
    http_code: 400,
    error: {
      message: 'Signups from this email domain are not allowed.'
    }
  });

Let me know if it works; I can update the documentation to show the same.

[Triskae]

Hello, thank you for you swift answer !

Still not working unfortunately, I'm still having the exact same error as before. I can see in my ngrok dashboard, that my API is responding with

{
    "message": "Signups from this email domain are not allowed.",
    "http_code": 400,
    "error": {
        "message": "Signups from this email domain are not allowed."
    }
}

edit: typo

[srini-abhiram]

I did a little dig, here's what I found out from the docs; It is working properly:

Currently there is support for only the following status codes mentioned in table:

If any other status code is returned, then it says the following:

{
  "code": 500,
  "error_code": "unexpected_failure",
  "msg": "Unexpected status code returned from hook: 409",
  "error_id": "9807cac3f544ac6d-MAA"
}

and from the image above, it seems returning 400 is treated as internal server error from the API side. So it is working as expected.

I tried mocking a 429 response(too many requests) and it returned the following:

{
  "code": 500,
  "error_code": "unexpected_failure",
  "msg": "Service currently unavailable due to hook",
  "error_id": "9807cbb874857f44-MAA"
}

[srini-abhiram]

It should actually re surface the custom error message you pass from your API, which it is not doing now. Hopefully a fix comes up!

[Triskae]

Thank you very much for your help, mate! Indeed, for now, the finality is what we need: if we return 200, the account is created; if we return 400, the account is not created. We just need the custom error to bubble up—it's a detail, and I'm sure it will be resolved soon.

[florianjuengermann]

Looks like this is the problem in supabase/auth:

auth/internal/hooks/hookshttp/hookshttp.go

Line 237 in 01ebce1

"Invalid payload sent to hook")

Please let me know when it's fixed.

[Triskae]

I think this issue was labeled as external, but it seems to be a bug.

[joostwmd]

I also stumbled into this problem. I want to to restrict sign ups in my application to company domains.

I followed this tutorial to set everything up. The before_user_created hooks calls the edge function successfully, but no matter what I try, i cannot return the custom error message back to the client.

I always get
{ "__isAuthError": true, "name": "AuthApiError", "status": 500, "code": "unexpected_failure" }

I also found this information in the docs

403, 400 | Treated as Internal Server Errors and return a 500 Error Code

So i think the problem is that my edge function successfully returns am error code 403 which then causes supabase to return an error code 500 which also removes any custom message I want to sent to the client to inform my users that they should use their work email address instead.

I don't understand why the functionality is that way. If i want to sent a custom error message from the before_user_create hook this is basically not possible, because any error is returned as a arbitrary 500 error.

Does someone how to fix this?

[Hallidayo]

Transferred from supabase repo.

[AnuragBalhra]

I'm facing the same issue. I'm trying to use edge function to block temporary emails from signing up with a custom error message but on the client supabase auth always returns 500 with message "Invalid payload sent to hook"

[joostwmd]

I ended up using an edge function, that I call immediately after the signin request resolves successfully. In this edge function I check the email domain of the new users. If the email is not allowed, I am deleting the auth user and return the custom error message. From the users perspective I show an loading state during the sign in request AND the edge function call. Only after both resolve I show the error message or redirect to, in my case the profile page.

[AnuragBalhra]

The issue seems to be originating from this condition
https://github.com/supabase/auth/blob/a6530d54224e5fc00995c47c2e272a9ff1adf9cb/internal/hooks/hookshttp/hookshttp.go#L235C3-L237C36

Should we just parse the body and pass on the custom error message here?