> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cognigy.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Send SMTP Email
Updated in 2026.3
## Description
As of Cognigy.AI 2026.4.0, the OAuth2 authentication method for the Send SMTP Email Node is deprecated. The full removal of this authentication method is planned for Cognigy.AI 2026.16.0. To avoid disruptions in AI Agents using OAuth2 in this Node, migrate to the [OAuth2 Client Credentials](/ai/agents/develop/node-reference/data/send-smtp-email#oauth2-client-credentials-recommended) authentication method before the removal date.
Use the Send SMTP Email Node to send an email via an SMTP connection to a recipient.
## Parameters
Some email providers, such as Gmail, require you to configure your mail account to allow sending mail via SMTP before you can use it.
| Parameter | Description |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Email Service | Select the Email Provider of the address you want to send from. If yours is not listed, you can select **Other SMTP Service** to do a manual configuration. |
| SMTP Settings | Depending on which Email Service selected above, you need to either enter your login credentials for that service or for the full SMTP connection information in case you selected the "Other SMTP Service" option. |
| Recipient TO Email Addresses | Comma-separated list of email addresses to send the email to. |
| Email Subject | The subject of the email. |
| Email Content | The content of the email. The field supports basic rich text editing. |
You can use one of the following authentication methods:
OAuth2 Client Credentials is a token-based authentication method. It uses a client ID and client secret to obtain an access token and authenticate with the email provider. This authentication method provides a higher level of security than Basic Auth and doesn't require refresh tokens.
To create a connection, follow these steps:
1. Next to the **OAuth2 Client Credentials Parameters** setting, click **+**.
2. Add a new connection or use an existing one:
* Connection name — enter a unique connection name.
* Token Endpoint URL — enter the email provider URL to retrieve the access token.
* Client ID — enter the registered client ID of the application.
* Client Secret — enter the registered client secret of the application.
* *(Optional)* Scope — enter the scope of the access token, as defined in [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2). Some email providers require the scope to be set. For example, use `https://outlook.office365.com/.default` if you've selected **Office365** for the **Email Service** parameter. Refer to your email provider's documentation to find the correct scope.
* User — enter the email address from which the email is sent.
3. Click **Create**.
OAuth2 is a token-based authentication method. It uses access tokens generated by the service provider to grant authorization for client applications to access user data. Access tokens are unique identifiers that contain user, client application, and permission information. They are short-lived and can be revoked if necessary, providing a higher level of security than Basic Auth. Email providers such as Google and Microsoft may use only OAuth2 for authentication.
To create a connection, follow these steps:
1. Next to the **OAuth2 Parameters** setting, click **+**.
2. Add a new connection or use an existing one:
* Connection name — enter a unique connection name.
* user — add your email address.
* clientId — add a registered client id of the application.
* clientSecret — add a registered client secret of the application.
* accessToken — add an access token. Required only if refreshToken is not available.
* refreshToken — add a refresh token. If it is provided, the Node tries to generate a new access token if existing one expires or fails.
* expiryDate — add an expiration Unix timestamp in milliseconds for the current `accessToken`.
* accessUrl — add an HTTP endpoint for requesting new access tokens. This value defaults to Gmail `https://accounts.google.com/o/oauth2/token`.
* tlsOption — specify one of the options if you want to connect with TLS:
* tls — is used by default. TLS is a separate protocol that operates on a different port (usually port 443 for HTTPS).
* starttls — is a command used to upgrade an existing insecure connection to a secure one within the same port.
* none — don't connect with TLS.
3. Click **Create**.
Cognigy caches connections by default, and for OAuth2 connections, Cognigy also caches the refresh and access tokens. To update the refresh token or access token, create a [snapshot](/ai/agents/deploy/snapshots).
Basic Auth is a simple authentication scheme where the client sends the user's credentials (username and password) to the server in the HTTP header. It's used for web applications requiring authentication and adds an Authorization header to the HTTP request. However, it has security limitations as the credentials are sent in clear text, and the server doesn't provide a way to log out.
To create a connection, follow these steps:
1. Next to the **Basic Auth Parameters** setting, click **+**.
2. Add a new connection or use an existing one:
* Connection name — enter a unique connection name.
* username — add a login that you obtained from your email provider.
* password — add a password that you obtained from your email provider.
3. Click **Create**.
By default, the **No Attachment** option is selected.
| Attachment Type | Description |
| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| From URL | You can specify a public Web URL or a data URL. The linked File will then be attached to that mail. You can also pick a custom filename for the attached file. |
| From Text Content | You can define a text that should be sent as an attachment. |
| From Base64 String | You can define Base64-encoded data that should be attached. |
| Custom Content Attachment | If you need to send text content with a specific MIME-Type, allowing you to define an own MIME-Type. |
| From Pregenerated MIME Node | Allows you to send a fully customized attachment body manually. |
| Option | Description |
| ------------------ | ------------------------------------------------------------------------------------------ |
| Don't store result | Default option. The result isn't stored. |
| Input | The result is stored at a specified location in the **Input Key to store Result** field. |
| Context | The result is stored at a specified location in the **Context Key to store Result** field. |
#### Stop on Error
If switched on, the flow execution will halt in case the mail-sending fails.
| Parameter | Description |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Custom From Email Address | This email address will be displayed in the "from" field (sender's address). |
| CC Email Addresses | The CC recipients of your email. |
| BCC Email Addresses | The BCC recipients of your email. |
| Reply To Address | This email address is the target for receiving mails when recipients reply to your email. |
| Define custom text Email Content | If your content contains non-text content, you can provide a customized text-only version of the mail content here for improved compatibility with limited devices. |
| Email Priority | You can use this option to set your priority to `high`, `normal` (default), or `low`. |
| Execute Request asynchronous | If switched on, the flow execution will **continue directly after** the Send Email Node was triggered. If turned-off, flow execution will **wait until the email is sent**. |
## Example
This example shows how to configure OAuth2 Client Credentials with Microsoft 365 SMTP using Microsoft Entra ID.
Before starting, ensure the following:
* Your Microsoft Entra account must have one of the following roles:
* Application Developer (minimum).
* Cloud Application Administrator or Global Administrator (recommended).
* The mailbox that will send emails must:
* Be hosted in Microsoft 365 or Exchange Online.
* Have [SMTP AUTH](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission) activated.
1. Log in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
2. In the left sidebar, select **Entra ID > App registrations**.
3. Click **New registration**. On the **Register an application** page, enter a name, for example, `Cognigy SMTP Integration`.
4. In the **Supported account types** section, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**. Follow [Microsoft best practices](https://learn.microsoft.com/en-us/entra/identity-platform/single-and-multi-tenant-apps#best-practices-for-multitenant-apps) for multitenant applications, especially regarding security and permission scope.
5. Leave **Redirect URI** empty, this field isn't required for OAuth2 Client Credentials. Click **Register**.
6. After the registration, the **Application Overview** page appears. Copy and securely store:
* Application (client) ID.
* Directory (tenant) ID.
You will need these IDs later for the Send SMTP Email Node.
1. In the created application, go to **Manage > Certificates & secrets**.
2. Click **New client secret**.
3. Enter the required information:
* **Description** – for example, `Cognigy SMTP Secret`.
* **Expiration** – specify the date according to your company's security policy.
4. Click **Add**. Copy the appeared secret value and store it securely. You will need this secret later for the Send SMTP Email Node.
1. [Add the SMTP.SendAsApp permission](https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#add-the-pop-imap-or-smtp-permissions-to-your-microsoft-entra-application) to your Microsoft Entra application. Ensure [admin consent](https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#get-tenant-admin-consent) is granted where required.
2. [Register a Service Principal](https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#register-service-principals-in-exchange) for your application.
1. In the Send SMTP Email Node, select **Microsoft 365** as the email service.
2. For the **Authentication Method**, select **OAuth2 Client Credentials** and click **+** to create a new connection.
3. In the connection configuration, fill in the required fields:
* **Connection Name** — enter a unique name for the connection.
* **Client ID** — enter the application (Client) ID from Microsoft Entra.
* **Client Secret** — enter the secret value created under **Certificates & Secrets** from Microsoft Entra.
* **Scope** — enter `https://outlook.office365.com/.default`
* **Token Endpoint URL** — enter `https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token` and replace `{tenant_id}` with your Directory (tenant) ID from Microsoft Entra.
* **User** — enter the email address of the sender mailbox. Make sure SMTP AUTH is activated for the user, and the user is granted the `SMTP.SendAsApp` permission.
4. Click **Create** to save the connection, then fill in the required fields for the email configuration, such as **Recipient TO Email Addresses**, **Email Subject**, and **Email Content**.
| Issue | Possible Cause | Solution |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| General errors | Typos in the configuration, expired or missing secrets. | Double-check the scope, the token endpoint, the client secret, and ensure you are using the same mailbox as the OAuth2 credentials. |
| Invalid login or authentication failed | **Custom FROM Email Address** is set, OAuth credentials mismatch, disabled SMTP AUTH, or wrong token endpoint or scope. | Leave **Custom FROM Email Address** empty, ensure credentials match the sender mailbox, enable SMTP AUTH, and verify the scope (`https://outlook.office365.com/.default`) and the token endpoint (`https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token`). |
| 401 Unauthorized | Your application lacks `SMTP.SendAsApp`, Admin consent isn't granted, the Service Principal is missing, or the `SendAs` permission is missing. | Grant the `SMTP.SendAsApp` permission, provide admin consent, ensure the Service Principal exists in Exchange, and assign the `SendAs` permission for the mailbox. |
| 535 Authentication failed | The mailbox SMTP AUTH is deactivated. | Activate SMTP AUTH in **Microsoft 365 Admin Center > Mailbox > SMTP AUTH**. |
| Multitenant app issues or token acquisition failed | App not multi-tenant, the Service Principal missing, or incorrect client ID, tenant ID, or client secret. | Ensure the app is multitenant, the Service Principal exists, and verify the client ID, tenant ID, and Client Secret used in Cognigy.AI. |