Your Office AI sends transactional email through Resend. You need two things: an API key and a verified sending domain. Both are configured on the Auth server, which is the service that owns sign-up and account flows.
Unlike most secrets, the Resend key goes in the Auth server's config: command_center_server/config/passwords.yaml. The Auth server handles identity, so it is the one that sends verification and invitation mail.
Email is required for the account lifecycle — without it, users cannot verify their address, reset a password, or accept an invitation.
| When it's sent | |
|---|---|
| Verification code | On sign-up, to confirm the user's email address. |
| Password reset | When a user requests a reset from the sign-in screen. |
| Organisation invitation | When an admin invites someone to an organisation. |
Sign up at resend.com, then open API Keys → Create API Key with sending access. Copy the key (it looks like re_…) immediately — Resend shows it only once.
In Resend → Domains, add your domain and create the SPF, DKIM, and DMARC DNS records Resend provides at your DNS host. A verified domain gives far better deliverability and keeps mail out of spam. Without one, mail sends from Resend's shared onboarding@resend.dev test sender.
In command_center_server/config/passwords.yaml set resendApiKey, and — once your domain is verified — resendFromEmail to an address on it (for example noreply@yourdomain.com). Use a different key per environment (development / staging / production).
Start the Auth server and sign up with a test address. The server logs "[EmailService] Email sent successfully", the verification email lands in the inbox, and the send shows under Logs in the Resend dashboard.
| Value | File | Key |
|---|---|---|
| Resend API key | command_center_server/config/passwords.yaml | development.resendApiKey |
| From-address (verified domain) (optional) | command_center_server/config/passwords.yaml | development.resendFromEmail |
Until you set resendFromEmail to an address on a verified domain, mail sends from onboarding@resend.dev and is likely to be filtered as spam. For any real deployment, verify your domain and set a from-address on it.
If a send fails, the Auth server logs a warning and still records the verification code in its logs, then returns a failure to the caller — the app keeps working even when email is temporarily down. Watch the server logs and the Resend dashboard's Logs view to confirm delivery.
If you would rather use SMTP — Resend's SMTP relay, or another provider such as SendGrid or AWS SES — the Auth server accepts SMTP credentials instead of the Resend HTTP API. Set the SMTP host, port, username, password, TLS flag, and from-address in the same passwords.yaml. For Resend's relay the host is smtp.resend.com on port 465 (SSL) or 587 (STARTTLS), with username resend and your API key as the password.
That completes the external-service chain. Return to the Setup & infrastructure overview to review the full checklist, or read about Security & Privacy.