Gmail: authentication fails for SMTP but works with IMAP

  authentication, gmail, javascript, nodemailer, smtp

I have my user credentials saved in Heroku config vars. My IMAP request is working but the SMTP is giving an error. Here’s the code that creates the IMAP request which I can tell is working because the emails are marked as "read" after the code runs:

const imap = new Imap({
  user: process.env.APP_MAIL_2,
  password: process.env.APP_PASSWORD_2,
  host: '',
  port: 993,
  tls: true,
  tlsOptions: { servername: '' }

Here is what I am using for the SMTP request using nodemailer:

const transporter2 = nodemailer.createTransport({
        service: 'gmail',
        auth: {
          user: process.env.APP_MAIL_2,
          password: process.env.APP_PASSWORD_2

When I leave out the SMTP, there are no errors. But when I include it, I get this error:

Error: Invalid login: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 d2sm7974192qkk.42 - gsmtp
at SMTPConnection._formatError (/app/node_modules/nodemailer/lib/smtp-connection/index.js:557:19)
 at SMTPConnection._actionAUTHComplete (/app/node_modules/nodemailer/lib/smtp-connection/index.js:1253:34)
 at SMTPConnection.<anonymous> (/app/node_modules/nodemailer/lib/smtp-connection/index.js:340:26)
 at SMTPConnection._processResponse (/app/node_modules/nodemailer/lib/smtp-connection/index.js:706:20)at SMTPConnection._onData (/app/node_modules/nodemailer/lib/smtp-connection/index.js:509:14)
at TLSSocket.<anonymous> (/app/node_modules/nodemailer/lib/smtp-connection/index.js:461:47)
at TLSSocket.emit (events.js:315:20)
at addChunk (internal/streams/readable.js:309:12)
at readableAddChunk (internal/streams/readable.js:284:9)
at TLSSocket.Readable.push (internal/streams/readable.js:223:10)
at TLSWrap.onStreamRead (internal/stream_base_commons.js:188:23) {

What I’ve tried so far: On the Gmail Account I am using two-factor authentication and an app password. (Because I needed to enable two-factor authentication in order to use an app password, I can’t use the "less secure apps" option but I tried the Unlock Captcha page and that didn’t work either. I found a somewhat related but seemingly reversed issue but nothing there helped me.

Source: Ask Javascript Questions