`hashed_token` of `email_change_new` link properties is outdated

[felixgabler]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

In contrast to the correctly working email_change_current, when I call this:

client.auth.admin.generateLink({
    type: 'email_change_new',
    email: user.email!,
    newEmail,
    options: { redirectTo: `${frontendOrigin}/app` },
})

I get an object like this:

{ action_link:
   'http://127.0.0.1:54321/auth/v1/verify?token=7353528fed7a27ef989b96a85480251849791f1031950c0b50293ba9&type=email_change&redirect_to=http://localhost:3000/app',
  email_otp: '026207',
  hashed_token: 'a7ebb4cce397f5c582c297d3b83597176edff96a8a2b1a2792c13183',
  redirect_to: 'http://localhost:3000/app',
  verification_type: 'email_change_new' }

where the hashed_token is not the same as the one in action_link and it gives me a outdated otp error when I try to validate it.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

1. Use snippet above and compare tokens

Expected behavior

The tokens should be the same.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

• OS: macOS
• Browser (if applies): Chrome
• Version of supabase-js: 2.47.10
• Version of Node.js: v22.11.0

Additional context

Very weird that it works with email_change_current