Overview

{{COMPANY_SHORT_NAME}} authentication is built on Supabase Auth. Day-to-day sign-in is a one-tap magic link sent to your work email. For high-risk actions — rotating an API key, exporting the audit log, refunding a payment over a threshold — we step up to a second factor (TOTP app or SMS one-time code).

Every sign-in, sign-out, MFA challenge, and password reset is written to a tamper-evident audit chain. You can review the last 30 days of your own activity from Settings → Security. Workspace admins see the full chain.

What working correctly looks like

If your account is wired up correctly, you should see all of these. If any one is missing, jump to Troubleshooting.

  • Magic-link emails requested at app.peptideclients.com/sign-in arrive within ~30 seconds.
  • Settings → Security shows at least one enrolled factor (TOTP or SMS).
  • 10 unused recovery codes are downloaded and stored offline.
  • Last 30 days of sign-ins are listed under Settings → Security → Sign-in history.
  • High-risk actions (key rotation, refund, audit export) trigger an MFA prompt before completing.
  • Signing out from one browser ends that one session; Sign out everywhere ends all of them.

Sign in

The only sign-in URL is https://app.peptideclients.com/sign-in. Bookmark it. We never email a different one.

  1. Enter your work email.
  2. Click Send magic link (or Use password if you set one).
  3. Open the email titled “Your sign-in link” and click the button. The link expires in 15 minutes and is single-use.
  4. If MFA is enrolled, finish the second-factor challenge.

First-time invitee?

The invite email lands the same way — click the button, finish a one-time profile screen, and you’re in. The invite token expires after 7 days. Ask the inviter to resend if it does.

Auth modes

Three signal paths can authenticate you. Most operators only ever use the first.

  • Magic link (email) — default. Works without a password. The link is bound to the device that requested it.
  • Password — optional. Set one in Settings → Security → Password if you prefer typing one over waiting for email. Minimum 12 characters; we check against the breach corpus.
  • SMS one-time code — not a primary sign-in path. Used as a step-up factor for high-risk actions and as a recovery channel if you opt in.

Enroll MFA

Go to Settings → Security → Multi-factor.

TOTP authenticator app (recommended)

  1. Click Add factor → Authenticator app.
  2. Scan the QR code with 1Password, Authy, Google Authenticator, or any RFC 6238 client.
  3. Type the current 6-digit code to confirm enrollment.
  4. Name the factor (e.g. “1Password — work laptop”) so you can tell two devices apart.

SMS factor

  1. Click Add factor → SMS.
  2. Enter your mobile number in E.164 format (+15551234567).
  3. Type the code we text you to confirm.

Use SMS as a backup, not your primary factor

SMS is susceptible to SIM-swap. Enroll TOTP as factor #1 and SMS only as a fallback. Workspace admins can require TOTP as the primary factor org-wide.

Recovery codes

The moment you finish enrolling your first factor, we generate 10 single-use recovery codes. Each looks like RC-XXXX-XXXX-XXXX.

  1. Click Download codes. We hand you a .txt file once; the plaintext never lives on our servers.
  2. Print the page or store it in your password manager. Treat it like a private key.
  3. Each code unlocks a sign-in exactly once. After 8 of 10 are consumed, we automatically prompt you to regenerate the set.

Lose them, regenerate them

If you suspect the codes leaked, click Regenerate codes in Settings → Security. The old set is invalidated immediately and a fresh 10 are issued.

Active sessions

Every browser / mobile device that has signed in shows up under Settings → Security → Active sessions: device, browser, IP city, last seen.

  • Sign out next to a row ends that session immediately. The next request from that browser drops to the sign-in screen.
  • Sign out everywhere at the bottom revokes all sessions including your current one. Use it the moment you suspect a leaked link.
  • Sessions auto-expire after 30 days of inactivity.

Sign-in audit log

Your last 30 days of authentication events live at Settings → Security → Sign-in history. Each row records:

  • event — sign_in, sign_out, mfa_challenge, mfa_success, mfa_failed, password_reset, recovery_code_used.
  • at — UTC timestamp of the event.
  • ip + city — coarse geolocation of the requesting IP.
  • device — user-agent fingerprint.
  • method — magic_link, password, totp, sms_otp, or recovery_code.

The full chain (forever, all users in your workspace) lives in the workspace audit log for admins.
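As an added illustration (not part of {{COMPANY_SHORT_NAME}}'s product or this page), here is a small script that reads Sign-in history rows in the field layout above and flags the events worth a second look: a burst of failed second-factor attempts, any recovery-code use (re-enroll a fresh factor afterwards), and access from a city you do not recognise. The rows are constructed sample data, and the export is assumed to be a list of dicts keyed by those field names.

```python
from datetime import datetime, timedelta

# Constructed sample rows using the Sign-in history fields from this page
# (event, at, ip, city, device, method). All values are made up.
SAMPLE_ROWS = [
    {"event": "sign_in", "at": "2024-05-01T09:00:00Z", "ip": "203.0.113.10",
     "city": "Austin", "device": "Chrome/macOS", "method": "magic_link"},
    {"event": "mfa_challenge", "at": "2024-05-01T09:00:05Z", "ip": "203.0.113.10",
     "city": "Austin", "device": "Chrome/macOS", "method": "totp"},
    {"event": "mfa_success", "at": "2024-05-01T09:00:20Z", "ip": "203.0.113.10",
     "city": "Austin", "device": "Chrome/macOS", "method": "totp"},
    {"event": "mfa_failed", "at": "2024-05-03T02:10:00Z", "ip": "198.51.100.7",
     "city": "Lagos", "device": "Firefox/Windows", "method": "totp"},
    {"event": "mfa_failed", "at": "2024-05-03T02:10:30Z", "ip": "198.51.100.7",
     "city": "Lagos", "device": "Firefox/Windows", "method": "totp"},
    {"event": "mfa_failed", "at": "2024-05-03T02:11:00Z", "ip": "198.51.100.7",
     "city": "Lagos", "device": "Firefox/Windows", "method": "totp"},
    {"event": "recovery_code_used", "at": "2024-05-03T02:12:00Z", "ip": "198.51.100.7",
     "city": "Lagos", "device": "Firefox/Windows", "method": "recovery_code"},
]

def parse_at(value):
    # The 'at' field is assumed to be an ISO 8601 UTC timestamp with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def review_history(rows, known_cities, fail_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (kind, at, city) findings, oldest first."""
    findings = []
    recent_failures = []  # timestamps of mfa_failed events still inside the window
    for row in sorted(rows, key=lambda r: parse_at(r["at"])):
        at = parse_at(row["at"])
        event, city = row["event"], row["city"]
        # Successful access (including via a recovery code) from an unfamiliar city
        if event in ("sign_in", "recovery_code_used") and city not in known_cities:
            findings.append(("new_city", row["at"], city))
        # A consumed recovery code should be followed by enrolling a fresh factor
        if event == "recovery_code_used":
            findings.append(("recovery_code_used", row["at"], city))
        # Repeated wrong second-factor codes: review Active sessions, consider Sign out everywhere
        if event == "mfa_failed":
            recent_failures = [t for t in recent_failures if at - t <= window] + [at]
            if len(recent_failures) >= fail_threshold:
                findings.append(("mfa_failure_burst", row["at"], city))
                recent_failures = []  # report each burst once
    return findings

if __name__ == "__main__":
    for kind, at, city in review_history(SAMPLE_ROWS, known_cities={"Austin"}):
        print(f"{at} {kind} ({city})")
```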

Lost your second factor

You have two paths.

  1. Use a recovery code. On the MFA prompt, click “Use a recovery code instead”, paste one of the 10 you downloaded. You sign in immediately. Re-enroll a fresh factor on the next screen.
  2. Email {{CONTACT_EMAIL}} with photo ID. Use this if recovery codes are also lost. Send a photo of a government-issued ID matching the name on the account, plus the workspace name. We’ll verify with another admin in your workspace and reset MFA within one business day. There is no automated bypass.

We will never ask for your recovery codes

{{COMPANY_SHORT_NAME}} support will never ask you to read out a recovery code, magic-link URL, or password. Anyone who does is not us. Forward the message to {{CONTACT_EMAIL}} and we’ll handle it.

Settings & permissions

Account-level settings are at Settings → Security. Workspace-wide policies are at Settings → Workspace → Security (admin-only):

  • Require MFA org-wide — new members must enroll a factor before reaching any other screen.
  • Allowed factors — allow / disallow SMS as a factor type.
  • Session lifetime — default 30 days; can be tightened to 24 hours.
  • IP allowlist — CIDR-restrict sign-ins (paid tiers).

Removing a teammate from Settings → Team revokes all their active sessions within seconds.

Troubleshooting

Most sign-in problems fall into one of these buckets.

Symptom — Likely cause — Fix

  • Magic link never arrived — Likely cause: email greylisted or in Spam. Fix: whitelist noreply@peptideclients.com; check Spam; click Resend. See Can’t sign in.
  • “Link expired” — Likely cause: magic link is >15 min old or already used. Fix: request a fresh one.
  • “Invalid code” (TOTP) — Likely cause: phone clock drift. Fix: sync time on the phone; codes are time-based.
  • SMS code never arrives — Likely cause: carrier filter or wrong number. Fix: use TOTP or a recovery code; fix the number under Settings → Security.
  • “MFA required” on every page — Likely cause: workspace policy enforces step-up for that action. Fix: finish the prompt; the step-up unlocks for ~15 min.
  • Locked out, no recovery codes — Fix: email {{CONTACT_EMAIL}} with photo ID.

The full symptom-to-fix table lives at Troubleshooting → Can’t sign in.