Guides · Troubleshooting

Can’t sign in.

Magic link expired, MFA device lost, recovery codes exhausted, account locked. Almost every sign-in problem maps to one of the sections below.

Quick check

Verify these four before going further.

  • You’re signing in at https://app.peptideclients.com/sign-in — not an old bookmark for a staging or preview URL.
  • The email address you’re using is exactly what was invited (case typically doesn’t matter, but stray spaces do).
  • If you’re typing a password, caps lock is off and you’re using the right keyboard layout.
  • You can receive email at the address you signed up with (try sending yourself a test from any other account).

The symptom

You clicked the link in a magic-link email and the resulting page says “link expired or invalid” or redirects you back to the sign-in form.

Why it happens

Magic links are valid for 60 minutes from the moment they’re issued. If you requested the link, then got pulled into something else for an hour, the link in the original email no longer works.

Magic links are also single-use. If you (or your mail client’s link previewer) clicked the link once already, the second click sees an expired token.

How to fix it

  1. Go back to https://app.peptideclients.com/sign-in and request a fresh magic link.
  2. Open the new email and click the link within the hour. Don’t forward the email or paste the URL into another app.
  3. If your mail client (Outlook, some corporate gateways) pre-fetches links, that consumes the single-use token before you ever click it. See Magic link wrong device for the workaround.

The symptom

You requested the magic link on your laptop, then opened the email on your phone, then clicked the link — it signed you in on the phone, not on the laptop. Or worse, the click on the phone consumed the link and you can’t use it back on the laptop.

Why it happens

Magic links sign you in on the device that opens the link — not on the device that requested it. This is by design (otherwise an attacker who could see your email could log into your machine).

Corporate mail gateways and Outlook’s “safe links” feature sometimes pre-resolve URLs in background, which consumes the single-use token before you click it.

How to fix it

  1. Request the link from the device you actually want to be signed in on, and open the link on that same device.
  2. If your mail client is on a different device than your browser, copy the link URL out of the email and paste it into the browser on the device you want to be signed in on — that’s the “opening” that matters.
  3. If your corporate gateway pre-fetches links and consumes the token, switch to password sign-in or contact your IT to allowlist app.peptideclients.com.

Magic link email never arrives

The symptom

You requested the magic link, the UI showed a success toast, but no email lands in your inbox or spam folder. 5, 10, 30 minutes later — still nothing.

Why it happens

The send happened (or tried to). What broke is the delivery itself — bounce, suppression, spam filter, or wrong-from-domain. This is the same problem space as any other email delivery issue.

How to fix it

Walk through Email not delivered with the magic-link template (magic_link) in mind. The common patterns:

  • Your address is on the suppression list from a prior hard bounce. Have a workspace admin remove the suppression. See On the suppression list.
  • The email went to spam. Search your spam folder for “{{COMPANY_SHORT_NAME}}”.
  • Your corporate gateway is filtering us out entirely. Use password sign-in as a workaround and ask IT to allowlist our sending domain.

While you’re sorting it out, signing in with email + password (no magic link) avoids the email-delivery dependency entirely.

Lost MFA device

The symptom

You signed in with email + password, the /mfa page is asking for an SMS code, but your phone is dead / lost / replaced and you’re no longer receiving the code.

Why it happens

2FA on this app is SMS-based (not TOTP). The OTP is sent to the phone number registered at enrollment time. If that number isn’t reachable, the code doesn’t arrive.

How to fix it

  1. On the MFA prompt, click Use a recovery code. You were given 10 single-use codes when you enrolled in 2FA — type any one.
  2. Once signed in, go straight to Settings → Security and update your phone number to the new one (the system will require a fresh OTP to the new number to confirm).
  3. Generate fresh recovery codes at the same time — the one you just used is consumed.
  4. If you have no recovery codes left, see Recovery codes used up.

All recovery codes used up

The symptom

You can’t receive the SMS OTP and your 10 recovery codes are exhausted (you used them as you lost devices over time without regenerating new ones).

Why it happens

Recovery codes are deliberately not re-issuable from outside the account. If they were, an attacker who took over your email could lock you out forever. So once they’re used up and the MFA device is gone, account-recovery requires a manual identity check.

How to fix it

  1. Email {{CONTACT_EMAIL}} from the address on your account. Subject: MFA reset request.
  2. Include a photo of a government-issued ID. We compare the name on the ID against the name on the account.
  3. Include the workspace name and an approximate sign-up date if you remember.
  4. Wait for response — typical turnaround is one business day. We’ll disable MFA on the account so you can sign in with email + password and re-enroll.
Generate fresh recovery codes after re-enrolling

Once you’re back in, go to Settings → Security → Recovery codes and regenerate. Store them somewhere offline (printed, password manager) so you’re not back at this step.

Account locked from too many failed attempts

The symptom

You typed the wrong password several times in a short window. Subsequent attempts now respond with “account temporarily locked” even when you’re typing the right password.

Why it happens

A brute-force protection auto-locks an account after 10 failed sign-in attempts in 15 minutes. The lock auto-clears 30 minutes after the most recent failure.

How to fix it

  1. Wait 30 minutes from your last failed attempt and try again. Don’t keep retrying in the meantime — each new failure resets the clock.
  2. If you suspect someone else is trying to brute-force your account (failures are coming from an IP that isn’t yours, per the sign-in log), reset your password immediately after the lock clears.
  3. If you need access now and can’t wait, request a magic link — that bypasses the password (but counts against the same lock if it’s also failing).

Signed in successfully but see no data

The symptom

You signed in (no error), the app shell loaded, but the orders list / clients list / dashboard are all empty. You know there’s data — you can see it on someone else’s screen.

Why it happens

You’re signed into the wrong workspace. Many users belong to multiple workspaces (e.g. you’re an operator at two clinics, or you have a personal sandbox plus a production org). The picker defaults to the most recently used — which may not be the one with the data you’re looking for.

How to fix it

  1. Look at the top-right of the app shell — there’s a workspace switcher with the current workspace name. Click it.
  2. Pick the correct workspace from the dropdown. Every module reloads with that workspace’s data.
  3. If you only see one workspace and it’s the wrong one, you’re not actually a member of the workspace you need. The workspace owner needs to invite you (see Role removed).

Your access was removed

The symptom

You used to be able to sign in to a workspace and now you can’t see it in the picker. Or you can sign in but every page says “you don’t have permission”.

Why it happens

A workspace owner or admin removed your membership, or downgraded your role to one that doesn’t include the module you’re trying to access.

How to fix it

  1. Contact the workspace owner (the person who originally invited you) and ask them to either re-invite you or restore your role.
  2. The owner can do this in Settings → Team — click Invite and re-add your email, or click your name and adjust the role.
  3. If the workspace owner left the company and there’s no one with admin rights remaining, email {{CONTACT_EMAIL}} — we’ll work with you to do a manual ownership transfer (requires identity verification, same process as recovery code reset).

Reading the diagnostics

Settings → Security → Sign-in log shows your own sign-in events for the last 30 days. (You see your own log; workspace admins also see all events for their workspace in Settings → Team → Audit log.)

ColumnWhat to look at
attempted_atWhen the attempt happened (UTC). Match against when you remember trying.
source_ipThe IP the attempt came from. If you see attempts from IPs you don’t recognize, treat as a security event — rotate password and turn on 2FA.
user_agentThe browser / app that attempted. Useful for spotting bots vs real attempts.
successtrue / false. A run of false rows is your account-lockout window.
reasone.g. invalid_password, mfa_required, magic_link_expired, account_locked. Maps to the sections above.
Don’t see your own log?

You can only see Settings → Security → Sign-in log once you’re signed in. Catch-22 if you can’t sign in at all — in that case, jump straight to the escalation step below.

When to write to support

If none of the above gets you back in, email {{CONTACT_EMAIL}} with:

  1. The email address on the account.
  2. The workspace name (or names if you have several).
  3. An approximate last successful sign-in date — helps us scope the audit log lookup.
  4. What you’ve already tried — reset password, requested magic link, used a recovery code, etc.
  5. For MFA / recovery code resets specifically: a photo of a government-issued ID (we compare the name to the account).

Related: Security & MFA feature guide · Email not delivered · Troubleshooting hub.