Troubleshoot Account Access
Diagnose hosted sign-in, SSO, workspace selection, MFA, subscription, and connection gates without exposing credentials.
Account access can be blocked by identity, workspace membership, MFA policy, subscription state, or required financial connections. Identify the page and message you see before changing anything.
Protect Credentials First
Never send or paste:
- password or magic-link contents
- MFA QR code, manual secret, or six-digit code
- session cookie
- OAuth access or refresh token
- API key or webhook secret
- bank login credentials
- full payment-card details
Support can investigate with the sign-in email, organization domain, workspace, time, page URL, and exact non-secret error text.
1. Identify the Blocking Stage
| What you see | Likely stage |
|---|---|
| Sign-in page repeats | Hosted identity start or callback |
| SSO Setup Required | Organization/domain configuration |
| Create your Canvas workspace | No active workspace membership |
| Set up two-factor authentication | MFA enrollment |
| Six-digit verification page | Workspace MFA policy or fresh sign-in verification |
| Choose the plan or Verifying subscription | Subscription gate |
| Non-dismissible Stripe and bank setup | Initial connection requirement |
| Permission error inside Settings | Role does not allow the requested write |
Work the relevant section below. Do not create a second account or workspace until you confirm the first one is actually missing.
2. Retry the Hosted Sign-In Method
Use the same method used previously:
- Apple
- GitHub
- email through the hosted identity flow
- company SSO
The app remembers the last used provider in the browser and marks it Last used. That hint is local to the browser, not proof of the account's identity provider.
If a protected-page link sent you to sign-in, keep the return_to destination and complete authentication in the same browser. Unsafe external return destinations are rejected.
Rate-limited sign-in
The authentication start endpoint allows a limited number of attempts in a 15-minute window. Stop retrying repeatedly, wait for the window to clear, then try once.
Callback failed
If sign-in returns with an authentication-callback error:
- start again from the Sign-in page
- use the same provider
- allow required cookies in the browser
- avoid opening multiple simultaneous callback tabs
- record the time and final URL if it fails again
3. Resolve SSO Setup Required
The SSO error page appears when domain-based authentication cannot find a configured team or organization.
If you are a member
Contact the organization owner. Send the company domain and the SSO error text. Do not create a separate personal workspace unless the owner directs you to.
If you are the owner
- sign in through an available non-SSO owner identity
- open Settings → Account → Organizations
- create or select the organization
- confirm its company domain
- open the available identity administration link
- complete SSO configuration there
- test with a non-owner user
The workspace Security page does not configure SSO.
4. Restore Workspace Selection
A new user with no membership is sent to workspace creation. A user with more than one membership and no selected workspace must choose one rather than having the server guess.
If an existing user sees workspace creation unexpectedly:
- open the Teams page if available
- confirm the invitation was accepted by the same email used to sign in
- ask an owner to verify membership and role
- switch to the intended workspace
- reload the original page
Workspace invitations are email-specific. Signing in with another provider email can create or select a different local identity.
5. Recover MFA Access
No factor is enrolled
When the workspace requires MFA and no factor exists, the verification flow sends you to setup.
- generate the QR code
- add it to a TOTP authenticator
- enter the current six-digit code
- verify and return to the requested page
A valid code is rejected
- confirm the code belongs to the displayed account
- enable automatic time on the authenticator device
- wait for the next code and enter it once
- do not reuse a code after regenerating enrollment
A device is lost
Use another enrolled factor if one exists. After access is restored, open Settings → Account → Security, add a replacement, verify it, then remove the lost factor.
If every factor is unavailable, use public Contact. The current app does not show recovery codes or a self-service factor-reset path.
Last factor cannot be removed
The active membership is subject to the future-member MFA policy. Add another factor first.
6. Resolve Subscription Verification
New users without active access can be redirected to plan setup. After successful checkout, subscription activation can take time to synchronize.
- keep the checkout return page open
- wait for status polling
- use Retry status check after its timeout
- compare hosted billing before purchasing again
For an established workspace, open Settings → Billing and Manage billing. A billing restriction can permit reads but reject writes across the app.
7. Complete the Required Connections
Protected pages can show a blocking setup modal until the active workspace has:
- Stripe connected
- at least one bank connection
If one is already connected, the flow skips it. If the modal remains after both appear present:
- confirm both belong to the same active workspace
- wait for bank account selection and sync to complete
- refresh once
- return to the summary and select Finish setup
- contact support with provider, institution, time, and page URL if the checker remains stale
8. Diagnose Settings Permission Errors
Page visibility and write permission are separate.
- General workspace changes require Owner.
- Workspace Security changes require Owner.
- Custom email-domain lifecycle requires Owner.
- Billing delegates require Owner.
- Notification writes require Owner or Member.
- Plan checkout, portal, and cancellation allow Owner or Member.
- Viewer can read team-scoped settings but cannot write them.
Switching to an owner account is safer than repeatedly submitting a visible control that the server rejects.
9. Profile Email and Sign-In Identity Differ
Changing Settings → Account → General → Email updates the local Eigenn profile. It does not verify or update the hosted identity provider in the same operation.
If sign-in still recognizes the old email, continue using the identity provider's address until its supported update process is complete. Ask an organization administrator for SSO identities.
10. Escalate Safely
When signed in, use Settings → Account → Support. When signed out, use the public Contact page and its published email.
Include:
- sign-in method
- profile email and company domain
- workspace name
- blocking page and URL
- exact error message
- timestamp and timezone
- last successful access
- whether another user can enter the workspace
Do not include secrets even when asked for more detail.