Authentication Troubleshooting
Use this page when a user, administrator, or integration owner reports that they cannot sign in, cannot reach the right tenant, cannot see the expected product area, or receives authentication errors from an integration.
Start by separating authentication from authorization. Authentication answers whether the identity is accepted. Authorization answers whether the accepted identity can perform the requested task.
Prerequisites
Before changing roles or resetting credentials, confirm the environment, affected identity, sign-in method, and exact failed task. Avoid changing multiple access layers at once, because it makes the root cause harder to prove.
Triage flow
Inputs
| Evidence | Why it matters |
|---|---|
| User identity | Confirms the exact account, email, user claim, or service identity. |
| Environment URL | Prevents mixing production, staging, private cloud, or on-premises deployments. |
| Timestamp and timezone | Lets administrators compare FactVerse logs and IdP logs. |
| Sign-in method | Password login, enterprise SSO, client login, API key, or service account. |
| Error text or screenshot | Helps distinguish account, redirect, tenant, package, or product permission problems. |
| Browser or client version | Login behavior can depend on embedded browser, redirect handling, cookie policy, or client version. |
| First failed task | Shows whether the issue is login, tenant access, navigation, or a product permission. |
Common symptoms
| Symptom | First checks |
|---|---|
| Login page does not load | Environment URL, network route, DNS, VPN, proxy, firewall, or service availability. |
| Password login fails | Account status, password reset state, tenant policy, and whether SSO is required. |
| SSO redirect loops | Callback URL, browser cookie policy, IdP app assignment, domain mismatch, or blocked embedded web view. |
| SSO succeeds but user is unknown | User identifier claim, account provisioning, tenant membership, or user mapping. |
| User can sign in but sees no tenant | Tenant membership, project assignment, invited account status, or wrong environment. |
| Product area is hidden | Role package, product entitlement, navigation permission, or project scope. |
| API call returns unauthorized | API key value, endpoint slice, key scope, environment URL, header name, or key revocation. |
| AI workflow cannot access content | Workflow identity, service account scope, product permission, folder rule, dataset scope, or document classification. |
Troubleshooting steps
- Confirm the environment URL and whether the issue happens in web, desktop, mobile, or API access.
- Confirm the identity and sign-in method.
- Test with a known working account in the same environment when allowed by the support process.
- Compare the user against the expected tenant, project, role, and product package.
- For SSO, collect the IdP application assignment, redirect timestamp, and visible error.
- For API keys, confirm the key is active, scoped for the endpoint, and sent in the expected header.
- For product task failures, open the product-specific permission page and check object-level access.
Validation
After applying a fix, repeat the smallest task that originally failed. Record the user or service identity, environment, timestamp, result, and the access layer that changed. If SSO or API key settings changed, validate both a successful identity and an identity that should remain blocked.
Expected result
The issue is ready to close when the identity can authenticate through the intended method, reach the correct tenant, see only the expected product areas, and complete the target task. The final note should state whether the root cause was account status, SSO, tenant membership, role package, product permission, object scope, session state, or API key scope.
Escalation package
When escalating to the DataMesh or customer IT team, include:
- environment URL;
- user or service identity;
- sign-in method;
- exact timestamp with timezone;
- failed URL or API endpoint;
- error message or screenshot;
- expected tenant, project, product, and task;
- recent access changes, role changes, SSO changes, certificate rotation, or key rotation.
Related pages
- Use Enterprise SSO for IdP configuration review.
- Use Users, Roles, and Permissions when authentication succeeds but access is missing.
- Use Service Accounts and API Keys for non-human access failures.