Troubleshooting Login and Access
Resolve login failures, locked accounts, SSO errors, and permission issues.
Last updated: June 2026
Cannot log in / wrong password
Symptom: Entering your email and password returns an "Invalid credentials" error or a blank page reload with no error message.
1. Confirm you are using the correct email address
   Nuxari accounts are identified by the email address used when you were invited. If your organization uses multiple email domains, ensure you are entering the exact address shown in your invitation email, not an alias.
2. Use the Forgot Password flow
   Click Forgot Password on the login page. Enter your email and click Send Reset Link. Check your inbox, including the spam folder. The reset link is valid for 30 minutes.
3. Clear browser cookies and cache for the Nuxari domain
   Stale cookies can cause the login form to submit to an old session endpoint. Open your browser developer tools, navigate to Application > Cookies, delete all cookies for app.nuxari.io, then try logging in again.
4. Try a different browser or incognito window
   Browser extensions such as password managers or ad blockers can interfere with form submission. Try logging in from a private/incognito window to rule out extension conflicts.
5. Contact your workspace admin if the problem persists
   If none of the above resolve the issue, your account may have been deactivated or the email address may have been changed. Ask your Nuxari workspace admin to verify your account status in Settings > User Management.
Account locked
Symptom: Login returns "Account locked. Too many failed attempts." You cannot log in even with the correct password.
1. Wait 30 minutes for automatic unlock
   Account lockouts expire automatically after 30 minutes. After the lockout period, try logging in with the correct credentials.
2. Ask a workspace admin to unlock your account immediately
   An admin can go to Settings > User Management, find your account, and click Unlock. This immediately removes the lockout without waiting for the cooldown timer.
3. Reset your password if you are unsure of the correct one
   Once unlocked, use the Forgot Password flow to set a new password before attempting to log in again. This prevents re-triggering the lockout.
4. Check for automated tooling using old credentials
   If your account is being locked repeatedly, an automated system (CI pipeline, script, or browser-saved password) may be sending repeated failed login attempts. Update the credentials in all places they are stored.
SSO login failing (Entra ID, Keycloak)
Symptom: Clicking "Sign in with SSO" redirects to the identity provider but returns an error such as "Access denied", "Invalid redirect URI", or "SAML response validation failed", then redirects back to the Nuxari login page without completing sign-in.
1. Confirm your account exists in the identity provider
   SSO requires your account to exist in the configured identity provider (Entra ID or Keycloak) with an email address that matches your Nuxari account. Ask your IdP admin to verify your user record is active and the email attribute is correctly set.
2. Verify the SSO application is assigned to your account
   In Entra ID, applications can be restricted to specific groups or users. Ask your Entra admin to confirm your account is in a group assigned to the Nuxari application registration. In Keycloak, verify your user is in a realm that has the Nuxari client configured.
3. Check for a redirect URI mismatch
   The 'Invalid redirect URI' error means the redirect URL configured in your IdP does not match the one Nuxari sends. In Entra ID, open the Nuxari app registration and confirm the Redirect URI is set to https://app.nuxari.io/auth/callback. Ask Nuxari support for the exact URI for your workspace.
4. Clear IdP session cookies and retry
   A stale IdP session can cause silent failures. Sign out of your identity provider completely (Entra ID: login.microsoftonline.com; Keycloak: your Keycloak URL), then retry the Nuxari SSO flow.
5. Check workspace SSO configuration
   A workspace admin can go to Settings > Security > SSO and verify that the integration configuration is correct: tenant ID, client ID, and metadata URL. Any recent change to the IdP configuration may have invalidated the integration.
6. Review the browser console for error codes
   Open the browser developer tools (F12), navigate to the Network tab, and attempt SSO again. Look for failed requests and any error_description query parameters in the redirect URL. These codes can pinpoint the exact IdP-side failure.
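The redirect URI and error_description checks above can be run against URLs copied from the Network tab. The following is an added example, not Nuxari code: the function names, the idp.example.test host and the sample URLs are constructed, and the registered URI is the one quoted on this page, which may differ for your workspace.

```javascript
// Registered redirect URI as quoted in this guide; confirm the exact value for your workspace.
const REGISTERED_REDIRECT_URI = "https://app.nuxari.io/auth/callback";

// List the URL components in which the sent redirect_uri differs from the registered one.
function redirectUriDiff(registered, sent) {
  let a, b;
  try {
    a = new URL(registered);
    b = new URL(sent);
  } catch {
    return ["one of the values is not an absolute URL"];
  }
  const diffs = [];
  for (const part of ["protocol", "host", "pathname", "search"]) {
    if (a[part] !== b[part]) diffs.push(`${part}: registered "${a[part]}" vs sent "${b[part]}"`);
  }
  return diffs;
}

// Inspect the request sent to the IdP. IdPs compare redirect URIs as exact strings,
// so a trailing slash or a different scheme is enough to be rejected.
function inspectAuthorizeRequest(authorizeUrl, registered = REGISTERED_REDIRECT_URI) {
  const sent = new URL(authorizeUrl).searchParams.get("redirect_uri");
  if (sent === null) return { sent, exact: false, diffs: ["request has no redirect_uri parameter"] };
  return { sent, exact: sent === registered, diffs: redirectUriDiff(registered, sent) };
}

// Inspect the URL the IdP redirected back to. Errors arrive in the query string,
// or in the fragment for some response modes.
function inspectCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const get = (key) => url.searchParams.get(key) ?? fragment.get(key);
  const error = get("error");
  if (error === null) return { failed: false };
  return { failed: true, error, description: get("error_description") };
}

// Constructed samples: a request with a trailing slash, and a failed callback.
const SAMPLE_AUTHORIZE_URL =
  "https://idp.example.test/authorize?client_id=constructed-client&response_type=code" +
  "&redirect_uri=https%3A%2F%2Fapp.nuxari.io%2Fauth%2Fcallback%2F";
const SAMPLE_CALLBACK_URL =
  "https://app.nuxari.io/auth/callback?error=access_denied" +
  "&error_description=User+is+not+assigned+to+this+application&state=constructed";

console.log(inspectAuthorizeRequest(SAMPLE_AUTHORIZE_URL));
console.log(inspectCallback(SAMPLE_CALLBACK_URL));
```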
Session expired unexpectedly
Symptom: You are logged in and working, then Nuxari suddenly redirects you to the login page with a "Session expired" message, even though you were actively using the product.
1. Check your workspace session timeout policy
   A workspace admin can review the session timeout setting in Settings > Security. If the inactivity timeout is set aggressively (e.g., 15 minutes), even brief periods of reading without interacting with the UI can expire the session.
2. Confirm your system clock is accurate
   Session tokens are time-bounded. If your local clock drifts significantly from the server's UTC time, JWT tokens will appear expired to the server. Sync your system clock with an NTP source.
3. Check for browser cookie restrictions
   Some browsers block third-party cookies or aggressively clear session cookies. Ensure your browser allows cookies from app.nuxari.io and is not set to clear cookies on tab close.
4. Disable browser extensions that clear cookies
   Extensions that manage privacy (such as Privacy Badger or cookie-clearing plugins) may delete the Nuxari session cookie. Add app.nuxari.io to the extension's allow list.
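To tell clock drift apart from a genuine timeout, compare a token's exp claim with both the local clock and the server's clock. The following is an added example, not Nuxari code: it assumes you can copy a JWT from a failing request and the Date response header from the Network tab, and the function names and sample token are constructed.

```javascript
// Decode a JWT payload WITHOUT verifying its signature. This is for reading the
// time claims while troubleshooting only, never for an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Report the token's remaining lifetime as seen by the local clock and by the server.
// serverDate is the Date response header from any response sent by the server.
function sessionTiming(jwt, localNowMs, serverDate) {
  const { iat, exp } = decodeJwtPayload(jwt);
  if (typeof exp !== "number") throw new Error("token has no numeric exp claim");
  const serverNowMs = Date.parse(serverDate);
  if (Number.isNaN(serverNowMs)) throw new Error("unparseable Date header");
  const localNow = Math.floor(localNowMs / 1000);
  const serverNow = Math.floor(serverNowMs / 1000);
  return {
    skewSeconds: localNow - serverNow, // positive: local clock runs ahead of the server
    lifetimeSeconds: typeof iat === "number" ? exp - iat : null,
    secondsLeftLocal: exp - localNow,
    secondsLeftServer: exp - serverNow,
  };
}

// Constructed sample token: issued 2026-01-01T12:00:00Z, valid for 15 minutes.
function makeSampleJwt(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
const SAMPLE_JWT = makeSampleJwt({ sub: "user@example.test", iat: 1767268800, exp: 1767269700 });

// Constructed scenario: the server says 12:05, the local clock says 12:25.
const SAMPLE_TIMING = sessionTiming(
  SAMPLE_JWT,
  Date.parse("2026-01-01T12:25:00Z"),
  "Thu, 01 Jan 2026 12:05:00 GMT"
);
console.log(SAMPLE_TIMING);
```

A large skewSeconds together with secondsLeftLocal and secondsLeftServer of opposite sign points at the clock rather than the timeout policy.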
Access denied to a page or feature
Symptom: You are logged in but navigating to a specific page returns "Access denied" or "You do not have permission to view this page", or a feature button is grayed out with a tooltip indicating insufficient permissions.
1. Check your current role in the workspace
   Go to your profile menu (top right) and click Account. Your current workspace role is displayed. Compare it against the permissions required for the feature you are trying to access.
2. Identify which role is required
   The Workspaces and Roles documentation lists which roles can access which features. For example, the Audit Log page requires the Auditor or Admin role; the Remediation page requires at least the Operator role.
3. Ask a workspace admin to update your role
   If you need access to a feature, ask a workspace admin to go to Settings > User Management, find your account, and update your role. Changes take effect immediately after saving.
4. Verify you are in the correct workspace
   If your organization has multiple workspaces, confirm you are logged into the correct one. Your role in workspace A does not grant access in workspace B. Switch workspaces from the workspace selector in the top navigation.
Invite link expired or invalid
Symptom: Clicking an invite link returns "This invitation has expired" or "Invalid invitation token".
1. Confirm the invite has not already been used
   Nuxari invite links are single-use. If you or someone else already completed signup using this link, it will report as invalid on a second use.
2. Check if the invite expired
   Invites expire after 7 days by default (workspace admins can configure this). If the invite is older than 7 days, it is no longer valid.
3. Ask the admin to resend the invite
   A workspace admin can go to Settings > User Management, find the pending invite, delete it, and send a new one. The new invite link will be valid for 7 days.
4. Check your spam folder for the newest invite
   If the admin has already resent the invite, the new email may have landed in spam. Check your spam or junk folder and whitelist the sending domain (nuxari.io) for future emails.
User cannot see their tenant after login
Symptom: Login succeeds, but the user lands on an empty workspace selection screen or sees "No workspaces found" even though they have been invited to a workspace.
1. Confirm the invite was accepted under the correct email address
   If the user signed up with a different email address than the one the invite was sent to, the invite and the account will not be linked. The admin should check which email was used to register and update the workspace membership accordingly.
2. Check that the user account is active
   A workspace admin should go to Settings > User Management and verify the user's account status is Active, not Deactivated or Pending.
3. Re-send the workspace invitation
   If the user was invited but never completed the invite flow, the workspace assignment may be incomplete. The admin should delete the old invite and send a fresh one to the correct email address.
4. Check for domain allowlist restrictions
   If the workspace has a domain allowlist configured in Settings > Security, accounts registered with email addresses not on the allowlist will not be permitted to join the workspace. The admin should either add the user's domain to the allowlist or change the user's email to a permitted domain.