Hook SecurityHook Docs
Troubleshooting

Troubleshoot sign-in problems

Diagnose the common login errors — not invited, not authorized, expired code, and different-browser magic-link failures.

Most sign-in problems on the Hook portal come down to one of a handful of specific errors, and each one points at a different fix. This page walks through the exact messages you'll see on the login screen, what each one means under the hood, and how to clear it — whether you sign in with a one-time code, a magic link, or a password. Use it when you (or a teammate) are stuck at /auth/login and want to know whether it's an account problem, a code problem, or a browser problem.

Two sign-in tabs

The login screen has two tabs: OTP Code (the default — Hook emails you a one-time code) and Password. Magic links sent by email complete on a shared callback page rather than the tab itself. The fixes below are grouped by the error message, not the tab.

"This email has not been invited"

The full message is "This email has not been invited. Please contact your administrator." (error code not_invited).

Hook is invitation-only. When you verify a code or magic link, Hook looks up your email address in its own user list. If there's no matching account, Hook signs you out immediately and shows this message — even though the email or code itself was valid.

What to do: your account hasn't been provisioned yet. Ask your organization admin (or your Hook CSM, if you're an admin yourself) to add you as a user. Double-check the spelling and domain of the address you're signing in with — signing in as you@acme.com won't match an invite sent to you@acme.co.

Login screen showing the red "This email has not been invited" banner above the OTP and Password tabs

"Not authorized"

The full message is "This account is not authorized to sign in. If you believe this is an error, please contact your administrator. If you are attempting to complete training, please go to https://school.hooksecurity.net" (error code not_authorized).

This one is different from not invited: your account does exist in Hook, but it isn't linked to an active PhishingBox console user. Hook requires an active PhishingBox user to sign in to the admin and MSP portals — an account with no PhishingBox user, or one that's been deactivated in PhishingBox, is rejected here.

What to do depends on who you are:

  • You're trying to complete assigned training (a learner). You're in the wrong place. Training lives on the learner site — https://school.hooksecurity.net. Go there to take your courses; the portal at the Hook app URL is for admins.
  • You're an admin and expected portal access. Your PhishingBox link is missing or deactivated. Contact your organization admin or support@hooksecurity.co to get your account reactivated.

Same message on the Password tab

If you sign in with a password and your account is valid but not authorized, Hook shows this same not authorized guidance (so training users get pointed to the right site). Every other password failure stays deliberately generic — see Password sign-in errors below.

The full message is "Please click the magic link in the same browser where you requested it." (error code different_browser).

Magic links use PKCE, a security handshake that ties the link to the browser that requested it. The browser stores a secret when you ask for the link; the link only completes if that same secret is present when you open it. If you request the link in one browser and open it in another, Hook can't find the secret and rejects the exchange with this message.

This usually happens when:

  • You request the link on your phone but tap it from a desktop email client (or vice versa).
  • Your email app opens links in its own in-app browser instead of the browser you started in.
  • You requested the link in a private/incognito window that has since closed.

What to do: open the link in the same browser you used to request it. The most reliable fix is to skip the magic link entirely and use the OTP Code tab instead — a one-time code works no matter which device or browser you type it into.

Login screen showing the "Please click the magic link in the same browser where you requested it" banner

One-time code (OTP) problems

On the OTP Code tab, you enter your email, Hook sends a code, and you type it back in to verify. A few things trip people up:

The code is exactly six numeric digits

The code field only accepts digits — anything you type that isn't a number is stripped out automatically — and it caps at six characters. The Verify Code button stays disabled until you've entered exactly six digits, so if the button looks greyed out, you're a digit short (or have an extra one). Copy the code straight from the email to avoid transcription slips.

Codes expire quickly

If you see "Your code has expired. Please request a new one." (otp_expired) or "Invalid or expired code. Please try again." (otp_invalid), the code is no longer good — it timed out or didn't match. Request a fresh one with Resend code and use it promptly.

Resend has a 30-second cooldown

After a code is sent, the Resend code link counts down from 30 seconds ("Resend in 30s") before it's clickable again. This is normal — wait for the countdown to finish, then resend. If you hammer it, you may hit "Too many attempts. Please wait a moment before trying again." (otp_rate_limited); give it a minute and try once more.

Use a different email

If you typed the wrong address, click Use different email to go back to the email step and start over.

Didn't get the code at all?

If no email arrives, check spam and confirm the address is spelled correctly. Hook deliberately doesn't tell you whether an address is on file when you request a code (to prevent account fishing), so a missing email can also mean the account simply isn't invited — see This email has not been invited.

Password sign-in errors

On the Password tab, a failed sign-in shows a single generic message: "Invalid email or password".

This is intentional. Hook does not tell you whether the email exists, whether the password was wrong, or whether the account is inactive — revealing that would let an attacker probe for valid accounts (account enumeration). The one exception is the not authorized case described above, which surfaces the training-site guidance.

What to do:

  • Re-check the email and password for typos.
  • If you're not sure of the password, click Forgot your password? below the form. That starts the reset flow: you enter your email, Hook verifies your identity with a one-time code (the same OTP step as code sign-in), and then you set a new password on the next screen. The new password must be at least 8 characters and is confirmed twice. Once it's saved you're signed out and returned to the login screen with "Password updated successfully. You can now sign in."
  • If the password genuinely isn't working and reset doesn't help, fall back to the OTP Code tab — code sign-in doesn't depend on a password at all.

Reset session can expire

If you land on the set-new-password screen without a valid verified session, Hook bounces you back with "Your password reset link has expired or is invalid. Please request a new one." (invalid_reset_link). This usually means the verification step timed out — just start over from Forgot your password? and complete the reset promptly.

When to escalate to support

If you've worked through the relevant section above and still can't sign in, email support@hooksecurity.co. To get a fast answer, include:

  • The exact error message shown on the login screen (copy it word-for-word, or attach a screenshot).
  • The email address you're signing in with.
  • Which tab you used — OTP Code, Password, or a magic link from email.
  • The device and browser (e.g. "iPhone Safari" or "Windows Chrome"), especially for different browser errors.
  • The approximate time you tried, so support can match it to login logs.

If you're an admin reporting on behalf of a teammate, note whether the person should have portal access (admin) or only training access (learner) — that's the single most common source of not authorized confusion.

On this page