Troubleshoot SSO and Login Issues

Diagnose and resolve common SSO and sign-in failures in Torq, organized by symptom, with escalation steps when self-recovery isn't enough.

This article covers sign-in issues with the Torq App at https://app.torq.io (US), https://app.eu.torq.io (EU), or https://app.jp.torq.io (JP). For Torq Academy login issues, email academy@torq.io. For Torq Support Portal access, sign in to the Torq App first, then use the Knowledge Hub widget.

"Incorrect email or password" after redirecting back from your IdP

You're redirected to your IdP, sign in successfully, get redirected back to Torq, then see "Incorrect email or password" (or similar).

Often caused by a stale browser session, a missing or mismatched email claim mapping, your IdP not sending the attribute Torq expects (roles, groups, memberOf), or group claim values sent as full distinguished names (CN=GroupName,OU=Groups,O=Domain) instead of short group names.

  1. Try signing in from a private or incognito browsing window. If that works, you're dealing with a stale browser session.

  2. Clear cookies for torq.io and your IdP, then retry.

  3. If the issue persists, go to Settings → Security → SSO → Claim mappings and confirm the configured names and values match what your IdP is sending in the token.

  4. If the email claim mapping was removed or changed during debugging, restore it. The email claim is the fallback that prevents administrator lockout.

If claim mappings look correct and your IdP-side configuration matches them, but users still can't sign in, the cached claim state on Torq's side may be stale - file a ticket. See Admin Self-Service for the escalation path.

Blank screen or sign-in form behaves erratically

The Torq UI loads a blank page after a successful sign-in - or, on the sign-in page itself, the email field clears as soon as you click away, or the Sign In button never enables.

Often caused by stale browser tokens, third-party cookie blocking, or a browser extension interfering with the page or form (ad blockers, password managers, or any extension that injects scripts or auto-fills fields).

  1. Try signing in from a private or incognito browsing window. If that works, an extension or cached state is the culprit.

  2. Disable browser extensions for torq.io, or use per-site exclusion features if available.

  3. If extensions can't be disabled (e.g., they're managed by IT policy), close all browser windows and reopen before retrying - that often clears the interference for the next session.

  4. Confirm your browser's cookie settings allow third-party cookies for torq.io.

Also possible: if a user signs in via SSO successfully but lands on a stripped-down UI (no workflows, no cases, settings missing), their SSO claim may not match any of your workspace's claim mappings. In that state, the user gets Interact-only access. For the claim-mapping troubleshooting path, see the section "Incorrect email or password" after redirecting back from your IdP.

If the issue persists in incognito with no extensions and across multiple browsers, file a ticket with a HAR file capturing the failed load.

Authenticator (2FA) prompt won't accept the code

The user signs in successfully with their password, sees the 2FA prompt, enters a code from their authenticator app, and gets a "Something went wrong" error.

Usually caused by the authenticator app being set up for the wrong account, device clock drift, or the user having lost access to their previous authenticator (new phone, device reset).

  1. Confirm the user's authenticator app is configured for their Torq account, not another account on the same app.

  2. Confirm the device clock is synchronized.

  3. If the user lost access to their authenticator, a Workspace Owner can reset 2FA at Settings → Users → [user] → Reset 2FA. The user is prompted to scan a new barcode on the next sign-in.

If 2FA was reset and the user still can't complete the prompt, file a ticket.
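
Why clock drift makes a correct-looking code fail, as an added example (not Torq code): a time-based one-time password is computed from the current 30-second time step, so a device whose clock is far enough off produces a code for a step the server does not accept. The 30-second step, 6 digits, HMAC-SHA1 and the one-step acceptance window are RFC 6238 defaults assumed here; the page does not state Torq's parameters.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; RFC 6238 default, assumed here

def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def accepts(secret, code, server_time, window=1):
    """True if code matches a step within +/- window steps of the server clock."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )

def estimate_drift(secret, code, server_time, search=20):
    """Device clock offset in whole steps (nearest match first), or None."""
    for k in sorted(range(-search, search + 1), key=abs):
        if totp(secret, server_time + k * STEP) == code:
            return k
    return None

# Constructed sample values: the RFC 6238 test secret and an arbitrary server time.
SECRET = b"12345678901234567890"
SERVER_TIME = 1_700_000_000

def demo():
    slightly_off = totp(SECRET, SERVER_TIME + 20)  # device clock 20 s fast
    badly_off = totp(SECRET, SERVER_TIME + 90)     # device clock 90 s fast
    return (accepts(SECRET, slightly_off, SERVER_TIME),
            accepts(SECRET, badly_off, SERVER_TIME),
            estimate_drift(SECRET, badly_off, SERVER_TIME))

if __name__ == "__main__":
    print(demo())
```

A code that is rejected while the account and secret are correct, and that only matches several steps away from the server's time, points at the device clock rather than at the enrollment.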

Users can't sign in (some or all)

A subset of users can't sign in via SSO while others on the same IdP can - or, all users suddenly can't sign in even though nothing changed on your side.

Some users only. Usually caused by affected users not being in the right IdP group, stale cached claim state on Torq's side after recent IdP changes, or a claim mapping change that matched some users but not others.

  1. Confirm the affected users are in the correct group(s) in your IdP, and that group membership has propagated.

  2. Compare your IdP's attribute output against your Torq claim mappings. Group names are sometimes sent as full distinguished names rather than short names.
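
One way to run the comparison in step 2, and the claim-mapping check under "Incorrect email or password" above, as an added example (not Torq code or a Torq API): decode the token payload your IdP issued and check it against the names and values you configured. The OIDC-style token, the (claim name, expected value) mapping shape, and all sample values are assumptions constructed for illustration.

```python
import base64
import json

def b64url(obj):
    """Encode a dict as unpadded base64url JSON (used only to build the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is not checked."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def short_name(value):
    """Return the CN of a distinguished name, or the value unchanged.
    Simplification: DNs with escaped commas are not handled."""
    first = str(value).split(",")[0].strip()
    return first[3:] if first.upper().startswith("CN=") else str(value)

def diagnose(claims, mappings, email_claim="email"):
    """Compare IdP claims against (claim name, expected value) mappings."""
    findings, matched = [], False
    if not claims.get(email_claim):
        findings.append(f"email claim '{email_claim}' missing from token")
    for name, expected in mappings:
        if name not in claims:
            findings.append(f"IdP did not send attribute '{name}'")
            continue
        raw = claims[name]
        values = raw if isinstance(raw, list) else [raw]
        if expected in values:
            matched = True
        elif expected in [short_name(v) for v in values]:
            findings.append(f"'{name}' sends '{expected}' as a full DN, not the short name")
    if not matched:
        findings.append("no claim mapping matched this user")
    return findings

# Constructed sample: an unsigned token and hypothetical mappings.
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "none"}),
    b64url({"email": "analyst@example.com",
            "memberOf": ["CN=SOC-Analysts,OU=Groups,O=Domain"]}),
    "",
])
SAMPLE_MAPPINGS = [("memberOf", "SOC-Analysts"), ("roles", "admin")]

if __name__ == "__main__":
    for finding in diagnose(jwt_claims(SAMPLE_TOKEN), SAMPLE_MAPPINGS):
        print(finding)
```

Decode tokens locally: an ID token carries user attributes and should not be pasted into an online decoder.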

All users at once. Usually caused by an IdP-side outage or an expired certificate, client secret, or other credential.

  1. Confirm your IdP is operational.

  2. Check whether your IdP signing certificate, client secret, or other credentials have expired or been recently rotated.

Microsoft Entra ID users seeing AADSTS7000215: Invalid client secret provided?

The secret Torq is sending doesn't match what your Entra application expects. Two common causes:

  1. You pasted the Secret ID in Torq instead of the Secret Value. Entra displays both fields - only the Value works.

  2. The client secret has expired. Generate a new one in Entra, then update it in Torq at Settings → Security → SSO.

Still stuck? File a support ticket.

Include: the exact error message and URL, a HAR file (browser dev tools → Network → Export HAR), browser name and version, the affected user's email, the time the issue started, whether all or only some users are affected, and any recent IdP-side changes (group membership, certificate rotation, secret update, anything).

If the issue isn't preventing your admins from accessing the workspace, Grant Temporary Workspace Access to Torq Support to speed things up.
