Skip to main content
ClientNest365ClientNest365

Clients and invitations

What to do when a client can't get back into their portal

The three ways a client loses access to their portal and exactly how to get them back in. Covers expired sessions, consumed magic-links, and lost emails.

Audience: owner · 3 min read · Last reviewed

The most common support ticket on any client portal: "the link you sent me doesn't work anymore." Here's what's actually happening and three ways to fix it, ordered by how often each one applies.

What's actually happening

Magic links are one-time use for security. The first click consumes the token and creates a 30-day session cookie in that browser. So the typical sequence is:

  1. Client clicks the email link in the morning, on their phone. Lands in the portal. Session cookie set.
  2. Evening: client opens their laptop, clicks the same email link again. Token already used. They hit "this invite link doesn't work."

Three things they should know:

  • The email link is one-time use.
  • The portal URL (https://yourdomain.com/portal/c/<their-slug>) is what they should bookmark after the first login. Valid for 30 days from the last session refresh.
  • If they cleared cookies, switched browsers, or used incognito, the session is gone and they need a fresh link.

Fix 1: The client recovers themselves (preferred)

We added a self-serve recovery page. Send the client to https://yourdomain.com/portal-resume (also reachable from the "this invite link doesn't work" page). They enter the email you have on file. A fresh magic link is in their inbox within a minute.

This works without you doing anything. Tell every new client about this URL during onboarding, even include it in your welcome message. Most "I can't get back in" tickets stop existing.

A few details worth knowing:

  • The page never reveals whether an email exists in the system. The confirmation message is identical for hit and miss, so no one can fish for valid client emails.
  • The page is rate-limited to 5 attempts per 10 minutes per IP. Legitimate clients won't hit it; brute-force email-guessing will.
  • The new link is valid for 14 days and one-time use, same as the original invite.

Fix 2: You resend from your workspace (1 click)

  1. Go to /app/clients in your workspace
  2. Click the client
  3. Top right of the client detail page: Send fresh magic link button
  4. Click. A new email goes out within a few seconds.

The button is idempotent. Click it twice by accident, two emails go out, only the most recent one works (well, both are technically valid; the client uses whichever they see first). No data is lost on the client side; they keep all their files, messages, approvals, invoices.

Fix 3: If they've lost access to the email account itself

If your client no longer has access to the email address you originally invited (job change, account deleted, etc.):

  1. Get the new email address from them by phone or another channel
  2. Go to /app/clients/[their client]
  3. Click into the email field (we're shipping inline edit next release; for now contact us at support@clientnest365.com and we'll update it via direct DB write)
  4. Send fresh magic link to the new address

Why it happens (under the hood)

There are three failure modes:

Token consumed. The most common. Token has been used once; the second click hits a /portal-invalid?reason=consumed page. Self-serve recovery handles this.

Token expired. Magic-link tokens have a 14-day TTL. If the client never clicked, then waited 15 days, the token is invalid. Self-serve recovery handles this too.

Session expired. Session cookies are valid for 30 days from the last activity. If the client visited 35 days ago and never since, the cookie is gone. Self-serve recovery handles this case the same way.

In all three cases, the answer is the same: get them to /portal-resume, or send them a fresh link yourself. The underlying client record, files, message history, approval status, invoices, all of it stays put. We never delete data when a session expires.

Best practice: bake recovery into onboarding

Two things to add to your client welcome message:

Bookmark this page: https://yourdomain.com/portal/c/<client-slug>. That's your permanent portal URL. The link in this email is one-time use, but the bookmarked URL keeps you signed in for 30 days at a time.

Lost access? Go to https://yourdomain.com/portal-resume and enter your email. We'll send you a fresh sign-in link.

Five seconds in the welcome message saves you the support ticket later.