Authentication Errors
The most common sign-in and re-auth issues, with fixes.
SSO timeout
By far the most common auth issue. Symptoms:
- A banner at the top of the app: "Your session has expired"
- Estate scans suddenly fail across all profiles in your tenant
- The chat returns "Session expired — please sign in again"
Why it happens
Your team's identity provider (Okta, Azure AD, Google Workspace, etc.) issues sign-in tokens with a fixed lifetime. When that lifetime is reached, your session expires and Escher can no longer call its backend services on your behalf. Your cloud credentials (AWS / Azure) are unaffected — those live in your local CLI config and don't time out via SSO.
Fix
- Re-authenticate via the sign-in action in the app (typically prompted directly in the expired-session banner; otherwise sign out and back in)
- Your IdP opens in a browser window
- Re-authenticate (most teams require MFA at this point)
- The browser closes and Escher resumes
- Cloud profiles re-activate automatically — you don't need to reconnect them
Total time to recover: about 30 seconds.
TIP
If your team enforces a short SSO lifetime (e.g. 4 hours), expect to re-auth a few times a day. There's no "stay signed in forever" option — that's policy from your IdP.
"Authentication failed" on initial sign-in
You're trying to sign in for the first time and getting rejected.
| Cause | Fix |
|---|---|
| You're using an email that's not provisioned for your team's Escher tenant | Ask a team admin to invite you from the team-management area of Settings |
| Your team uses SSO and you're not in the right IdP group | Confirm with your IdP admin that you're a member of the group mapped to Escher access |
| Network / VPN blocking Tessell auth endpoints | Try off-VPN. If it works, ask IT to allow *.tessell.com and Cognito endpoints |
"Token expired" mid-session
Use the refresh-sign-in action in the app (typically reachable from the user / avatar menu). If that doesn't work, sign out and back in.
Cloud profile shows "Auth failed"
This is not an Escher SSO issue — it's the cloud's CLI credential. The fix depends on the provider:
AWS
```
aws sts get-caller-identity --profile your-profile-name
```
If this fails outside of Escher, the problem is with your AWS CLI config, not Escher.
If you use AWS SSO:
```
aws sso login --profile your-profile-name
```
If you use long-lived access keys and they've been rotated, run `aws configure --profile your-profile-name` and paste the new key.
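The AWS checks above combined into one triage function, as an added example that is not part of Escher or of this page's original content. `triage_aws_profile` and `suggest_fix` are hypothetical helper names, and the script assumes that a profile with neither `sso_session` nor `sso_start_url` set uses static access keys.

```shell
#!/bin/sh
# Added example: triage an AWS CLI profile that Escher reports as "Auth failed".
# triage_aws_profile and suggest_fix are hypothetical helpers, not Escher commands.

# Prints one of: ok | sso-expired | static-keys-invalid | no-cli
triage_aws_profile() {
    profile="$1"

    # The AWS CLI must be present (a shell function named aws also counts).
    if ! command -v aws >/dev/null 2>&1; then
        echo "no-cli"
        return 0
    fi

    # Same check the page uses: can this profile obtain a caller identity?
    # Output is discarded so account and ARN details never reach a log.
    if aws sts get-caller-identity --profile "$profile" >/dev/null 2>&1; then
        echo "ok"
        return 0
    fi

    # The identity call failed. A profile with sso_session or sso_start_url
    # set is an AWS SSO profile; anything else is treated as static keys
    # (assumption stated in the lead-in).
    if aws configure get sso_session --profile "$profile" >/dev/null 2>&1 ||
       aws configure get sso_start_url --profile "$profile" >/dev/null 2>&1; then
        echo "sso-expired"
    else
        echo "static-keys-invalid"
    fi
}

# Map the triage result to the fix given on this page.
suggest_fix() {
    case "$1" in
        ok) echo "CLI credential works; the problem is not the AWS CLI config" ;;
        sso-expired) echo "run: aws sso login --profile $2" ;;
        static-keys-invalid) echo "run: aws configure --profile $2" ;;
        no-cli) echo "install the AWS CLI, then retry" ;;
    esac
}

# Run only when a profile name is passed on the command line.
if [ "$#" -gt 0 ]; then
    suggest_fix "$(triage_aws_profile "$1")" "$1"
fi
```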
Azure
Re-run from a terminal:
```
az login
```
Then re-test access for the affected subscription from Settings → Profiles.
GCP
GCP support is on the roadmap — no auth flow to retry yet. See Connect GCP.
"Cannot connect to keychain" on macOS
The desktop app uses the macOS Keychain to store your sign-in token. If the keychain is locked or has a corrupted entry:
- Open Keychain Access
- Search for `escher`
- Delete any entry that looks locked or stale
- Re-launch Escher and sign in fresh
I'm seeing a "rate limited" message during sign-in
Too many sign-in attempts in a short window. Wait 5 minutes, then try again. If you hit this repeatedly, contact support@tessell.com — there's likely a misconfiguration in your IdP that's looping the SSO flow.
What's next
- Troubleshooting — broader diagnostic procedures
- FAQ — other common questions