Can't log in or access problems
Most access problems map directly to a deliberate security behaviour. Here's how to recognise and resolve each.
"Invalid email or password"
This generic message is returned for an unknown email, a wrong password, and a deactivated account — by design, so attackers can't tell accounts apart. If you're certain the password is right, confirm the agent account is still active.
"Account locked. Try again after HH:MM UTC"
Repeated failed logins lock the account until the displayed UTC time. Lockout thresholds come from your security settings, and trusted IPs can be whitelisted there. Wait out the window or have another admin clear it; the lockout is recorded in the audit log.
Login is rate-limited
The login endpoint allows 5 attempts per minute. Exceeding this returns a rate-limit error regardless of whether the password was correct — wait a minute and retry.
"Session expired. Please try again."
This is a CSRF check failure on the login form, usually from a stale tab or a browser that drops cookies. Reload the login page to get a fresh token, ensure cookies are enabled, and try again.
You're forced to change your password or set up 2FA
After a successful password check, SummitPSA may redirect you through a setup step: a forced password change (e.g. first login or admin-required reset), 2FA enrollment if two-factor is required but not yet set up, or the 2FA verification prompt if you already have an authenticator enrolled. Complete the step to reach the app. New passwords must meet complexity rules and cannot reuse your last 5 passwords.
Logged out unexpectedly (?timeout=1)
An idle-timeout middleware clears the session after a period of inactivity — defaulting to 8 hours for agents and 4 hours for the client portal, configurable in settings (clamped between 5 minutes and 24 hours). The timeout is sliding: every request resets it. A separate absolute cookie lifetime also applies.