Troubleshooting
Fixes for the issues we see most often. If your problem isn't here, check the FAQ or reach out through Support. When you contact us, include your app version (Settings → About) and, for the CLI, the output of sablefort --version.
Quick reference
| Symptom | Most common cause | First thing to try |
|---|---|---|
| Can't sign in | Wrong master password or 2FA drift | Confirm caps lock; check device clock |
| Sync stuck | Network / stale session | Force a manual sync, then re-login |
| Autofill not working | Extension not connected to app | Reconnect the browser extension |
| CLI auth errors | Expired or wrong-scope token | Re-run sablefort login |
Can't sign in
Sign-in has two parts: authenticating your identity and unlocking with your master password. Work through them in order.
"Incorrect master password"
- Check Caps Lock and keyboard layout. The master password is case-sensitive.
- Remember that your master password is not your SSO/IdP password. If your org uses SSO, you still unlock with your own master password after the IdP step.
- Sablefort cannot reset a master password for you. If it is truly lost, follow Backup & recovery — contact your administrator for admin-assisted recovery.
Two-factor code rejected
- Time-based codes fail if your device clock drifts. Enable automatic date/time on the device running your authenticator.
- Wait for the next code rather than reusing one that's about to expire.
- If you've lost your second factor, use a saved recovery code, or ask an administrator to reset your 2FA enrollment.
"SSO required for this organization"
Your org enforces SSO, so start sign-in from the SSO flow (or the desktop app's Sign in with SSO button) rather than a password prompt. If the IdP itself errors, your administrator should check the connection in Single sign-on settings.
Sync stuck
If changes aren't appearing on another device, or the app shows "Syncing…" indefinitely:
- Check connectivity. Sync needs HTTPS access to
api.sablefort.com. On a corporate network, confirm a proxy or firewall isn't blocking it. - Force a manual sync. Open Settings → Sync and choose Sync now. Note the "Last synced" time.
- Confirm you're on a current build. If your org pins a minimum app version, an out-of-date client is blocked from syncing until it updates. Update the app.
- Re-establish the session. Sign out and back in to refresh the sync session. Your vaults re-download; nothing is lost because the server holds the encrypted source of truth.
Autofill not working
Browser autofill relies on the extension talking to the desktop app.
- App running and unlocked. The extension pulls from the desktop app. If the app is closed or locked, autofill has nothing to offer — open and unlock it.
- Extension connected. Open the extension and confirm it shows "Connected." If not, click Reconnect and approve the prompt in the desktop app.
- Right vault access. You can only autofill credentials from vaults you're a member of. If a login is missing, confirm you have access to the vault that holds it.
- Site URL match. Autofill matches on the item's saved website. If a login doesn't appear on a page, open the item and check its URL field matches the site.
- Browser permissions. Ensure the extension is enabled for the site and allowed to run in the current window (including private/incognito, which is off by default).
CLI authentication errors
"401 Unauthorized" / "session expired"
Your cached session has expired or was cleared. Re-authenticate:
$ sablefort login
Confirm which account you're using:
$ sablefort whoami
ada@example.com (org: Example, Inc.)
"403 Forbidden" reading an item
You're authenticated, but this account or service-account token isn't a member of the vault. Grant access to the vault (or widen the token's scope) and retry. Every read is checked against vault membership.
CI: no browser available
In a pipeline the interactive browser login can't run. Provide a service-account token via the environment instead:
$ export SABLEFORT_TOKEN="sk_live_…"
$ sablefort vault list
If this still fails, the token may be expired, revoked, or scoped to different vaults. Reissue it in the admin console under Service accounts. See CLI for the full CI setup.
TLS or proxy errors
Errors mentioning certificates or connection resets usually point at an intercepting proxy. Ensure your environment trusts the proxy's CA and that api.sablefort.com is reachable over HTTPS from the runner.
Still stuck?
Collect your app/CLI version and a description of the steps that reproduce the issue, then contact Sablefort Support. Never paste actual secret values into a support ticket.