Magic Link Expired or Invalid Token
If you click your Canyou login link and immediately see a "link expired" or "invalid token" message, here's what's likely happening.
Why this happens
Canyou uses magic links to log you in. When you request a login link, a secure one-time-use token is generated and attached to the link. The token is designed to be used exactly once — the moment it's clicked, it's marked as used so it can't be reused by anyone else. This is what keeps the login process secure.
The problem is that many email providers and security tools — such as antivirus software, corporate spam filters, or "safe link" scanners (Microsoft Safe Links and Proofpoint are common examples) — automatically open links inside incoming emails before you ever see them. They do this to check whether the link leads somewhere malicious. When they do this, they're effectively clicking the link on your behalf, which uses up the one-time token. So when you click it yourself moments later, the system correctly sees that the token has already been used and shows it as expired.
This is especially common with work or business email accounts, since IT departments often have these automated scanning tools switched on by default for all incoming mail.
How to fix it
-
Request a new link and try again. Some scanners don't trigger on every email, so a second attempt sometimes works.
-
Ask your IT team to whitelist Canyou's sending domain. If this keeps happening, your organisation's IT team can add our domain to their security tool's exclusion list so links from us aren't automatically scanned and consumed before you click them.
-
Log in with Google or Xero instead. If you have one of these connected to your account, you can use it to log in — this skips the magic link process entirely.
If you've tried the above and it's still not working, contact us via live chat and we'll dig in further.