How do team members log in for the first time?

When you invite someone to your Valid Email Checker account, there is no "click this link to accept" round-trip. The system creates the team-member account immediately, generates a secure temporary password, and emails the member their login email and password together. They can sign in straight away — no setup link, no welcome wizard, no extra steps before they are productive.

The exact sequence on the member side

1. Email arrives. Subject is something like 'You have been added to a Valid Email Checker team.' Body contains the login email, the temporary password, and a button labeled 'Sign in to your account.'
2. They click the button. It opens https://app.validemailchecker.com/auth/login in their browser.
3. Enter the credentials. Email and password from the invite mail. Cloudflare Turnstile runs invisibly on most signins.
4. Land on the dashboard. They arrive at /overview. The credit balance widget already shows your shared total. The sidebar shows the team-member-restricted nav (no Buy Credits, no Developer, no Billing).
5. Change the password. They should open Account Settings → Security and set a new password. The generated one was just a bootstrap — the member should pick their own and store it in a password manager.

What the generated password looks like

We use generateSecurePassword in the browser to produce a high-entropy random string (mixed-case letters, digits, symbols, around 16-20 characters). The password is generated client-side before the invite call is made, sent to the edge function alongside the email, and stored hashed in Supabase Auth like any other password. We do not retain the plaintext after the invite is processed.

What if they already have a Valid Email Checker account?

There is a special case worth knowing: if the email you invite already belongs to a Valid Email Checker user (they signed up on their own previously), the invite endpoint does not create a new account or send a new password. It adds the existing user to your team and they keep their current credentials. If they were already an owner account with their own credit balance, the invite is rejected outright — owner accounts cannot become team members of someone else's account.

Day-1 setup we recommend

Once the team member is logged in, two things take five minutes and save real headaches later:

1. Change the password (Security tab) and store the new one in a password manager.
2. Enable authenticator-app 2FA. Shared accounts hold real credit balances and a working 2FA setup on every member is the cheapest security improvement you can make.

Common first-login bumps

• 'Invalid credentials.' Almost always a typo when copying the password from the email. Use Copy-to-clipboard if your email client supports it, or have the owner re-share the password from the dashboard.
• 'Please verify your email.' Should not happen — team-member accounts are auto-confirmed by the system. If it does, contact support; it indicates the auto-confirm flag did not stick during account creation.
• '2FA challenge appears.' If the member already had a Valid Email Checker account before being invited and had 2FA enabled, the challenge still runs on first login.