HCP Terraform: “Invalid confirmation token” Error When Confirming Profile

Issue

When a user attempts to confirm their HCP Terraform profile via the confirmation email link, the following error occurs:

Invalid confirmation token

This prevents the user from successfully confirming their account.

Cause

This issue is typically caused by email security or link rewriting systems modifying the confirmation URL before the user clicks it. These systems — such as secure email gateways or URL scanners — can append additional parameters or tracking characters to the confirmation link. This corrupts the confirmation token, making it invalid when HCP Terraform Cloud attempts to process it.

Example

The original link sent by HCP Terraform contains a valid confirmation token:

https://app.terraform.io/confirmation?confirmation_token=7d935MuxdNwLot18fjy7

An email security system may modify this link to include extra characters or parameters:

https://app.terraform.io/confirmation?confirmation_token=7d935MuxdNwLot18fjy7__;!!EwdynJtsh...

These additional values are not part of the valid token and cause HCP Terraform to reject the request with:

Resolution

Option 1 — Open the Unmodified URL

1. In the confirmation email, right-click the confirmation link.
2. Select Copy link address.
3. Paste the link into a text editor.
4. Remove everything after the valid token (everything following the first set of alphanumeric characters).
5. Paste the resulting link into your browser and click enter.

Option 2 — Whitelist the Terraform Domain

Coordinate with your IT or email security team to either disable link rewriting or whitelist the domain:

https://app.terraform.io/*

This would prevent additional parameters from being appended to the confirmation link and would provide a solution for a wider audience (perfect for company-wide use of HCP Terraform)

• A HAR file recorded during the issue reproduction. Here is a guide on how to collect this.
• Any email security gateway or link scanning in use