Doc Requests

Inviting your first client to the portal

Clients don't get BopSuite accounts. They get magic links: secure URLs that grant access to one specific thing (a doc request, an invoice, a signature). One click, no signup, no password. Here's why and how.

The first email

When you send a doc request, your client receives an email like:

[Your firm name] has requested some documents

Hi [client name],

[Your firm] needs the following to move forward with your matter:

  • W-2 forms
  • Prior year tax return
  • Bank statements (last 3 months)
  • Driver's license

Click below to upload — no account needed.

[Continue uploading] ← branded button in your accent color

The button links to /p/<long-secure-token>. The token is a 24-character nanoid — unguessable, unique to this request, unique to this client.

What they see when they click

A mobile-optimized portal page. Top: your firm's logo + name. Below: each requested item with a status pill (Pending / Submitted / Approved). Each item has the right input:

  • Text fields for SSNs, names, addresses (with format validation — SSN gets XXX-XX-XXXX masking, etc.)
  • Date pickers for things like birth dates
  • Yes/no toggles for filing status questions
  • Multi-choice dropdowns for things like state of residence
  • File upload zones with drag-and-drop + camera/file picker on mobile

About 70% of clients open the portal on a phone. We optimized for that — touch targets are big, the upload zone takes a photo of a document via camera, and progress saves automatically as they fill in each field.

They can leave and come back

Clients don't have to finish in one sitting. They can:

  • Close the tab and come back via the same email link (the link is good for ~365 days by default)
  • Click the link from a desktop after starting on mobile
  • Re-upload a file if they realize they sent the wrong one

Their progress saves on every field blur — no "Save" button to remember.

What happens on each upload

When a client uploads a file:

  1. It uploads to Supabase Storage under a per-request path
  2. AI auto-renames the file based on the field's semantic_type. Examples:
    • IMG_4521.jpg (uploaded for W-2 field) → Smith - W-2 - 2026.pdf
    • Scan_2026_03_15_001.pdf (bank statement) → Smith - Bank Statement - Mar 2026 - Chase.pdf
    • id-photo.jpg (driver's license) → Smith - Driver's License.pdf
  3. AI extracts metadata — period, institution, tax year, etc. — and shows it as a tag on the review screen
  4. The firm gets a notification — "Sarah just uploaded W-2"

Your client doesn't see any of this — to them, it's just "I uploaded the file." But on your side, the document arrives clean, named, and tagged.

Status feedback

After each field is submitted, the client sees:

  • Pending → grey circle (haven't done it yet)
  • Submitted → blue circle (uploaded; firm review pending)
  • Approved → green check (firm reviewed and accepted)
  • Rejected → red exclamation + a comment from the firm explaining what to re-upload

When you reject a field with a comment ("This is the March statement; we need February"), the client gets an email with the comment + a link back to that specific field, ready to re-upload.

Cross-portal interactions

If you've also sent the client:

  • A signature request → they get a separate email + magic link for that
  • An invoice → another email + magic link for the payment page
  • An intake form (already converted) → no follow-up, that flow is already done

Each magic link is one-purpose. We don't try to merge them into a unified client portal yet — that's a v2 design problem.

What we don't do (intentionally)

  • No client login — the magic link IS the login. Trying to remember another password is friction we won't add.
  • No client account section — clients don't have a "settings" page. They don't manage anything; they just complete the work you sent.
  • No internal client-team-collaboration — if your client wants their accountant to also see the doc request, the simplest path is: they forward the email. The link is shareable (anyone with the link has access).

The "shareable link" property is intentional but worth knowing: anyone who has the link has access. If a request contains highly sensitive content, ask the client not to forward the email widely. For most doc requests this isn't a concern.
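How a link with the properties described above (24-character token, one purpose per link, ~365-day lifetime, access for whoever holds it) can be issued and checked server-side, as an added example that is not BopSuite's code. The token comes from the OS CSPRNG as a stand-in for nanoid; the hash-only storage, the `links` store, the purpose names and `revokeLink` are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

const TTL_MS = 365 * 24 * 60 * 60 * 1000; // page: links are good for ~365 days by default
const TOKEN_RE = /^[A-Za-z0-9_-]{24}$/;   // 24 URL-safe characters, as on the page

// 18 random bytes encode to exactly 24 base64url characters (144 bits).
// Stand-in for a 24-character nanoid; same 64-symbol URL-safe alphabet.
function newToken() {
  return crypto.randomBytes(18).toString("base64url");
}

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Hypothetical in-memory store keyed by token hash. Assumption: the raw token
// is never persisted, so a leaked table does not yield working links.
const links = new Map();

// Issue a link bound to one purpose and one resource (e.g. one doc request).
function issueLink(purpose, resourceId, now = Date.now()) {
  const token = newToken();
  links.set(sha256(token), { purpose, resourceId, expiresAt: now + TTL_MS, revoked: false });
  return `/p/${token}`;
}

// Resolve a presented token for one route. Returns the resource id or null.
function resolveLink(token, expectedPurpose, now = Date.now()) {
  if (typeof token !== "string" || !TOKEN_RE.test(token)) return null; // reject malformed input early
  const rec = links.get(sha256(token));
  if (!rec || rec.revoked) return null;
  if (rec.purpose !== expectedPurpose) return null; // a doc-request link never opens an invoice
  if (now >= rec.expiresAt) return null;            // expired
  return rec.resourceId;
}

// Because the link is a bearer credential, a forwarded or leaked link can only
// be cut off server-side (hypothetical helper, not described on the page).
function revokeLink(token) {
  const rec = links.get(sha256(token));
  if (rec) rec.revoked = true;
  return Boolean(rec);
}
```

Every failure path returns the same `null`, so the portal gives the same response for an unknown, expired, revoked or wrong-purpose token.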

Mobile flow specifics

If you're testing what your client sees:

  1. Send a doc request to your own personal email
  2. Open the email on your phone
  3. Click the magic link
  4. Try uploading a photo from camera (most clients do this for IDs)
  5. Try a long-text field on mobile keyboard (we optimize the input mode — tel/email/numeric)

If anything's awkward, email us — mobile is a top-priority surface for the doc-collection module.

Email us at hello@bopsuite.com with feedback or suggestions.