Understanding a Certificate of Analysis (COA)
A Certificate of Analysis is the single most useful document a peptide buyer can learn to read — and one of the easiest to fake. This guide explains what a COA actually verifies, what every legitimate report must contain, the three checks that catch most fraudulent ones, and how to tell a real report from an official-looking forgery.
What a COA Is — and What It Isn’t
A Certificate of Analysis is essentially a lab report for a peptide compound. It verifies the identity, purity, quantity, and general safety of what’s in the vial. Deeper safety panels exist, but the COA is the floor — the minimum you should expect to see before using anything. If a supplier cannot or will not provide one, treat that as a significant red flag and walk away.
Here’s the part most buyers miss: a COA is a layer of assurance, not a guarantee. You never truly know with absolute certainty what’s in a vial, because deception at the supplier level is always possible. What a COA from a reputable third-party lab does is dramatically reduce that risk — and among the tools available to an individual researcher, it’s one of the strongest indicators of product quality there is. The goal isn’t certainty. It’s stacking enough independent verification that fraud becomes impractical.
Where COAs Come From
COAs typically originate from third-party testing facilities — independent labs with no financial relationship to the company selling the peptide. That independence is the entire point: it removes the bias that exists whenever a company grades its own homework.
Some companies test in-house. That doesn’t automatically mean their results are wrong or fabricated, but it does mean there’s no independent verification behind them. Given the choice, third-party testing always carries more weight, because the lab has no incentive to produce a favorable result for any particular client.
The companies that take quality seriously tend to verify at multiple points. They hold a batch until testing is complete, often have the product custom-manufactured and tested by the manufacturer, and then test it again independently once it arrives. That means the compound is checked at several stages before it ever reaches you. Companies that skip these steps are cutting corners — testing is expensive and slow, and skipping it prioritizes revenue over accountability.
Never trust a vendor COA. A vendor COA is a certificate produced by the manufacturer themselves, not by an independent lab. When the manufacturer controls the whole process, they can test a single vial they know is good and ship whatever they like — swapping caps, relabeling product, or presenting results that don’t reflect the batch you receive. A vendor COA is not the same thing as a third-party COA. If the only certificate available comes from the manufacturer, treat that information with caution.
Why a Displayed COA Isn’t Automatically Real
Showing a COA proves nothing on its own. Across the industry, dishonest suppliers reuse the same COA across multiple batches, alter results digitally, or borrow certificates from other suppliers entirely — precisely because they know most buyers don’t understand what they’re looking at. That’s the whole reason learning to read one matters. A batch number on the label that matches the batch number on the COA is one more thread tying the vial in your hand to a specific set of results. It isn’t foolproof, since it can be fabricated too, but it’s another layer credible companies bother to maintain and corner-cutters usually don’t.
What Every COA Should Tell You
Formats differ between labs, but the substance is the same — only the layout changes. A legitimate report contains all of the following, with nothing missing or redacted. If any element is obscured, removed, or withheld, treat it as a concern.
Client name. Who sent the sample in for testing. This needs to match the company you’re buying from. If the client listed is a different company, it isn’t their COA — and borrowing someone else’s certificate is one of the most common ways dishonest suppliers mislead buyers.
Sample / product name. What the company submitted — essentially their claim about what the compound is. It should match the label on the vial you receive.
Batch or lot number. Better to have one than not. It doesn’t affect the testing itself, but it lets you tie a specific vial back to a specific set of results. Some companies omit it, which simply makes verification harder.
Manufacturer. Often blank, or showing the company that ordered the test rather than the actual maker. Most suppliers don’t disclose who manufactures their peptides — think of how a restaurant doesn’t publicize its ingredient suppliers. This field isn’t critical; it’s just worth understanding what it represents.
Analysis date. When the sample was received and tested. It gives you a sense of how recent the results are relative to your purchase.
Identity confirmation. Confirmation that the compound tested as the compound it was claimed to be. This is the most basic and most important result on the entire report.
Quantity. The total amount of active compound in the vial. If you bought a 10 mg vial and it tested at 10.81 mg, that’s a normal overage of 0.81 mg. This is the number to look at when deciding whether to adjust dosing for overages.
Purity. Expressed as a percentage — how much of the vial’s contents is the target compound versus impurities. Higher is better: look for at least 98%, with 99% or above being ideal. Less than 100% doesn’t mean dangerous contamination; the remainder could be broken peptide bonds, residual moisture, or trace manufacturing byproducts. But lower numbers warrant more scrutiny.
HPLC chromatogram. The graph on most COAs, showing the results of High-Performance Liquid Chromatography. You want to see one large, dominant peak representing the target compound. A couple of tiny blips alongside it are normal, especially at high purity. What you don’t want is multiple large peaks or significant secondary spikes — that signals other substances present in meaningful quantities, which could be harmless, could be degradation, or could be something else entirely.
Molecular weight confirmation. Some labs include a mass spectrometry result comparing the expected molecular weight against the measured one. When they match, the compound’s identity is confirmed at the molecular level.
The verification key is the linchpin. Reputable third-party labs print a unique code or QR code on each report that lets anyone look the COA up directly on the lab’s own website, confirming it’s authentic, unaltered, and tied to a real test. This is the one element that makes everything else trustworthy. If a supplier provides a COA but the key is missing, blurred, or withheld, that is a major red flag — without it, you have no way to confirm the report is real. And no excuse for withholding it holds up: the only thing the verification reveals is the COA itself, which is exactly what they’re already showing you. “Customer privacy” is not a reason; preventing independent verification is the real one.
The Three Checks That Catch Most Fraud
You don’t need to be an analytical chemist. Three quick checks, done every time, will catch the majority of fraudulent or misleading COAs:
- 1Does the client name match your supplier? If the company on the COA isn’t the company selling you the product, the certificate isn’t theirs.
- 2Does the batch number on the COA match the batch number on your vial? This ties your specific vial to these specific results.
- 3Does the verification key actually work? Look the report up on the lab’s website and confirm the results independently. If you can’t, nothing else on the page can be trusted.
How to Spot a Fake COA
The most dangerous forgeries are the ones that look right at a glance. A document can carry the visual branding of a well-known third-party lab and still be missing every element that would let you verify it. Here’s what gives a fake away. You can check out COA examples in our free Skool Group too
No verification key
The single biggest red flag. Legitimate reports from this lab carry a unique code at the bottom that anyone can use to look up the results on the lab’s website. With no key anywhere on the page, there’s no way to confirm the lab ever produced it — it could have been created in any document editor.
No signature
The signature line is present but blank. Authentic reports include the analyst’s signature as part of the completed document. A blank field suggests the template was copied but never actually completed by the lab.
No HPLC chromatogram
No graph backing the chromatography analysis. Legitimate COAs from this lab include it as standard. Without it, there’s no visual confirmation of identity or purity to support the numbers in the results table.
No molecular weight confirmation
No mass spectrometry data showing expected versus measured molecular weight — another standard element simply absent from the report.
Put together, the lesson is simple: a results table can say anything. Without the verification key, the chromatogram, the signature, and the molecular-weight data behind it, those numbers are unsupported. A document that looks official falls apart the moment you know what should be there and check for it.
A Note on “Labs Take Payments” Claims
You’ll eventually run into claims online that certain well-known testing labs accept payments to produce favorable results. Apply the same skepticism you’d apply to a COA. For an established lab processing thousands of tests a day at real cost per test, falsifying results doesn’t make financial sense — the reputational risk would dwarf anything a single company could pay, and it would be cheaper for that company to simply source a quality product than to compromise a lab built on credibility. Be especially wary when the claim comes from a source with a vested interest in discrediting independent testing. The principle running through this entire guide applies here too: don’t take anyone’s word for it, and verify independently wherever you can.
The Bottom Line
A COA won’t make you certain, but it changes the odds enormously in your favor. Insist on third-party testing, refuse vendor-only certificates, and run the three checks — client name, batch number, verification key — every single time. Learning to actually read the report, rather than being reassured that one exists, is what separates an informed researcher from an easy target.