How to read a Certificate of Analysis (COA)

Certificates of Analysis report lab testing results for peptide samples. Understanding how to read them helps you evaluate whether vendor claims are supported by data.

What you'll learn in this guide

A Certificate of Analysis (COA) is a document established by the lab that formally reports testing results for a specific sample. For peptides, Finnrick requires COAs to include identity confirmation, purity, and potency (quantity), and could also include potential contaminants.

This guide breaks down the key sections of a peptide COA, explains common testing methods, and identifies red flags like missing batch numbers or altered documents. You'll learn what COAs can verify, what they can't, and how to read them critically.

What is a Certificate of Analysis?

A COA is issued by a testing laboratory after analyzing a sample. The document includes:

• Sample identification information
• Testing methods used
• Results for each test performed
• Sometimes, pass/fail status based on specified criteria
• Lab identification, technician signature and date
• Sometimes, raw test results such as chromatographs

The COA represents testing results for the specific sample submitted. It does not verify what vendors sell in other batches or shipments.

Key sections of a peptide COA

Sample information

This section identifies what was tested, as submitted to the lab. Look for:

• Product name (e.g., "Semaglutide")
• Stated amount (e.g., 5mg, also known as "label claim")
• Vendor name and batch or lot number, or Finnrick identifier
• Date received by the lab
• Sample description, sometimes sample photos

Vendor name and batch ID (critical)

For COAs presented by vendors, you should find the exact vendor name that you are dealing with, and a batch ID. Without vendor name and batch ID, a vendor-supplied COA is entirely worthless and should be ignored altogether.

The batch identifier links the COA to a specific production run. Vendors should provide a batch ID for all products they sell. If they can't, you can ignore COAs entirely.

The Finnrick approach:

Most Finnrick COAs do not feature this information, as samples are anonymized before they are sent to the lab, to mitigate possible conflicts of interests. Instead, you'll find a Finnrick Record ID as unique identifier of the sample, and you can confirm the match on the Finnrick web page for that test, or via finnrick.com/verify.

Testing methods

COAs list the analytical techniques used for each test. Common methods for peptides include:

HPLC (High-Performance Liquid Chromatography): Used to measure purity and identify the peptide. Executed by running a controlled quantity of sample diluted in two distinct solvents through a machine with a visual sensor, and measuring the light that shines through the flow of liquid. Different HPLC methods exist - UV detection quantifies purity, while mass spectrometry confirms molecular identity.

HPLC / Mass Spectrometry: Confirms the molecular weight of the peptide matches the expected compound. Unlike UV, MS is used to verify identity (mass) rather than estimate purity from a UV signal.

HPLC / UV: Measures peptide purity by detecting absorption of ultraviolet light. Most common method for routine purity analysis. Unlike MS, UV is used to quantify purity from the chromatogram signal, but it does not on its own confirm the exact molecular identity. 

LAL or Recombinant Assay: Common methods for detecting bacterial endotoxin contamination. Different assay types provide different output formats - some binary (detected/not detected), others numerical.

ICP-MS (Inductively Coupled Plasma Mass Spectrometry): Detects heavy metals like lead, arsenic, cadmium, and mercury.

Testing methods matter because different techniques have different sensitivity levels and limitations.

Test results

This section presents the data. For peptides, typical results include:

Identity confirmation: Often listed as "confirmed" or "pass" when mass spectrometry matches the expected molecular weight of the sample with that of a reference standard. If the identity is not confirmed, it could be because the vial contains:

• Another peptide (substitution)
• Several peptides (for example, a blend instead of a single product)
• Peptide fragments (from degradation due to heat or improper storage), or other peptide-related species that prevent a clean match to the expected mass.
• No peptide at all (just fillers)

Purity: Share of peptides in the sample that are the expected peptide, reported as a percentage (e.g., 98.2%). This is calculated from the UV chromatogram (typically monitored around ~214–220 nm), comparing the expected peptide peak area to other UV-detectable peptide-related peaks. Important: This metric only detects peptides and peptide-related impurities like degradation products or synthesis byproducts. It does NOT measure salts, fillers, excipients, water content, endotoxins, or heavy metals; meaning a product with "99.9% purity" could still contain significant amounts of these substances. Higher purity percentages indicate fewer peptide-related impurities, but say nothing about non-peptide contaminants.

Quantity (or Potency): Reported as milligrams (mg) and often also expressed as a percentage of the stated amount (the label claim). This value is calculated from an HPLC assay, typically comparing the peptide’s signal to a reference standard and calculating an estimate, then reported as mg of active substance in the vial and % of the label claim. It is not directly measured by weighing the active peptide.

Endotoxins: Reported in arbitrary Endotoxin Units, can be expressed in a numerical form in various units such as per milliliter of reconstituted solution (EU/mL), per milligram of active substance (EU/mg), or per sample (EU/sample) – or as "detected/not detected." Lower numbers indicate less contamination. Read more about endotoxins testing.

Heavy metals: Reported in parts per million (ppm) or as "not detected." The goal is non-detection or levels below specified thresholds.

For all test types, a “Limit of Quantification” (LOQ) will often be specified, expressing the lowest possible amount detected by the test setup, which means that anything below that amount will not be identified. This is basically the lower boundary of sensitivity of the test, and is set to ensure effective detection of meaningful amounts.

Raw data

Identity:

‍

This graph shows an LC‑MS identity confirmation spectrum from Krause Analytical for a Tirzepatide sample, comparing an unknown sample (green, top) against a certified reference standard (red, bottom) using electrospray ionization in positive mode (ES+). The x‑axis is m/z (mass-to-charge ratio). 

Because large peptides form multiple charge states under electrospray, the same molecule appears as a characteristic envelope of peaks rather than a single peak. Identity confirmation here is based on whether the unknown sample’s charge‑state envelope matches the reference. 

In this example, the dominant peaks align at m/z 1205 and 1206, and the higher‑m/z region is consistent, with shared features around m/z 1606 and 1615. Minor differences in relative intensity are expected and do not change the identity call. What would be disqualifying is a major peak present in one spectrum but absent in the other, or a clearly shifted envelope consistent with a different molecular mass.

Purity and quantity (or potency):

In this example of Retatrutide HPLC/UV analysis from TrustPointe, the chromatogram shows how much ultraviolet light the injected material absorbs over time (a UV signal), with six calibration standards and seven samples plotted for comparison. 

The first takeaway is retention time consistency: retatrutide produces a peak at approximately 6.19 minutes across injections, so a sample peaking at a meaningfully different time would be inconsistent with retatrutide under these conditions (formal identity confirmation requires LC‑MS). 

The second takeaway is potency: by comparing peak heights and areas from the standards (known concentrations), the lab can build a calibration curve and back-calculate the concentration in each unknown sample. 

The third takeaway is a purity signal: a clean, single sharp peak with a stable baseline is consistent with fewer UV-detectable impurities, while shoulders, split peaks, or additional peaks elsewhere in the run can indicate impurities or degradation products. The blank trace is a system control, showing no meaningful peaks and helping confirm that peaks in other runs are attributable to the injected material rather than carryover.

Are the graphs actually used for analysis?

No. The graphs are a human-readable visualization of the underlying raw data, useful for sanity-checking and reporting, but the actual identity confirmation is done computationally.

For MS identity, the lab software calculates the deconvoluted molecular weight from the charge state envelope, essentially working backwards from the observed m/z peaks to reconstruct the neutral mass of the molecule. That calculated mass is then compared against the theoretical molecular weight of the target peptide. If they match within the instrument's mass accuracy tolerance (typically a few ppm for high-resolution instruments), identity is confirmed. This is a precise numerical result, not a visual judgment call.

Similarly for HPLC purity, the software integrates peak areas mathematically and computes the percentage contribution of each peak to the total signal, again a calculation, not an eyeball estimate off the chromatogram.

The graphs are nonetheless valuable: they're included in lab reports as supporting documentation, they allow an experienced analyst to quickly spot anomalies that might warrant a closer look at the data, and they're useful for communicating results to non-specialists. But the pass/fail determination is always grounded in the numbers.

Lab information and signatures

The bottom of the COA typically includes:

• Laboratory name and accreditation information
• Signature of the analyst or lab director
• Date of analysis
• Contact information for the lab

This information allows verification that the COA came from a legitimate testing facility.

The Critical Importance of Batch Identification

No batch ID on a sample = No valid test.

Every sample needs a batch identifier. Without it, testing is meaningless. A batch identifier connects the specific product you received to the manufacturing batch. If a vendor cannot provide batch identification, ignore their testing entirely, as there is no way of telling if the testing is related to the product you purchase.

Why batch IDs matter

A Certificate of Analysis is only valid for a single product batch. COAs from previous batches might give you a sense of historical trends, but they are not a good predictor of future quality. Each batch can vary significantly in purity, potency, and contamination levels.

The batch number on your product vial must match the batch number on the COA. Without this match, you cannot verify that the testing applies to what you received.

What COAs tell you (and what they don't)

What a COA shows

• Testing results for the specific sample analyzed
• Whether that sample met predetermined quality criteria
• Which testing methods were used
• When the analysis was performed

What a COA doesn't show

• Whether all products from a vendor match the tested sample
• Whether future batches will have similar results
• Chain of custody (who submitted the sample and whether it matches what's sold)
• Long-term stability of the product

A COA is a snapshot of one sample at one point in time.

Common issues with peptide COAs

Missing information

Some COAs lack critical details like:

• Batch numbers (making it impossible to match the COA to a specific product)
• Testing dates (outdated results may not reflect current products)
• Testing methods (different methods produce different results)
• Lab contact information (preventing verification)

Incomplete COAs make it difficult to evaluate reliability.

Altered or fabricated documents

COAs can be edited after issuance. Testing data can be changed, dates modified, or entire documents created without lab involvement. This is a massive problem, we have seen multiple examples of doctored COAs being distributed.

Always request a URL to verify the original COA document online.

Many labs (and Finnrick) allow you to verify the original COA on their website. Vendors should provide a URL so you can see the original document directly from the testing lab's website, rather than just sharing a PDF.

PDFs can be easily modified or forged, but accessing the original document through Finnrick or the lab's official website provides much stronger verification that the test results are authentic and unaltered.

Verification options include:

• Accessing the original document via the URL listed on the COA (easiest verification method)
•  online verification system, and searching for the COA's details
  
  • Janoshik: https://janoshik.com/verification/
  • Chromate: https://chromate.org/ (“verify” button)
  • Freedom Analytics: https://freedomdiagnosticstesting.com/search-for-your-coa-based-on-the-unique-accession-number/ 
  • Finnrick: https://www.finnrick.com/verify 
• Comparing COA format and signatures to known examples from that lab

Do not contact Finnrick or the labs directly to ask for verification: use publicly-available information.

The Finnrick Certificate Verification feature allows users to check if a COA matches testing data in the Finnrick database by entering the test certificate ID at finnrick.com/verify.

Mismatched batch numbers

A vendor might provide a COA for batch A while selling batch B. Without matching batch numbers on both the COA and the product label, you cannot confirm the testing applies to what you received. That a vendor would make  such a deceptive attempt is a negative sign of their trustworthiness.

Ideally, vendors will provide COAs for the batch they are currently selling, as part of the sales process. However, making COAs available as part of delivery is acceptable.

Testing gaps

COAs only report tests that were performed. A COA might show purity results but omit endotoxin testing, heavy metals, or sterility testing.

Vendors can choose which tests to order from labs. A clean COA for purity does not guarantee the sample is free of contaminants that weren't tested for.

Third-party vs vendor testing

Third-party testing (conducted by an independent company) is often considered as offering more clarity than vendor self-testing. However, third-party testing without proper batch identification is useless and should not be accepted, and vendor-controlled testing (regardless of first or third party) can never be considered as absolutely credible.

Some vendors conduct their own testing, which offers less independence but can still be valuable when properly documented with batch identification: it documents the vendor's own belief about their products.

Third-party testing without batch ID is worse than vendor testing with proper batch identification, and third-party testing initiated by the vendor can never be fully independent. You should always conduct your own testing or at least review publicly-available Finnrick testing.

Vendor name consistency

A third-party COA should mention the exact vendor name that matches the company you're buying from. Vendors who change names frequently or sell under different brands make it much harder to identify and trace specific batches.

If the vendor name on the COA doesn't match the company you're dealing with, ask for clarification about the relationship between the entities and how batch traceability is maintained.

Note about Finnrick COAs:

Finnrick's approach differs from typical third-party testing. Vendor names appear on the test result page on Finnrick's website, but not on the downloadable COA itself. This design prevents selective distribution; vendors cannot download a COA showing favorable results while hiding unfavorable ones from the same batch or supplier.

Finnrick COAs are intended for verification through the Finnrick platform, where the full testing history for each vendor and product remains visible. This maintains transparency by keeping all results in context rather than allowing individual COAs to circulate independently.

How Finnrick approaches COA data

Finnrick publishes testing results in a standardized format that includes:

• Sample identification (product, vendor, batch number if available)
• All tests performed
• Raw numerical results
• Testing date and lab used
• Pass/fail status based on configurable criteria

Finnrick acquires samples in three ways:

• For samples marked “Public”, Finnrick's model relies on users submitting samples. The sample tested is whatever was submitted - we can't verify it matches the vendor's entire production. This limitation applies to all independent testing. Users should consider Finnrick's data as one input, not absolute proof of vendor quality across all batches.
• For samples marked “Vendor”, Finnrick received payment to process and publish tests as part of the Launch with Finnrick program, and the samples were submitted by the vendor. This gives us the ability to collect samples we can compare to public submissions.
• For samples marked “Finnrick", we purchased the samples ourselves, either openly with a Finnrick email, or through mystery shopping.

Reading COAs critically

When reviewing a COA, consider:

Is the batch number on the COA matchable to a product? Without this, you cannot link the testing to what's being sold.

When was the sample tested? Older COAs may not reflect current production quality.

Which tests were performed? Identify what wasn't tested, not just what passed.

Can you verify the COA with the lab? Legitimate labs will confirm or deny issuing a document.

Does the vendor provide COAs consistently? Vendors who test every batch demonstrate ongoing quality control. Single COAs for multiple batches are less reliable.

Why COAs matter in the peptide marketplace

The peptide marketplace operates without regulatory oversight. Vendor claims about product quality are common. Independent testing data is rare.

This creates an information imbalance. Users often make decisions based on vendor marketing rather than verified results.

COAs provide a mechanism for verification, but only if:

• The COA is legitimate (not altered or fabricated, obtained directly from Finnrick or from the testing lab)
• The tested sample matches what's being sold (vendor name or batch numbers align, or the vendor points to a Finnrick web page directly)
• The tests performed are relevant (covers the contaminants you're concerned about)

Reading COAs critically helps you evaluate whether testing supports product claims or if gaps exist.

Guidelines for vendors using Finnrick testing

• Vendors may share a link to their product on the Finnrick website
• Vendors may not share Finnrick PDFs directly
• Finnrick PDFs should never be modified (that's true for any COA, actually: no alterations should be made to the contents produced by the lab)

If a vendor is sending you a Finnrick PDF, feel free to point them to finnrick.com/vendor-support.

View COA data on Finnrick

Finnrick's database includes testing results organized by vendor, product, and product/vendor combinations. You can:

• Compare results across vendors
• View historical testing for the same product
• Configure your own pass/fail criteria
• Submit samples for independent testing

View Finnrick Database

Submit a Sample

Verify a COA

Information accurate as of 23 February 2026. For current test results and methodology, see Finnrick testing methodology.