Home / Source Safety Education / Certificates of analysis

Certificates of analysis: what they prove and what they don’t

What a certificate of analysis actually is

A certificate of analysis is a lab-produced document that reports the results of analytical testing on a specific batch of material. It is standard in pharmaceutical manufacturing, in food science, in cosmetics, in almost every regulated material-handling industry. When a pharmacy or manufacturer releases a batch of anything, the batch is tested, and the results of those tests are summarized on a COA that references that batch by lot number.

In the peptide conversation, the term gets used loosely. A legitimate 503A pharmacy can produce a COA from its own lab (one type of document) or share a third-party COA from an independent analytical lab (a different, stronger type of document). A gray-market seller can generate a PDF with the word “COA” in the header that does not actually describe any testing at all.

Calling all three things “a COA” is how readers get into trouble. The document type is the same. The evidence behind the document is wildly different.

The four things a COA typically tests for

The four core categories are identity, purity, potency, and sterility. Each one answers a different question, and a complete COA reports on all four.

Identity

Is the substance in the vial actually the substance on the label? Mass spectrometry or similar analytical methods can confirm the peptide’s molecular weight and sequence. A pass on identity means the molecule in the sample is what was claimed. A fail means you were about to self-administer something else entirely.

Purity

What percentage of the material is the claimed compound, versus impurities, fragments, or degraded peptide. High-performance liquid chromatography (HPLC) is the standard method. Purity is usually reported as a percentage (for example, 98.5%). The missing percentage is everything else in the vial, and “everything else” matters when you are about to put it into your body.

Potency

How much active compound is actually present in the stated quantity. A vial labeled with a specific amount should contain that amount, measured by a validated assay. Potency testing confirms the label matches the contents.

Sterility

Is the material free from microbial contamination? For anything that will be mixed with sterile water and introduced into the body, sterility testing is not optional. USP <71> is the United States Pharmacopeia sterility test standard. A real pharmacy-produced COA references that standard (or an equivalent) explicitly.

Many gray-market COAs skip sterility entirely, because it is the most expensive test to run and the hardest to fake. That omission is diagnostic.

How to actually read a COA

A legitimate COA is boring. That is the first thing to internalize. It is a structured document with specific fields. Here is what to look for, field by field.

1. Testing lab name and address. A real lab is a real company with a physical address, a website, and (in the US) a CLIA or equivalent accreditation where applicable.
2. Sample identification. The compound name, the batch or lot number, and the date the sample was received by the lab.
3. Test methods. HPLC for purity, mass spec for identity, USP <71> (or international equivalent) for sterility. Real methods are named.
4. Specification versus result. Every test line should show the specification (the pass criterion) and the actual measured result. A line that only shows “pass” with no number is not a real test report.
5. Date of testing. Not the date the COA was typed up. The date the test was performed.
6. Analyst signature or initials. A real lab attributes the test to a specific analyst. A digital stamp with no name is a weaker signal.
7. Lot and batch tracing. The lot number on the COA must match the lot number on the vial. If those numbers do not match, the COA is describing a different batch than the one you are looking at.

When readers send me a COA to review, I read those seven fields first. If three or more are missing or vague, the document is not doing the work a COA is supposed to do, regardless of what the top of the page says.

Red flags in COAs

These are the specific tells that the document in front of you is not what it claims to be.

Why a COA alone is not enough

This is the part most readers skip, and it is the whole point.

Even a perfect COA from a top-tier independent lab tells you about the sample the lab tested. It does not tell you about the vial in your hand. Between the lab and your medicine cabinet, a number of things can happen: the lab tested Batch A and the seller shipped you Batch B; the vial you received was filled by a different facility than the one that was tested; the material was tested before it was repackaged; or the lab report is real but attached to a product line that has since changed formulation.

In a legitimate 503A workflow, a compounded preparation comes with documentation that ties the specific preparation to the specific patient it was filled for. The COA is one piece of a chain of custody. On the gray market, no such chain exists. There is the vial and there is a PDF, and the connection between the two is whatever the seller says it is.

A COA without chain of custody is a snapshot of a different day in a different room. Useful context, not a guarantee.

The difference between a COA and a full chain of custody

Chain of custody is the documentation that tracks a substance from raw material through final release to a specific patient. In pharmaceutical manufacturing and legitimate compounding, that chain includes:

• Incoming raw material COA from the active pharmaceutical ingredient supplier
• Internal batch records documenting how the preparation was compounded, by whom, and when
• Release testing before the finished preparation leaves the pharmacy
• A patient-specific fill record tying the finished preparation to a specific prescription
• Storage and shipping documentation (temperature, time in transit)

A COA sits at one point on that chain. It is the most visible piece, which is why it is the piece gray-market operations imitate. The rest of the chain is what makes it real, and the rest of the chain is what gray-market operations do not have.

When I ask readers what they have been given by a seller, “a COA” is usually the only document. That is a signal. In a legitimate pathway, the COA is one document in a larger file. On the gray market, it is the only document, and it is doing a job it is not designed to do.

My honest take

Questions to ask any seller about their COA

These are the questions I use when readers forward me a sample COA and ask me to read it. Ask the seller these before you trust the document.

1. Which independent lab performed the testing, and can I contact them to verify the report?
2. Does the lot number on the COA match the lot number on the specific vial you are shipping me?
3. Do the test results include identity, purity, potency, and sterility?
4. What specification was used for the sterility test, and is the result reported as a specific value or only “pass”?
5. What is the date the sample was actually tested, and what was the date it was collected from the batch?
6. Can you provide the raw HPLC chromatogram or mass spectrum, not just the summary report?

What to do next

Sources

• United States Pharmacopeia. General Chapter <71> Sterility Tests.
• United States Pharmacopeia. General Chapter <621> Chromatography, including HPLC methods.
• FDA. Current Good Manufacturing Practice (cGMP) resources for pharmaceutical preparation.
• FDA. Compounding Quality Act and 503A compliance guidance.
• International Council for Harmonisation (ICH) Q6A: Specifications for New Drug Substances and New Drug Products.

Regulatory and analytical references only. No seller names appear anywhere on this site.

Related reading