User Password Reset
Learn how to reset a user's password
Important
In the Development Environment, email, SMS, and/or WhatsApp messages will not be sent for any of your user activities (including sending a user's reset password link).
You can use activity logs to display all attempts across your user base.
For a user with a direct identifier, a password value can be assigned to the identifier.
Whether an identifier currently has a password value is indicated by the is_password_enabled flag.
Process
Anonymous/Unauthenticated
Anonymous/unauthenticated password reset requests can only be made via the Frontend API. The default flow should be:
- User requests a password reset attempt with the Frontend API's POST /v1/reset_password/attempts
- User receives a password reset link
- User is prompted for a new password. If it meets all the requirements, the password is successfully changed
Authenticated
Authenticated password reset requests can be made via both the Frontend API and the Backend API. The default flow should be:
- If you're using the Frontend API, use the POST /v1/me/reset_password endpoint
- If you're using the Backend API, use the POST /v1/identifiers/:identifier_id/set_password endpoint
Password Reset Link
In the anonymous/unauthenticated flow, users will receive a password reset link. By default, this link has a default format. For example:
- App URL: your app domain or the web app that you use to reset your password.
- Reset password path: the page path for the password reset page. You can set the target in the target_url of the API payload
- Token: Random token that secures the password reset attempt
- Attempt ID: Unique ID that signifies the current password reset attempt
The search param names for the token and the attempt ID (__cakeauth_token & __cakeauth_attempt) are both static (meaning they are not customizable) for now, but we plan to make them customizable in the near future.
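As an added example (not CakeAuth's own code), a reset page can read the two search params named above from the incoming link, refuse ambiguous links, and produce a URL without the secrets so the token does not stay in browser history or leak through a Referer header. The host, path and values are constructed, and the function name extractResetParams is hypothetical.

```javascript
// Added example. The two param names come from the page; everything
// else (function name, host, path, values) is constructed for illustration.
const TOKEN_PARAM = "__cakeauth_token";
const ATTEMPT_PARAM = "__cakeauth_attempt";

// Parse a reset link and return the token, the attempt ID and a copy of
// the URL with both values removed (safe to keep in history or logs).
function extractResetParams(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  const tokens = url.searchParams.getAll(TOKEN_PARAM);
  const attempts = url.searchParams.getAll(ATTEMPT_PARAM);
  // Require exactly one non-empty value each; duplicated params are
  // ambiguous (different parsers pick different copies), so refuse them.
  if (tokens.length !== 1 || attempts.length !== 1 || !tokens[0] || !attempts[0]) {
    return { ok: false, reason: "missing or duplicated reset parameters" };
  }
  url.searchParams.delete(TOKEN_PARAM);
  url.searchParams.delete(ATTEMPT_PARAM);
  return {
    ok: true,
    token: tokens[0],
    attemptId: attempts[0],
    cleanedUrl: url.toString(), // other query params are preserved
  };
}

// Constructed sample link with placeholder values.
const sample =
  "https://app.example.com/reset-password" +
  "?__cakeauth_token=SAMPLE_TOKEN&__cakeauth_attempt=SAMPLE_ATTEMPT&lang=en";
const result = extractResetParams(sample);
console.log(result);

// In the browser, call this with window.location.href and then replace
// the address bar entry before rendering the new-password form:
//   history.replaceState(null, "", result.cleanedUrl);
```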
Who can reset their password?
The following identifiers can reset their password:
- Password is turned on in the authentication strategies settings
- Currently the Email & Username identifiers support password authentication. Thus those two identifiers also support the password reset process
- A direct identifier with is_password_enabled=false, but where the environment allows password authentication (as per point #1), can reset its password too. This will change the flag to is_password_enabled=true.