POST /v1/auth/password/reset/verify - Verify the 4-digit code from the password reset email and set a new password. This completes the password reset flow and revokes all existing user sessions.
Validates the 4-digit verification code sent via email and updates the user's password. All existing refresh tokens are revoked, forcing re-authentication on all devices. The code expires after 5 minutes and is single-use only.
email string required
User's email address. Must match the email used in the password reset request.
verification_code integer required
4-digit verification code (1000-9999) received via email. Code expires after 5 minutes.
new_password string required
New password. Must meet complexity requirements: minimum 8 characters and at least one special character.
A Password Reset Verify Response object containing confirmation of successful password reset.
success boolean
Indicates if the password was reset successfully. Always true for successful resets.
message string
Success message confirming the password reset.
User enters their email on the "Forgot Password" page.
POST /v1/auth/password/reset
{ "email": "user@example.com" }

The email contains:
- 4-digit verification code (e.g., 1234)
- Password reset link with pre-filled email and code
- Username for reference
- Expiry time (5 minutes)
Example link: https://freddy-hub.aitronos.com/auth/reset-password?email=user@example.com&code=1234
User is taken to the password reset page where:
- Email is pre-filled from URL parameter
- Code is pre-filled from URL parameter (or user enters manually)
- User enters their new password
- User confirms the new password
POST /v1/auth/password/reset/verify
{
  "email": "user@example.com",
  "verification_code": 1234,
  "new_password": "NewSecurePassword123!"
}

On success:
- Password is updated
- All existing sessions are revoked
- User is redirected to the login page
- User logs in with the new password
- Time-limited codes: Verification codes expire after 5 minutes
- One-time use: Codes are marked as used after successful verification
- Password validation: New password must meet strength requirements
- Session revocation: All existing refresh tokens are revoked on success
- Rate limiting: Prevents brute force attacks on verification codes
- Automatic cleanup: Expired codes are automatically cleaned up
- Minimum length: 8 characters
- Special character: At least one special character required
- Not common: Password cannot be in the common weak passwords list
- Maximum length: 72 characters (bcrypt limit)
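The following is an added example, not code from this API reference or from the service it documents. It models, in plain Python with an in-memory store, the checks the verify endpoint is described as performing: the code must be an integer in 1000-9999, unexpired (5 minutes), unused and matched in constant time; the new password must satisfy the four rules above; on success the code is consumed and every refresh token is revoked. Everything not stated on the page is an assumption and marked as such in the comments: the per-code attempt limit of 5 (the page only says rate limiting exists), the special-character set, the stand-in common-password list, PBKDF2 standing in for bcrypt, and the practice of storing only a hash of the code.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Limits stated on the page
CODE_TTL = timedelta(minutes=5)
CODE_MIN, CODE_MAX = 1000, 9999
PASSWORD_MIN_CHARS, PASSWORD_MAX_BYTES = 8, 72
# Assumptions: the page names none of these values
MAX_CODE_ATTEMPTS = 5
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein!"}  # constructed stand-in list


class ResetError(Exception):
    """Carries the error code and HTTP status from the page's error table."""
    def __init__(self, code: str, status: int, message: str):
        super().__init__(message)
        self.code, self.status = code, status


@dataclass
class ResetCode:
    email: str
    code_hash: bytes        # assumption: only a hash of the 4-digit code is stored
    created_at: datetime
    used: bool = False      # single-use flag
    attempts: int = 0       # wrong guesses against this code


@dataclass
class User:
    email: str
    password_hash: bytes
    salt: bytes
    refresh_tokens: set = field(default_factory=set)


def _hash_code(email: str, code: int) -> bytes:
    # Email mixed in so the same code issued to two users does not share a hash
    return hashlib.sha256(f"{email.lower()}:{code}".encode()).digest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for bcrypt (not in the standard library); the 72-byte limit is enforced separately
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Store:
    """In-memory stand-in for the user and reset-code tables."""
    def __init__(self):
        self.users = {}
        self.codes = {}

    def add_user(self, email: str, password: str, tokens=("tok-phone", "tok-laptop")):
        salt = secrets.token_bytes(16)
        self.users[email.lower()] = User(email.lower(), _hash_password(password, salt), salt, set(tokens))

    def issue_code(self, email: str, now: datetime, code: int = None) -> int:
        if code is None:
            code = secrets.randbelow(CODE_MAX - CODE_MIN + 1) + CODE_MIN
        self.codes[email.lower()] = ResetCode(email.lower(), _hash_code(email, code), now)
        return code


def validate_password(password: str) -> None:
    if len(password) < PASSWORD_MIN_CHARS:
        raise ResetError("INVALID_PASSWORD_FORMAT", 422, "Password must be at least 8 characters")
    if len(password.encode()) > PASSWORD_MAX_BYTES:
        raise ResetError("INVALID_PASSWORD_FORMAT", 422, "Password exceeds 72 bytes (bcrypt limit)")
    if not any(ch in SPECIAL_CHARS for ch in password):
        raise ResetError("INVALID_PASSWORD_FORMAT", 422, "Password needs at least one special character")
    if password.lower() in COMMON_PASSWORDS:
        raise ResetError("INVALID_PASSWORD_FORMAT", 422, "Password is on the common weak passwords list")


def verify_reset(store: Store, email: str, verification_code, new_password: str, now: datetime) -> dict:
    key = email.lower()
    user = store.users.get(key)
    if user is None:
        raise ResetError("USER_NOT_FOUND", 404, "No user exists with the provided email")
    # Reject non-integers and out-of-range values before consulting the stored code
    if not isinstance(verification_code, int) or not CODE_MIN <= verification_code <= CODE_MAX:
        raise ResetError("VERIFICATION_CODE_INVALID", 422, "Code is invalid, expired, or already used")
    record = store.codes.get(key)
    if record is None or record.used or record.attempts >= MAX_CODE_ATTEMPTS:
        raise ResetError("VERIFICATION_CODE_INVALID", 422, "Code is invalid, expired, or already used")
    if now - record.created_at > CODE_TTL:
        raise ResetError("VERIFICATION_CODE_EXPIRED", 422, "Code has expired (>5 minutes old)")
    record.attempts += 1  # every comparison counts, so guessing is bounded per code
    if not hmac.compare_digest(record.code_hash, _hash_code(key, verification_code)):
        raise ResetError("VERIFICATION_CODE_INVALID", 422, "Code is invalid, expired, or already used")
    # Password rules are checked after the code matched: a format error leaves the code
    # unconsumed so the user can resubmit, but never reveals anything about a wrong code
    validate_password(new_password)
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash_password(new_password, user.salt)
    record.used = True             # one-time use
    user.refresh_tokens.clear()    # every device must authenticate again
    return {"success": True, "message": "Password reset successfully"}


if __name__ == "__main__":
    store = Store()
    store.add_user("user@example.com", "OldPassword1!")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    code = store.issue_code("user@example.com", t0)
    print(verify_reset(store, "user@example.com", code, "NewSecurePassword123!", t0 + timedelta(minutes=1)))
```

The order of checks is the point worth noting: expiry is tested before the attempt counter is touched, the code comparison is constant-time, and the password rules run only once the code has matched, so a rejected password neither consumes the code nor tells the caller whether the code was right. With 9000 possible codes, the per-code attempt limit (or the rate limiting the page mentions) is what keeps the 5-minute window from being enough to enumerate them.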
| Error Code | Status | Description |
|---|---|---|
| VERIFICATION_CODE_INVALID | 422 | Code is invalid, expired, or already used |
| USER_NOT_FOUND | 404 | No user exists with the provided email |
| INVALID_PASSWORD_FORMAT | 422 | New password doesn't meet requirements |
| VERIFICATION_CODE_EXPIRED | 422 | Code has expired (>5 minutes old) |
- Pre-fill from URL: Extract email and code from URL parameters when user clicks the email link
- Show expiry timer: Display countdown showing when the code expires
- Validate password client-side: Check password requirements before submitting
- Handle errors gracefully: Show user-friendly error messages
- Redirect to login: After successful reset, redirect to login page
- Clear sensitive data: Don't store the verification code in browser storage
- Request new code: Provide option to request a new code if expired