If a user has forgotten their password, they can request a temporary single-use reset code with which they can set a new password. The code will be sent to them in an email.
See the specification for the related API endpoints: User information v2#/Password%20Reset
Endpoints overview:
Endpoint | HTTP method | Purpose |
---|---|---|
/api/users/v2/reset_password | POST | Request password reset code |
/api/users/v2/confirm_reset_password | POST | Set new password with the requested reset code |
The client may request a single-use temporary reset code by calling /api/users/v2/reset_password. The reset code is sent to the user's email. See Email sending for more information on how the email is sent.
Reset email
Typically the email should contain a link to some UI page where the password and user email are hidden for a better user experience. The dynamic data sent in the email is as follows:
{ "email": "example@24i.com", "code": "c94bf0808298486a1e9dd3c5bb373b44" }
The code will expire after a configured amount of time has passed, after which the user must request a new reset code if they still wish to reset their password.
The email is also provided as it is required to be passed on to the confirm password reset endpoint.
Confirm password reset
After the user has received the reset code, they may then use that code to call /api/users/v2/confirm_reset_password with a new password of their choice. If the code is valid and not expired, the user's password will be changed to the provided one. The reset code will be revoked and no longer usable.
The user can now log in with their new password.
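The reset-code behaviour described above (a code tied to the email, valid for a configured time, revoked once used) can be modelled as below. This is an added sketch, not the service's own implementation; `ResetCodeStore`, the 15-minute lifetime, the in-memory dict and the replace-on-reissue rule are assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 900  # assumed value; the page only says the lifetime is configured


class ResetCodeStore:
    """In-memory model of single-use, expiring reset codes bound to an email."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._pending = {}  # email -> (sha256 hex digest of code, expiry timestamp)

    def issue(self, email):
        # 16 random bytes -> 32 hex characters, the shape of the code shown above.
        code = secrets.token_hex(16)
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Only the digest is stored, so a leaked table does not yield usable codes.
        # Assumption: a new request replaces any earlier pending code for the email.
        self._pending[email] = (digest, self.clock() + self.ttl)
        return code  # the plaintext code goes into the email only

    def confirm(self, email, code):
        entry = self._pending.get(email)
        if entry is None:
            return False  # nothing pending, or the code was already used
        digest, expires_at = entry
        if self.clock() >= expires_at:
            del self._pending[email]  # expired: the user must request a new code
            return False
        candidate = hashlib.sha256(code.encode()).hexdigest()
        # Constant-time comparison avoids leaking how much of the code matched.
        if not hmac.compare_digest(candidate, digest):
            return False
        del self._pending[email]  # revoke on success so the code is single use
        return True
```

The caller changes the password only when `confirm` returns `True`. Limiting the number of wrong attempts per email is not modelled here.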