/
Contact usSee pricingStart building
    Introduction
    Overview
    Postman
    Organizations
      Organization object
      Create an organization
      Get an organization
      Update an organization
      Search for organizations
      Delete an organization
    Members
      Member object
      Create a Member
      Get a Member
      Get a Member (Dangerous)
      Update a Member
      Reactivate a Member
      Search for Members
      Unlink Retired Email
      Start Member Email Update
    • Delete

      • Delete a Member
        Delete Member password
        Delete Member MFA phone number
        Delete Member MFA TOTP
    RBAC
      Resource object
      Role object
      Scope object
      Get RBAC Policy
    Email magic links
    • Organization

      • Send login or signup email
        Send invite email
        Authenticate Magic Link
    • Discovery

      • Send discovery email
        Authenticate discovery Magic Link
    Email one-time passcodes (OTP)
    • Organization

      • Send login or signup OTP
        Authenticate OTP
    • Discovery

      • Send discovery OTP
        Authenticate discovery OTP
    OAuth
    • Discovery

      • Use Google for discovery
        Use Microsoft for discovery
        Use HubSpot for discovery
        Use Slack for discovery
        Use GitHub for discovery
        Authenticate discovery OAuth
    • Organization

      • Login with Google
        Login with Microsoft
        Login with HubSpot
        Login with Slack
        Login with GitHub
        Authenticate OAuth
    • Token

      • Get Google Access Token
        Get Microsoft Access Token
        Get HubSpot Access Token
        Get Slack Access Token
        Get GitHub Access Token
    Session management
      Session object
      Get JWKS
      Get Session
      Authenticate Session
      Exchange Session
      Revoke Session
      Migrate Session
      Attest Session
      Exchange Access Token
    Single sign-on (SS0)
      SAML Connection object
      OIDC Connection object
      External Connection object
    • SAML

      • Create SAML Connection
        Update SAML Connection
        Update SAML Connection by Metadata URL
        Delete Encryption Private Key
        Delete SAML Verification Certificate
    • OIDC

      • Create OIDC Connection
        Update OIDC Connection
        Get OIDC Access Token
    • External

      • Create External Connection
        Update External Connection
    • Shared

      • Get SSO Connections
        Delete SSO Connection
        Start SSO Authenticate
        Complete SSO Authenticate
    SCIM
      SCIM Connection Object
    • Connection management

      • Create SCIM Connection
        Update SCIM Connection
        Delete SCIM Connection
        Get SCIM Connection
    • Token management

      • Start SCIM Token Rotation
        Complete SCIM Token Rotation
        Cancel SCIM Token Rotation
    • SCIM groups

      • Get SCIM Connection Groups
    Discovery
      Discovered Organization object
      Create Organization via Discovery
      List Organizations
      Exchange Intermediate Session
    Passwords
      Authenticate
      Discovery Authenticate
      Strength check
      Migrate
    • Create or Reset Options

      • Password reset by email start
        Password reset by email
        Password reset by existing password
        Password reset by session
        Discovery Password reset by email start
        Discovery Password reset by email
        Require Password reset by email
    Multi-Factor Authentication (MFA)
    • One-time passcodes

      • Send SMS OTP
        Authenticate SMS OTP
    • Time-based one-time passcodes

      • Create TOTP
        Authenticate TOTP
        Migrate TOTP
    • Recovery codes

      • Get recovery codes
        Recover
        Rotate recovery codes
    M2M Authentication
      M2M Client Object
    • TOKEN

      • Get Access Token
        Authenticate Access Token
    • M2M Client

      • Create M2M client
        Get M2M client
        Search M2M clients
        Update M2M client
        Delete M2M client
    • Rotate secret

      • Start secret rotation
        Rotate secret
        Cancel secret rotation
    Connected Apps
      Exchange Authorization Code
      Exchange Refresh Token
    • Tokens

      • Connected App ID Token Object
        Connected App Access Token Object
    • Configuration

      • Get JWKS
        Get OpenID Configuration
    • Methods

      • Introspect Token
        Authenticate Access Token (Local)
        Revoke Token
        Get UserInfo
    • Consent Management

      • Start OAuth Authorization
        Submit OAuth Authorization
        Get Authorized Connected Apps for an Organization
        Get Connected App Details
        Get Authorized Connected Apps for a Member
        Revoke Connected App Access to a Member
    • Application Management

      • Dynamic Client Registration
        Create Connected App
        Get Connected App
        Search Connected Apps
        Update Connected App
        Delete Connected App
    • Rotate secret

      • Start secret rotation
        Rotate secret
        Cancel secret rotation
    Impersonation
      Authenticate Token
    Resources
      Organization authentication settings
      Common email domains
      Member states
      Email templates
      URL validation
      Metadata
      SAML overview
      SAML Certificates
    Errors
      Overview
      Error object
      400
      401
      403
      404
      405
      429
      499
      500
      503
Get support on SlackVisit our developer forum

Contact us

B2B SaaS Authentication

/

API reference

/

Passwords

/

Create or Reset Options

/

Password reset by email start

Email reset start

POST
https://test.stytch.com/v1/b2b/passwords/email/reset/start

Initiates a password reset for the email address provided. This will trigger an email to be sent to the address, containing a magic link that will allow them to set a new password and authenticate.

This endpoint adapts to your Project's password strength configuration. If you're using zxcvbn, the default, your passwords are considered valid if the strength score is >= 3. If you're using LUDS, your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration on the Passwords Policy page in the Stytch Dashboard.


Body parameters


organization_id* string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.


email_address* string

The email address of the Member to start the email reset process for.


reset_password_redirect_url string

The URL that the Member clicks from the reset password link. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's authenticate endpoint and finishes the reset password flow. If this value is not passed, the default reset_password_redirect_url that you set in your Dashboard is used. If you have not set a default reset_password_redirect_url, an error is returned.


login_redirect_url string

The URL that the member clicks from the reset without password link. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's authenticate endpoint and finishes the magic link flow. If this value is not passed, the default login_redirect_url that you set in your Dashboard is used. This value is only used if magic links are enabled for the member. If you have not set a default login_redirect_url and magic links are not enabled for the member, an error is returned.


reset_password_template_id string

Use a custom template for reset password emails. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Reset Password.


verify_email_template_id string

Use a custom template for verification emails sent during password reset flows. When cross-organization passwords are enabled for your Project, this template will be used the first time a user sets a password via a password reset flow. By default, it will use your default email template. The template must be a template using our built-in customizations or a custom HTML email for Passwords - Email Verification.


locale string

Used to determine which language to use when sending the user this delivery method. Parameter is a IETF BCP 47 language tag, e.g. "en".

Currently supported languages are English ("en"), Spanish ("es"), French ("fr") and Brazilian Portuguese ("pt-br"); if no value is provided, the copy defaults to English.

Request support for additional languages here!


reset_password_expiration_minutes int

Sets a time limit after which the email link to reset the member's password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes.


code_challenge string

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device.


Response fields


request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.


status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.


member_id string

Globally unique UUID that identifies a specific Member.


member_email_id string

Globally unique UUID that identifies a member's email


member object

The Member object

organization_id string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

member_id string

Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

external_id string

The ID of the member given by the identity provider.

email_address string

The email address of the Member.

email_address_verified boolean

Whether or not the Member's email address is verified.

status string

The status of the Member. The possible values are: pending, invited, active, or deleted.

name string

The name of the Member.

sso_registrations array[objects]

An array of registered SAML Connection or OIDC Connection objects the Member has authenticated with.

connection_id string

Globally unique UUID that identifies a specific SSO connection_id for a Member.

registration_id string

The unique ID of an SSO Registration.

external_id string

The ID of the member given by the identity provider.

sso_attributes object

An object for storing SSO attributes brought over from the identity provider.

scim_registration object

A scim member registration, referencing a SCIM Connection object in use for the Member creation.

connection_id string

The ID of the SCIM connection.

registration_id string

The unique ID of a SCIM Registration.

external_id string

The ID of the member given by the identity provider.

scim_attributes object

An object for storing SCIM attributes brought over from the identity provider.

is_breakglass boolean

Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.

member_password_id string

Globally unique UUID that identifies a Member's password.

oauth_registrations array[object]

A list of OAuth registrations for this member.

provider_type string

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.

provider_subject string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.

profile_picture_url string

If available, the profile_picture_url is a URL of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Google profile picture.

locale string

If available, the locale is the Member's locale set in the OAuth identity provider that the user has authenticated with.

member_oauth_registration_id string

The unique ID of an OAuth registration.

mfa_enrolled boolean

Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to REQUIRED_FOR_ALL.

mfa_phone_number string

The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).

mfa_phone_number_verified boolean

Whether or not the Member's phone number is verified.

retired_email_addresses array[object]

A list of retired email addresses for this member. A previously active email address can be marked as retired in one of two ways:

  • It's replaced with a new primary email address during an explicit Member update.
  • A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member's primary email address and the old primary email address is retired.

A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.

email_id string

The globally unique UUID of a Member's email.

email_address string

The email address of the Member.

trusted_metadata object

An arbitrary JSON object for storing application-specific data or identity-provider-specific data.

untrusted_metadata object

An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.

roles array[objects]

Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.

role_id string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

  • stytch_member
  • stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

sources array[objects]

A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain.

type string

The type of role assignment. The possible values are: direct_assignment – an explicitly assigned Role.

Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint. email_assignment – an implicit Role granted by the Member's email domain, regardless of their login method.

Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint. sso_connection – an implicit Role granted by the Member's SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection.

SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint. sso_connection_group – an implicit Role granted by the Member's SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.

SAML group implicit role assignments can be updated by passing in the saml_group_implicit_role_assignments argument to the Update SAML connection endpoint.

scim_connection_group – an implicit Role granted by the Member's SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.

SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.

details object

An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows: direct_assignment – no additional details. email_assignment – will contain the email domain that granted the assignment. sso_connection – will contain the connection_id of the SAML connection that granted the assignment. sso_connection_group – will contain the connection_id of the SAML connection and the name of the group that granted the assignment. scim_connection_group – will contain the connection_id of the SAML connection and the group_id that granted the assignment.

is_admin boolean

Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.

created_at string

The timestamp of the Member's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

updated_at string

The timestamp of when the Member was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
  email_address: "sandbox@stytch.com",
};

client.passwords.email.resetStart(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
RESPONSE 200
200
​
{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
  "member_email_id": "member-email-test-1dd089b3-8904-47ef-b943-987968e549d4",
  "member": {...}
}
RESPONSE 404
200
​
{
  "status_code": 404,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "member_password_not_found",
  "error_message": "Member password not found",
  "error_url": "https://stytch.com/docs/api/errors/404"
}
RESPONSE 429
200
​
{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}
RESPONSE 500
200
​
{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Common Error Types

  • inactive_email
  • invalid_email
  • invalid_expiration
  • invalid_password_reset_redirect_url
  • invalid_pkce_code_challenge
  • no_password_reset_redirect_url
  • operation_restricted_by_organization_auth_methods
  • pkce_required_for_native_callback
  • retired_member_email