Reset by email

The resetByEmail method wraps the Password reset by email API endpoint. This endpoint resets the Member's password and authenticates them. The provided password needs to meet your Stytch project's password strength requirements, which can be checked in advance using the password strength check method.

If this method succeeds, the Member will be logged in, granted an active session, and the session cookies will be minted and stored in the browser.

If there is a current Member Session, the SDK will call the endpoint with the session token. This will add the new factor to the existing Member Session.

If there is an intermediate session token, the SDK will call the endpoint with it. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a Member Session. If not, the same intermediate session token will be returned.

If this method succeeds and the Member is not required to complete MFA, the Member will be logged in, granted an active session, and the session data will be persisted on device.

If this method succeeds and MFA is required, the intermediate session token will be persisted on device.

You can listen for successful login events anywhere in the codebase with the stytch.session.onChange() method or useStytchMemberSession hook.


Method parameters

password_reset_token (string, required)

The password reset token to authenticate.

password (string, required)

The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.

session_duration_minutes (int, required)

Set the session lifetime to be this many minutes from now. This will return both an opaque session_token and session_jwt for this session, which will automatically be stored in the browser cookies. The session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will be automatically refreshed by the SDK in the background over time.

This value must be a minimum of 5 and may not exceed the maximum session duration minutes value set in the Frontend SDK page of the Stytch Dashboard.

A successful authentication will continue to extend the session this many minutes.


Response fields

request_id (string)

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code (int)

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

member_id (string)

Globally unique UUID that identifies a specific Member.

session_token (string)

A secret token for a given Stytch Session.


intermediate_session_token (string)

The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token, or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.


member_authenticated (boolean)

Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.

mfa_required (object)

Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.

secondary_auth_initiated (string)

If null, indicates that no secondary authentication has been initiated. If equal to "sms_otp", indicates that the Member has a phone number, and a one time passcode has been sent to the Member's phone number. No secondary authentication will be initiated during calls to the discovery authenticate or list organizations endpoints, even if the Member has a phone number.

member_options (object)

Information about the Member's options for completing MFA.

mfa_phone_number (string)

The Member's MFA phone number.

totp_registration_id (string)

The Member's MFA TOTP registration ID.

member_email_id (string)

Globally unique UUID that identifies a Member's email.


member (object)

organization_id (string)

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

member_id (string)

Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

external_id (string)

The ID of the member given by the identity provider.

email_address (string)

The email address of the Member.

email_address_verified (boolean)

Whether or not the Member's email address is verified.

status (string)

The status of the Member. The possible values are: pending, invited, active, or deleted.

name (string)

The name of the Member.

sso_registrations (array[object])

connection_id (string)

Globally unique UUID that identifies a specific SSO connection_id for a Member.

registration_id (string)

The unique ID of an SSO Registration.

external_id (string)

The ID of the member given by the identity provider.

sso_attributes (object)

An object for storing SSO attributes brought over from the identity provider.

scim_registration (object)

A SCIM member registration, referencing the SCIM Connection object used for the Member creation.

connection_id (string)

The ID of the SCIM connection.

registration_id (string)

The unique ID of a SCIM Registration.

external_id (string)

The ID of the member given by the identity provider.

scim_attributes (object)

An object for storing SCIM attributes brought over from the identity provider.

is_breakglass (boolean)

Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.

member_password_id (string)

Globally unique UUID that identifies a Member's password.

oauth_registrations (array[object])

A list of OAuth registrations for this member.

provider_type (string)

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.

provider_subject (string)

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.

profile_picture_url (string)

If available, the profile_picture_url is a URL of the User's profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Google profile picture.

locale (string)

If available, the locale is the Member's locale set in the OAuth identity provider that the user has authenticated with.

member_oauth_registration_id (string)

The unique ID of an OAuth registration.

mfa_enrolled (boolean)

Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to REQUIRED_FOR_ALL.

mfa_phone_number (string)

The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).

mfa_phone_number_verified (boolean)

Whether or not the Member's phone number is verified.

retired_email_addresses (array[object])

A list of retired email addresses for this member. A previously active email address can be marked as retired in one of two ways:

  • It's replaced with a new primary email address during an explicit Member update.
  • A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member's primary email address and the old primary email address is retired.

A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.

email_id (string)

The globally unique UUID of a Member's email.

email_address (string)

The email address of the Member.

trusted_metadata (object)

An arbitrary JSON object for storing application-specific data or identity-provider-specific data.

untrusted_metadata (object)

An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.

roles (array[object])

Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.

role_id (string)

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

  • stytch_member
  • stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

sources (array[object])

A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain.

type (string)

The type of role assignment. The possible values are:

  • direct_assignment – an explicitly assigned Role. Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint.
  • email_assignment – an implicit Role granted by the Member's email domain, regardless of their login method. Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint.
  • sso_connection – an implicit Role granted by the Member's SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection. SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint.
  • sso_connection_group – an implicit Role granted by the Member's SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection. SAML group implicit role assignments can be updated by passing in the saml_group_implicit_role_assignments argument to the Update SAML connection endpoint.
  • scim_connection_group – an implicit Role granted by the Member's SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.

details (object)

An object containing additional metadata about the source assignment. The fields vary by role assignment type as follows:

  • direct_assignment – no additional details.
  • email_assignment – contains the email domain that granted the assignment.
  • sso_connection – contains the connection_id of the SAML connection that granted the assignment.
  • sso_connection_group – contains the connection_id of the SAML connection and the name of the group that granted the assignment.
  • scim_connection_group – contains the connection_id of the SAML connection and the group_id that granted the assignment.

is_admin (boolean)

Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.

created_at (string)

The timestamp of the Member's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

updated_at (string)

The timestamp of when the Member was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.


member_device (object)

If Protected Auth is enabled and returned fingerprinting results, the member_device response field will contain information about the member's device attributes.

ip_address (string)

The IP address of the member's device.

ip_address_details (object)

Information about the ip_address.

is_new (boolean)

Whether this ip_address has been seen before for this member.

first_seen_at (string)

When this ip_address was first seen for this member. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at (string)

When this ip_address was last seen for this member. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_country (string)

The country code where the IP address is located.

ip_geo_country_details (object)

Information about the ip_geo_country.

is_new (boolean)

Whether this ip_geo_country has been seen before for this member.

first_seen_at (string)

When this ip_geo_country was first seen for this member. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at (string)

When this ip_geo_country was last seen for this member. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_city (string)

The city where the IP address is located.

ip_geo_region (string)

The region where the IP address is located.

Example

import React, { useCallback } from 'react';
import { Text, TouchableOpacity, View } from 'react-native';
import { useStytchB2BClient } from '@stytch/react-native/b2b';

// `token` is the password_reset_token delivered to the Member in the reset email.
export const ResetPassword = ({ token }) => {
  const stytch = useStytchB2BClient();

  const resetPassword = useCallback(() => {
    // The password literal below is a placeholder for the value the Member types in;
    // it must meet the project's strength requirements (see the strength check method).
    stytch.passwords.resetByEmail({
      password_reset_token: token,
      password: 'xuEvs9sBi8I4x8rCXJPZ',
      session_duration_minutes: 60,
    });
  }, [stytch, token]);

  return (
    <View>
      <TouchableOpacity onPress={resetPassword}>
        <Text>Reset Password</Text>
      </TouchableOpacity>
    </View>
  );
};
RESPONSE 200

{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "member_id": "",
    "session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
    "intermediate_session_token": "",
    "member_authenticated": true,
    "mfa_required": null,
    "member_email_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
    "member": {...}
}

RESPONSE 400

{
  "status_code": 400,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "weak_password",
  "error_message": "password doesn't meet our strength requirements. Try hitting our /v1/passwords/strength_check endpoint to learn why.",
  "error_url": "https://stytch.com/docs/api/errors/400"
}

RESPONSE 401

{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unauthorized_credentials",
  "error_message": "Unauthorized credentials.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}

RESPONSE 429

{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}

RESPONSE 500

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}
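To show how an app should act on the fields documented above once resetByEmail returns, here is an added JavaScript example that is not Stytch's own code. It validates session_duration_minutes against the documented minimum (the dashboard maximum is an assumed, caller-supplied value), routes a 200 response either to the logged-in state or to the MFA step the response indicates, and maps the documented error_type values to user-facing messages while keeping request_id for logs.

```javascript
// Added example (not Stytch SDK code): assumes the SDK resolves with the 200
// body and rejects with an object shaped like the 4XX/5XX bodies on this page.

const MIN_SESSION_MINUTES = 5; // documented floor for session_duration_minutes

// Check session_duration_minutes before calling the SDK. `maxMinutes` is the
// project's dashboard maximum, assumed to be supplied by the caller.
function validateSessionDuration(minutes, maxMinutes) {
  if (!Number.isInteger(minutes) || minutes < MIN_SESSION_MINUTES) {
    throw new RangeError(`session_duration_minutes must be an integer >= ${MIN_SESSION_MINUTES}`);
  }
  if (minutes > maxMinutes) {
    throw new RangeError(`session_duration_minutes exceeds the dashboard maximum (${maxMinutes})`);
  }
  return minutes;
}

// Decide the app's next screen from a 200 response. A fully authenticated Member
// already holds a session; otherwise the intermediate session token (ist) must be
// carried into the MFA step the response points at (SMS OTP, TOTP, or enrollment).
function nextStepAfterReset(res) {
  if (res.member_authenticated) {
    return { action: 'logged_in', memberId: res.member_id };
  }
  const mfa = res.mfa_required || {};
  const opts = mfa.member_options || {};
  const ist = res.intermediate_session_token;
  if (mfa.secondary_auth_initiated === 'sms_otp') {
    return { action: 'prompt_sms_otp', phone: opts.mfa_phone_number, ist };
  }
  if (opts.totp_registration_id) {
    return { action: 'prompt_totp', ist };
  }
  return { action: 'enroll_mfa', ist };
}

// Map a documented error_type to a safe user-facing message; keep request_id for
// logs, since Stytch support asks for it when debugging a specific call.
function describeResetError(err) {
  const messages = {
    weak_password: 'Password does not meet the strength requirements.',
    unauthorized_credentials: 'This reset link is invalid or has expired.',
    too_many_requests: 'Too many attempts; please wait and try again.',
  };
  const message = messages[err.error_type] || 'Something went wrong; please try again later.';
  return { requestId: err.request_id, message };
}

// Constructed sample: the 200 body shown on this page, trimmed to the fields used here.
const SAMPLE_200 = { status_code: 200, member_id: '', session_token: 'constructed-token', intermediate_session_token: '', member_authenticated: true, mfa_required: null };
```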