Reset by Email Start - Stytch Docs

passwords.resetByEmailStart wraps the Reset By Email Start Password API endpoint. This endpoint initiates a password reset for the email address provided. This will trigger an email to be sent to the address, containing a magic link that will allow the member to set a new password and authenticate.

Parameters

email_address

string

required

The email address of the Member.

organization_id

string

required

Globally unique UUID that identifies a specific Organization. You may also use the organization_slug or organization_external_id here as a convenience.

reset_password_redirect_url

string

The URL that the Member clicks from the reset password link. This URL should be an endpoint in the backend server that verifies the request by querying Stytch’s authenticate endpoint and finishes the reset password flow. If this value is not passed, the default reset_password_redirect_url that you set in your Dashboard is used. If you have not set a default reset_password_redirect_url, an error is returned.

The URL that Members are redirected to upon clicking the “Log in without password” button in password reset emails.After Members are redirected to the login redirect URL, your application should retrieve the token value from the URL parameters and call the Magic Link Authenticate endpoint to log the Member in without requiring a password reset. If this value is not provided, your project’s default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned.

reset_password_expiration_minutes

number

Sets a time limit after which the email link to reset the member’s password will no longer be valid. The minimum allowed expiration is 5 minutes and the maximum is 10080 minutes (7 days). By default, the expiration is 30 minutes.

reset_password_template_id

string

Use a custom template for reset password emails. By default, it will use your default email template. Templates can be added in the Stytch dashboard using our built-in customization options or custom HTML templates with type “Passwords - Reset Password”.

Response

member_id

string

The ID of the Member.

member_email_id

string

The ID of the Member Email.

member

object

Show child attributes

organization_id

string

Globally unique UUID that identifies a specific Organization.

member_id

string

Globally unique UUID that identifies a specific Member.

external_id

string

The ID of the Member given by the identity provider.

email_address

string

The email address of the Member.

email_address_verified

boolean

Whether or not the Member’s email address is verified.

status

string

The status of the Member. The possible values are: pending, invited, active, or deleted.

name

string

The name of the Member.

sso_registration

object[]

An array of registered SAML Connection or OIDC Connection objects the Member has authenticated with.

Show sso_registration properties

connection_id

string

Globally unique UUID that identifies a specific SSO connection_id for a Member.

registration_id

string

The unique ID of an SSO Registration.

external_id

string

The ID of the Member given by the identity provider.

sso_attributes

object

An object for storing SSO attributes brought over from the identity provider.

scim_registration

object

Sets whether the Member is enrolled in MFA.

Show sso_registration properties

connection_id

string

The id of the SCIM Connection.

registration_id

string

The unique ID of a SCIM Registration.

external_id

string

The ID of the Member given by the identity provider.

sso_attributes

object

An object for storing SCIM attributes brought over from the identity provider.

is_breakglass

boolean

Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization’s settings.A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.

member_password_id

string

Globally unique UUID that identifies a Member’s password.

oauth_registrations

object[]

A list of OAuth registrations for this Member.

Show oauth_registrations properties

provider_type

string

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

profile_picture_url

string

If available, the profile_picture_url is a URL of the User’s profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Google profile picture.

locale

string

If available, the locale is the Member’s locale set in the OAuth identity provider that the user has authenticated with.

member_oauth_registration_id

string

The unique ID of an OAuth registration.

mfa_enrolled

boolean

Sets whether the Member is enrolled in MFA.If true, the Member must complete an MFA step whenever they wish to log in to their Organization.If false, the Member only needs to complete an MFA step if the Organization’s MFA policy is set to REQUIRED_FOR_ALL.

mfa_phone_number

string

The Member’s phone number. A Member may only have one phone number.The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).

mfa_phone_number_verified

boolean

Whether or not the Member’s phone number is verified.

retired_email_addresses

object[]

A list of retired email addresses for this Member. A previously active email address can be marked as retired in one of two ways:

It’s replaced with a new primary email address during an explicit Member update.
A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member’s primary email address and the old primary email address is retired. A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.

Show properties

email_id

string

The globally unique UUID of a Member’s email.

email_address

string

The email address of the Member.

trusted_metadata

object

An arbitrary JSON object for storing application-specific data or identity-provider-specific data.

untrusted_metadata

object

An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.

roles

object[]

Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.

Show roles properties

role_id

string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

sources

object[]

A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member’s email domain.

Show sources properties

type

string

The type of role assignment. The possible values are:

direct_assignment – an explicitly assigned Role. Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint.
email_assignment – an implicit Role granted by the Member’s email domain, regardless of their login method. Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint.
sso_connection – an implicit Role granted by the Member’s SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection. SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint.
sso_connection_group – an implicit Role granted by the Member’s SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.
scim_connection_group – an implicit Role granted by the Member’s SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.

details

object

An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows:

direct_assignment – no additional details.
email_assignment – will contain the email domain that granted the assignment.
sso_connection – will contain the connection_id of the SAML connection that granted the assignment.
sso_connection_group – will contain the connection_id of the SAML connection and the name of the group that granted the assignment.
scim_connection_group – will contain the connection_id of the SAML connection and the group_id that granted the assignment.

is_admin

boolean

Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.

created_at

string

The date and time the Member was created.

updated_at

string

The date and time the Member was last updated.

request_id

string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code

number

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

​Parameters

​Response

Parameters

Response