Password reset by email

POSThttps://test.stytch.com/v1/passwords/email/reset

Reset the user’s password and authenticate them. This endpoint checks that the magic link token is valid, hasn’t expired, or already been used – and can optionally require additional security settings, such as the IP address and user agent matching the initial reset request.

The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated.

Note that a successful password reset by email will revoke all active sessions for the user_id.


Body parameters


token*string

password*string

optionsobject

attributesobject

session_custom_claimsmap<string, any>

session_duration_minutesint

session_jwtstring

session_tokenstring

code_verifierstring

Response fields


status_codeint

request_idstring

user_idstring

userobject

session_jwtstring

session_tokenstring

sessionobject
curl --request POST \
  --url https://test.stytch.com/v1/passwords/email/reset \
  -u 'PROJECT_ID:SECRET' \
  -H 'Content-Type: application/json' \
  -d '{
    "token": "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
    "password": "Ilo7%SqcKnWz3n4R"
  }'

RESPONSE

200
{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6"
}