Reset by email

The resetByEmail method wraps the Reset By Email Password API endpoint. This endpoint resets the user's password and authenticates them. It checks that the magic link token is valid, hasn't expired, and hasn't already been used. The provided password needs to meet our password strength requirements, which can be checked in advance with the Strength Check Password API endpoint.

If this method succeeds, the user will be logged in, granted an active session, and the session cookies will be minted and stored in the browser.

You can listen for successful login events anywhere in the codebase with the stytch.session.onChange() method or useStytchSession hook if you are using React.


Method parameters


token* string

The token to authenticate.


password* string

The password for the user. Any UTF-8 character is allowed, e.g. spaces, emojis, non-English characters, etc.


session_duration_minutes* int

Set the session lifetime to be this many minutes from now. This will return both an opaque session_token and session_jwt for this session, which will automatically be stored either in the browser cookies if you're using our JavaScript SDK, or in the iOS Keychain / Android SharedPreferences if you're using one of our mobile SDKs. The session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will be automatically refreshed by the SDK in the background over time.

This value must be a minimum of 5 and may not exceed the maximum session duration minutes value set in the Frontend SDK page of the Stytch Dashboard.

A successful authentication will continue to extend the session this many minutes.


Response fields


request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.


status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.


user_id string

The unique ID of the affected User.


user_device object

If Protected Auth is enabled and returned fingerprinting results, the user_device response field will contain information about the user's device attributes.

ip_address string

The IP address of the user's device.

ip_address_details object

Information about the ip_address.

is_new boolean

Whether this ip_address has been seen before for this user.

first_seen_at string

When this ip_address was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at string

When this ip_address was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_country string

The country code where the IP address is located.

ip_geo_country_details object

Information about the ip_geo_country.

is_new boolean

Whether this ip_geo_country has been seen before for this user.

first_seen_at string

When this ip_geo_country was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at string

When this ip_geo_country was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_city string

The city where the IP address is located.

ip_geo_region string

The region where the IP address is located.

import React, { useCallback } from 'react';
import { useStytch } from '@stytch/react';

export const Login = () => {
  const stytch = useStytch();

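  // The reset token arrives in the query string of the password reset link.
  const token = new URLSearchParams(window.location.search).get('token');

  const resetPassword = useCallback(() => {
    if (token) {
      stytch.passwords.resetByEmail({
        token: token,
        // Sample value; in practice, pass the password the user entered.
        password: 'xuEvs9sBi8I4x8rCXJPZ',
        session_duration_minutes: 60,
      });
    }
  }, [stytch, token]);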

  return <button onClick={resetPassword}>Reset Password</button>;
};
RESPONSE 200
{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6"
}
RESPONSE 400
{
  "status_code": 400,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "weak_password",
  "error_message": "password doesn't meet our strength requirements. Try hitting our /v1/passwords/strength_check endpoint to learn why.",
  "error_url": "https://stytch.com/docs/api/errors/400"
}
RESPONSE 401
{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unauthorized_credentials",
  "error_message": "Unauthorized credentials.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}
RESPONSE 429
{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}
RESPONSE 500
{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}
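
Handling the outcomes listed above, as an added example that is not Stytch's own code: it awaits resetByEmail, maps each error_type from the sample responses to a UI action, and logs only the request_id. It assumes the rejected promise carries the error_type and request_id fields shown in those responses; the action names and the log callback are hypothetical.

```javascript
// Added example. error_type values are the ones in the sample responses above;
// the action names on the right are hypothetical UI states.
const RESET_ACTIONS = new Map([
  ['weak_password', 'choose_stronger_password'],
  ['unauthorized_credentials', 'request_new_reset_link'],
  ['too_many_requests', 'retry_later'],
]);

// Pull the reset token out of a query string such as window.location.search.
function readResetToken(search) {
  const token = new URLSearchParams(search).get('token');
  return token && token.trim() !== '' ? token : null;
}

// Map a failed call to a UI action. Assumption: the rejected error carries
// the error_type and request_id fields shown in the error responses.
function classifyResetError(err) {
  const type = err && err.error_type;
  return {
    ok: false,
    action: RESET_ACTIONS.get(type) || 'show_generic_error',
    request_id: (err && err.request_id) || null,
  };
}

// `client` is the object returned by useStytch() (or a stub in tests).
// `log` is a hypothetical callback; it receives the request_id only,
// never the token or the password.
async function resetPassword(client, search, password, log = () => {}) {
  const token = readResetToken(search);
  if (!token) return { ok: false, action: 'request_new_reset_link', request_id: null };
  if (typeof password !== 'string' || password.length === 0) {
    return { ok: false, action: 'choose_stronger_password', request_id: null };
  }
  try {
    const res = await client.passwords.resetByEmail({
      token,
      password, // taken from the form, not hard-coded
      session_duration_minutes: 60, // minimum 5, capped by the Dashboard setting
    });
    log({ event: 'password_reset_ok', request_id: res.request_id });
    return { ok: true, user_id: res.user_id, request_id: res.request_id };
  } catch (err) {
    const outcome = classifyResetError(err);
    log({ event: 'password_reset_failed', action: outcome.action, request_id: outcome.request_id });
    return outcome;
  }
}
```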