Request Password Reset
Initiate a password reset flow.
Endpoint
`/auth/admin/password/reset/request`

Request a password reset. A reset token will be sent to the admin's email address.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
| Content-Type | string | Yes | application/json |
Request Body - Email address for reset

```json
{
  "email": "admin@example.com"
}
```

Response - Reset initiated

```json
{
  "reset_id": "550e8400-e29b-41d4-a716-446655440000",
  "expires_at": "2025-01-14T11:30:00Z",
  "token": "secure_reset_token"
}
```

Error Responses
| Status | Code | Description |
|---|---|---|
| 401 | reset_invalid | Reset could not be initiated (email not found) |
| 429 | rate_limit_exceeded | Rate limit: 5/min, 25/day per email/IP |
Security Notes
The response is intentionally uniform to prevent email enumeration: whether or not the address belongs to an admin, the caller receives the same status code and the same body shape (`reset_id` and `expires_at`); the only difference is whether an email is actually sent. Two caveats for implementers. First, the `reset_invalid` row in the error table above, as written, returns a distinguishable 401 when the email is not found; if the service behaves that way the protection described here does not hold, and the two need to be reconciled in favour of the uniform response. Second, the reset token must reach the admin only through the email channel. A response that echoed the token back to the caller (as the `token` field in the response example above would) would let anyone who knows an admin's email address complete the reset without access to the mailbox, so the API must not return that field. The rate limit (5/min and 25/day, applied per email and per IP) bounds how many emails a single caller can trigger.
Confirm Password Reset
Complete the password reset with a new password.
Endpoint
`/auth/admin/password/reset/confirm`

Complete the password reset by providing the token and new password.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
| Content-Type | string | Yes | application/json |
Request Body - Reset token and new password

```json
{
  "token": "secure_reset_token_from_email",
  "new_password": "NewSecurePassword123!"
}
```

Response - No content on success (HTTP 204)
Error Responses
| Status | Code | Description |
|---|---|---|
| 400 | validation_failed | Password must be at least 8 characters |
| 401 | reset_invalid | Reset token invalid or expired |
| 429 | reset_locked | Too many failed attempts (5/min, 50/day) |
Request Body Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Reset token from email |
| new_password | string | Yes | New password (min 8 characters) |
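How the request and confirm endpoints above fit together on the server, as an added example that is not part of this documentation or the product's own code. It models both endpoints as methods on one in-memory service and keeps the documented status codes, error codes and rate limits. Everything else is an assumption, marked in comments: a one-hour token lifetime (the page shows only `expires_at`), salted PBKDF2 as the stand-in credential hash, an `{"error": code}` error body, a per-client-IP key for the confirm lockout, and an `outbox` list standing in for the email channel.

```python
"""Server-side model of the reset request/confirm flow (added example, not product code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
import uuid
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

RESET_TTL_SECONDS = 3600      # assumption: the page documents only expires_at, not a lifetime
PBKDF2_ROUNDS = 210_000       # OWASP figure for PBKDF2-HMAC-SHA512; stand-in for the real hash


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_matches(password: str, stored: tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class SlidingWindowCounter:
    """Counts events per key over several windows, e.g. [(5, 60), (25, 86400)]."""

    def __init__(self, limits: list[tuple[int, int]]):
        self.limits = limits
        self.longest = max(window for _, window in limits)
        self.events = defaultdict(deque)

    def exceeded(self, key, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.longest:      # drop events outside every window
            q.popleft()
        return any(sum(1 for t in q if t > now - window) >= limit
                   for limit, window in self.limits)

    def record(self, key, now: float) -> None:
        self.events[key].append(now)


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class PasswordResetService:
    def __init__(self, admins: dict[str, tuple[bytes, bytes]], clock=time.time):
        self.admins = admins                    # email -> (salt, digest); assumption: in-memory store
        self.clock = clock                      # injectable so the flow can be tested deterministically
        self.resets: dict[bytes, ResetRecord] = {}   # sha256(token) -> record; raw tokens are never stored
        self.request_counter = SlidingWindowCounter([(5, 60), (25, 86_400)])   # documented request limits
        self.failure_counter = SlidingWindowCounter([(5, 60), (50, 86_400)])   # documented lockout limits
        self.outbox: list[tuple[str, str]] = []   # constructed stand-in for the email channel

    # /auth/admin/password/reset/request
    def request_reset(self, email: str, client_ip: str) -> tuple[int, dict]:
        now = self.clock()
        keys = (("email", email), ("ip", client_ip))
        if any(self.request_counter.exceeded(k, now) for k in keys):
            return 429, {"error": "rate_limit_exceeded"}
        for k in keys:
            self.request_counter.record(k, now)
        # Same work whether or not the address is registered, so response timing does
        # not reveal which addresses exist; only the delivery step is conditional.
        token = secrets.token_urlsafe(32)
        expires_at = now + RESET_TTL_SECONDS
        if email in self.admins:
            self.resets[hashlib.sha256(token.encode()).digest()] = ResetRecord(email, expires_at)
            self.outbox.append((email, token))
        # Identical body either way; the token itself is never echoed to the caller.
        return 200, {"reset_id": str(uuid.uuid4()), "expires_at": _iso(expires_at)}

    # /auth/admin/password/reset/confirm
    def confirm_reset(self, token: str, new_password: str, client_ip: str) -> tuple[int, dict | None]:
        now = self.clock()
        if self.failure_counter.exceeded(("ip", client_ip), now):   # assumption: lockout keyed per IP
            return 429, {"error": "reset_locked"}
        record = self.resets.get(hashlib.sha256(token.encode()).digest())
        if record is None or record.used or record.expires_at <= now:
            self.failure_counter.record(("ip", client_ip), now)     # only failed attempts count
            return 401, {"error": "reset_invalid"}
        if len(new_password) < 8:
            return 400, {"error": "validation_failed", "message": "Password must be at least 8 characters"}
        record.used = True                                           # single use, even if replayed
        self.admins[record.email] = hash_password(new_password)
        return 204, None
```

The points worth keeping from this model: the raw token is hashed before storage and never returned to the caller; an unknown address takes the same code path and gets the same body shape; tokens are single use and expire; and only failed confirmations count toward `reset_locked`, so an admin who mistypes the new password is not locked out by the validation error.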
Change Password
Change password while authenticated.
Endpoint
`/auth/admin/password/change`

Change password for the authenticated admin. Requires current password verification.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | Bearer {access_token} |
| Content-Type | string | Yes | application/json |
Request Body - Current and new password

```json
{
  "current_password": "CurrentPassword123",
  "new_password": "NewSecurePassword456!",
  "mfa_code": "123456"
}
```

Response - No content on success (HTTP 204)
Error Responses
| Status | Code | Description |
|---|---|---|
| 400 | validation_failed | New password must be at least 8 characters |
| 401 | password_change_failed | Current password incorrect or MFA code invalid |
Request Body Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| current_password | string | Yes | Current password for verification |
| new_password | string | Yes | New password (min 8 characters) |
| mfa_code | string | Conditional | Required if MFA is enabled |
Password Requirements
Password policy and security requirements.
Requirements
| Requirement | Value |
|---|---|
| Minimum length | 8 characters |
| Maximum length | 128 characters |
| Character types | Any Unicode characters allowed |
| Reuse policy | Cannot reuse last 5 passwords |
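A change-password handler that enforces the policy table above together with the current-password and MFA checks documented under Change Password. This is an added example, not the product's code. The 8 to 128 character range, Unicode acceptance, last-5 reuse rule and the error codes come from this page; the stored-credential format (salted PBKDF2-HMAC-SHA512), NFC normalisation before hashing, RFC 6238 TOTP as the MFA method, reporting reuse as `validation_failed`, counting the current password as one of the "last 5", and the `message` field in error bodies are assumptions marked in the comments.

```python
"""Change-password handler with the documented policy (added example, not product code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time
import unicodedata
from dataclasses import dataclass

MIN_LENGTH, MAX_LENGTH, HISTORY_DEPTH = 8, 128, 5   # from the Password Requirements table
PBKDF2_ROUNDS = 210_000                              # OWASP figure for PBKDF2-HMAC-SHA512


def normalize(password: str) -> str:
    """NFC-normalise so composed and decomposed forms of the same text compare equal (assumption)."""
    return unicodedata.normalize("NFC", password)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha512", normalize(password).encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_matches(password: str, stored: tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violation(password: str) -> str | None:
    """Return the validation message for a rejected password, or None if it passes."""
    n = len(normalize(password))     # length in code points; any script or symbol is allowed
    if n < MIN_LENGTH:
        return f"Password must be at least {MIN_LENGTH} characters"
    if n > MAX_LENGTH:
        return f"Password must be at most {MAX_LENGTH} characters"
    return None


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step); assumed here as the MFA method."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_valid(secret: bytes, code: str, at: float) -> bool:
    if not (code.isascii() and code.isdigit()):
        return False
    # Accept the current and the previous step to tolerate small clock skew.
    return any(hmac.compare_digest(totp(secret, at - skew), code) for skew in (0, 30))


@dataclass
class AdminAccount:
    history: list[tuple[bytes, bytes]]     # newest first; history[0] is the current credential
    totp_secret: bytes | None = None       # None means MFA is not enabled


def create_account(password: str, totp_secret: bytes | None = None) -> AdminAccount:
    return AdminAccount(history=[hash_password(password)], totp_secret=totp_secret)


# /auth/admin/password/change (caller already holds a valid bearer token)
def change_password(account: AdminAccount, current_password: str, new_password: str,
                    mfa_code: str | None = None, at: float | None = None) -> tuple[int, dict | None]:
    at = time.time() if at is None else at
    message = policy_violation(new_password)
    if message:
        return 400, {"error": "validation_failed", "message": message}
    # Evaluate both factors and report one combined failure, as the documented error
    # code does, so the caller cannot learn which factor was wrong.
    password_ok = password_matches(current_password, account.history[0])
    mfa_ok = account.totp_secret is None or (
        mfa_code is not None and totp_valid(account.totp_secret, mfa_code, at))
    if not (password_ok and mfa_ok):
        return 401, {"error": "password_change_failed",
                     "message": "Current password incorrect or MFA code invalid"}
    # Each stored credential has its own salt, so reuse is checked by rehashing the candidate.
    if any(password_matches(new_password, old) for old in account.history[:HISTORY_DEPTH]):
        return 400, {"error": "validation_failed",        # assumption: reuse reported as validation_failed
                     "message": f"Cannot reuse last {HISTORY_DEPTH} passwords"}
    account.history.insert(0, hash_password(new_password))
    del account.history[HISTORY_DEPTH:]                    # retain only the last 5 credentials
    return 204, None
```

Two design choices worth noting: the cheap length check runs before any hashing, while the reuse check (which costs one hash per retained credential) runs only after both factors have been verified, so an unauthenticated caller cannot use it as a password oracle; and the MFA failure shares the `password_change_failed` code with a wrong current password, matching the single 401 the page documents.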
Best Practices
We recommend using a password manager to generate strong, unique passwords. Consider enabling MFA for additional security.