provider Passwords POST /v1/passwords/email/reset
@utdk/stytch /v1/passwords/email/reset
Reset
Reset the user's password and authenticate them. This endpoint checks that the magic link `token` is valid, hasn't expired, or already been used – and can optionally require additional security settings, such as the IP address and user agent matching the initial reset request. The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated. Note that a successful password reset by email will revoke all active sessions for the `user_id`.

Try it

Authentication
Configure credentials for Stytch API
Gateway
The gateway proxies requests and injects credentials server-side. Configure credentials above, then enter your gateway URL.

Saved automatically to browser storage.

apiPasswordV1PasswordsEmailReset
POST/v1/passwords/email/reset
Reset the user's password and authenticate them. This endpoint checks that the magic link `token` is valid, hasn't expired, or already been used – and can optionally require additional security settings, such as the IP address and user agent matching the initial reset request. The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated. Note that a successful password reset by email will revoke all active sessions for the `user_id`.

Input

required

The Passwords `token` from the `?token=` query parameter in the URL. In the redirect URL, the `stytch_token_type` will be `login` or `reset_password`. See examples and read more about redirect URLs [here](https://stytch.com/docs/workspace-management/redirect-urls).

required

The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.

The `session_token` associated with a User's existing Session.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time. This value must be a minimum of 5 and a maximum of 527040 minutes (366 days). If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes. If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created.

The `session_jwt` associated with a User's existing Session.

A base64url encoded one time secret used to validate that the request starts and ends on the same device.

Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.

If the `telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the User. Your workspace must be enabled for Device Fingerprinting to use this feature.

Enter a gateway URL above to enable sending.

Code snippet
Updates live as you fill in the form above.

TypeScript

import stytch from '@utdk/stytch';

await stytch.apiPasswordV1PasswordsEmailReset()