Change Password

PUT /api/auth/password
curl --request PUT \
  --url https://api.example.com/api/auth/password \
  --header 'Authorization: Bearer <your_jwt_token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "currentPassword": "<string>",
  "newPassword": "<string>"
}'
{
  "success": true,
  "message": "<string>",
  "data": null
}

Overview

Allows an authenticated user to change their password. Requires the current password for verification and enforces security requirements on the new password.
This action cannot be undone. Ensure users confirm their new password before submitting.

Authentication

Required: Bearer token in Authorization header
Authorization: Bearer <your_jwt_token>

Request Body

currentPassword (string, required)
  The user’s current password for verification.
newPassword (string, required)
  The new password. Must meet security requirements:
  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Response

success (boolean)
  Indicates whether the password was updated successfully.
message (string)
  Confirmation message.
data (null)
  Always null for password change responses.

Examples

curl -X PUT "http://localhost:4000/api/auth/password" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "currentPassword": "MyOldPassword123!",
    "newPassword": "MyNewSecurePass456!"
  }'

Response Examples

Success (200 OK)

{
  "success": true,
  "message": "Contraseña actualizada exitosamente",
  "data": null
}

Missing Fields (400)

{
  "success": false,
  "message": "Se requieren ambas contraseñas: actual y nueva"
}

Weak Password (400)

{
  "success": false,
  "message": "La contraseña debe tener al menos 8 caracteres, una mayúscula, una minúscula, un número y un carácter especial"
}

Incorrect Current Password (401)

{
  "success": false,
  "message": "La contraseña actual es incorrecta"
}

User Not Found (404)

{
  "success": false,
  "message": "Usuario no encontrado"
}

Error Responses

Status Code  Description
400          Missing fields or password doesn’t meet security requirements
401          Invalid token or incorrect current password
404          User account not found
500          Internal server error

Password Requirements

All passwords must meet these security criteria:
  • Length: Minimum 8 characters
  • Uppercase: At least one (A-Z)
  • Lowercase: At least one (a-z)
  • Number: At least one (0-9)
  • Special Character: At least one (!@#$%^&*()_+-=[]|;:,.?)

Security Notes

The API verifies the current password using bcrypt before allowing the change. This prevents unauthorized password changes if a token is compromised but the attacker doesn’t know the password.
New passwords are hashed using bcrypt with 10 salt rounds before storage. Passwords are never stored in plain text.
After changing the password, the current JWT token remains valid until expiration; the user does not need to log in again immediately. This also means a previously issued token is not revoked by the change and stays usable until it expires.
Recommended practices:
  • Require password confirmation on the client side before submitting
  • Display password strength indicators to users
  • Consider implementing password history to prevent reuse
  • Log password change events for security auditing

Source Code Reference

  • Route: src/routes/auth.routes.js:371
  • Controller: src/controllers/authController.js:changePassword
  • Validation: src/utils/validators.util.js:isValidPassword
