
PATCH /api/admin/users/:id/password

Reset or change a user’s password. This endpoint lets an administrator set a new password for any user account without supplying the account’s current password.
Because it skips the old-password check that the normal password change flow requires, use it only for legitimate password reset requests or account recovery.

Authentication

This endpoint requires:
  1. Valid JWT token in the Authorization header
  2. User must have ADMIN role
Authorization: Bearer <admin-token>

Path Parameters

id
string
required
UUID of the user whose password should be changed

Request Body

password
string
required
New password for the user (at least 8 characters; shorter values are rejected with a 400, see Error Responses)

Response

Returns a success message.
message
string
Confirmation message

Example Request

cURL
curl -X PATCH http://localhost:3000/api/admin/users/user-uuid-123/password \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "newSecurePassword123"
  }'
JavaScript
// adminToken holds the JWT of a user with the ADMIN role
const adminToken = '<admin-token>';
const userId = 'user-uuid-123';
const response = await fetch(`http://localhost:3000/api/admin/users/${userId}/password`, {
  method: 'PATCH',
  headers: {
    'Authorization': `Bearer ${adminToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    password: 'newSecurePassword123'
  })
});

// Error responses (400/401/403/404) also carry a JSON body with statusCode and message
const result = await response.json();
if (!response.ok) {
  throw new Error(`Password reset failed (${result.statusCode}): ${result.message}`);
}
Python
import requests

# admin_token holds the JWT of a user with the ADMIN role
admin_token = '<admin-token>'
user_id = 'user-uuid-123'
headers = {'Authorization': f'Bearer {admin_token}'}
data = {'password': 'newSecurePassword123'}

response = requests.patch(
    f'http://localhost:3000/api/admin/users/{user_id}/password',
    headers=headers,
    json=data,  # also sets Content-Type: application/json
)

# Error responses (400/401/403/404) also carry a JSON body with statusCode and message
result = response.json()
if not response.ok:
    raise RuntimeError(f"Password reset failed ({result['statusCode']}): {result['message']}")

Example Response

{
  "message": "Password updated successfully"
}

Password Security

The new password is automatically:
  • Hashed using bcrypt with salt rounds (typically 10)
  • Never stored in plain text
  • Validated for minimum length requirements
The password is hashed on the server before storage. bcrypt is a one-way, deliberately slow function with a per-password salt, so the stored hash cannot be reversed and brute-force or rainbow-table attacks against it are expensive.

Error Responses

{
  "statusCode": 403,
  "message": "Forbidden resource"
}
User does not have the ADMIN role.
{
  "statusCode": 404,
  "message": "User not found"
}
No user exists with the given id.
{
  "statusCode": 400,
  "message": "Password must be at least 8 characters long"
}
The supplied password failed the minimum length validation.
{
  "statusCode": 400,
  "message": "Cannot change password for OAuth users"
}
Users who authenticated via Google OAuth don’t have local passwords.
{
  "statusCode": 401,
  "message": "Unauthorized"
}
The Authorization header is missing or the JWT token is invalid or expired.

Best Practices

Notify User

Send an email notification to the user when their password is reset by an admin

Log Action

Record admin ID, timestamp, and user ID for audit trail

Temporary Password

Generate a temporary password and require change on first login

Verify Request

Confirm the password reset request is legitimate

Password Requirements

Enforce these password requirements in your application:
  • At least 8 characters (configurable in the backend validation)
  • Check against a list of commonly used passwords

Use Cases

Account Recovery

Help users who forgot their password and can’t receive reset emails

Support Requests

Assist users locked out of their accounts

Security Incidents

Force password change after suspected account compromise

Initial Setup

Set initial passwords for manually created accounts

Security Considerations

  • Never send the new password in plain text via email
  • Consider implementing multi-factor authentication
  • Log all admin password changes for security audits
  • Invalidate existing user sessions after password change
  • Consider requiring the user to change the admin-set password on next login
