
Endpoint

POST /auth/change-password

Change the password for the currently authenticated user

Authentication

This endpoint requires authentication. Include a valid JWT token in the Authorization header.
Authorization: Bearer YOUR_JWT_TOKEN

Request Body

currentPassword (string, required)
  The user’s current password for verification

newPassword (string, required)
  The new password to set. Should meet minimum security requirements.

Response

success (boolean, required)
  Indicates whether the password change was successful

message (string)
  Human-readable message describing the result

Example Request

curl -X POST https://api.invenicum.example/v1/auth/change-password \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -d '{
    "currentPassword": "oldPassword123",
    "newPassword": "newSecurePassword456"
  }'

Example Response

Success Response (200 OK)

{
  "success": true,
  "message": "Password updated successfully"
}

Error Response (400 Bad Request)

{
  "success": false,
  "message": "La contraseña actual no es correcta"
}

Error Response (401 Unauthorized)

{
  "success": false,
  "message": "Authentication required"
}

Error Codes

Status Code   Description
200           Password changed successfully
400           Current password is incorrect
401           Not authenticated or invalid token
422           Validation error (e.g., weak password)
500           Internal server error

Password Requirements

These rules are not enforced by the API as shown in the source code; clients should still follow these best practices:

Password Security Guidelines

  • Minimum 8 characters
  • Mix of uppercase and lowercase letters
  • At least one number
  • At least one special character
  • Should not match common passwords
  • Should not contain user’s email or name

Implementation Details

The password change endpoint (from api_service.dart:60-82):
  1. Validates the current password on the backend
  2. If valid, updates to the new password
  3. Returns success status or error message
  4. Error messages may be returned in either the message field or the error field
After changing the password, the user’s current session remains valid. The JWT token is not invalidated, so the user can continue using the application without re-logging in.
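The following is an added example, not code from the project’s api_service.dart or from its backend. It sketches in Python what the backend side of the three steps above looks like when the Password Security Guidelines are enforced as well: the bearer token is checked, the current password is verified with a constant-time comparison against a PBKDF2 hash, the new password is validated against the guidelines, the change is recorded for auditing, and the status codes follow the Error Codes table. The user record, the token table, the common-password list and the PBKDF2 parameters are all constructed for illustration and are not the project’s own.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed in-memory user record; the real backend's storage is not shown on the page."""
    user_id: str
    email: str
    name: str
    salt: bytes
    pw_hash: bytes
    audit_log: list = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(user_id: str, email: str, name: str, password: str) -> User:
    salt = os.urandom(16)
    return User(user_id, email, name, salt, hash_password(password, salt))


# Constructed sample of common passwords; a production deny-list is far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def validate_new_password(password: str, email: str, name: str) -> list:
    """Apply the Password Security Guidelines; returns the violated rules (empty means acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("minimum 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("mix of uppercase and lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("at least one special character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("must not be a common password")
    local_part = email.split("@")[0].lower()
    name_parts = [p.lower() for p in name.split() if len(p) >= 3]
    if (local_part and local_part in lowered) or any(p in lowered for p in name_parts):
        problems.append("must not contain the user's email or name")
    return problems


# Constructed token table standing in for JWT validation; a real check verifies signature and expiry.
SESSIONS: dict = {}


def change_password(bearer: str, body: dict) -> tuple:
    """Handle POST /auth/change-password; returns (status_code, response_body)."""
    user = SESSIONS.get(bearer)
    if user is None:
        return 401, {"success": False, "message": "Authentication required"}
    current = body.get("currentPassword", "")
    new = body.get("newPassword", "")
    # Constant-time comparison of the derived hashes so timing does not leak partial matches.
    if not hmac.compare_digest(hash_password(current, user.salt), user.pw_hash):
        user.audit_log.append("password_change_failed")  # worth alerting on if repeated
        return 400, {"success": False, "message": "La contraseña actual no es correcta"}
    problems = validate_new_password(new, user.email, user.name)
    if problems:
        return 422, {"success": False, "message": "Weak password: " + "; ".join(problems)}
    user.salt = os.urandom(16)  # fresh salt on every rotation
    user.pw_hash = hash_password(new, user.salt)
    user.audit_log.append("password_changed")
    return 200, {"success": True, "message": "Password updated successfully"}


def demo() -> list:
    """Constructed walkthrough: bad token, wrong current password, weak new password, success, then reuse of the old one."""
    user = make_user("u-1", "ana@example.com", "Ana Ruiz", "oldPassword123")
    SESSIONS["constructed-token"] = user
    good = {"currentPassword": "oldPassword123", "newPassword": "N3w-Secure!Pass"}
    return [
        change_password("bogus-token", good)[0],
        change_password("constructed-token", {"currentPassword": "wrong", "newPassword": "N3w-Secure!Pass"})[0],
        change_password("constructed-token", {"currentPassword": "oldPassword123", "newPassword": "password"})[0],
        change_password("constructed-token", good)[0],
        change_password("constructed-token", good)[0],  # old password no longer verifies after rotation
    ]


if __name__ == "__main__":
    print(demo())  # expected [401, 400, 422, 200, 400]
```

The last call in demo shows that the token stays usable after a successful change, which matches the session behaviour described above; the 400 comes only from the old password no longer verifying. The audit_log entries are where a real backend would emit the events the Security Notes recommend logging.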

Common Errors

The currentPassword field does not match the user’s actual password. The error message may be in Spanish: “La contraseña actual no es correcta”.
  Solution: Verify the user is entering their correct current password.

The JWT token in the Authorization header is missing, malformed, or expired.
  Solution: Redirect the user to the login page to obtain a fresh token.

Network connectivity issues or backend unavailability. The error is caught as “Error de conexión al cambiar contraseña”.
  Solution: Display a user-friendly error message and allow retry.

Security Notes

  • Always use HTTPS in production to protect credentials in transit
  • The current password is verified before allowing changes
  • Consider implementing rate limiting to prevent brute force attacks
  • Log password change events for security auditing
  • Consider requiring re-authentication after password change for sensitive accounts

Related

  • Login - Authenticate and obtain token
