The password reset functionality is split into two endpoints: one to request a reset token and another to actually reset the password.

Request Password Reset

POST /api/auth/forgot-password
Initiates the password reset process by sending a reset token to the user’s email address.

Request Body

email (string, required): User’s email address. Must be a valid email format.

Response

success (boolean): Indicates whether the request was successful.
data (object)

Status Codes

200 Success: Request processed successfully.
400 Bad Request: Invalid email format.

Example Request

cURL
curl -X POST https://api.pcfix.com/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com"
  }'
JavaScript
const response = await fetch('https://api.pcfix.com/api/auth/forgot-password', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    email: 'user@example.com'
  })
});

const data = await response.json();
console.log(data);

Example Response

{
  "success": true,
  "data": {
    "message": "Correo enviado"
  }
}

Notes

  • The reset token is valid for 1 hour (3600 seconds)
  • An email with the reset link is sent asynchronously
  • For security reasons, the response is always successful even if the email doesn’t exist
  • The token is a 32-byte random hex string

Reset Password

POST /api/auth/reset-password
Completes the password reset process using the token received via email.

Request Body

token (string, required): The reset token received via email.
newPassword (string, required): The new password. Must be at least 6 characters long.

Response

success (boolean): Indicates whether the request was successful.
data (object)

Status Codes

200 Success: Password reset successful.
400 Bad Request: Invalid token, expired token, or validation error.

Error Response

{
  "success": false,
  "error": "Token inválido o expirado"
}

Example Request

cURL
curl -X POST https://api.pcfix.com/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "newPassword": "nuevaPassword123"
  }'
JavaScript
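// Placeholder: replace with the token extracted from the reset link.
const resetToken = '<token-from-reset-link>';

const response = await fetch('https://api.pcfix.com/api/auth/reset-password', {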
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    token: resetToken,
    newPassword: 'nuevaPassword123'
  })
});

const data = await response.json();
console.log(data);
Python
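import requests

# Placeholder: replace with the token extracted from the reset link.
reset_token = '<token-from-reset-link>'
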
response = requests.post(
  'https://api.pcfix.com/api/auth/reset-password',
  json={
    'token': reset_token,
    'newPassword': 'nuevaPassword123'
  }
)

data = response.json()
print(data)

Example Response

{
  "success": true,
  "data": {
    "message": "Contraseña actualizada"
  }
}

Notes

  • The reset token expires 1 hour after generation
  • Once a password is successfully reset, the token is cleared and cannot be reused
  • The new password is securely hashed using bcrypt before storage
  • Both resetToken and resetTokenExpires fields are set to null after successful reset

Complete Password Reset Flow

  1. User requests password reset: Send POST request to /api/auth/forgot-password with email
  2. System sends email: User receives email with reset token (valid for 1 hour)
  3. User clicks reset link: Frontend extracts token from URL
  4. User enters new password: Send POST request to /api/auth/reset-password with token and new password
  5. Password updated: User can now log in with the new password

Security Considerations

  • Reset tokens are cryptographically secure random strings
  • Tokens expire after 1 hour
  • Tokens are single-use (cleared after successful reset)
  • The forgot-password endpoint doesn’t reveal whether an email exists in the system
  • Password reset clears any existing reset tokens
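
A server-side sketch of the token lifecycle described in the notes and security considerations above, added here as an example and not taken from the API's implementation. The in-memory `users` map, the `outbox` mailer stand-in, the function names, the validation error text, and the use of scrypt in place of bcrypt are assumptions made so it runs on Node's standard library alone.

```javascript
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 3600 * 1000; // 1 hour, per the Notes
// Constructed in-memory user table; field names follow the page.
const users = new Map([['ana@example.com',
  { passwordHash: null, resetToken: null, resetTokenExpires: null }]]);
const outbox = []; // hypothetical stand-in for the asynchronous mailer
const fail = (error) => ({ status: 400, body: { success: false, error } });

// scrypt stands in for bcrypt here so no third-party package is needed.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  return `${salt.toString('hex')}:${crypto.scryptSync(password, salt, 32).toString('hex')}`;
}

function forgotPassword(email, now = Date.now()) {
  const user = users.get(email);
  if (user) {
    const token = crypto.randomBytes(32).toString('hex'); // 32 random bytes, hex-encoded
    user.resetToken = token; // replaces any earlier outstanding token
    user.resetTokenExpires = now + TOKEN_TTL_MS;
    outbox.push({ to: email, token });
  }
  // Identical response whether or not the address is registered.
  return { status: 200, body: { success: true, data: { message: 'Correo enviado' } } };
}

function resetPassword(token, newPassword, now = Date.now()) {
  if (typeof token !== 'string' || typeof newPassword !== 'string') return fail('Invalid request');
  if (newPassword.length < 6) return fail('Password too short'); // constructed message
  const supplied = Buffer.from(token);
  for (const user of users.values()) {
    if (!user.resetToken) continue;
    const stored = Buffer.from(user.resetToken);
    // Constant-time comparison; lengths must match before timingSafeEqual.
    if (stored.length !== supplied.length || !crypto.timingSafeEqual(stored, supplied)) continue;
    if (now > user.resetTokenExpires) break; // expired: same error as an unknown token
    user.passwordHash = hashPassword(newPassword);
    user.resetToken = null; // single use: both fields are cleared
    user.resetTokenExpires = null;
    return { status: 200, body: { success: true, data: { message: 'Contraseña actualizada' } } };
  }
  return fail('Token inválido o expirado');
}
```

The optional `now` argument exists only so expiry can be exercised without waiting an hour.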
