The password reset flow consists of two endpoints: requesting a reset token and using that token to set a new password.

Request Password Reset

Sends a password reset email to the user with a reset token. For security, this endpoint always returns success even if the email doesn’t exist.
This endpoint has strict rate limiting: 5 requests per 15 minutes in production.

Request Body

email (string, required): User’s email address. Must be a valid email format.

Response

message (string): Generic success message that doesn’t reveal whether the email exists.

Example Request

curl -X POST https://api.tresacontafy.com/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'

Example Response

{
  "message": "Si el email está registrado, se enviará un correo con las instrucciones para restablecer tu contraseña."
}

Reset Password

Resets the user’s password using the token received via email.

Request Body

token (string, required): The password reset token received in the reset email.
password (string, required): New password. Must be at least 8 characters long.

Response

message (string): Success message confirming the password was reset.

Error Responses

400 Bad Request

Returned when:
  • Token or password is missing or invalid type
  • Password is less than 8 characters
  • Token is invalid or not found in the database
  • Token has expired (tokens expire after 1 hour)

500 Internal Server Error

Returned when:
  • Database query fails
  • Password hashing fails
  • User update fails

Example Request

curl -X POST https://api.tresacontafy.com/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "password": "newSecurePassword123"
  }'

Example Response

{
  "message": "Contraseña restablecida correctamente. Ya puedes iniciar sesión con tu nueva contraseña."
}

Error Response Examples

Invalid Token

{
  "error": "Token inválido",
  "message": "El token proporcionado no es válido o ha expirado."
}

Expired Token

{
  "error": "El token ha expirado",
  "message": "El token de restablecimiento ha expirado. Por favor solicita uno nuevo."
}

Password Too Short

{
  "error": "Contraseña inválida",
  "message": "La contraseña debe tener al menos 8 caracteres"
}

Implementation Details

  • Reset tokens are stored as hashed values in the database for security
  • Tokens expire 1 hour after generation (stricter than email verification)
  • New passwords are hashed using bcrypt with 10 salt rounds
  • Upon successful reset:
    • The password hash is updated
    • The reset token and expiration date are cleared from the database
  • For security, the request endpoint doesn’t reveal if an email exists in the system

Password Reset Flow

  1. User requests password reset by providing their email
  2. If the email exists, a reset token is generated and sent via email
  3. User clicks the link in the email (containing the token)
  4. User submits the token along with their new password
  5. Password is updated and user can log in with the new password

Reset tokens expire after 1 hour. If the token expires, the user must request a new password reset.
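The two endpoints and the implementation details above, as an added example that is not the project's own code: a minimal in-memory version of the flow that stores only the token hash, enforces the 1-hour expiry and the 8-character minimum, gives the same generic reply for known and unknown emails, and clears the token after a successful reset. The user table and the OUTBOX mailer stub are constructed for the example, and salted PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the Python standard library.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600          # tokens expire 1 hour after generation
GENERIC_MESSAGE = "Si el email está registrado, se enviará un correo con las instrucciones."

def hash_password(password):
    """Stand-in for bcrypt (assumption): salted PBKDF2-HMAC-SHA256, salt stored with the hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + dk.hex()

def verify_password(email, password):
    salt_hex, dk_hex = USERS[email]["password_hash"].split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed in-memory user table standing in for the database.
USERS = {"alice@example.com": {"password_hash": hash_password("oldPassword!"),
                               "reset_token_hash": None, "reset_expires": None}}
OUTBOX = []                       # constructed mailer stub: (email, token) pairs "sent"

def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()   # only the hash reaches the database

def request_reset(email, now=None):
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:                                # unknown email: same reply, no mail sent
        token = secrets.token_urlsafe(32)
        user["reset_token_hash"] = _token_hash(token)
        user["reset_expires"] = now + TOKEN_TTL_SECONDS
        OUTBOX.append((email, token))
    return {"message": GENERIC_MESSAGE}

def reset_password(token, password, now=None):
    now = time.time() if now is None else now
    if not isinstance(token, str) or not isinstance(password, str):
        return 400, {"error": "Token inválido", "message": "token y password deben ser strings"}
    if len(password) < 8:
        return 400, {"error": "Contraseña inválida",
                     "message": "La contraseña debe tener al menos 8 caracteres"}
    wanted = _token_hash(token)                         # look up by hash, compare in constant time
    user = next((u for u in USERS.values() if u["reset_token_hash"] is not None
                 and hmac.compare_digest(u["reset_token_hash"], wanted)), None)
    if user is None:
        return 400, {"error": "Token inválido", "message": "El token proporcionado no es válido."}
    if now > user["reset_expires"]:
        return 400, {"error": "El token ha expirado", "message": "Por favor solicita uno nuevo."}
    user["password_hash"] = hash_password(password)     # rehash, then clear token and expiry
    user["reset_token_hash"] = user["reset_expires"] = None
    return 200, {"message": "Contraseña restablecida correctamente."}
```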
