POST /api/auth/forgot-password

Initiates the password reset process by sending a password reset link to the user’s email. For security, the response does not reveal whether the email exists in the system.

Request body

email
string
required
Email address of the account to reset

Response

success
boolean
Always returns true for security reasons
message
string
Generic success message that doesn’t reveal account existence

Status codes

  • 200 - Request processed (email sent if account exists)
  • 400 - Email parameter missing or invalid
  • 500 - Internal server error

The password reset token expires after 1 hour. Users must complete the reset process before expiration.

For security reasons, this endpoint always returns the same success message whether or not the email exists in the system. This prevents email enumeration attacks.

Examples

curl -X POST https://api.campusbite.com/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'

Success response (200)

{
  "success": true,
  "message": "If an account with that email exists, a password reset link has been sent."
}

Error response (400)

{
  "success": false,
  "message": "Email is required."
}

Implementation details

When the submitted email matches an existing account:
  1. A 32-character hexadecimal reset token is generated
  2. The token is stored in the user’s record with a 1-hour expiration
  3. A password reset email is sent containing the token
  4. Previous reset tokens for the user are invalidated
If sending the email fails:
  • The token is still saved to the database
  • The error is logged server-side but not exposed to the client
  • The success message is returned to maintain consistent behavior
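The following Python sketch is an added illustration of the behaviour listed above, not the project's own code: an in-memory user store, the `User` record fields and the `send_reset_email` mailer are constructed placeholders standing in for the real database and mail service.

```python
import logging
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # 1-hour expiration, as the endpoint documents
GENERIC_MESSAGE = "If an account with that email exists, a password reset link has been sent."
log = logging.getLogger("forgot_password")

@dataclass
class User:
    email: str
    reset_token: Optional[str] = None  # assumed record fields (hypothetical)
    reset_expires_at: float = 0.0

# Constructed in-memory store standing in for the real user database.
USERS = {"alice@example.com": User("alice@example.com")}

def generate_reset_token() -> str:
    # 16 random bytes -> 32 hexadecimal characters (128 bits from the OS CSPRNG)
    return secrets.token_hex(16)

def send_reset_email(email: str, token: str) -> None:
    # Placeholder mailer; the real one renders a reset link carrying the token.
    pass

def forgot_password(body: dict, now: Optional[float] = None, mailer=send_reset_email):
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        return 400, {"success": False, "message": "Email is required."}
    user = USERS.get(email.strip().lower())
    if user is not None:
        token = generate_reset_token()
        # Overwriting the stored token invalidates any previous reset token.
        user.reset_token = token
        user.reset_expires_at = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        try:
            mailer(user.email, token)
        except Exception:
            # Token stays saved; the failure is logged but never shown to the client.
            log.exception("reset email delivery failed for %s", user.email)
    # Identical status and body whether or not the account exists.
    return 200, {"success": True, "message": GENERIC_MESSAGE}

def token_is_valid(user: User, token: str, now: float) -> bool:
    # Used when the link is redeemed: constant-time compare plus expiry check.
    return (user.reset_token is not None
            and secrets.compare_digest(user.reset_token, token)
            and now < user.reset_expires_at)
```

The response body is identical in both branches, but the existing-account path does extra work (token generation, database write, SMTP round trip), so response time can still differ; moving the email send to a background queue keeps that timing difference from becoming an enumeration signal.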