POST /api/auth/reset-password/:token
Resets a user’s password using the token received via the forgot-password email. All existing refresh tokens are invalidated after a successful password reset.

Path parameters
token: Password reset token from the email (32-character hexadecimal string)
Request body
New password. Must meet the same requirements as registration:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
Response
Indicates if the password reset was successful
Human-readable response message
Status codes
200 - Password reset successful
400 - Invalid or expired reset token, or missing password
500 - Internal server error
After a successful password reset, the user must log in again with their new password. All existing sessions are invalidated.
Examples
Success response (200)
Error response (400) - Invalid token
Error response (400) - Missing fields
Security measures
The password reset process includes several security features:
- Token expiration: Reset tokens expire after 1 hour
- Single use: Once used, the token is removed from the user record
- Session invalidation: All refresh tokens are deleted, forcing re-authentication
- Password hashing: New passwords are hashed with bcrypt (12 rounds)
- Token cleanup: Both the reset token and expiration date are cleared after use