Change Users' Passwords

Notice

This information applies to those using Change Password flow v2. If you are using the old Change Password flow or Lock 8, check the notice panels like this one for information on differences between the two flows.

To determine the flow you are using, navigate to Dashboard > Tenant Settings > Advanced to check if the Change Password flow v2 toggle is enabled. If it is, use Lock 9+. If not, use an older version of Lock to trigger the old Change Password flow.

We strongly encourage you to enable Change Password flow v2. To learn more about the vulnerability and migration, please see Vulnerable Password Flow. To learn more about migrating to Lock 11, please take a look at the Lock 11 Migration Guide.

You can change your users' passwords using one of the following methods:

  • Authentication API: Send a POST call to the Authentication API to send a password reset email to the user.
  • Management API: Send a PATCH call to the Management API to update the user's password manually.
  • Lock: Use the Lock login screen to trigger a password reset email to the user.
  • Dashboard: Use the Users section of the Dashboard to manually change the user's password.

You can only change passwords for users signing in using database connections. Users signing in using social or enterprise connections need to reset their passwords with the appropriate system.

Using the Authentication API

To reset a user's password using the Authentication API, make a POST call specifying the email address of the user account whose password you would like to reset in the email field. If the call is successful, the user will receive an email prompting them to change their password.

If you're calling this from the browser, don't forget to add your URL to the Allowed Web Origins list in the Dashboard.


cURL

curl --request POST \
  --url 'https://YOUR_AUTH0_DOMAIN/dbconnections/change_password' \
  --header 'content-type: application/json' \
  --data '{"client_id": "YOUR_CLIENT_ID","email": "","connection": "Username-Password-Authentication"}'

C#

var client = new RestClient("https://YOUR_AUTH0_DOMAIN/dbconnections/change_password");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

Go

package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/dbconnections/change_password"

	payload := strings.NewReader("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}")

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}

	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// Without this check a failed request leaves res nil and the
		// deferred Close below panics.
		log.Fatal(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))

}

Java

HttpResponse<String> response = Unirest.post("https://YOUR_AUTH0_DOMAIN/dbconnections/change_password")
  .header("content-type", "application/json")
  .body("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}")
  .asString();

jQuery

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/dbconnections/change_password",
  "method": "POST",
  "headers": {
    "content-type": "application/json"
  },
  "processData": false,
  "data": "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Node.js

var request = require("request");

var options = { method: 'POST',
  url: 'https://YOUR_AUTH0_DOMAIN/dbconnections/change_password',
  headers: { 'content-type': 'application/json' },
  body:
   { client_id: 'YOUR_CLIENT_ID',
     email: '',
     connection: 'Username-Password-Authentication' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Objective-C

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"client_id": @"YOUR_CLIENT_ID",
                              @"email": @"",
                              @"connection": @"Username-Password-Authentication" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/dbconnections/change_password"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];

PHP

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/dbconnections/change_password",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => array(
    "content-type: application/json"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

Python

import http.client

# The connection takes only the host; the endpoint path goes in the request.
conn = http.client.HTTPSConnection("YOUR_AUTH0_DOMAIN")

payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

headers = { 'content-type': "application/json" }

conn.request("POST", "/dbconnections/change_password", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

Ruby

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://YOUR_AUTH0_DOMAIN/dbconnections/change_password")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; VERIFY_NONE would let an interposed host
# read the request and answer in Auth0's place.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request.body = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.read_body

Swift

import Foundation

let headers = ["content-type": "application/json"]
let parameters: [String: Any] = [
  "client_id": "YOUR_CLIENT_ID",
  "email": "",
  "connection": "Username-Password-Authentication"
]

let postData = try! JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://YOUR_AUTH0_DOMAIN/dbconnections/change_password")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) in
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()

Custom Database

If your connection is a custom database and the user exists in that database, call the Authentication API change password endpoint described above.

If the POST call is successful, the user receives an email containing a link to reset their password.

Clicking the link will send the user to a password reset page.

The reset password link in the email is valid for one use only, and it must be used before the time specified in the URL Lifetime field elapses. Modify the URL Lifetime field in the Dashboard where you customize the Change Password email. See the Change User Password for DB Connections Authentication API endpoint for more information.

Using the Management API

To reset a user's password using the Management API, make a PATCH call to the Update a User endpoint. The call must be authenticated with a Management API Access Token, sent as a Bearer token in the Authorization header.

Users will not receive notification that their password has been manually changed.


cURL

curl --request PATCH \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID' \
  --header 'authorization: Bearer YOUR_MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"password": "NEW_PASSWORD","connection": "Username-Password-Authentication"}'

C#

var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID");
var request = new RestRequest(Method.PATCH);
request.AddHeader("authorization", "Bearer YOUR_MGMT_API_ACCESS_TOKEN");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

Go

package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID"

	payload := strings.NewReader("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")

	req, err := http.NewRequest("PATCH", url, payload)
	if err != nil {
		log.Fatal(err)
	}

	// The Management API rejects unauthenticated calls.
	req.Header.Add("authorization", "Bearer YOUR_MGMT_API_ACCESS_TOKEN")
	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// Without this check a failed request leaves res nil and the
		// deferred Close below panics.
		log.Fatal(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))

}

Java

HttpResponse<String> response = Unirest.patch("https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID")
  .header("authorization", "Bearer YOUR_MGMT_API_ACCESS_TOKEN")
  .header("content-type", "application/json")
  .body("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")
  .asString();

jQuery

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID",
  "method": "PATCH",
  "headers": {
    "authorization": "Bearer YOUR_MGMT_API_ACCESS_TOKEN",
    "content-type": "application/json"
  },
  "processData": false,
  "data": "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Node.js

var request = require("request");

var options = { method: 'PATCH',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID',
  headers: {
    'authorization': 'Bearer YOUR_MGMT_API_ACCESS_TOKEN',
    'content-type': 'application/json' },
  body:
   { password: 'NEW_PASSWORD',
     connection: 'Username-Password-Authentication' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Objective-C

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer YOUR_MGMT_API_ACCESS_TOKEN",
                           @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"password": @"NEW_PASSWORD",
                              @"connection": @"Username-Password-Authentication" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];

PHP

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_POSTFIELDS => "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => array(
    "authorization: Bearer YOUR_MGMT_API_ACCESS_TOKEN",
    "content-type: application/json"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

Python

import http.client

# The connection takes only the host; the endpoint path goes in the request.
conn = http.client.HTTPSConnection("YOUR_AUTH0_DOMAIN")

payload = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

headers = {
    'authorization': "Bearer YOUR_MGMT_API_ACCESS_TOKEN",
    'content-type': "application/json"
}

conn.request("PATCH", "/api/v2/users/USER_ID", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

Ruby

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; VERIFY_NONE would expose the token and the
# new password to an interposed host.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Patch.new(url)
request["authorization"] = 'Bearer YOUR_MGMT_API_ACCESS_TOKEN'
request["content-type"] = 'application/json'
request.body = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.read_body

Swift

import Foundation

let headers = [
  "authorization": "Bearer YOUR_MGMT_API_ACCESS_TOKEN",
  "content-type": "application/json"
]
let parameters: [String: Any] = [
  "password": "NEW_PASSWORD",
  "connection": "Username-Password-Authentication"
]

let postData = try! JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) in
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()
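The two calls described above (the Authentication API reset e-mail and the Management API password PATCH) built as inspectable request objects, as an added example that is not Auth0's own code. The domain, client ID, Management API token, user ID and password are constructed placeholders; the minimum-length check is a local sanity check, not the tenant's password policy.

```javascript
// Added example, not Auth0's own code: build the two requests this page
// describes as plain objects so they can be inspected before fetch() sends
// them. Domain, client ID, token, user ID and password are constructed
// placeholders.
const DOMAIN = "YOUR_AUTH0_DOMAIN";
const CLIENT_ID = "YOUR_CLIENT_ID";
const CONNECTION = "Username-Password-Authentication";

// Authentication API: have Auth0 e-mail a one-time reset link. No token is
// needed, which is why the address is validated here before anything is sent.
function buildResetEmailRequest(email) {
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    throw new Error("refusing to request a reset for a malformed address");
  }
  return {
    url: `https://${DOMAIN}/dbconnections/change_password`,
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ client_id: CLIENT_ID, email, connection: CONNECTION }),
  };
}

// Management API: set the password directly. Requires a Management API
// Access Token (placeholder). Database user IDs look like "auth0|<id>", so
// the pipe must be percent-encoded or the path is malformed.
function buildSetPasswordRequest(mgmtToken, userId, newPassword) {
  if (!mgmtToken) throw new Error("a Management API token is required");
  // Local sanity check only; the tenant's password policy is enforced server-side.
  if (typeof newPassword !== "string" || newPassword.length < 8) {
    throw new Error("new password is too short");
  }
  return {
    url: `https://${DOMAIN}/api/v2/users/${encodeURIComponent(userId)}`,
    method: "PATCH",
    headers: {
      authorization: `Bearer ${mgmtToken}`,
      "content-type": "application/json",
    },
    body: JSON.stringify({ password: newPassword, connection: CONNECTION }),
  };
}

// Send a built request (Node 18+ global fetch). Only status and response text
// are returned; the request body is never logged because it may hold a password.
async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return { status: res.status, text: await res.text() };
}
```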

Generating Password Reset Tickets

For the Password Reset Universal Login Page (ULP) screen, you can call the ticket endpoint, which generates a URL to the ULP. You can use the generated URL to redirect the user from your site after a separate validation of your own, or send the URL in a custom email if the default password reset email is not appropriate. Either way, the Password Reset ULP screen is rendered, and after a successful reset the user is redirected to the URL supplied when the ticket was generated.

Using Lock

Users can change their own passwords using the Lock screen.

  1. The user clicks on the Don't remember your password? link on the Lock screen:

  2. The user enters their email address:

Notice

If you are using Lock version 8, the user will be asked, immediately after clicking the Don't remember your password? link on the Lock screen, to provide their email address and their new password. The user would then confirm this action via email.

However, this flow is not considered safe. We recommend that you upgrade to Lock 9 or later to utilize a more secure flow. To learn more about migrating Lock, see Vulnerable Password Flow.

The user will receive an email containing a link to reset the password:

  3. The user clicks the link in the email. The link sends the user to a password reset page where they can enter their new password:

After submitting the new password, the user will be able to log in with their new credentials:

Customizing Change Password Emails

You can change the content of the Change Password emails in the Emails > Templates section of the Dashboard. Select the Change Password template to edit the email fields:

Email templates can only be changed for those not using Auth0's built-in email provider. For more information, please see: Customizing Your Emails.

Manually Set Users' Passwords

Users will not receive notification that their password has been manually changed.

Anyone with administrative privileges to your Auth0 tenant can manually change a user's password in the Users section of the Dashboard.

  1. Click on the username to select the user for whom you want to change the password.

  2. Click on the Actions button on the right side of the page, and select Change Password.

  3. Enter the new password and click Save.

Change Password Expiration Settings using Rules

You can use a rule to set a password expiration period.

  1. Go to Dashboard > Rules.
  2. Click + Create Rule.
  3. Click the template Check Last Password Reset.
  4. Modify the script according to your requirements and click Save.
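An added example of what such a rule can look like once modified; it is not the Dashboard's Check Last Password Reset template itself. It assumes the rules profile fields user.last_password_reset and user.created_at, the context field connectionStrategy (with the value "auth0" for database connections), and the sandbox global UnauthorizedError, none of which this page shows; the 90-day limit is a policy value chosen for the example.

```javascript
// Added example of a password-expiration rule, not the Dashboard's own
// "Check Last Password Reset" template. Assumed (not on this page): the rules
// profile fields user.last_password_reset / user.created_at, the context field
// connectionStrategy ("auth0" for database connections), and the sandbox global
// UnauthorizedError; the stub below exists only so the file runs in plain Node.
const UnauthorizedError =
  globalThis.UnauthorizedError || class UnauthorizedError extends Error {};

const MAX_AGE_DAYS = 90; // policy value chosen for this example
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Age of the current password in whole days, falling back to account creation
// when the user has never reset it. Returns null if no usable timestamp exists.
function passwordAgeDays(user, nowMs) {
  const since = user.last_password_reset || user.created_at;
  const sinceMs = since ? Date.parse(since) : NaN;
  if (Number.isNaN(sinceMs)) return null;
  return Math.floor((nowMs - sinceMs) / MS_PER_DAY);
}

// Fails closed: a profile with no parseable timestamp is treated as expired,
// so a malformed record cannot bypass the policy.
function isPasswordExpired(user, nowMs, maxAgeDays = MAX_AGE_DAYS) {
  const age = passwordAgeDays(user, nowMs);
  return age === null || age > maxAgeDays;
}

// The rule itself, in the function(user, context, callback) shape rules use.
function checkLastPasswordReset(user, context, callback) {
  // Social and enterprise users have no Auth0-managed password to expire
  // (see the note on database connections above), so let them through.
  if (context.connectionStrategy !== "auth0") {
    return callback(null, user, context);
  }
  if (isPasswordExpired(user, Date.now())) {
    return callback(new UnauthorizedError(
      "Your password has expired. Please reset it before signing in."));
  }
  return callback(null, user, context);
}
```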