
Change Users' Passwords

This article covers how to reset a user's password. If you are trying to configure the custom Password Reset page for your tenant, see Password Reset Page. If you are a user of Auth0 and are trying to reset the password to your Auth0 account, see Reset Your Auth0 Account Password.

There are two basic methods of changing a password: triggering an interactive password reset flow, or directly setting the new password.

You can only change passwords for users signing in using database connections. Users signing in using social or enterprise connections need to reset their passwords with the relevant identity provider.

Trigger an interactive password reset flow

An interactive password reset flow can be triggered in three ways, depending on your use case:

  • Universal Login Page: If your app uses Universal Login, the user uses the Lock widget on the Login screen to trigger a password reset email.
  • Authentication API: Send a POST call to the Authentication API to send a password reset email to the user.

Use Universal Login

If your application is using Universal Login, the user will be able to trigger a password reset from the login page. With the New Universal Login Experience, the user will click the Don't remember your password? link and then enter their email address.

This will fire off a POST request to Auth0 that will trigger the password reset process. Once the password reset has been triggered, the user will now receive a password reset email.

Use the Authentication API

If your application uses an interactive password reset flow using the Authentication API, make a POST call specifying the email address of the user account whose password you would like to reset in the email field. The email field is left empty in the samples below and must be filled in before the request is sent. If the call is successful, the user will receive an email prompting them to change their password.

If you're calling this from the browser, don't forget to add your URL to the Allowed Web Origins list in the Dashboard.


# Ask Auth0 to email a password-reset link to a database-connection user.
# "email" is blank in this template; set it to the account's address before sending.
curl -X POST 'https://YOUR_DOMAIN/dbconnections/change_password' \
  -H 'content-type: application/json' \
  -d '{"client_id": "YOUR_CLIENT_ID","email": "","connection": "Username-Password-Authentication"}'
// Request a password-reset email for a database-connection user (RestSharp).
// The "email" field is blank in this template; set it to the account's address.
const string endpoint = "https://YOUR_DOMAIN/dbconnections/change_password";
const string jsonBody = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}";

var client = new RestClient(endpoint);
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
// The JSON document is sent verbatim as the request body.
request.AddParameter("application/json", jsonBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

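// main asks Auth0 to send a password-reset email for a database-connection
// user, then prints the HTTP response and its body.
func main() {
	url := "https://YOUR_DOMAIN/dbconnections/change_password"

	// "email" is blank in this template; set it to the account's address.
	payload := strings.NewReader("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}")

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		fmt.Println("building request:", err)
		return
	}

	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// res is nil when Do fails, so it must not be closed or read.
		fmt.Println("sending request:", err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println("reading response:", err)
		return
	}

	fmt.Println(res)
	fmt.Println(string(body))
}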
// Request a password-reset email for a database-connection user (Unirest).
// The "email" field is blank in this template; set it to the account's address.
String endpoint = "https://YOUR_DOMAIN/dbconnections/change_password";
String jsonBody = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}";

HttpResponse<String> response = Unirest.post(endpoint)
  .header("content-type", "application/json")
  .body(jsonBody)
  .asString();
var request = require("request");

// JSON body for the change_password endpoint. "email" is blank in this
// template; set it to the account's address before sending.
var payload = {
  client_id: 'YOUR_CLIENT_ID',
  email: '',
  connection: 'Username-Password-Authentication'
};

// json: true makes the library serialize the body and parse the reply as JSON.
var options = {
  method: 'POST',
  url: 'https://YOUR_DOMAIN/dbconnections/change_password',
  headers: {'content-type': 'application/json'},
  body: payload,
  json: true
};

// Rethrow transport errors; otherwise print the response body.
function handleResponse(error, response, body) {
  if (error) {
    throw new Error(error);
  }

  console.log(body);
}

request(options, handleResponse);
#import <Foundation/Foundation.h>

// Request a password-reset email for a database-connection user.
// @"email" is blank in this template; set it to the account's address.
NSDictionary *parameters = @{ @"client_id": @"YOUR_CLIENT_ID",
                              @"email": @"",
                              @"connection": @"Username-Password-Authentication" };
NSDictionary *headers = @{ @"content-type": @"application/json" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSURL *endpoint = [NSURL URLWithString:@"https://YOUR_DOMAIN/dbconnections/change_password"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:endpoint
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
request.HTTPMethod = @"POST";
request.allHTTPHeaderFields = headers;
request.HTTPBody = postData;

// Logs the transport error if there is one, otherwise the HTTP response object.
void (^logResult)(NSData *, NSURLResponse *, NSError *) = ^(NSData *data, NSURLResponse *response, NSError *error) {
    if (!error) {
        NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
        NSLog(@"%@", httpResponse);
        return;
    }
    NSLog(@"%@", error);
};

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:logResult];
// Data tasks are created suspended; resume starts the request.
[dataTask resume];
// Request a password-reset email for a database-connection user.
// "email" is blank in this template; set it to the account's address.
$options = [
  CURLOPT_URL => "https://YOUR_DOMAIN/dbconnections/change_password",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => [
    "content-type: application/json"
  ],
];

$curl = curl_init();
curl_setopt_array($curl, $options);

// Read the error string before the handle is closed.
$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

echo $err ? "cURL Error #:" . $err : $response;
import http.client

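# Request a password-reset email for a database-connection user.
# HTTPSConnection takes the host name; the request target is only the path.
# An empty host with "/YOUR_DOMAIN/..." as the path cannot reach the tenant.
conn = http.client.HTTPSConnection("YOUR_DOMAIN")

# "email" is blank in this template; set it to the account's address.
payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

headers = { 'content-type': "application/json" }

conn.request("POST", "/dbconnections/change_password", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))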
require 'uri'
require 'net/http'
require 'openssl'

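# Request a password-reset email for a database-connection user.
url = URI("https://YOUR_DOMAIN/dbconnections/change_password")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Keep certificate verification on. VERIFY_NONE accepts any certificate, so
# the client cannot tell the real tenant from a host intercepting the request.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
# "email" is blank in this template; set it to the account's address.
request.body = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.read_body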
import Foundation

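// Request a password-reset email for a database-connection user.
let headers = ["content-type": "application/json"]
// "email" is blank in this template; set it to the account's address.
let parameters: [String: Any] = [
  "client_id": "YOUR_CLIENT_ID",
  "email": "",
  "connection": "Username-Password-Authentication"
]

// data(withJSONObject:options:) throws, so the call has to be marked with try.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://YOUR_DOMAIN/dbconnections/change_password")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
  // Unwrap before printing so the output is the value, not "Optional(...)".
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()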

Custom Database

If your Connection is a custom database and the user exists in the database, invoke the Authentication API for changePassword.

Once the password reset has been triggered, the user will now receive a password reset email.

Password reset emails

Regardless of how the password reset process was triggered, the user receives an email containing a link to reset their password.

Clicking the link will send the user to the password reset page.

After the user submits the new password, a confirmation appears stating that they can now log in with their new credentials:

The reset password link in the email is valid for one use only, and it must be used before the time specified in the URL Lifetime field elapses. You can modify the URL Lifetime field in the Dashboard where you customize the Change Password email. See the Change User Password for DB Connections Authentication API endpoint for more information.

If multiple password reset emails are requested, only the password link in the most recent email will be valid.

Customize Change Password Emails

You can change the content of the Change Password emails in the Emails > Templates section of the Dashboard. Select the Change Password template to edit the email fields.

Email templates can only be changed for those not using Auth0's built-in email provider. For more information, please see: Customizing Your Emails.

Generate Password Reset Tickets

The Management API v2 provides an additional endpoint, Generate a password reset ticket, which will generate a URL similar to the one that users receive in the password reset email message. You can use the generated URL if the email delivery method is not appropriate. Keep in mind that in the default flow the email delivery is used as a way to verify the identity of the user (an impostor wouldn't have access to the email inbox), so if you use the ticket URL, the application is responsible for verifying the identity of the user in some other way.

In the Classic Universal Login Experience you can configure a URL to redirect users to after they complete the password reset. The URL will receive a success indicator and a message. The New Experience will redirect the users to the default login route when it succeeds, and will handle the error cases as part of the Universal Login flow. The Redirect URL in the email template will be ignored.

Directly set the new password

There are also two ways of directly setting a new password for the user rather than sending a password reset email:

  • Management API: Send a PATCH call to the Management API to update the user's password manually.
  • Dashboard: Use the Users section of the Dashboard to manually change the user's password.

Use the Management API

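If you want to implement your own password reset flow, you can directly change a user's password from a server request to the Management API. To reset a user's password using the Management API, make a PATCH call to the Update a User endpoint. The request must carry a Management API access token (with the update:users scope) in its Authorization header, so send it only from your backend and never from a browser or mobile client.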

Users will not receive notification that their password has been manually changed.


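# Directly set a user's password through the Management API (server-side only).
# MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
# the Management API rejects requests that do not carry one.
# Both the token and the new password are visible in shell history and process
# listings when passed on the command line, so run this only on a trusted host.
curl --request PATCH \
  --url 'https://YOUR_DOMAIN/api/v2/users/USER_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"password": "NEW_PASSWORD","connection": "Username-Password-Authentication"}'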
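// Directly set a user's password through the Management API (RestSharp).
// Run this on the server only: the bearer token grants user-management rights.
var client = new RestClient("https://YOUR_DOMAIN/api/v2/users/USER_ID");
var request = new RestRequest(Method.PATCH);
// MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
// the Management API rejects requests that do not carry one.
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);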
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

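// main sets a user's password directly through the Management API, then
// prints the HTTP response and its body. Run it on the server only.
func main() {
	url := "https://YOUR_DOMAIN/api/v2/users/USER_ID"

	payload := strings.NewReader("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")

	req, err := http.NewRequest("PATCH", url, payload)
	if err != nil {
		fmt.Println("building request:", err)
		return
	}

	// MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
	// the Management API rejects requests that do not carry one.
	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// res is nil when Do fails, so it must not be closed or read.
		fmt.Println("sending request:", err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println("reading response:", err)
		return
	}

	fmt.Println(res)
	fmt.Println(string(body))
}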
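// Directly set a user's password through the Management API (Unirest).
// MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
// the Management API rejects requests that do not carry one. Server-side only.
HttpResponse<String> response = Unirest.patch("https://YOUR_DOMAIN/api/v2/users/USER_ID")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
  .header("content-type", "application/json")
  .body("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")
  .asString();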
var request = require("request");

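// Directly set a user's password through the Management API.
// Run this in backend code only; the bearer token must never reach a browser.
var options = {
  method: 'PATCH',
  url: 'https://YOUR_DOMAIN/api/v2/users/USER_ID',
  headers: {
    // MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access
    // token; the Management API rejects requests that do not carry one.
    authorization: 'Bearer MGMT_API_ACCESS_TOKEN',
    'content-type': 'application/json'
  },
  body: {password: 'NEW_PASSWORD', connection: 'Username-Password-Authentication'},
  json: true
};

// Rethrow transport errors; otherwise print the response body.
request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});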
#import <Foundation/Foundation.h>

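// Directly set a user's password through the Management API.
// MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
// the Management API rejects requests that do not carry one. Because that
// token grants user-management rights, it should not ship inside a client app.
NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN",
                           @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"password": @"NEW_PASSWORD",
                              @"connection": @"Username-Password-Authentication" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/api/v2/users/USER_ID"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
// The handler logs the transport error if there is one, otherwise the HTTP response object.
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
// Data tasks are created suspended; resume starts the request.
[dataTask resume];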
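// Directly set a user's password through the Management API (server-side only).
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_DOMAIN/api/v2/users/USER_ID",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_POSTFIELDS => "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => array(
    // MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access
    // token; the Management API rejects requests that do not carry one.
    "authorization: Bearer MGMT_API_ACCESS_TOKEN",
    "content-type: application/json"
  ),
));

// Read the error string before the handle is closed.
$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}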
import http.client

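# Directly set a user's password through the Management API (server-side only).
# HTTPSConnection takes the host name; the request target is only the path.
# An empty host with "/YOUR_DOMAIN/..." as the path cannot reach the tenant.
conn = http.client.HTTPSConnection("YOUR_DOMAIN")

payload = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

# MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
# the Management API rejects requests that do not carry one.
headers = {
    'authorization': "Bearer MGMT_API_ACCESS_TOKEN",
    'content-type': "application/json"
}

conn.request("PATCH", "/api/v2/users/USER_ID", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))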
require 'uri'
require 'net/http'
require 'openssl'

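# Directly set a user's password through the Management API (server-side only).
url = URI("https://YOUR_DOMAIN/api/v2/users/USER_ID")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Keep certificate verification on. This request carries a bearer token and a
# new password; VERIFY_NONE would accept any certificate and hand both to
# whichever host answers the connection.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Patch.new(url)
# MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
# the Management API rejects requests that do not carry one.
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'
request["content-type"] = 'application/json'
request.body = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.read_body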
import Foundation

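// Directly set a user's password through the Management API.
// MGMT_API_ACCESS_TOKEN is a placeholder for a Management API access token;
// the Management API rejects requests that do not carry one. Because that
// token grants user-management rights, it should not ship inside a client app.
let headers = [
  "authorization": "Bearer MGMT_API_ACCESS_TOKEN",
  "content-type": "application/json"
]
let parameters: [String: Any] = [
  "password": "NEW_PASSWORD",
  "connection": "Username-Password-Authentication"
]

// data(withJSONObject:options:) throws, so the call has to be marked with try.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://YOUR_DOMAIN/api/v2/users/USER_ID")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
  // Unwrap before printing so the output is the value, not "Optional(...)".
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()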

Manually set users' passwords using the Dashboard

Users will not receive notification that their password has been manually changed.

Anyone with administrative privileges to your Auth0 tenant can manually change a user's password in the Users section of the Dashboard.

  1. Click on the username to select the user for whom you want to change the password.
  2. Scroll down to the bottom of the user page, then click on the red CHANGE button in the red Change Password box.
  3. Enter the new password, and click Save.