Changing a User's Password

Notice

This information applies to those using Change Password flow v2. If you are using the old Change Password flow or Lock v. 8, check the notice panels (like this one) for information on differences between the two flows.

To determine the flow version you are using, navigate to Dashboard > Account Settings > Advanced to check if the Change Password flow v2 toggle is enabled. If it is, use Lock version 9/10. If not, use an older version of Lock to trigger the old Change Password flow.

We strongly encourage you to enable Change Password flow v2 and upgrade to Lock version 9 and above. To learn more about the vulnerability and migration, please see Vulnerable Password Flow. To learn more about migrating to Lock 10, please take a look at the Lock 10 Migration Guide.

You can change your users' passwords using one of the following methods:

  • Authentication API: Send a POST call to the Authentication API to send a password reset email to the user.
  • Management API: Send a PATCH call to the Management API to update the user's password manually.
  • Lock: Use the Lock login screen to trigger a password reset email to the user.
  • Dashboard: Use the Users section of the Dashboard to manually change the user's password.

NOTE: You can only change passwords for users signing in using Database connections. Users signing in using Social or Enterprise connections need to reset their passwords with the appropriate system.

Using the Authentication API

To reset a user's password using the Authentication API, make a POST call specifying the email address of the user account whose password you would like to reset in the email field. If the call is successful, the user will receive an email prompting them to change their password.

cURL

curl --request POST \
  --url https://youraccount.auth0.com/dbconnections/change_password \
  --header 'content-type: application/json' \
  --data '{"client_id": "YOUR_CLIENT_ID","email": "","connection": "Username-Password-Authentication"}'

C#

using RestSharp;

var client = new RestClient("https://youraccount.auth0.com/dbconnections/change_password");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

Go

package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

func main() {
	url := "https://youraccount.auth0.com/dbconnections/change_password"
	payload := strings.NewReader(`{"client_id": "YOUR_CLIENT_ID","email": "","connection": "Username-Password-Authentication"}`)

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		panic(err)
	}
	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		panic(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}

Java

HttpResponse<String> response = Unirest.post("https://youraccount.auth0.com/dbconnections/change_password")
  .header("content-type", "application/json")
  .body("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}")
  .asString();

jQuery

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://youraccount.auth0.com/dbconnections/change_password",
  "method": "POST",
  "headers": {
    "content-type": "application/json"
  },
  "processData": false,
  "data": "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Node.js

var request = require("request");

var options = { method: 'POST',
  url: 'https://youraccount.auth0.com/dbconnections/change_password',
  headers: { 'content-type': 'application/json' },
  body:
   { client_id: 'YOUR_CLIENT_ID',
     email: '',
     connection: 'Username-Password-Authentication' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Objective-C

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"client_id": @"YOUR_CLIENT_ID",
                              @"email": @"",
                              @"connection": @"Username-Password-Authentication" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://youraccount.auth0.com/dbconnections/change_password"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];

PHP

<?php
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://youraccount.auth0.com/dbconnections/change_password",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => array(
    "content-type: application/json"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

Python

import http.client

conn = http.client.HTTPSConnection("youraccount.auth0.com")

payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

headers = { 'content-type': "application/json" }

conn.request("POST", "/dbconnections/change_password", payload, headers)

res = conn.getresponse()
data = res.read()

print(res.status)
print(data.decode("utf-8"))

Ruby

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://youraccount.auth0.com/dbconnections/change_password")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; VERIFY_NONE would silently accept a spoofed endpoint.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request.body = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.code
puts response.read_body

Swift

import Foundation

let headers = ["content-type": "application/json"]
let parameters: [String: Any] = [
  "client_id": "YOUR_CLIENT_ID",
  "email": "",
  "connection": "Username-Password-Authentication"
]

let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://youraccount.auth0.com/dbconnections/change_password")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) in
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()

Custom Database

If you have a custom database set up for your Connection and the user exists in the database, invoke the Authentication API for changePassword.

If the POST call is successful, the user will receive an email containing a link to reset their password.

Clicking the link will send the user to a password reset page.

NOTE: The reset password link in the email is valid for one use only, and it must be used before the time specified in the URL Lifetime field elapses. The URL Lifetime field can be modified in the Dashboard where you customize the Change Password email.

Please see the Change User Password for DB Connections Authentication API endpoint for more information.

Using the Management API

To reset a user's password using the Management API, make a PATCH call to the Update a User endpoint.

Notice

Users will not receive notification that their password has been manually changed.

The Management API is served from your tenant domain and every call needs a Management API bearer token (shown here as the placeholder YOUR_MGMT_API_TOKEN). USER_ID is the user's Auth0 id, URL-encoded (for example, auth0|... becomes auth0%7C...).

cURL

curl --request PATCH \
  --url 'https://youraccount.auth0.com/api/v2/users/USER_ID' \
  --header 'authorization: Bearer YOUR_MGMT_API_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"password": "NEW_PASSWORD","connection": "Username-Password-Authentication"}'

C#

using RestSharp;

var client = new RestClient("https://youraccount.auth0.com/api/v2/users/USER_ID");
var request = new RestRequest(Method.PATCH);
request.AddHeader("authorization", "Bearer YOUR_MGMT_API_TOKEN");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

Go

package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

func main() {
	url := "https://youraccount.auth0.com/api/v2/users/USER_ID"
	payload := strings.NewReader(`{"password": "NEW_PASSWORD","connection": "Username-Password-Authentication"}`)

	req, err := http.NewRequest("PATCH", url, payload)
	if err != nil {
		panic(err)
	}
	req.Header.Add("authorization", "Bearer YOUR_MGMT_API_TOKEN")
	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		panic(err)
	}

	fmt.Println(res.Status)
	fmt.Println(string(body))
}

Java

HttpResponse<String> response = Unirest.patch("https://youraccount.auth0.com/api/v2/users/USER_ID")
  .header("authorization", "Bearer YOUR_MGMT_API_TOKEN")
  .header("content-type", "application/json")
  .body("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")
  .asString();

jQuery

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://youraccount.auth0.com/api/v2/users/USER_ID",
  "method": "PATCH",
  "headers": {
    "authorization": "Bearer YOUR_MGMT_API_TOKEN",
    "content-type": "application/json"
  },
  "processData": false,
  "data": "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Node.js

var request = require("request");

var options = { method: 'PATCH',
  url: 'https://youraccount.auth0.com/api/v2/users/USER_ID',
  headers: { authorization: 'Bearer YOUR_MGMT_API_TOKEN',
             'content-type': 'application/json' },
  body:
   { password: 'NEW_PASSWORD',
     connection: 'Username-Password-Authentication' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Objective-C

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer YOUR_MGMT_API_TOKEN",
                           @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"password": @"NEW_PASSWORD",
                              @"connection": @"Username-Password-Authentication" };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://youraccount.auth0.com/api/v2/users/USER_ID"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];

PHP

<?php
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://youraccount.auth0.com/api/v2/users/USER_ID",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_POSTFIELDS => "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => array(
    "authorization: Bearer YOUR_MGMT_API_TOKEN",
    "content-type: application/json"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

Python

import http.client

# The Management API is served from the tenant domain, not from a separate host.
conn = http.client.HTTPSConnection("youraccount.auth0.com")

payload = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

headers = {
    'authorization': "Bearer YOUR_MGMT_API_TOKEN",
    'content-type': "application/json"
}

conn.request("PATCH", "/api/v2/users/USER_ID", payload, headers)

res = conn.getresponse()
data = res.read()

print(res.status)
print(data.decode("utf-8"))

Ruby

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://youraccount.auth0.com/api/v2/users/USER_ID")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; VERIFY_NONE would silently accept a spoofed endpoint.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Patch.new(url)
request["authorization"] = 'Bearer YOUR_MGMT_API_TOKEN'
request["content-type"] = 'application/json'
request.body = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.code
puts response.read_body

Swift

import Foundation

let headers = [
  "authorization": "Bearer YOUR_MGMT_API_TOKEN",
  "content-type": "application/json"
]
let parameters: [String: Any] = [
  "password": "NEW_PASSWORD",
  "connection": "Username-Password-Authentication"
]

let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://youraccount.auth0.com/api/v2/users/USER_ID")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request) { (data, response, error) in
  if let error = error {
    print(error)
  } else if let httpResponse = response as? HTTPURLResponse {
    print(httpResponse)
  }
}

dataTask.resume()

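The two API calls this page describes, the Authentication API reset-email POST and the Management API password PATCH, side by side in one added Python helper (example code, not Auth0's own). It assumes the tenant domain youraccount.auth0.com and placeholder ids and tokens; it rejects an empty email, percent-encodes the user id that goes in the path (Auth0 ids contain a "|"), and attaches the Management API bearer token that the PATCH needs but the samples above omit.

```python
import json
import urllib.parse
import urllib.request

DOMAIN = "youraccount.auth0.com"   # assumed tenant domain (placeholder)
DB_CONNECTION = "Username-Password-Authentication"


def reset_email_request(client_id, email, connection=DB_CONNECTION):
    """Authentication API: POST /dbconnections/change_password.
    Needs only the public client_id; Auth0 e-mails the user a one-use link."""
    if not email or "@" not in email:
        raise ValueError("an email address is required")
    return {
        "method": "POST",
        "url": f"https://{DOMAIN}/dbconnections/change_password",
        "headers": {"content-type": "application/json"},
        "body": {"client_id": client_id, "email": email, "connection": connection},
    }


def set_password_request(user_id, new_password, mgmt_token, connection=DB_CONNECTION):
    """Management API: PATCH /api/v2/users/{id}.  Sets the password outright,
    so it carries a Management API bearer token (assumed placeholder; the
    samples above omit it) and the user receives no notification."""
    if not user_id or not new_password:
        raise ValueError("user_id and new_password are required")
    # Auth0 user ids look like "auth0|5a1b..."; the "|" must be percent-encoded
    encoded_id = urllib.parse.quote(user_id, safe="")
    return {
        "method": "PATCH",
        "url": f"https://{DOMAIN}/api/v2/users/{encoded_id}",
        "headers": {"content-type": "application/json",
                    "authorization": f"Bearer {mgmt_token}"},
        "body": {"password": new_password, "connection": connection},
    }


def send(req, timeout=10):
    """Perform a prepared request; returns (HTTP status, response body)."""
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(req["url"], data=data,
                                      headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    print(json.dumps(reset_email_request("YOUR_CLIENT_ID", "user@example.com"), indent=2))
```

Running the file only prints the prepared reset request; pass the dictionaries to send() to actually call the tenant.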
Using Lock

Users can change their passwords using the Lock screen.

To begin the password change process, the user would click on the Don't remember your password? link on the Lock screen:

They would then enter their email address:

Notice

If you are using Lock version 8, the user will be asked, immediately after clicking the Don't remember your password? link on the Lock screen, to provide their email address and their new password. The user would then confirm this action via email.

However, this flow is not considered safe. We recommend that you upgrade to Lock 9 or later to utilize a more secure flow. To learn more about migrating Lock, see Vulnerable Password Flow.

The user will then receive an email containing a link to reset the password:

Clicking the link will send the user to a password reset page where they can enter their new password:

After submitting the new password, the user will be able to log in with their new credentials:

Manually Setting a User's Password

Notice

Users will not receive notification that their password has been manually changed.

You, or anyone with sufficient administrative privileges to your Auth0 account, can manually change a user's password in the Users section of the Dashboard.

Click on the name of the user for whom you want to change the password. Then, click on the Actions button on the right side of the page, and select Change Password.

Enter the new password and click Save.

Customizing the Change Password Email

You can change the content of the Change Password emails in the Emails > Templates section of the Dashboard. Select the Change Password Confirmation tab to edit the email fields:

NOTE: Email templates can only be changed for those not using Auth0's built-in email provider. For more information, please see: Customizing Your Emails.