Change Users' Passwords
This information applies to those using Change Password flow v2. If you are using the old Change Password flow or Lock 8, check the notice panels like this one for information on differences between the two flows.
To determine the flow you are using, navigate to Dashboard > Tenant Settings > Advanced to check if the Change Password flow v2 toggle is enabled. If it is, use Lock 9+. If not, use an older version of Lock to trigger the old Change Password flow.
We strongly encourage you to enable Change Password flow v2. To learn more about the vulnerability and migration, please see Vulnerable Password Flow. To learn more about migrating to Lock 11, please take a look at the Lock 11 Migration Guide.
There are two basic methods of changing a password:
- an interactive password reset flow where the user receives an email with a link that opens an Auth0 hosted page to enter the new password.
- directly setting the new password either using the Management API v2 or the Dashboard.
Trigger an interactive password reset flow
An interactive password reset flow can be triggered in two ways:
- Authentication API: Send a POST call to the Authentication API to send a password reset email to the user.
- Lock: The user uses the Lock login screen to trigger a password reset email.
Use the Authentication API
To start an interactive password reset flow using the Authentication API, make a POST call specifying the email address of the user account whose password you would like to reset in the
If your Connection is a custom database and the user exists in the database, invoke the Authentication API for
If the POST call is successful, the user receives an email containing a link to reset their password.
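The call described above, as an added example that is not part of the Auth0 documentation: a small Node.js helper that builds the POST to the Authentication API's change_password endpoint (the tenant domain, client id and connection name are placeholders you replace) and sends it with an injectable fetch so the payload can be inspected offline. Whatever the upstream response says, the helper returns the same neutral result to its caller, so nothing in your own UI reveals whether an address is registered.

```javascript
// Added example (not Auth0's own code): start the interactive password reset
// flow by calling POST /dbconnections/change_password on the tenant.
// Assumptions: Node.js 18+ (global fetch); the three values below are placeholders.
const TENANT_DOMAIN = 'YOUR_TENANT.auth0.com';            // placeholder
const CLIENT_ID = 'YOUR_CLIENT_ID';                       // placeholder
const DB_CONNECTION = 'Username-Password-Authentication'; // default DB connection name

// Build the request without sending it, so the payload can be inspected or tested.
function buildChangePasswordRequest(email, {
  domain = TENANT_DOMAIN, clientId = CLIENT_ID, connection = DB_CONNECTION,
} = {}) {
  // Minimal syntactic check only; Auth0 decides whether the address maps to a user.
  if (typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    throw new TypeError('email must be a syntactically valid address');
  }
  return {
    url: `https://${domain}/dbconnections/change_password`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ client_id: clientId, email, connection }),
    },
  };
}

// Send the request. fetchImpl is injectable for offline exercise; in production
// leave it as the global fetch.
async function requestPasswordReset(email, opts = {}, fetchImpl = fetch) {
  const { url, options } = buildChangePasswordRequest(email, opts);
  const res = await fetchImpl(url, options);
  const upstream = await res.text();
  if (!res.ok) {
    // Record the failure server-side; never echo the upstream body to the end user.
    console.error(`change_password failed: HTTP ${res.status}: ${upstream}`);
    throw new Error(`change_password failed: HTTP ${res.status}`);
  }
  // Same answer regardless of the upstream text, so callers cannot use this
  // endpoint to probe which addresses exist in the connection.
  return { ok: true, message: 'If an account exists for that address, a reset email has been sent.' };
}
```

In the hosted flow the email round-trip is what proves the requester controls the mailbox; this helper only starts that flow and never learns or reveals the user's new password.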
Clicking the link will send the user to the customizable hosted password reset page.
After submitting the new password, a confirmation that the user will be able to log in with their new credentials appears:
Customize Change Password Emails
You can change the content of the Change Password emails in the Emails > Templates section of the Dashboard. Select the Change Password template to edit the email fields:
Email templates can only be changed for those not using Auth0's built-in email provider. For more information, please see: Customizing Your Emails.
Generate Password Reset Tickets
The Management API v2 provides an additional endpoint, Generate a password reset ticket, which will generate a URL similar to the one that users receive in the password reset email message. You can use the generated URL if the email delivery method is not appropriate. Keep in mind that in the default flow the email delivery is used as a way to verify the identity of the user (an impostor wouldn't have access to the email inbox), so if you use the ticket URL, the application is responsible for verifying the identity of the user in some other way.
Use Lock
Users can start the password reset flow on their own by using the Lock widget.
- The user clicks on the Don't remember your password? link on the Lock screen:
- The user enters their email address:
If you are using Lock version 8, the user will be asked, immediately after clicking the Don't remember your password? link on the Lock screen, to provide their email address and their new password. The user would then confirm this action via email.
However, this flow is not considered safe. We recommend that you upgrade to Lock 9 or later to utilize a more secure flow. To learn more about migrating to Lock, see Vulnerable Password Flow.
The user will receive an email containing a link to reset the password, and the flow continues exactly as if the Authentication API method was used.
Directly set the new password
There are two ways of directly setting a new password for the user:
- Management API: Send a PATCH call to the Management API to update the user's password manually.
- Dashboard: Use the Users section of the Dashboard to manually change the user's password.
Use the Management API
If you want to implement your own password reset flow, you can directly change a user's password from a server request to the Management API. To reset a user's password using the Management API, make a PATCH call to the Update a User endpoint.
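The two Management API v2 calls this page describes, the PATCH to Update a User above and the password reset ticket from the Generate Password Reset Tickets section, as one added server-side example (not Auth0's own code). It assumes Node.js 18+, a Management API access token with the update:users and create:user_tickets scopes, and placeholder values for the tenant domain, user id and result URL. The ticket builder deliberately refuses to run unless the caller supplies evidence of its own identity check, which is the responsibility the page assigns to the application when the email step is skipped.

```javascript
// Added example (not Auth0's own code): Management API v2 requests for directly
// setting a password and for minting a password reset ticket.
// Assumptions: MGMT_TOKEN is a placeholder for a Management API token whose
// scopes include update:users and create:user_tickets; domain/ids are placeholders.
const TENANT_DOMAIN = 'YOUR_TENANT.auth0.com'; // placeholder
const MGMT_TOKEN = 'YOUR_MANAGEMENT_API_TOKEN'; // placeholder, load from a secret store

function mgmtRequest(domain, token, method, path, body) {
  return {
    url: `https://${domain}/api/v2${path}`,
    options: {
      method,
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Direct password change: PATCH /api/v2/users/{id} with password and connection.
// A minimum length is enforced here; Auth0 additionally applies the connection's
// password policy and rejects the call if the new value fails it.
function buildSetPasswordRequest(userId, newPassword, connection,
  { domain = TENANT_DOMAIN, token = MGMT_TOKEN } = {}) {
  if (typeof newPassword !== 'string' || newPassword.length < 12) {
    throw new RangeError('password must be at least 12 characters');
  }
  return mgmtRequest(domain, token, 'PATCH',
    `/users/${encodeURIComponent(userId)}`, { password: newPassword, connection });
}

// Password reset ticket: POST /api/v2/tickets/password-change. The ticket URL
// skips the email round-trip that normally proves who is asking, so this builder
// refuses to produce one unless the caller passes the result of its own
// verification step (verifiedBy), which is returned for audit logging.
function buildResetTicketRequest(userId,
  { resultUrl, ttlSec = 900, verifiedBy, domain = TENANT_DOMAIN, token = MGMT_TOKEN } = {}) {
  if (!verifiedBy) {
    throw new Error('refusing to mint a reset ticket without an out-of-band identity check');
  }
  const req = mgmtRequest(domain, token, 'POST', '/tickets/password-change',
    { user_id: userId, result_url: resultUrl, ttl_sec: ttlSec });
  // Audit record never includes the ticket URL or any password.
  return { ...req, audit: { userId, verifiedBy, ttlSec } };
}

// Send a built request; fetchImpl is injectable so the builders can be tested offline.
async function send({ url, options }, fetchImpl = fetch) {
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    throw new Error(`Management API ${options.method} ${url} failed: HTTP ${res.status}`);
  }
  return res.json();
}
```

Keep the Management API token on the server only: both calls let their holder change any user's password, so the token's scopes and the code path that uses them belong behind the same controls as the tenant's admin Dashboard.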
Manually Set Users' Passwords using the Dashboard
Anyone with administrative privileges to your Auth0 tenant can manually change a user's password in the Users section of the Dashboard.
- Click on the username to select the user for whom you want to change the password.
- Click on the Actions button on the right side of the page, and select Change Password.
- Enter the new password, and click Save.
Change Password Expiration Settings using Rules
You can use a rule to check for a password expiration period.
- Go to Dashboard > Rules.
- Click + Create Rule.
- Click the template Check Last Password Reset.
- Modify the script according to your requirements, and click Save.
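An added example of the kind of script the steps above produce; it is written here for this page and is not the Check Last Password Reset template itself. It assumes the Rules runtime, where UnauthorizedError is a global and the rule is called with (user, context, callback); the fallback error class and the optional fourth parameter exist only so the function can be exercised locally with constructed user objects. The 90-day limit is an assumed value.

```javascript
// Added example (not Auth0's template): deny login when a database user's
// password is older than a configured age. Paste the function body into the
// rule editor; the `now` parameter is only used for local testing.
function checkLastPasswordReset(user, context, callback, now = new Date()) {
  const PASSWORD_MAX_AGE_DAYS = 90; // assumed policy value
  // Rules runtime provides UnauthorizedError; the fallback is for running this offline.
  const Unauthorized = typeof UnauthorizedError !== 'undefined'
    ? UnauthorizedError
    : class UnauthorizedErrorFallback extends Error {};

  // Only database connections have Auth0-managed passwords; social and
  // enterprise identities have nothing to expire here, so let them through.
  if (context.connectionStrategy !== 'auth0') {
    return callback(null, user, context);
  }

  // Users who never reset their password have no last_password_reset; use created_at.
  const lastChange = user.last_password_reset || user.created_at;
  if (!lastChange) {
    // Neither timestamp present: fail closed instead of silently allowing.
    return callback(new Unauthorized('password age could not be determined'));
  }

  const ageDays = (now - new Date(lastChange)) / (1000 * 60 * 60 * 24);
  if (ageDays > PASSWORD_MAX_AGE_DAYS) {
    return callback(new Unauthorized(
      `Password is ${Math.floor(ageDays)} days old; please reset it before logging in`));
  }
  return callback(null, user, context);
}
```

Returning an UnauthorizedError ends the login with that message, so the user is pushed into the interactive reset flow described earlier on this page rather than being allowed through with a stale password.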