Change Users' Passwords

This topic describes different ways to reset the password for a user in your database. You can change passwords for users in your database connections only. Users signing in with social or enterprise connections must reset their passwords with the identity provider (such as Google or Facebook).

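There are two basic methods for changing a user's password: trigger an interactive password reset flow that sends the user a password reset email, or directly set the new password using the Management API or the Auth0 Dashboard.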

Resetting a user's password makes their session expire.

Not what you're looking for?

Trigger an interactive password reset flow

There are two ways to trigger an interactive password reset flow, depending on your use case: through the Universal Login page or the Authentication API.

Universal Login Page

If your application uses Universal Login, the user can use the Lock widget on the Login screen to trigger a password reset email. With the New Universal Login Experience, the user can click the Don't remember your password? link and then enter their email address. This fires off a POST request to Auth0 that triggers the password reset process. The user receives a password reset email.

Authentication API

If your application uses an interactive password reset flow through the Authentication API, make a POST call. In the email field, provide the email address of the user who needs to change their password. If the call is successful, the user receives a password reset email.

If you call the API from the browser, be sure the origin URL is allowed: Go to Auth0 Dashboard > Applications > Applications and add the URL to the Allowed Origins (CORS) list.

If your connection is a custom database, check to see if the user exists in the database before you invoke the Authentication API for changePassword.


# Ask Auth0 to send a password-reset email to the address given in "email".
# Replace YOUR_DOMAIN and YOUR_CLIENT_ID and fill in the user's email address.
curl -X POST \
  -H 'content-type: application/json' \
  -d '{"client_id": "YOUR_CLIENT_ID","email": "","connection": "Username-Password-Authentication"}' \
  'https://YOUR_DOMAIN/dbconnections/change_password'
// Ask Auth0 to send a password-reset email to the address placed in "email".
var resetEndpoint = new RestClient("https://YOUR_DOMAIN/dbconnections/change_password");
var resetRequest = new RestRequest(Method.POST);
string jsonBody = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}";
resetRequest.AddHeader("content-type", "application/json");
resetRequest.AddParameter("application/json", jsonBody, ParameterType.RequestBody);
IRestResponse response = resetEndpoint.Execute(resetRequest);
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

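// main asks Auth0 to send a password-reset email for the address in the
// "email" field of the JSON payload, then prints the response and its body.
func main() {

	url := "https://YOUR_DOMAIN/dbconnections/change_password"

	payload := strings.NewReader("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}")

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		fmt.Println("building request:", err)
		return
	}

	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// res is nil when Do fails; touching res.Body here would panic.
		fmt.Println("sending request:", err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println("reading response:", err)
		return
	}

	fmt.Println(res)
	fmt.Println(string(body))

}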
// Ask Auth0 to send a password-reset email to the address placed in "email".
String resetUrl = "https://YOUR_DOMAIN/dbconnections/change_password";
String resetPayload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}";
HttpResponse<String> response = Unirest.post(resetUrl)
  .header("content-type", "application/json")
  .body(resetPayload)
  .asString();
var axios = require("axios").default;

// Ask Auth0 to send a password-reset email to the address placed in `email`.
var resetUrl = 'https://YOUR_DOMAIN/dbconnections/change_password';
var resetBody = {
  client_id: 'YOUR_CLIENT_ID',
  email: '',
  connection: 'Username-Password-Authentication'
};
var requestConfig = {headers: {'content-type': 'application/json'}};

// Print the response payload on success.
function logResponseData(response) {
  console.log(response.data);
}

// Print the failure (network error or non-2xx status).
function logFailure(error) {
  console.error(error);
}

axios.post(resetUrl, resetBody, requestConfig).then(logResponseData).catch(logFailure);
#import <Foundation/Foundation.h>

// Ask Auth0 to send a password-reset email to the address placed in "email".
NSDictionary *parameters = @{ @"client_id": @"YOUR_CLIENT_ID",
                              @"email": @"",
                              @"connection": @"Username-Password-Authentication" };
NSDictionary *headers = @{ @"content-type": @"application/json" };

// Serialization errors are not inspected here (error:nil).
NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSURL *endpoint = [NSURL URLWithString:@"https://YOUR_DOMAIN/dbconnections/change_password"];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:endpoint
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
request.HTTPMethod = @"POST";
request.allHTTPHeaderFields = headers;
request.HTTPBody = postData;

// Log either the transport error or the HTTP response object.
NSURLSessionDataTask *dataTask =
    [[NSURLSession sharedSession] dataTaskWithRequest:request
                                    completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                        if (!error) {
                                            NSLog(@"%@", (NSHTTPURLResponse *)response);
                                        } else {
                                            NSLog(@"%@", error);
                                        }
                                    }];
[dataTask resume];
// Ask Auth0 to send a password-reset email to the address placed in "email".
$payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}";
$requestHeaders = [
  "content-type: application/json"
];

$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://YOUR_DOMAIN/dbconnections/change_password",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => $payload,
  CURLOPT_HTTPHEADER => $requestHeaders,
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

// Print the transport error if there was one, otherwise the response body.
echo $err ? "cURL Error #:" . $err : $response;
import http.client

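# Ask Auth0 to send a password-reset email to the address placed in "email".
# HTTPSConnection takes the tenant host only; the endpoint path belongs in
# request(). The original passed an empty host and put the domain in the path,
# so the connection had no server to reach.
conn = http.client.HTTPSConnection("YOUR_DOMAIN")

payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

headers = { 'content-type': "application/json" }

conn.request("POST", "/dbconnections/change_password", payload, headers)

res = conn.getresponse()
data = res.read()
conn.close()  # release the socket once the body has been read

print(data.decode("utf-8"))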
require 'uri'
require 'net/http'
require 'openssl'

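# Ask Auth0 to send a password-reset email to the address placed in "email".
url = URI("https://YOUR_DOMAIN/dbconnections/change_password")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. VERIFY_NONE would accept any certificate and
# let an on-path party read or alter this account-recovery request.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request.body = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.read_body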
import Foundation

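// Ask Auth0 to send a password-reset email to the address placed in "email".
let headers = ["content-type": "application/json"]
let parameters: [String: Any] = [
  "client_id": "YOUR_CLIENT_ID",
  "email": "",
  "connection": "Username-Password-Authentication"
]

// data(withJSONObject:options:) throws, so the call needs `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

// URLRequest is the value type URLSession expects; no NSMutableURLRequest bridging needed.
var request = URLRequest(url: URL(string: "https://YOUR_DOMAIN/dbconnections/change_password")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
  if let error = error {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse as Any)
  }
})

dataTask.resume()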

Password reset email

Regardless of how the password reset process was triggered, the user receives an email containing a link to reset their password.

Clicking the link sends the user to the password reset page.

After submitting the new password, the user sees confirmation that they can now log in with their new credentials.

Notes on password resets:

  • The reset password link in the email is valid for one use only.
  • If the user receives multiple password reset emails, only the password link in the most recent email is valid.
  • The URL Lifetime field determines how long the link is valid. From the Auth0 dashboard, you can customize the Change Password email and modify the link's lifetime.

In the Classic Universal Login Experience, you can configure a URL to redirect users to after they complete the password reset. The URL receives a success indicator and a message.

The New Experience redirects the user to the default login route when it succeeds, and handles the error cases as part of the Universal Login flow. This experience ignores the Redirect URL in the email template.

Generate Password Reset Tickets

The Management API v2 provides an additional endpoint, Generate a password reset ticket, that generates a URL like the one in the password reset email. You can use the generated URL when the email delivery method is not appropriate. Keep in mind that in the default flow, the email delivery verifies the identity of the user. (An impostor wouldn't have access to the email inbox.) If you use the ticket URL, your application is responsible for verifying the identity of the user in some other way.

Directly set the new password

To set a new password directly for the user without sending a password reset email, use either the Management API or the Auth0 Dashboard.

Users do not receive notification when you change their password.

Use the Management API

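If you want to implement your own password reset flow, you can directly change a user's password from a server request to the Management API: make a PATCH call to the Update a User endpoint. The call must be authorized with a Management API access token (with the update:users scope) sent as a Bearer token in the Authorization header, so make it only from your backend and never embed the token in browser or mobile code. URL-encode the user ID in the path, because Auth0 user IDs contain a "|" character.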


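# Set a user's password directly through the Management API (no reset email is sent).
# The endpoint requires a Management API access token; MGMT_API_ACCESS_TOKEN is a
# placeholder. Run this from a trusted server only.
# A password typed on the command line ends up in shell history and the process
# list; outside of a demo, read the JSON body from a file with --data @FILE.
curl --request PATCH \
  --url 'https://YOUR_DOMAIN/api/v2/users/USER_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"password": "NEW_PASSWORD","connection": "Username-Password-Authentication"}'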
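// Set a user's password directly through the Management API (no reset email is sent).
var client = new RestClient("https://YOUR_DOMAIN/api/v2/users/USER_ID");
var request = new RestRequest(Method.PATCH);
// The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is a
// placeholder; load the real token from server-side configuration, not source code.
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);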
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

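// main sets a user's password directly through the Management API (no reset
// email is sent), then prints the response and its body.
func main() {

	url := "https://YOUR_DOMAIN/api/v2/users/USER_ID"

	payload := strings.NewReader("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")

	req, err := http.NewRequest("PATCH", url, payload)
	if err != nil {
		fmt.Println("building request:", err)
		return
	}

	// The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is
	// a placeholder; load the real token from server-side configuration.
	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
	req.Header.Add("content-type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		// res is nil when Do fails; touching res.Body here would panic.
		fmt.Println("sending request:", err)
		return
	}
	defer res.Body.Close()

	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		fmt.Println("reading response:", err)
		return
	}

	fmt.Println(res)
	fmt.Println(string(body))

}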
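// Set a user's password directly through the Management API (no reset email is sent).
// The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is a
// placeholder; load the real token from server-side configuration.
HttpResponse<String> response = Unirest.patch("https://YOUR_DOMAIN/api/v2/users/USER_ID")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
  .header("content-type", "application/json")
  .body("{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}")
  .asString();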
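var axios = require("axios").default;

// Set a user's password directly through the Management API (no reset email is sent).
// Run this on a server only: the Management API token must never reach a browser.
var options = {
  method: 'PATCH',
  url: 'https://YOUR_DOMAIN/api/v2/users/USER_ID',
  headers: {
    // The Management API rejects unauthenticated calls; MGMT_API_ACCESS_TOKEN is a placeholder.
    authorization: 'Bearer MGMT_API_ACCESS_TOKEN',
    'content-type': 'application/json'
  },
  data: {password: 'NEW_PASSWORD', connection: 'Username-Password-Authentication'}
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  // Note: error.config holds the request headers and body, so logging the whole
  // error object can write the token and the new password to the log.
  console.error(error);
});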
#import <Foundation/Foundation.h>

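// Set a user's password directly through the Management API (no reset email is sent).
// The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is a
// placeholder; a Management API token should live on a backend, not inside a
// shipped application binary.
NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN",
                           @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"password": @"NEW_PASSWORD",
                              @"connection": @"Username-Password-Authentication" };

// Serialization errors are not inspected here (error:nil).
NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/api/v2/users/USER_ID"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
// Log either the transport error or the HTTP response object.
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];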
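// Set a user's password directly through the Management API (no reset email is sent).
$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://YOUR_DOMAIN/api/v2/users/USER_ID",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "PATCH",
  CURLOPT_POSTFIELDS => "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}",
  CURLOPT_HTTPHEADER => [
    // The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is
    // a placeholder; load the real token from server-side configuration.
    "authorization: Bearer MGMT_API_ACCESS_TOKEN",
    "content-type: application/json"
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}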
import http.client

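# Set a user's password directly through the Management API (no reset email is sent).
# HTTPSConnection takes the tenant host only; the endpoint path belongs in
# request(). The original passed an empty host and put the domain in the path,
# so the connection had no server to reach.
conn = http.client.HTTPSConnection("YOUR_DOMAIN")

payload = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

headers = {
    # The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is
    # a placeholder; load the real token from server-side configuration.
    'authorization': "Bearer MGMT_API_ACCESS_TOKEN",
    'content-type': "application/json",
}

conn.request("PATCH", "/api/v2/users/USER_ID", payload, headers)

res = conn.getresponse()
data = res.read()
conn.close()  # release the socket once the body has been read

print(data.decode("utf-8"))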
require 'uri'
require 'net/http'
require 'openssl'

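# Set a user's password directly through the Management API (no reset email is sent).
url = URI("https://YOUR_DOMAIN/api/v2/users/USER_ID")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. With VERIFY_NONE any certificate is accepted,
# so an on-path party could read the new password and the API token in transit.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Patch.new(url)
# The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is a
# placeholder; load the real token from server-side configuration.
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'
request["content-type"] = 'application/json'
request.body = "{\"password\": \"NEW_PASSWORD\",\"connection\": \"Username-Password-Authentication\"}"

response = http.request(request)
puts response.read_body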
import Foundation

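// Set a user's password directly through the Management API (no reset email is sent).
// The Management API rejects unauthenticated calls. MGMT_API_ACCESS_TOKEN is a
// placeholder; a Management API token should live on a backend, not inside a
// shipped application binary.
let headers = [
  "authorization": "Bearer MGMT_API_ACCESS_TOKEN",
  "content-type": "application/json"
]
let parameters: [String: Any] = [
  "password": "NEW_PASSWORD",
  "connection": "Username-Password-Authentication"
]

// data(withJSONObject:options:) throws, so the call needs `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

// URLRequest is the value type URLSession expects; no NSMutableURLRequest bridging needed.
var request = URLRequest(url: URL(string: "https://YOUR_DOMAIN/api/v2/users/USER_ID")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.httpBody = postData

let session = URLSession.shared
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
  if let error = error {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse as Any)
  }
})

dataTask.resume()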

Manually set users' passwords using the Auth0 Dashboard

Anyone with administrative privileges to your Auth0 tenant can manually change a user's password at Auth0 Dashboard > User Management > Users.

  1. Select the name of the user whose password you want to change.
  2. Locate the Danger Zone at the bottom of the page.
  3. In the red Change Password box, click CHANGE.
  4. Enter the new password and click Save.