
Forgot Password

POST /auth/forgot-password

Begin the password-reset flow (SCRIFT-82).

Always 202, regardless of whether the email matches a user - the response body is identical on both paths so a caller cannot enumerate registered addresses by inspecting responses or timing.

Rate limit: 3/hour per client IP (slowapi, keyed by slowapi.util.get_remote_address). Matches the /auth/resend-verification precedent - both are unauthenticated outbound-mail triggers and share the same abuse vector.

Errors never surface as 4xx, with one exception: a slowapi 429 when the IP exhausts the budget.
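The contract described above, as an added standard-library model (not the project's own code): a per-IP budget of 3 per hour is checked before any user lookup, and every accepted request gets the same 202 body. The class and constant names, the response bodies, the sliding-window limiter standing in for slowapi, and the deferred mail queue as the way to keep timing uniform are all assumptions.

```python
import time
from collections import defaultdict, deque

LIMIT, WINDOW = 3, 3600  # "3/hour per client IP", as stated on the page

# Constructed response bodies; the page does not give the real ones.
ACCEPTED = (202, {"detail": "If the address is registered, a reset email will be sent."})
TOO_MANY = (429, {"detail": "Rate limit exceeded"})


class ForgotPasswordModel:
    """Hypothetical model of the endpoint contract, not a slowapi integration."""

    def __init__(self, users, clock=time.monotonic):
        self.users = set(users)         # constructed user store
        self.clock = clock              # injectable so the window can be tested
        self.hits = defaultdict(deque)  # client IP -> timestamps of accepted requests
        self.outbox = []                # stand-in for a background mail queue

    def _allow(self, ip):
        now = self.clock()
        window = self.hits[ip]
        while window and now - window[0] >= WINDOW:
            window.popleft()            # forget requests older than one hour
        if len(window) >= LIMIT:
            return False
        window.append(now)
        return True

    def handle(self, ip, email):
        # The budget is keyed on the client IP only, so a 429 says nothing
        # about whether the submitted address is registered.
        if not self._allow(ip):
            return TOO_MANY
        # Assumption: the user lookup and mail send happen later, off the
        # request path, so both branches do the same work before responding.
        self.outbox.append(email.strip().lower())
        return ACCEPTED

    def drain(self):
        """Background worker step: only registered addresses get mail."""
        sent = [addr for addr in self.outbox if addr in self.users]
        self.outbox.clear()
        return sent
```
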

Request

Responses

Successful Response