Reset Password

POST /auth/reset-password

Consume a reset link and rewrite the user's password (SCRIFT-82).

On success, the response is a static 200 message and the client must redirect to /auth/login; we do not mint tokens here by design. Every refresh token for the user is revoked inside the same transaction as the password update (NIST SP 800-63B §5.1.1.2), so any previously issued session is dead the moment the response returns.

Errors (via exception_handlers):

  • 400 reset_token_invalid - the token's hash was not found
  • 400 reset_token_expired - past the 1h expires_at
  • 400 reset_token_already_used - second click, or the race-loser in the guarded mark_used UPDATE
  • 422 weak_password - fails AuthService.validate_password_strength
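The flow above, as an added example that is not the project's own code: a transactional reset consumer over an in-memory SQLite database that reproduces all four error codes, the guarded mark_used UPDATE (the `used_at IS NULL` predicate is what makes the race-loser fail), and the same-transaction revocation of refresh tokens. The table layout, the stand-in validate_password_strength rule, the hashing choices and the ResetError class are assumptions.

```python
"""Added example (not the project's own code). Schema, hashing and the
password-strength rule are assumptions chosen to illustrate the documented
behaviour of POST /auth/reset-password."""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

RESET_TTL = timedelta(hours=1)  # documented 1h expires_at window


class ResetError(Exception):
    """Carries the HTTP status and error code the exception handlers emit."""

    def __init__(self, status: int, code: str):
        super().__init__(code)
        self.status, self.code = status, code


def _token_hash(token: str) -> str:
    # Only the digest is stored; the raw token exists solely in the emailed link,
    # so a database read cannot be replayed as a reset link.
    return hashlib.sha256(token.encode()).hexdigest()


def _password_hash(password: str) -> str:
    # Salted PBKDF2 stand-in for whatever AuthService uses (assumption).
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def validate_password_strength(password: str) -> bool:
    # Stand-in for AuthService.validate_password_strength (assumption): 12+ chars.
    return len(password) >= 12


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, pw_hash TEXT);
        CREATE TABLE reset_tokens (
            token_hash TEXT PRIMARY KEY, user_id INTEGER,
            expires_at TEXT NOT NULL, used_at TEXT);
        CREATE TABLE refresh_tokens (
            id INTEGER PRIMARY KEY, user_id INTEGER, revoked INTEGER DEFAULT 0);
    """)
    return db


def issue_reset(db: sqlite3.Connection, user_id: int, now: datetime) -> str:
    """Create a reset token; returns the raw token that would go into the link."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?, NULL)",
               (_token_hash(token), user_id, (now + RESET_TTL).isoformat()))
    db.commit()
    return token


def reset_password(db: sqlite3.Connection, token: str, new_password: str,
                   now: datetime) -> dict:
    """Consume the reset link: 422 on weak password, 400 on bad/expired/used token."""
    if not validate_password_strength(new_password):
        raise ResetError(422, "weak_password")  # checked before the token is burned
    row = db.execute(
        "SELECT user_id, expires_at, used_at FROM reset_tokens WHERE token_hash = ?",
        (_token_hash(token),)).fetchone()
    if row is None:
        raise ResetError(400, "reset_token_invalid")
    user_id, expires_at, used_at = row
    if now > datetime.fromisoformat(expires_at):
        raise ResetError(400, "reset_token_expired")
    if used_at is not None:
        raise ResetError(400, "reset_token_already_used")
    try:
        # Guarded UPDATE: two concurrent consumers both pass the SELECT above, but
        # only one row-match succeeds here; the race-loser sees rowcount 0.
        cur = db.execute(
            "UPDATE reset_tokens SET used_at = ? WHERE token_hash = ? AND used_at IS NULL",
            (now.isoformat(), _token_hash(token)))
        if cur.rowcount != 1:
            raise ResetError(400, "reset_token_already_used")
        db.execute("UPDATE users SET pw_hash = ? WHERE id = ?",
                   (_password_hash(new_password), user_id))
        # Same transaction as the password write: no window where the new
        # password is live but old sessions still work.
        db.execute("UPDATE refresh_tokens SET revoked = 1 WHERE user_id = ?", (user_id,))
        db.commit()
    except Exception:
        db.rollback()
        raise
    # Static success body; no tokens minted here, client redirects to /auth/login.
    return {"status": 200, "message": "Password updated", "redirect": "/auth/login"}


def run_demo() -> dict:
    """Exercise every documented outcome with constructed data; returns what happened."""
    db = open_db()
    db.execute("INSERT INTO users VALUES (1, 'old-hash')")
    db.execute("INSERT INTO refresh_tokens (user_id) VALUES (1)")
    db.commit()
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    out = {}
    token = issue_reset(db, 1, now)
    out["success"] = reset_password(db, token, "correct-horse-battery", now)
    out["refresh_revoked"] = db.execute(
        "SELECT revoked FROM refresh_tokens WHERE user_id = 1").fetchone()[0]
    for name, tok, pw, when in [
        ("reuse", token, "correct-horse-battery", now),
        ("invalid", "not-a-real-token", "correct-horse-battery", now),
        ("expired", issue_reset(db, 1, now), "correct-horse-battery", now + timedelta(hours=2)),
        ("weak", issue_reset(db, 1, now), "short", now),
    ]:
        try:
            reset_password(db, tok, pw, when)
        except ResetError as e:
            out[name] = (e.status, e.code)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The expiry and already-used checks before the UPDATE exist only to give precise error codes; the UPDATE's `used_at IS NULL` guard is the actual correctness boundary, so a second request that slips past the SELECT still cannot rewrite the password twice.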
