Invalidate Password when Sending Password Reset Email
Sep 10, 2025
Overview
Is it possible to invalidate a user's current password when the user requests a password reset? This way, they are unable to log in with the existing password until they have completed the reset process.
Solution
One possible solution is to manage the reset flow from your own backend. This would involve a custom button that, when clicked, sets the user's password to a random, high-entropy value (one that cannot realistically be guessed or brute-forced) and then sends the password reset email.
Here's what the flow would look like:
- User clicks the custom reset password button, which fires a request to a custom service's backend.
- The service updates the user's password to a random value via the Management API (the access token needs the update:users scope; see Use the Management API). The user ID must be URL-encoded in the path.
curl --request PATCH \
--url 'https://{yourDomain}/api/v2/users/{userId}' \
--header 'authorization: Bearer {yourMgmtApiAccessToken}' \
--header 'content-type: application/json' \
--data '{"password": "{randomHighEntropyPassword}","connection": "{connectionName}"}'
This prevents the user from authenticating with their old password.
- The service then sends the password reset email using the Authentication API (see Authentication API). This endpoint is public: it takes the client_id in the body rather than a bearer token, and the connection must be the same database connection used in step 2.
curl --request POST \
--url 'https://{yourDomain}/dbconnections/change_password' \
--header 'content-type: application/json' \
--data '{"client_id": "{yourClientId}","email": "{userEmail}","connection": "{connectionName}"}'
- The user can only log in once they click the link and choose a new password, because the value set in step 2 is unknown to them. Send the email only after the Management API call has succeeded, and treat a failure of the email request as urgent: at that point the old password is already gone and the user is locked out until the request is retried successfully.
This assumes, however, that the caller has been authenticated in some other manner, so there is reasonable certainty that it is not someone else issuing the reset. If anyone can trigger this flow for an arbitrary email address, it becomes a vector for locking any user out at will.
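The backend side of the flow above (the authenticated-caller guard, the password rotation, then the reset email) as an added example, not Auth0's own code or part of the original article. It assumes the service already holds a tenant domain, a Management API token with the update:users scope, a client_id and the database connection name; the HTTP transport is injected so the ordering and failure handling can be exercised offline with the constructed FakeTransport.

```python
"""Added example (not Auth0's code) of the backend flow described above. Assumed:
the service holds an Auth0 domain, a Management API token with the update:users
scope, a client_id and the database connection name; HTTP is injected so the
flow can be exercised offline with the FakeTransport below."""
import json
import secrets
import string
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import quote

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 64) -> str:
    """CSPRNG throwaway password (~6.5 bits/char, 64 chars). Every character class
    is required so a strict connection password policy also accepts it."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


@dataclass(frozen=True)
class Auth0Config:          # all four values are assumed configuration
    domain: str             # e.g. your-tenant.us.auth0.com
    mgmt_token: str         # Management API token with update:users
    client_id: str          # client whose reset email template is used
    connection: str         # database connection the user belongs to


class ResetError(RuntimeError):
    """password_rotated=True means the user is already locked out and the email
    request must be retried; False means nothing changed for the user."""
    def __init__(self, message: str, password_rotated: bool):
        super().__init__(message)
        self.password_rotated = password_rotated


def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, json_body) -> (status, raw_body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class FakeTransport:
    """Offline stand-in (constructed for this example): records calls, replies
    with scripted HTTP status codes."""
    def __init__(self, statuses):
        self.statuses, self.calls = list(statuses), []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return self.statuses.pop(0), b"{}"


def invalidate_and_send_reset(cfg, user_id, email, transport, caller_is_authenticated):
    """Steps 2 and 3 of the article, in order; returns True on success."""
    # Caveat from the article: without this guard anyone who knows an email
    # address could lock that user out at will.
    if not caller_is_authenticated:
        raise PermissionError("reset must be initiated by an authenticated caller")

    # Step 2: overwrite the current password with a throwaway value that is
    # neither stored nor returned. IDs like auth0|abc123 must be URL-encoded.
    status, body = transport(
        "PATCH",
        f"https://{cfg.domain}/api/v2/users/{quote(user_id, safe='')}",
        {"authorization": f"Bearer {cfg.mgmt_token}", "content-type": "application/json"},
        {"password": random_password(), "connection": cfg.connection},
    )
    if status != 200:
        # Nothing changed for the user: do not send a reset email for a
        # password that was not rotated.
        raise ResetError(f"password rotation failed: HTTP {status} {body[:200]!r}", False)

    # Step 3: only now request the reset email via the public Authentication
    # API (client_id in the body, no bearer token, same connection as step 2).
    status, body = transport(
        "POST",
        f"https://{cfg.domain}/dbconnections/change_password",
        {"content-type": "application/json"},
        {"client_id": cfg.client_id, "email": email, "connection": cfg.connection},
    )
    if status != 200:
        # The old password is already gone, so the user stays locked out until
        # this request succeeds: surface it for retry/alerting.
        raise ResetError(f"reset email request failed after rotation: HTTP {status}", True)
    return True
```

For real use pass urllib_transport (or your HTTP client of choice) as the transport. Note that change_password answers with the same generic 200 whether or not the address belongs to a user, so a 200 means "accepted", not "delivered"; the ResetError flag tells the caller whether the user is now locked out and the email request must be retried.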