"Suspicious request requires verification" Error on /dbconnections/change_password

Overview

This article explains why calling the /dbconnections/change_password endpoint through Postman fails when Bot Detection is enabled. With this configuration, the call returns the following error message.

Status Code 401 - Suspicious request requires verification

Applies To
  • Bot Detection
  • Change Password
  • Database Connection

Cause

The "Suspicious request requires verification" error occurs because enabling Bot Detection for the change password flow introduces a CAPTCHA challenge. This challenge is designed to be solved by a human through a visual interface.

Non-interactive clients, like Postman or server-side scripts, cannot render or complete the CAPTCHA challenge. As a result, the request is flagged as suspicious and blocked before the password change email is sent.

Solution

When Bot Detection is enabled, triggering the https://tenant.auth0.com/dbconnections/change_password endpoint requires a visual interface, because the user must complete a CAPTCHA before the password change email can be sent. Because this endpoint is public, attack protection applies to it to prevent abuse.

Essentially, for the Change Password flow to work with Bot Detection, the user needs a browser or application capable of displaying and allowing interaction with the CAPTCHA challenge.

Alternatives would be:

  1. Disable Bot Detection for the Password Reset Flow: in Security > Attack Protection > Bot Detection, under the Response section, set Enforce CAPTCHA for the password reset flow to Never. Please proceed with caution here, as the public endpoint is then open to abuse unless a reverse proxy is in place to provide additional monitoring.
  2. Switch to the Management API, where attack protection does not apply because the endpoints are secured. However, the behaviour is different: this generates a ticket URL that redirects the user to the change password Universal Login screens and does not send an email to the user, so the customer flows would also need to change to accommodate this behaviour.

If the use case requires the endpoint https://tenant.auth0.com/dbconnections/change_password to be used alongside Bot Detection with the password reset flow enabled, submit product feedback detailing the use case and requirements.
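As an added example (not Auth0's own code), the Python helpers below show both sides of this article: the public change_password call that a non-interactive client such as Postman makes, with the 401 Bot Detection reply turned into an explicit error, and the Management API password-change ticket alternative. The `post` transport parameter and the `BotDetectionBlocked` exception are this example's own; the endpoint paths, request fields and the `create:user_tickets` scope are Auth0's documented ones.

```python
import json
import urllib.error
import urllib.request

BOT_DETECTION_MESSAGE = "Suspicious request requires verification"


class BotDetectionBlocked(RuntimeError):
    """The public endpoint answered 401 with the Bot Detection CAPTCHA message."""


def urllib_post(url, headers, body):
    """Default transport: POST a JSON body and return (status, response_text)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # a non-2xx reply still carries a body
        return err.code, err.read().decode()


def request_change_password_email(domain, client_id, email, connection, post=urllib_post):
    """Public Authentication API call. From a non-interactive client this is the
    call that Bot Detection blocks with 401, since no CAPTCHA can be rendered."""
    status, text = post(f"https://{domain}/dbconnections/change_password", {},
                        {"client_id": client_id, "email": email, "connection": connection})
    if status == 401 and BOT_DETECTION_MESSAGE in text:
        raise BotDetectionBlocked(
            "Bot Detection requires a CAPTCHA this client cannot complete; "
            "use a browser-based flow or a Management API password-change ticket")
    if status != 200:
        raise RuntimeError(f"change_password failed: {status} {text}")
    return text  # Auth0 answers with a plain-text confirmation that the email was sent


def create_password_change_ticket(domain, mgmt_token, email, connection_id,
                                  result_url, ttl_sec=3600, post=urllib_post):
    """Management API alternative (token needs the create:user_tickets scope).
    Attack protection does not apply here; the reply holds a ticket URL that
    your own flow must deliver to the user, since Auth0 sends no email."""
    status, text = post(f"https://{domain}/api/v2/tickets/password-change",
                        {"Authorization": f"Bearer {mgmt_token}"},
                        {"email": email, "connection_id": connection_id,
                         "result_url": result_url, "ttl_sec": ttl_sec})
    if status != 201:
        raise RuntimeError(f"password-change ticket failed: {status} {text}")
    return json.loads(text)["ticket"]
```

Pass a custom `post` callable to exercise the error handling offline; with the default transport the functions talk to the tenant directly.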
