Bulk Force Password Reset and Session Revocation for Compromised Accounts

Overview

Administrators may need to immediately invalidate existing sessions and force password resets for a large number of users identified as compromised during a security incident. This prevents further unauthorized access while analysis continues. Since the platform lacks a single endpoint for bulk password resets, this article explains how to programmatically address this issue by scripting against the Management and Authentication APIs.

Applies To

  • Management API
  • Authentication API
  • Compromised Accounts

Solution

Follow these steps to revoke access and enforce password changes for affected users. Scripting these API calls is recommended for bulk operations.

NOTE: When scripting changes for a large number of users, adhere to the Management API rate limits to prevent requests from being blocked.

  1. Invalidate Existing Sessions

To prevent further unauthorized access using current tokens, invalidate sessions and refresh tokens immediately.

  2. Force Password Resets

Once sessions are invalidated, trigger a password reset using one of the following methods:

    • Email via Authentication API: Make a POST call to the /dbconnections/change_password endpoint to send a reset email. Refer to database-connections/password-change for details.

    • Email via Management API: Create a password change ticket that sends a reset email using the tickets/post-password-change endpoint.

      • NOTE: For both email methods, the reset link is single-use, and only the most recently generated link remains valid.

    • Post Login Action: Set a custom value in a user's app_metadata (e.g., "force_reset": true). Create a Post Login Action to check for this value, deny access, and prompt the user to reset their password before logging in.

    • Direct Update: Set a new, random password via a PATCH call to the /api/v2/users/{id} endpoint. Users must then select the "I forgot my password" link on the login page to set a new password. Use this option with caution: set a different random password for each user being reset, and have a mechanism in place to confirm the user has actually changed it; otherwise, new attack vectors may be introduced inadvertently.
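As an added example that is not part of this article, the following Node.js script carries steps 1 and 2 through for a list of user IDs and ships the Post Login Action that enforces the app_metadata flag. The Management API v2 endpoint paths, the X-RateLimit-Reset header, and the request body fields used here are assumptions taken from the Management API reference rather than from this article (confirm them against your tenant's API documentation); the user IDs, the in-memory fake API and the `request` callback are constructed so the logic can be exercised offline. A real `request` implementation would add the Management API bearer token and the scopes needed to delete sessions, delete refresh tokens, update users and create tickets.

```javascript
// Added example (not code from the original article). Scripts step 1 (revoke
// sessions and refresh tokens) and step 2 (flag the account, send a reset
// email) against Management API v2 with rate-limit back-off, plus the matching
// Post Login Action. Assumed endpoint paths (verify against the API reference):
//   DELETE /api/v2/users/{id}/sessions        DELETE /api/v2/users/{id}/refresh-tokens
//   PATCH  /api/v2/users/{id}                 POST   /api/v2/tickets/password-change
// `request(method, path, body)` is injected so this runs offline here.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// One call with retry on HTTP 429: waits until the X-RateLimit-Reset epoch
// (seconds) when that header is present, otherwise a fixed back-off.
async function callWithBackoff(request, method, path, body, opts = {}) {
  const { maxRetries = 5, fallbackMs = 1000, now = Date.now } = opts;
  for (let attempt = 0; ; attempt++) {
    const res = await request(method, path, body);
    if (res.status !== 429) return res;
    if (attempt >= maxRetries) throw new Error(`still rate limited: ${method} ${path}`);
    const reset = Number(res.headers && res.headers['x-ratelimit-reset']);
    const waitMs = Number.isFinite(reset) ? Math.max(0, reset * 1000 - now()) : fallbackMs;
    await sleep(waitMs);
  }
}

// Same as callWithBackoff, but a non-2xx answer becomes an exception.
async function callOrThrow(request, method, path, body, opts) {
  const res = await callWithBackoff(request, method, path, body, opts);
  if (res.status < 200 || res.status >= 300) {
    throw new Error(`${method} ${path} failed with HTTP ${res.status}`);
  }
  return res;
}

// Step 1 then step 2 for a single user; returns the ticket URL the API sent back.
async function remediateUser(request, userId, opts) {
  const base = `/api/v2/users/${encodeURIComponent(userId)}`;
  await callOrThrow(request, 'DELETE', `${base}/sessions`, undefined, opts);
  await callOrThrow(request, 'DELETE', `${base}/refresh-tokens`, undefined, opts);
  await callOrThrow(request, 'PATCH', base, { app_metadata: { force_reset: true } }, opts);
  const res = await callOrThrow(request, 'POST', '/api/v2/tickets/password-change',
    { user_id: userId, ttl_sec: 3600 }, opts);
  return res.json && res.json.ticket;
}

// Sequential on purpose (stays inside the rate limit); one failing user
// is recorded and does not abort the rest of the batch.
async function bulkRemediate(request, userIds, opts = {}) {
  const succeeded = [];
  const failed = [];
  for (const userId of userIds) {
    try {
      await remediateUser(request, userId, opts);
      succeeded.push(userId);
    } catch (err) {
      failed.push({ userId, error: err.message });
    }
  }
  return { succeeded, failed };
}

// Post Login Action for the flag set above: deny the login while force_reset
// is true, so the user has to complete the reset first. Deployed in a tenant
// as exports.onExecutePostLogin; api.access.deny is the Actions runtime API.
const onExecutePostLogin = async (event, api) => {
  const meta = (event.user && event.user.app_metadata) || {};
  if (meta.force_reset === true) {
    api.access.deny('Your password must be reset before you can sign in; use "I forgot my password".');
  }
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Management API (not a real client): records
// every call, answers the very first request with 429 to exercise the
// back-off, and returns 404 for any user ID containing "missing".
function createFakeApi() {
  const calls = [];
  let throttled = false;
  const request = async (method, path, body) => {
    calls.push({ method, path, body });
    if (!throttled) {
      throttled = true;
      return { status: 429, headers: { 'x-ratelimit-reset': String(Math.floor(Date.now() / 1000)) } };
    }
    if (path.includes('missing')) return { status: 404, headers: {} };
    if (method === 'POST') {
      return { status: 201, headers: {}, json: { ticket: 'https://example.invalid/reset?ticket=constructed' } };
    }
    return { status: method === 'PATCH' ? 200 : 204, headers: {} };
  };
  return { request, calls };
}

// Runs the Action against a constructed event; true when access was denied.
async function actionDenies(appMetadata) {
  const denied = [];
  const api = { access: { deny: (reason) => denied.push(reason) } };
  await onExecutePostLogin({ user: { user_id: 'auth0|constructed', app_metadata: appMetadata } }, api);
  return denied.length > 0;
}
```

The batch runs one user at a time and honours the reset header on 429 responses, which is the behaviour the NOTE above asks for; the `failed` list is what an operator reviews afterwards, since a revoked session with no reset email is the state to avoid. The flag checked by the Action is only set here; clearing it once the user has actually changed the password is a separate step that this example does not cover.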

  3. Implement Future Protection

To enhance security and enforce password policies moving forward:
