Generate Reset Token
Endpoint
Request Body
The user’s ID (can be external user ID or SuperTokens user ID)
The user’s email address. Required for CDI >= 4.0.
Response
The status of the request. Either
OK or UNKNOWN_USER_ID_ERROR.The generated password reset token. Only present when status is
OK.Response Examples
Implementation Details
User ID Mapping
The endpoint supports both external and internal user IDs:- Accepts either external user ID or SuperTokens user ID
- If user ID mapping exists, converts to internal SuperTokens user ID
- Generates token using the internal user ID
Token Generation
For CDI >= 4.0:- Requires both user ID and email
- Token includes email validation
- More secure against user enumeration
- Only requires user ID
- Uses legacy token generation method
Multi-tenancy
The endpoint is tenant-specific:- Verifies Email Password is enabled for the tenant
- User must belong to the tenant
- Token is scoped to the tenant
Consume Reset Token
Endpoint
This endpoint only validates the token and returns user information. To actually reset the password, use the Reset Password endpoint with the token and new password.
Request Body
The password reset token to consume
Response
The status of the request. Either
OK or RESET_PASSWORD_INVALID_TOKEN_ERROR.The user’s ID (external user ID if mapped, otherwise SuperTokens user ID). Only present when status is
OK.The user’s email address. Only present when status is
OK.Response Examples
Implementation Details
Token Validation
The endpoint validates that:- Token exists and is valid
- Token has not expired
- Token has not been consumed already
User ID Mapping
After consuming the token:- Retrieves the internal SuperTokens user ID from the token
- Looks up user ID mapping if it exists
- Returns the external user ID in the response (if mapped)
Multi-tenancy
The endpoint is tenant-specific:- Token must be valid for the tenant
- User must belong to the tenant
Reset Password (Deprecated)
Endpoint
Request Body
The reset method. Must be
"token".The password reset token
The new password. Cannot be an empty string.
Response
The status of the request. Either
OK or RESET_PASSWORD_INVALID_TOKEN_ERROR.The user’s ID (external user ID if mapped, otherwise SuperTokens user ID). Only present when status is
OK and CDI >= 2.12.Response Examples
Implementation Details
Password Validation
The API validates that:- New password is not an empty string
- Additional password strength requirements should be enforced at the application level
Token Consumption
The token is consumed during the password reset, meaning:- Each token can only be used once
- After successful reset, the token is invalidated
- Token cannot be reused
User ID Mapping
After resetting the password:- Uses the internal SuperTokens user ID for the reset operation
- Looks up user ID mapping if it exists
- Returns the external user ID in the response (if mapped)
Password Reset Flow
The complete password reset flow typically works as follows:-
User requests password reset
- Your application collects the user’s email
- You look up the user ID from the email
- Call Generate Reset Token with the user ID and email
-
Send reset email
- Send the token to the user’s email
- Include a link to your password reset page with the token
-
User clicks reset link
- Your application receives the token from the URL
- Optionally call Consume Reset Token to validate the token
- Show password reset form to the user
-
User submits new password
- Your application collects the new password
- Call Reset Password (deprecated) or use a direct password update API
- Show success message and redirect to login
Security Considerations
Token Expiration
Password reset tokens have a limited lifetime:- Configure token expiration time in your SuperTokens configuration
- Tokens are automatically invalidated after expiration
- Users must request a new token if theirs expires
Token Storage
Password reset tokens:- Are cryptographically secure
- Should be transmitted over HTTPS only
- Should not be logged or stored in your application
- Expire after use or time limit
Rate Limiting
Consider implementing rate limiting for:- Token generation (prevent email flooding)
- Token consumption (prevent brute force attacks)
- Password reset completion
Email Verification
For enhanced security:- Only allow password reset for verified email addresses
- Require email verification before generating reset token
- Send notification email when password is changed
Error Cases
UNKNOWN_USER_ID_ERROR
Returned by Generate Reset Token when:- User ID does not exist
- User does not belong to the tenant
- User does not have email/password login method
RESET_PASSWORD_INVALID_TOKEN_ERROR
Returned by Consume Reset Token and Reset Password when:- Token does not exist
- Token has expired
- Token has already been consumed
- Token format is invalid
Bad Request (400)
Returned when:- Required fields are missing
- Password is an empty string
- Method is not “token” (for Reset Password endpoint)
- Invalid JSON in request body
Internal Server Error (500)
Returned when:- Database query fails
- Tenant or app not found
- Permission errors
- Other internal errors
Code References
- Generate Token: GeneratePasswordResetTokenAPI.java:57
- Consume Token: ConsumeResetPasswordAPI.java:55
- Reset Password: ResetPasswordAPI.java:57