Update Password

Overview

This endpoint allows users to update their password using a secure reset token obtained through the password reset flow. The token contains an encrypted OTP that must be valid to allow the password update.

API Details

Request Format

token

string

required

Reset token received via email

password

string

required

New password meeting security requirements

parentPublicKey

string

Required only for child accounts

curl -X POST https://api.authiqa.com/auth/update-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "YOUR_RESET_TOKEN",
    "password": "NewSecureP@ss123"
  }'

Try It Out

Test the API by providing your reset token and new password:

token

required

Reset token from email

password

required

New password

Hide Headers

Content-Type

Process Flow

Token Validation

Check token presence
Validate token format
Decrypt reset token
Extract email and OTP

Password Validation

Validate password format
Check password requirements:
- Minimum 8 characters
- One uppercase letter
- One lowercase letter
- One number
- One special character

OTP Verification

Verify user exists
Check OTP matches stored value
Validate OTP hasn’t expired
Verify correct parent public key (for child accounts)

Password Update

Hash new password
Update user’s password
Clear reset token and OTP
Record password change timestamp

Response Examples

200: Success

{
  "success": true,
  "data": {
    "message": "Password updated successfully"
  }
}

400: Invalid Token

{
  "success": false,
  "error": {
    "code": "INVALID_TOKEN",
    "message": "Invalid or malformed reset token"
  }
}

400: Invalid Password

{
  "success": false,
  "error": {
    "code": "INVALID_PASSWORD_FORMAT",
    "message": "Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character"
  }
}

Error Codes

400 Bad Request

TOKEN_NOT_PROVIDED - Reset token required
INVALID_TOKEN - Invalid/malformed token
INVALID_PASSWORD_FORMAT - Password requirements not met
MISSING_PARENT_PUBLIC_KEY - Parent public key required for child accounts
INVALID_PARENT_PUBLIC_KEY_FORMAT - Invalid public key format

401 Unauthorized

INVALID_PARENT_PUBLIC_KEY - Invalid parent public key

403 Forbidden

OTP_EXPIRED - Reset code has expired
INVALID_OTP - Invalid reset code

404 Not Found

USER_NOT_FOUND - No account found for token

Password Requirements

Password Rules

Minimum 8 characters
At least one uppercase letter
At least one lowercase letter
At least one number
At least one special character
No common patterns or sequences

Token Security

Token Rules

One-time use only
15-minute expiration
Contains encrypted:
- User email
- OTP code
- Parent public key (for child accounts)

Overview

Authentication APIs

Organization APIs

Billing APIs

Overview

API Details

Request Format

Try It Out

Process Flow

Response Examples

Error Codes

Password Requirements

Password Rules

Token Security

Token Rules

Overview

Authentication APIs

Organization APIs

Billing APIs

​Overview

​API Details

​Request Format

​Try It Out

​Process Flow

​Response Examples

​Error Codes

​Password Requirements

Password Rules

​Token Security

Token Rules

Overview

API Details

Request Format

Try It Out

Process Flow

Response Examples

Error Codes

Password Requirements

Token Security