Overview

Key Concepts
  • Trigger a password reset using Auth0 Dashboard or the Management API.
This topic describes different ways to reset the password for a user in your database. You can change passwords for users in your database connections only. Users signing in with social or enterprise connections must reset their passwords with the (such as Google or Facebook), and the following instructions work only if the user’s email address is known. There are two basic methods for changing a user’s password:
Resetting a user’s password makes their session expire.

Not what you're looking for?

Trigger an interactive password reset flow

There are two ways to trigger an interactive password reset flow, depending on your use case: through the page or the Authentication API.

Universal Login page

If your application uses Universal Login, the user can use the Lock widget on the Login screen to trigger a password reset email. With Universal Login, the user can click the Don’t remember your password? link and then enter their email address. This fires off a POST request to Auth0 that triggers the password reset process. The user receives a password reset email.

Authentication API

If your application uses an interactive password reset flow through the Authentication API, make a POST call. In the email field, provide the email address of the user who needs to change their password. If the call is successful, the user receives a password reset email. If you call the API from the browser, be sure the origin URL is allowed: Go to Auth0 Dashboard > Applications > Applications, and add the URL to the Allowed Origins (CORS) list. If your connection is a custom database, check to see if the user exists in the database before you invoke the Authentication API for changePassword. 
curl --request POST \
  --url 'https://{yourDomain}/dbconnections/change_password' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}","email": "","connection": "Username-Password-Authentication"}'

Password reset email

Regardless of how the password reset process was triggered, the user receives email containing a link to reset their password.
Password Reset Email
Clicking the link sends the user to the password reset page. After submitting the new password, the user sees confirmation that they can now log in with their new credentials. Notes on password resets:
  • The reset password link in the email is valid for one use only.
  • If the user receives multiple password reset emails, only the password link in the most recent email is valid.
  • The URL Lifetime field determines how long the link is valid. From the Auth0 dashboard, you can customize the Change Password email and modify the link’s lifetime.
  • You can extend the password reset flow to include another factor with Auth0 Actions. To learn more, read Password Reset Flow.
With Classic Login, you can configure a URL to redirect users to after completing the password reset. The URL receives a success indicator and a message. To learn more, read the “Configuring the Redirect-To URL” section in Customize Email Templates. Universal Login redirects the user to the default login route when it succeeds, and handles the error cases as part of the Universal Login flow. This experience ignores the Redirect URL in the email template.

Generate Password Reset tickets

The Management API provides the Create a Password Change Ticket endpoint, which generates a URL like the one in the password reset email. You can use the generated URL when the email delivery method is not appropriate. Keep in mind that in the default flow, the email delivery verifies the identity of the user. (An impostor wouldn’t have access to the email inbox.) If you use the ticket URL, your application is responsible for verifying the identity of the user in some other way.

Directly set the new password

To directly set a new password for the user without sending a password reset email, use either the Management API or the Auth0 Dashboard.
Users do not receive notification when you change their password.

Use the Management API

If you want to implement your own password reset flow, you can directly change a user’s password from a server request to the Management API: make a PATCH call to the Update a User endpoint.
If you use Management API to set or update a user’s password via the Update a User endpoint, the strength policy you set in Auth0 Dashboard applies.
cucurl --request PATCH \
  --url 'https://{yourDomain}/api/v2/users/%7BuserId%7D' \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{"password": "newPassword","connection": "connectionName"}'

Manually set users’ passwords using the Auth0 Dashboard

Anyone with administrative privileges to your Auth0 tenant can manually change a user’s password at Auth0 Dashboard > User Management > Users.
  1. Select the name of the user whose password you want to change.
  2. Locate the Danger Zone at the bottom of the page.
  3. In the red Change Password box, select Change.
    Manually set password
  4. Enter the new password, and select Save.