Reset Password

Request a password reset and complete the reset flow.

Two endpoints power the reset flow:

POST /auth/forgot

Request a password reset without leaking whether an email exists.

POST /auth/reset

Consume a reset token, update the password hash, and revoke active sessions.

POST /auth/forgot always returns success to avoid leaking whether an email exists.

POST /auth/reset:

  • validates the reset token
  • replaces the password hash
  • revokes all active sessions for that user

This keeps password reset behavior safe by default.

Security

Resetting a password revokes all active sessions for the user so older session cookies cannot keep authenticating after a reset.