As part of one of our batch account creation workflows, we use the /api/v2/tickets/password-change endpoint and send that along with a context-specific onboarding email.
For the first time, we hit the rate limit exception during this process (I am currently working on handling that better, and that is not directly my question). This rate limit incident coincided with multiple users encountering a “link expired” message on the password reset links. When this has happened previously, the problem is usually one of process - we send two emails, the second invalidates the first, and then the user clicks the expired link from the first email.
I’ll also note that we set “ttl_sec” to multiple days in this situation, and the recorded incidents all occurred within a 12 hour period between ticket generation and reported error.
So my question is - is it at all possible that hitting the rate limit somehow invalidated the recent tickets?
I am grasping as straws here to explain the expired links based on what is probably a coincidence, but I thought it was worth asking.
Thank you for your time,