Change Password Confusion

We are trying to implement Change Password “properly” from our React Native and React (Web) clients. What we want to do is provide a screen with a “Current Password” and “New Password” field for logged-in users. What’s confusing us is that there doesn’t seem to be an API call to Auth0 that handles this very standard method for changing password. There’s a ChangePassword call that allows you to pass the user’s email address and a new password and simply changes the password for that user, but there doesn’t seem to be a way to validate their existing password first without doing a new login and getting a new token, which seems unnecessary. Can anyone help me understand how this flow should properly be handled, including API calls? THANKS!!!

Hi @Husslup,

Welcome to the Auth0 Community!

I understand you want to provide a password change form directly in your client-side application. You can accomplish this with the Update User Endpoint. You will need to proxy this request through your backend, as a client-side app should not have access to management API tokens with the necessary scopes.

As for how it should be properly handled: ideally, you will send your user a password change email and have them reset their password via the Auth0 UI. This limits the attack surface of your app. Here is the endpoint for creating a password change request.

Let me know if you have any questions!
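The two options from the reply above, sketched as backend-side request builders. This is an added example, not code from the thread or from Auth0; the tenant domain, connection name, tokens and helper names are constructed placeholders, and the paths are Auth0's Management API `PATCH /api/v2/users/{id}` and Authentication API `POST /dbconnections/change_password`.

```javascript
// Added example: runs on the backend only. All names and values are placeholders.
const AUTH0_DOMAIN = "example-tenant.auth0.com";          // assumed tenant
const DB_CONNECTION = "Username-Password-Authentication"; // assumed connection name

// Option 1: proxy the "update user" call. The user id is taken from the `sub`
// claim of the caller's already-verified token, never from the request body,
// so a logged-in user cannot target someone else's account. The Management API
// token (with the update:users scope) never leaves the server.
function buildPasswordUpdate(verifiedClaims, body, mgmtToken) {
  if (!verifiedClaims || typeof verifiedClaims.sub !== "string") {
    throw new Error("unauthenticated");
  }
  if (!body || typeof body.newPassword !== "string" || body.newPassword === "") {
    throw new Error("newPassword required");
  }
  const id = encodeURIComponent(verifiedClaims.sub); // "auth0|x" -> "auth0%7Cx"
  return {
    url: `https://${AUTH0_DOMAIN}/api/v2/users/${id}`,
    init: {
      method: "PATCH",
      headers: {
        "content-type": "application/json",
        authorization: `Bearer ${mgmtToken}`,
      },
      body: JSON.stringify({ password: body.newPassword, connection: DB_CONNECTION }),
    },
  };
}

// Option 2: ask Auth0 to email a password change link. No password and no
// Management API token pass through the application at all.
function buildResetEmail(clientId, email) {
  return {
    url: `https://${AUTH0_DOMAIN}/dbconnections/change_password`,
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ client_id: clientId, email, connection: DB_CONNECTION }),
    },
  };
}

// Send either request. fetchImpl is injectable so the call can be exercised offline.
async function send(req, fetchImpl = fetch) {
  const res = await fetchImpl(req.url, req.init);
  if (!res.ok) throw new Error(`Auth0 returned ${res.status}`);
  return res.status;
}
```
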
