Change Password Flow

Hi Team,

An admin has two options to trigger a password reset on behalf of a user through the API.

  1. Using the Authentication API. This method auto-sends the password reset email.
  2. Using the Management API. This method generates the URL, and the admin has to manually send the email including the URL.

We are leaning towards Option 1, and would like to know if you are not foreseeing any limitations in it.

Thanks
idm_hunt

Hi @idm_hunt !

Option 1 is recommended because Auth0 controls the email delivery to the relevant user (the user's identity is verified because only the relevant user has access to their email inbox - this way an impostor is prevented from taking control over the password change).

Some customers prefer taking control over the flow (one case I remember was a customer with many different customers (B2B) and applications, and they preferred to trigger the email delivery with a reset link on their backend with their own templates, hosted on their servers).

However, please note that with the default flow (option 1), you can still customize the email templates with Liquid syntax and extend the flow with the Actions feature.

Please let me know if there are any other questions on that!

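The two options from the thread, side by side, as an added example that is not part of the original posts or Auth0's own code. It uses the public endpoint paths `/dbconnections/change_password` and `/api/v2/tickets/password-change`; the tenant domain, client ID, connection name, user ID, token and the one-hour `ttl_sec` are constructed placeholders.

```python
import json
import urllib.request

def _post_json(url, body, headers=None):
    """Build (but do not send) a JSON POST request."""
    hdrs = {"Content-Type": "application/json"}
    hdrs.update(headers or {})
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=hdrs, method="POST")

def option1_request(domain, client_id, email, connection):
    """Option 1, Authentication API: Auth0 emails the reset link itself.
    No Management API token is involved and the caller never sees the link."""
    return _post_json(f"https://{domain}/dbconnections/change_password",
                      {"client_id": client_id, "email": email,
                       "connection": connection})

def option2_request(domain, mgmt_token, user_id, ttl_sec=3600):
    """Option 2, Management API: returns a ticket URL the caller must deliver.
    Needs a token with the create:user_tickets scope; ttl_sec is an assumed
    short lifetime chosen for this example."""
    return _post_json(f"https://{domain}/api/v2/tickets/password-change",
                      {"user_id": user_id, "ttl_sec": ttl_sec},
                      {"Authorization": f"Bearer {mgmt_token}"})

def extract_ticket(response_body):
    """Read the reset URL from an option 2 response. Whoever holds this URL can
    set the password, so send it only to the user's inbox and keep it out of logs."""
    ticket = json.loads(response_body)["ticket"]
    if not ticket.startswith("https://"):
        raise ValueError("unexpected ticket URL scheme")
    return ticket

def send(req):
    """Perform the request (not called here, so the example runs offline)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Constructed placeholder values throughout.
    r1 = option1_request("tenant.example.com", "CLIENT_ID_PLACEHOLDER",
                         "user@example.com", "Username-Password-Authentication")
    r2 = option2_request("tenant.example.com", "MGMT_TOKEN_PLACEHOLDER",
                         "auth0|PLACEHOLDER")
    print(r1.get_method(), r1.full_url)
    print(r2.get_method(), r2.full_url)
```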