
hosted password change realtime webhook

I’ve been looking through the docs and I’m trying to find a way to get realtime notifications that a password change has been completed. We are using the hosted password reset page. Ideally, in Auth0 there would be a webhook that would post the event to an endpoint I control. Crawling logs on a schedule will not yield the result we want.

We do not currently have a realtime webhook for password change events. Our Hooks feature is in beta; however, it currently has limited extensibility points - we are working on adding more, but I can’t commit to which events we will be adding, or an ETA for when they will be built.

We have our Authentication API webhooks extension, however this is essentially a CRON job that will call your endpoint, at fastest, every 5 minutes.

Thanks for your reply. I’ve reviewed a number of community questions related to changing passwords. In a lot of those posts, it is recommended that we use the new password change flow. I agree that it is a more secure option, but with no extension points, it is extremely limiting in what we are capable of doing without realtime webhooks, and I suspect, would be a barrier to adoption.

@meyer.craig.e I have submitted a feature request to have a Hook for password change events. Can you elaborate on your use case more, to help me understand what you are trying to achieve with a realtime webhook for password change events?

@prashant, we have specific rules around logging users out of application sessions when a password changes. Since the Auth0 password change use case happens outside of our control, we want to be able to do either a or b below as soon as the password change is complete.

For the applications we need this functionality for we are using database connections only.

a. Provide an endpoint that Auth0 will post a payload to when the change password is complete. We would need the payload minimally to include the email address, but it would be great if there were a way we could specify parameters from the user including those from the app_metadata.


b. Have the ability to write a function that will call our endpoint similar to how rules/hooks currently are utilized.

I would think option a. would be the most efficient method as Auth0 would not be concerned with running someone else’s code, but either would work for us.

With the above, our platform will know that the password change has occurred, and we can take steps to invalidate sessions across devices, machines, etc.
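A sketch of the receiving side of option a, added here as an illustration; it is not part of the original post and not an Auth0 API. The payload fields (`email`, `changed_at`), the HMAC signature and the in-memory `SessionStore` are all assumptions, since the thread confirms no such webhook exists yet.

```python
import hashlib
import hmac
import json

# Assumption: a secret shared with the sender; constructed demo value.
WEBHOOK_SECRET = b"constructed-demo-secret"


class SessionStore:
    """In-memory stand-in for the platform's session table (hypothetical)."""

    def __init__(self):
        self.sessions = {}          # session_id -> (email, issued_at)
        self.password_changed = {}  # email -> time of latest password change

    def create(self, session_id, email, issued_at):
        self.sessions[session_id] = (email.lower(), issued_at)

    def mark_password_changed(self, email, changed_at):
        # Keep the newest timestamp so a replayed or out-of-order
        # delivery can never make older sessions valid again.
        key = email.lower()
        self.password_changed[key] = max(changed_at, self.password_changed.get(key, 0))

    def is_valid(self, session_id):
        # Valid only if issued strictly after the last password change.
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        email, issued_at = entry
        return issued_at > self.password_changed.get(email, 0)


def sign(body: bytes) -> str:
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def handle_password_change(store, body: bytes, signature: str) -> int:
    """Process one delivery and return an HTTP-style status code."""
    # Authenticate the raw body before parsing it (constant-time compare).
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return 401
    try:
        event = json.loads(body)
        email, changed_at = event["email"], int(event["changed_at"])
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(email, str):
        return 400
    store.mark_password_changed(email, changed_at)
    return 204
```

Checking `is_valid` on every request, rather than deleting session rows when the event arrives, means sessions on every device fail closed after the change.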

@prashant, see my answer below

I have submitted this feature request internally. Unfortunately, I can’t guarantee or commit to an ETA for the release of this feature.

@prashant is there any sort of public list/board that shows Auth0 features that are backlogged or on the roadmap?