In what scenario "POST https://YOUR_DOMAIN/dbconnections/change_password" would fail?

I am calling POST https://YOUR_DOMAIN/dbconnections/change_password after the user creation is done. I have noticed that even if I send an invalid email in the body, I get a 200 response, which is weird.

Questions:

  • Is there no validation for email on Auth0 side?
  • What are the cases where this endpoint would fail, assuming client_id and connection are valid?

Request:

{
    "client_id": "{{client_id}}",
    "email": "invalidEmail",
    "connection": "Username-Password-Authentication"
}

Background:

  • Call POST api/v2/users to create the user. This includes a dummy password because it is an Auth0 requirement to send a password.
  • Call POST /dbconnections/change_password to change the password so that the user can set a password.

Hi @gunjan.prmr,

Welcome to the Auth0 Community!

I understand you have questions about the Authentication API’s /dbconnections/change_password endpoint.

This is the expected behavior since we do not want to give away any clues as to whether an email address exists or not. Otherwise, we could introduce security risks when exposing the email address.

Hence, Auth0 will send a change password link to the user if they exist in the provided client_id and connection parameters. The response will show "We've just sent you an email to reset your password." regardless of whether the email address is valid.

The endpoint will only fail if the request does not provide the required client_id and connection parameters or if they are invalid.

Lastly, based on your current implementation, you may find our Send Email Invitations for Application Signup documentation relevant.

I hope this helps answer your questions.

Please let me know if you have any further questions.

Thank you.
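
A client-side wrapper for the flow discussed in this thread, added here as an example (not code from the original posts or from Auth0): because the endpoint answers 200 whether or not the address is valid, the caller checks the email syntax itself and treats 200 only as "request accepted". The function name, return labels, regex and the injectable `post` transport are assumptions for illustration.

```python
import json
import re
import urllib.error
import urllib.request

# Deliberately loose syntax check (assumption: local policy, not an Auth0 rule).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _http_post(url, payload):
    """Default transport: POST JSON and return (status, body_text)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # non-2xx responses still carry a body
        return err.code, err.read().decode()


def request_password_reset(domain, client_id, connection, email, post=_http_post):
    """Return 'rejected_locally', 'accepted' or 'request_error'.

    'accepted' only means the request was taken; by design the response
    never confirms that the address exists or that a mail was sent.
    """
    email = email.strip()
    if not _EMAIL_RE.match(email):
        # The endpoint would answer 200 for this input too, so catch it here.
        return "rejected_locally"
    status, _body = post(
        f"https://{domain}/dbconnections/change_password",
        {"client_id": client_id, "email": email, "connection": connection},
    )
    # Per the answer above, a failure points at client_id / connection.
    return "accepted" if status == 200 else "request_error"
```

Keep any user-facing message identical for every outcome of this call, so the application does not reintroduce the account-existence signal that the endpoint withholds.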