Hello,
We need to remove the email being passed in the query parameter when the user submits the password reset form. I’ve followed the instructions in this link:
However, even though the PATCH request to the Management API goes through, successfully changing the flag to false, we can still observe the email in the redirect link, which looks like:
Our app is failing an important security assessment due to the plainly visible email (considered PII) in the URL. As we’ve changed the flag as per the other thread and it’s not working, please suggest other steps.
For reference, we’re using Classic Universal Login with a custom Password Reset page.
Sharing the solution that I received from the support team here:
If you’re using the Management API’s “Create a password change ticket” endpoint, as we are doing, you have to set the flag to false in the “Create a password change ticket” call, as it defaults to true, overriding the steps in the first link in my question.
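As an added example (not code from the thread or from Auth0), the shape of that ticket request with the flag set to false, plus the check the security assessment was really asking for: inspect the returned ticket/redirect URL for an email address before it reaches a user or a log. It assumes the Auth0 Management API v2 endpoint `POST /api/v2/tickets/password-change` and the request fields `email`, `connection_id`, `result_url`, `ttl_sec` and `includeEmailInRedirect`; the flag name itself is not stated in the thread, so verify it against the current Management API reference before relying on it. The sample URLs are constructed for the check.

```python
"""Password change ticket without the email in the redirect, plus a PII check.

Example code, not from the thread. Field and endpoint names follow Auth0's
Management API v2 as assumed here; confirm them against the API reference.
"""
import json
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Assumed flag name on the ticket endpoint; it defaults to true server-side.
INCLUDE_EMAIL_FLAG = "includeEmailInRedirect"


def build_password_change_ticket_request(domain, mgmt_token, email,
                                         connection_id, result_url,
                                         ttl_sec=3600):
    """Return the request (method, url, headers, body) for a ticket.

    The flag is set explicitly to False: leaving it out means the API
    defaults it to True and appends the email to result_url.
    """
    body = {
        "email": email,                 # user the ticket is for
        "connection_id": connection_id, # database connection holding the user
        "result_url": result_url,       # where the user lands after reset
        "ttl_sec": ttl_sec,             # ticket lifetime in seconds
        INCLUDE_EMAIL_FLAG: False,      # keep PII out of the redirect URL
    }
    return {
        "method": "POST",
        "url": f"https://{domain}/api/v2/tickets/password-change",
        "headers": {
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
        "json": body,
    }


def url_leaks_email(url):
    """True if any query or fragment parameter names or contains an email.

    Checks both an explicit `email` key and any value containing '@', so a
    renamed parameter (e.g. `user`) still trips the check.
    """
    parsed = urlparse(url)
    for raw in (parsed.query, parsed.fragment):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            if key.lower() in {"email", "user_email", "username"}:
                return True
            if any("@" in v for v in values):
                return True
    return False


def create_ticket_and_verify(domain, mgmt_token, email, connection_id,
                             result_url):
    """Live helper: create the ticket and refuse to return a leaking URL.

    Performs a real HTTPS call; not exercised offline.
    """
    req = build_password_change_ticket_request(
        domain, mgmt_token, email, connection_id, result_url)
    http_req = Request(req["url"], method=req["method"],
                       headers=req["headers"],
                       data=json.dumps(req["json"]).encode())
    with urlopen(http_req) as resp:
        ticket = json.load(resp)["ticket"]
    if url_leaks_email(ticket):
        raise RuntimeError("ticket URL still carries the email; "
                           f"check {INCLUDE_EMAIL_FLAG} on the ticket call")
    return ticket


# Constructed sample URLs, not captured from any tenant.
LEAKY_URL = ("https://myapp.example.com/reset-done?success=true"
             "&message=You%20can%20now%20login%20with%20the%20new%20password."
             "&email=alice%40example.com")
CLEAN_URL = ("https://myapp.example.com/reset-done?success=true"
             "&message=You%20can%20now%20login%20with%20the%20new%20password.")


if __name__ == "__main__":
    req = build_password_change_ticket_request(
        "example.us.auth0.com", "MGMT_API_TOKEN", "alice@example.com",
        "con_xxxxxxxx", "https://myapp.example.com/reset-done")
    print(json.dumps(req["json"], indent=2))
    print("leaky:", url_leaks_email(LEAKY_URL), "clean:", url_leaks_email(CLEAN_URL))
```

Run `url_leaks_email` against the redirect your custom Password Reset page actually receives, not just the ticket URL the API returns; the assessment finding is about what ends up in the browser address bar and in any access logs along the way.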