includeEmailInRedirect flag is not working for removing Email from Redirect Link

Hello,
We need to remove the email being passed in the query parameter when the user submits the password reset form. I’ve followed the instructions in this link:

However, even though the PATCH request to management API goes through, successfully changing the flag to false, we can still observe the email in the redirect link which looks like:

http://ourRedirectUrl/?email=user123%40ourdomain.com&success=true&message=You%20can%20now%20login%20to%20the%20application%20with%20the%20new%20password.&invitation=false

Our app is failing an important security assessment due to the plainly visible email (considered PII) in the URL. As we’ve changed the flag as per the other thread and it’s not working, please suggest other steps.

We’re using classic universal login with custom Password Reset page for reference.

Sharing the solution that I received from the support team here:
If you’re using the Management API’s “Create a password change ticket” endpoint as we are doing, you have to set the flag to false in the “Create a password change ticket” call, as it defaults to true, overriding the steps in the first link in my question.
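Added example, not from the thread or Auth0's own SDK: Python that builds the password-change ticket request with the flag set to false and audits a redirect URL for the email parameter. The tenant domain, Management API token, user id and result URL are placeholders.

```python
"""Build an Auth0 password-change ticket request that keeps the email out of
the redirect, and audit a redirect URL for the leaked parameter."""
import json
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request

# Query parameters that must not appear in the post-reset redirect.
PII_PARAMS = {"email"}


def build_ticket_request(domain, mgmt_token, user_id, result_url):
    """Return a urllib Request for POST /api/v2/tickets/password-change.

    includeEmailInRedirect defaults to true on this endpoint and overrides
    the tenant-level setting, so it is set to False explicitly here."""
    body = {
        "user_id": user_id,
        "result_url": result_url,
        "includeEmailInRedirect": False,
    }
    return Request(
        f"https://{domain}/api/v2/tickets/password-change",  # placeholder domain
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def leaked_pii_params(redirect_url):
    """Return the PII query parameters present in a redirect URL (empty = clean)."""
    query = parse_qs(urlsplit(redirect_url).query)
    return sorted(PII_PARAMS & query.keys())


if __name__ == "__main__":
    # Constructed samples: the redirect shape reported in the thread, and the
    # same redirect once the email parameter is no longer appended.
    before = ("http://ourRedirectUrl/?email=user123%40ourdomain.com&success=true"
              "&message=You%20can%20now%20login.&invitation=false")
    after = ("http://ourRedirectUrl/?success=true"
             "&message=You%20can%20now%20login.&invitation=false")
    print(leaked_pii_params(before))  # ['email']
    print(leaked_pii_params(after))   # []
```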

Thank you @afra.n for sharing the solution with us! :+1:

Thanks to @matt.spence for his help, I’m just relaying here.
