Last Updated: Aug 13, 2024
Overview
This article explains the behavior of the /api/v2/tickets/password-change endpoint for a non-existent user.
- The password change ticket is a generated URL that the user can consume to start a reset password flow.
- A reset password ticket is provided whether or not the user exists.
Applies To
- Password Change
- Password Reset
- Management API
Solution
A ticket is generated with the /api/v2/tickets/password-change endpoint regardless of whether the user exists in the Auth0 database.
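This is intentional behavior to prevent user enumeration attacks: if the endpoint responded differently for a non-existent user, a caller could use the response to learn which accounts exist.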
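The following sketch is an added illustration of that design choice, not Auth0's code. It contrasts a ticket endpoint whose response reveals account existence with one that answers identically for any input. The function names, the `tenant.example` URL, the sample user, and the decision to make tickets for unknown users non-redeemable are all assumptions made for the example.

```python
import secrets

# Constructed sample data (assumption): one known account in the user store.
USERS = {"alice@example.com"}
ISSUED = {}  # ticket id -> email; populated only for accounts that exist


def _ticket_url(ticket_id):
    # Hypothetical URL shape, not the real Auth0 ticket format.
    return f"https://tenant.example/reset?ticket={ticket_id}"


def enumerable_ticket(email):
    """Weak form: status code and body differ when the account is unknown."""
    if email not in USERS:
        return 404, {"error": "user does not exist"}
    ticket_id = secrets.token_urlsafe(24)
    ISSUED[ticket_id] = email
    return 201, {"ticket": _ticket_url(ticket_id)}


def uniform_ticket(email):
    """Uniform form: same status, same fields, same ticket length for any email."""
    ticket_id = secrets.token_urlsafe(24)  # always generated, so work is similar
    if email in USERS:
        ISSUED[ticket_id] = email  # only an existing account gets a usable ticket
    return 201, {"ticket": _ticket_url(ticket_id)}


def redeem(ticket_id):
    """Return the email whose password may be reset, or None if the ticket is inert."""
    return ISSUED.pop(ticket_id, None)


def looks_identical(resp_a, resp_b):
    """What a caller can compare: status, field names, and ticket length."""
    (status_a, body_a), (status_b, body_b) = resp_a, resp_b
    return (
        status_a == status_b
        and body_a.keys() == body_b.keys()
        and all(len(str(body_a[k])) == len(str(body_b[k])) for k in body_a)
    )
```

When reviewing an endpoint like this, also compare response times for known and unknown users, since a timing gap leaks the same information as a different status code.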