Password Change Behaviour for a Non-Existent User

rueben.tiow · August 12, 2022, 7:32pm

Last Updated: Aug 13, 2024

Overview

This article explains the behavior of the /api/v2/tickets/password-change endpoint for a non-existent user.

The password change ticket is a generated URL that the user can consume to start a reset password flow.
A reset password ticket is provided whether or not the user exists.

A ticket is generated with the /api/v2/tickets/password-change endpoint regardless of whether the user exists in the Auth0 database.

This is intentional behavior to prevent enumeration attacks.

Topic		Replies	Views
How can I create a password reset link without emailing the user? Knowledge Articles password-reset , management-api , change-password	1	10018	May 8, 2019
/api/v2/tickets/password-change Help management-api , password-change	3	13853	July 5, 2019
How to Create a password change ticket in secondary identity? Help auth0 , api , password-reset	6	2310	September 26, 2022
Can you modify change password ticket response URL? Help change-password	2	1880	September 23, 2022
Want to create action where after user is created a change password email is sent to them Help user-management , user-password-management	2	235	May 3, 2024