Password Change Behaviour for a Non-Existent User

Last Updated: Aug 13, 2024

Overview

This article explains the behavior of the /api/v2/tickets/password-change endpoint for a non-existent user.

  • The password change ticket is a generated URL that the user can consume to start a password reset flow.
  • A password change ticket is returned whether or not the user exists.

Applies To

  • Password Change
  • Password Reset
  • Management API

Solution

A ticket is generated with the /api/v2/tickets/password-change endpoint regardless of whether the user exists in the Auth0 database.

This is intentional behavior to prevent enumeration attacks.
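The following simulation is an added illustration of the enumeration-resistant pattern the article describes; it is not Auth0's code. It returns a ticket of identical shape for a known and an unknown email, and only a ticket bound to a real user can be consumed. The user store and reset URL are constructed placeholders.

```python
import secrets
from typing import Optional

# Constructed sample user store standing in for a tenant's directory
# (not a real Auth0 tenant). email -> user_id
USERS = {"alice@example.com": "auth0|000000000000000000000001"}

# Issued tickets keyed by token: token -> {"user_id": str | None}
TICKETS: dict = {}

RESET_URL = "https://tenant.example.test/lo/reset"  # placeholder base URL


def issue_password_change_ticket(email: str) -> dict:
    """Return a ticket whether or not the email belongs to a user.

    The lookup result is never reflected in the response: an unknown email
    simply gets a ticket that is bound to no user, so the caller cannot
    tell the two cases apart from the ticket endpoint alone."""
    token = secrets.token_urlsafe(32)  # always 43 URL-safe characters
    user_id: Optional[str] = USERS.get(email.strip().lower())
    TICKETS[token] = {"user_id": user_id}
    return {"ticket": f"{RESET_URL}?ticket={token}"}


def consume_ticket(ticket_url: str, new_password: str) -> bool:
    """Complete the reset. Only a ticket bound to an existing user succeeds;
    an unbound ticket is discarded, so issuing one for an unknown email
    creates no account and grants nothing. Tickets are single-use."""
    token = ticket_url.rsplit("ticket=", 1)[-1]
    record = TICKETS.pop(token, None)
    if record is None or record["user_id"] is None:
        return False
    # A real implementation would hash and store new_password for
    # record["user_id"] here; the simulation only validates the flow.
    return len(new_password) > 0


def responses_indistinguishable(email_a: str, email_b: str) -> bool:
    """Defensive check: responses for two emails must share keys, URL
    prefix and length regardless of whether either email exists."""
    a = issue_password_change_ticket(email_a)["ticket"]
    b = issue_password_change_ticket(email_b)["ticket"]
    return a.split("?")[0] == b.split("?")[0] and len(a) == len(b)
```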