Auth0 Home Blog Docs

Password Reset Email Validity



When requesting a password reset, only the most recent email remains valid. Even if the old emails are not expired, clicking on them notes access expired.

Is there a way to make all password reset emails remain valid until the links timeout?


We do not support having multiple valid password reset links for a single user. This behaviour is a security measure, to prevent the use of older reset emails by potentially malicious users.


When someone clicked a link that expired due to the existence of a newer email, could the error message be changed to be more helpful? Something like:

Please use the most recent password change email.


@prashant - One more question. When a user requests a password reset multiple times, they will obviously get many emails. Email clients like GMail will group these together, and hide the body as quoted text due to them being essentially the same email.

This makes it very difficult for users to find the latest password reset email and click it. Do you have any suggestions on how to improve this experience? Can we add a timestamp in the email somewhere via the template to make the email show up as distinct in email clients?


To answer my own question on this, you can use Liquid variables in the templates. Below will get the current date to show up. Adding this to the subject & body seems to get clients like GMail to split emails out as distinct conversations.

({{ "now" | date: "%Y-%m-%d %H:%M:%S" }} GMT)


We currently don’t support custom error messages for the Change Password widget.


This is what got me past the problem. Adding the liquid syntax below to the subject and the body caused GMail to split each email as it’s own thread.

({{ "now" | date: "%Y-%m-%d %H:%M:%S" }} GMT)