Password reset mail not checking whether the email is valid or not

Hi

While calling password reset, the API is not checking whether the email is valid or not.

Is the actual working like this? Or how can I validate my email?

Hi @monika.prakash,

Could you please explain a bit more about the API checking whether an email is valid or not?

  • Are you referring to making a request to the Management API’s POST /api/v2/tickets/password-change endpoint, or when a user initiates a password reset from the login page?
  • By valid do you mean whether the format of the email matches a valid email address (e.g. contains an @ and .com/.something, etc.) or do you mean whether the email address is verified (e.g. the user’s email_verified attribute is true)?

Thanks in advance!

Stephanie

Hi @stephanie.chamblee, thank you for your reply.

I am using this endpoint: https://{{auth0_domain}}/dbconnections/change_password

body
{
  "client_id": "",
  "username": "test@gmail.com",
  "connection": ""
}

Here it always returns "We’ve just sent you an email to reset your password." It is not checking whether the username is a registered email.

Is this the actual workflow? Or is it possible to check whether the username (the email) is registered and verified?

I see, thank you for clarifying that!

That is the intended behavior to protect your application from brute force attacks by not exposing information about whether the email address exists in the system.

Unfortunately, there is no way to change this behavior. If this is something you require, I’d recommend sharing your use case in a feature request in our feedback category for our product team to review:

Thank you!

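The behaviour described in the answer above (the same response whether or not the address is registered), shown as an added example that is not Auth0's code or part of the original thread: a leaky reset handler beside a uniform one, plus a check that compares the responses for a known and an unknown address. The user store, outbox, messages other than the one quoted in the thread, and all function names are constructed for illustration.

```javascript
// Added example: constructed names and data, not Auth0 code.
// Web Crypto: global on Node 20+ and browsers, loaded via require on older CommonJS Node.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const users = new Map([["alice@example.com", { emailVerified: true }]]); // constructed sample store
const outbox = []; // stands in for an asynchronous mail queue

const GENERIC = { status: 200, body: "We've just sent you an email to reset your password." };

// Leaky variant: status and body reveal whether the address is registered.
function resetLeaky(email) {
  const key = normalize(email);
  if (!users.has(key)) {
    return { status: 404, body: "No account with that email." };
  }
  queueResetMail(key);
  return { ...GENERIC };
}

// Uniform variant: identical status and body on every path.
// Mail is queued (not sent inline) only for real accounts, so the caller
// sees neither a different message nor a slow mail round trip.
function resetUniform(email) {
  const key = normalize(email);
  if (users.has(key)) queueResetMail(key);
  return { ...GENERIC };
}

function normalize(email) {
  return String(email).trim().toLowerCase();
}

function queueResetMail(email) {
  // Random single-use token; a real system would store only its hash, with an expiry.
  const token = Buffer.from(rng.getRandomValues(new Uint8Array(32))).toString("hex");
  outbox.push({ to: email, token });
}

// Regression check for defenders: do the responses for a known and an
// unknown address differ in any field?
function leaksExistence(handler, known, unknown) {
  return JSON.stringify(handler(known)) !== JSON.stringify(handler(unknown));
}

console.log("leaky handler leaks:", leaksExistence(resetLeaky, "alice@example.com", "nobody@example.com"));
console.log("uniform handler leaks:", leaksExistence(resetUniform, "alice@example.com", "nobody@example.com"));
```

A check like `leaksExistence` can run in a test suite against any reset handler to catch a later change that reintroduces a distinguishable response.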

Hi @stephanie.chamblee

Thank you :slight_smile:
