URL for custom reset password page

I tried to link my password reset page with an a href to my custom login page, but I struggle with the url:
shouldn’t it be something like: https://{my-domain}.auth0.com/{link-to-custom-password-reset-page}
I already tried /reset and /password-reset but got an error.
Is this even possible on a free plan or do you need to use the preconfigured page/api

Hi @felix.schaipp

I tried to link my password reset page with an a href to my custom login page

Not sure exactly what you are referring to here. When you say “my password reset page”, are you talking about a page in your own application? Are you trying to initiate the password reset flow from your app?

You won’t be able to link directly to Auth0’s password reset page, if that’s what you are after. The password reset page will only be displayed after the user clicks on the link sent via email (this flow ensures that the user actually owns the email address).

If you want to use Auth0’s standard password reset flow you can use the POST /dbconnections/change_password endpoint (see docs) that takes an email address, and initiates the standard flow (pretty much what Lock does too when the user clicks on “Forgot password”).

You can also host your own password reset flow in your app if you wanted to (after the user authenticates) by getting the new password from the user and using the Management API v2 to set the new password (this endpoint), but this can only be done from a backend server (that can securely obtain a token and call the Management API v2).

Hope that helps!

Hi @nicolas_sabena

Thank you for the fast and detailed answer.

To be clear about the page:
We integrated auth0 in our Electron App as the first screen you see when you start the application. Currently we only have an email and password field with a login button and a text below which says “Reset Password”. When u click on the Reset Password link a new page should open where you can enter your email address and auth0 should send you the reset mail to that mail. I expected the custom password reset page to be available in the same fashion as the custom login (via a url https://{my-domain}.auth0.com/login), but from

You won’t be able to link directly to Auth0’s password reset page, if that’s what you are after. The password reset page will only be displayed after the user clicks on the link sent via email (this flow ensures that the user actually owns the email address).

I think that is not possible isn’t it?

Thank you for your time!

I guess we should clarify and separate two distinct password-reset-related pages:

  • The first step, where you ask the user for the email address.
  • The second step, where you ask the user for the new password.

The first step involves asking the user for the email address and hitting the /dbconnections/change_password (see docs). This starts the flow (Auth0 will send an email message to the address, with a link to continue the flow). If you use Lock, this step is handled by the Lock widget itself. If you built your own custom UI using Auth0.js, you’ll have to gather the input and make a request to that endpoint. But there’s no linking anywhere here, you hit that endpoint and Auth0 sends the email message.
If you use Lock, you can also use the forgotPasswordLink option to send the user to a specific URL when the “Forgot password” link is clicked. This URL should basically do the same that Lock does: ask the user for the email address and hit the /dbconnections/change_password to start the reset flow.

The second step is handled by an Auth0 hosted page that you can customize. This is done from the “Password Reset” tab in the “Universal Login” section:

I expected the custom password reset page to be available in the same fashion as the custom login (via a url https://{my-domain}.auth0.com/login)

Neither the login page or the password reset flow are meant to be used directly (you should never be linking directly to https://{my-domain}.auth0.com/login).
Auth0 will show the login page when needed as a result of an application requesting an authentication/authorization token via OAuth2 (/authorize) or one of the other supported protocols. The same for the password page: it will be displayed as a result of the user clicking on the link received in the email message, but you never link there directly.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.