I’m looking at using the Public Authorization API Change password endpoint,
/dbconnections/change_password, to send a “reset password” email. In testing it seems that even when I send an email that doesn’t have an existing Auth0 account it still responds with the result,
We've just sent you an email to reset your password.
Is this a security measure so someone can’t probe the endpoint for valid account email addresses? How can I let a user who might have mistyped and email or entered the wrong email there is not a email match if the response is always “success”?