The password reset flow is a two-step process: request a reset link via email, then submit the new password with the token from that email. Staff accounts can also reset other users’ passwords.

Request a password reset

POST /api/password-reset with action=request
Sends a one-time password reset link to the user’s registered email address. The link expires after 1 hour.
Permission: Public. No authentication is required for self-service reset.
Staff resetting another user’s password require the api.users.edit permission and a valid Bearer token.
action (string, required): Must be request.
email (string, required): Email address of the account to reset.
curl -X POST "https://propops.yourcompany.com/api/password-reset" \
  -H "Content-Type: application/json" \
  -d '{"action": "request", "email": "jane.smith@yourcompany.com"}'
Response:
{
  "success": true,
  "message": "If an account exists for that address, a reset link has been sent."
}
The response is intentionally vague to prevent user enumeration. The message is identical whether or not the email address matches an account.

Complete the password reset

POST /api/password-reset with action=reset
Sets a new password using the one-time token delivered via the reset email.
action (string, required): Must be reset.
token (string, required): The reset token extracted from the email link.
password (string, required): The new password. Must meet the platform’s password complexity requirements (minimum 8 characters, at least one uppercase letter, one number, and one special character).
curl -X POST "https://propops.yourcompany.com/api/password-reset" \
  -H "Content-Type: application/json" \
  -d '{"action": "reset", "token": "d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3", "password": "NewP@ssw0rd!"}'
Response:
{
  "success": true,
  "message": "Password reset successfully. You can now log in."
}
Error — token expired or invalid:
{
  "success": false,
  "error": "Reset token is invalid or has expired."
}
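The properties described above (a one-time token, a 1-hour expiry, an identical reply for known and unknown addresses, and the complexity rule) can be modelled in a few lines. This is an added in-memory example, not the platform's own code; the function names, the hashed token store, the policy error text and the PBKDF2 parameters are assumptions.

```python
import hashlib
import re
import secrets
import time

TOKEN_TTL = 3600  # the page states the link expires after 1 hour
GENERIC = {"success": True,
           "message": "If an account exists for that address, a reset link has been sent."}
INVALID = {"success": False, "error": "Reset token is invalid or has expired."}

users = {"jane.smith@yourcompany.com": {"pw_hash": None}}  # constructed sample account
pending = {}  # sha256(token) -> (email, expiry); raw tokens are never stored (assumption)
outbox = []   # stands in for the mail system: (email, token)


def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def meets_policy(password):
    """Rule from the page; 'special' is taken to mean any non-alphanumeric (assumption)."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def request_reset(email, now=None):
    now = time.time() if now is None else now
    if email in users:
        token = secrets.token_hex(18)  # 36 hex characters, same length as the sample token
        pending[digest(token)] = (email, now + TOKEN_TTL)
        outbox.append((email, token))
    return dict(GENERIC)  # same body whether or not the account exists


def complete_reset(token, password, now=None):
    now = time.time() if now is None else now
    if not meets_policy(password):  # checked first so a rejected password keeps the token
        return {"success": False, "error": "Password does not meet policy."}  # hypothetical text
    entry = pending.pop(digest(token), None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return dict(INVALID)  # unknown, reused and expired tokens all look the same
    salt = secrets.token_bytes(16)
    users[entry[0]]["pw_hash"] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000))
    return {"success": True, "message": "Password reset successfully. You can now log in."}
```

An identical response body does not hide timing differences: if mail is sent inline, requests for existing accounts take measurably longer, so queueing the send keeps response time independent of account existence.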

Admin password reset

Staff with the api.users.edit permission can reset another user’s password directly without the email flow. This is useful when a user is locked out.
POST /api/password-reset with action=admin_reset
Required permission: api.users.edit
Requires a CSRF token.
action (string, required): Must be admin_reset.
user_uuid (string, required): UUID of the user whose password to reset.
new_password (string, required): Temporary password to set. The user will be prompted to change it on next login.
csrf_token (string, required): CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/password-reset" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "admin_reset",
    "user_uuid": "660e8400-e29b-41d4-a716-446655440010",
    "new_password": "Temp#P@ss99",
    "csrf_token": "<csrf-token>"
  }'
Response:
{
  "success": true,
  "message": "Password reset. The user will be prompted to change it on next login."
}