POST /auth/reset

Use a password reset token to change a local user's password. Authentication is not required.

Request format

When forming RBAC API requests to this endpoint, the content type is application/json. The body must be a JSON object using the following keys:

  • token: A password reset token obtained from the POST /users/<uuid>/password/reset endpoint.
  • password: A new password to assign to the user attached to the password reset token.

For example:

curl -X POST "https://$(puppet config print server):4433/rbac-api/v1/auth/reset" \
-H "Content-type: application/json" \
-d '{"token": "0FlAtJ-84LMswcyzC8h9c2Hkreq1l4W6UeWKJJScYUUk",
     "password":"W3lcome!"}'

The body doesn't explicitly identify the user, because the user is identified through the password reset token.

Response format

Returns 200 OK if the password reset token is valid and the password was successfully changed. The user can now log in with the new password.

This endpoint only resets the password; it does not establish a valid log-in session for the user.

Error responses

Returns 403 Forbidden if the password reset token was already used or has expired.

Password reset tokens can be used only once, and these tokens have a limited lifetime. The lifetime is based on the value of the rbac_password_reset_expiration parameter. The default is 24 hours. For more information, refer to Configure RBAC and token-based authentication settings.

For other errors, refer to RBAC service errors.
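
The request and responses described above, as a Python client. This is an added example, not part of the original documentation: it JSON-encodes the body, prompts for the token and password so that neither appears in shell history or the process list, and maps the documented 200 and 403 responses. The function names are hypothetical; the path and port 4433 come from the curl example on this page.

```python
import getpass
import json
import sys
import urllib.error
import urllib.request

RESET_PATH = "/rbac-api/v1/auth/reset"  # path taken from the curl example above


def build_reset_request(server, token, password, port=4433):
    """Build the POST /auth/reset request without sending it."""
    if not token or not password:
        raise ValueError("token and password must both be non-empty")
    # json.dumps escapes quotes, backslashes and control characters in the password.
    body = json.dumps({"token": token, "password": password}).encode("utf-8")
    return urllib.request.Request(
        f"https://{server}:{port}{RESET_PATH}",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )


def describe_status(status):
    """Map the status codes documented for this endpoint to an outcome."""
    if status == 200:
        return "password changed; no session was created, log in separately"
    if status == 403:
        return "token already used or expired; request a new reset token"
    return f"unexpected status {status}; see RBAC service errors"


def reset_password(server, token, password, context=None):
    """Send the request; context is an optional ssl.SSLContext trusting the server's CA."""
    req = build_reset_request(server, token, password)
    try:
        with urllib.request.urlopen(req, timeout=10, context=context) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # urllib raises for 403 and other non-2xx codes
        status = err.code
    return status, describe_status(status)


if __name__ == "__main__":
    # Usage (assumed): python reset.py <server>; secrets are read from the terminal.
    token = getpass.getpass("Reset token: ")
    password = getpass.getpass("New password: ")
    print(*reset_password(sys.argv[1], token, password))
```

Because the token alone authorizes the change, treat it like a password in transit and at rest until it is used or expires.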