Validate a password change
Request#
This API is used to validate whether a request to change a user's password will require MFA (via a trustToken). There are 3 ways to call the endpoint:
- Validate a
changePasswordIdwithout authentication - Validate user password change using a JWT
- Validate user password change using a
loginIdwith API key
The first case will also verify that a changePasswordId is valid. This usage is generally intended to be part of an email or SMS workflow and does not require authentication. The changePasswordId used on this API request will have been previously generated by the Start Forgot Password API or by using the Forgot Password workflow on the FusionAuth login page. Use this API to validate the changePasswordId before requesting a password change.
Using a change password ID#
OpenAPI Spec
Request Parameters#
changePasswordIdStringrequiredThe changePasswordId that is used to identify the user after the Start Forgot Password workflow has been initiated.
ipAddressStringoptionalAvailable since 1.62.0The IP address of the end-user that is changing their password. If this value is omitted FusionAuth will attempt to obtain the IP address of the client, the value will be that of the X-Forwarded-For header if provided or the last proxy that sent the request. This value may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
Since version 1.62.0, the metadata fields below may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
metaData.device.descriptionStringoptionalAvailable since 1.62.0A human readable description of the device used. This meta data is used to describe the refresh token that may be generated for this request.
metaData.device.lastAccessedAddressStringoptionalAvailable since 1.62.0The IP address which made this request.
metaData.device.nameStringoptionalAvailable since 1.62.0A human readable name of the device used. This meta data is used to describe the refresh token that may be generated for this request.
metaData.device.typeStringoptionalAvailable since 1.62.0The type of device represented by the device parameter.
Prior to version 1.46.0, this value was restricted to the following types:
BROWSERDESKTOPLAPTOPMOBILEOTHERSERVERTABLETTVUNKNOWN
In version 1.46.0 and beyond, this value can be any string value you'd like, have fun with it!
This meta data is used to describe the refresh token that may be generated for this request.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
The "Validate user password change using a JWT or loginId" cases are used to verify whether MFA is required to change a user's password based solely on the user's JWT or loginId. It does not validate a specific changePasswordId and is instead meant to validate whether MFA is required before changing the user's password using a JWT or loginId.
Using a JWT#
OpenAPI Spec
Request Parameters#
ipAddressStringoptionalAvailable since 1.62.0The IP address of the end-user that is changing their password. If this value is omitted FusionAuth will attempt to obtain the IP address of the client, the value will be that of the X-Forwarded-For header if provided or the last proxy that sent the request. This value may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
Since version 1.62.0, the metadata fields below may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
metaData.device.descriptionStringoptionalAvailable since 1.62.0A human readable description of the device used. This meta data is used to describe the refresh token that may be generated for this request.
metaData.device.lastAccessedAddressStringoptionalAvailable since 1.62.0The IP address which made this request.
metaData.device.nameStringoptionalAvailable since 1.62.0A human readable name of the device used. This meta data is used to describe the refresh token that may be generated for this request.
metaData.device.typeStringoptionalAvailable since 1.62.0The type of device represented by the device parameter.
Prior to version 1.46.0, this value was restricted to the following types:
BROWSERDESKTOPLAPTOPMOBILEOTHERSERVERTABLETTVUNKNOWN
In version 1.46.0 and beyond, this value can be any string value you'd like, have fun with it!
This meta data is used to describe the refresh token that may be generated for this request.
Using a login ID#
OpenAPI Spec
Request Parameters#
loginIdStringrequiredThe login identifier of the user. The login identifier can be one of the following (see loginIdTypes for information on which of these identifiers will be used):
- Email address
- Phone number (if
phoneNumberis included in loginIdTypes) - Username
loginIdTypesArray<String>optionalDefaults to [email, username]Available since 1.61.0The identity types that FusionAuth will compare the loginId to. Can be one or more of the following:
emailphoneNumberusername
["email", "username"] is supplied with a loginId value of terry@example.com, then a user with terry@example.com as their email address will match first before any user with terry@example.com as their username.ipAddressStringoptionalAvailable since 1.62.0The IP address of the end-user that is changing their password. If this value is omitted FusionAuth will attempt to obtain the IP address of the client, the value will be that of the X-Forwarded-For header if provided or the last proxy that sent the request. This value may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
Since version 1.62.0, the metadata fields below may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
metaData.device.descriptionStringoptionalAvailable since 1.62.0A human readable description of the device used. This meta data is used to describe the refresh token that may be generated for this request.
metaData.device.lastAccessedAddressStringoptionalAvailable since 1.62.0The IP address which made this request.
metaData.device.nameStringoptionalAvailable since 1.62.0A human readable name of the device used. This meta data is used to describe the refresh token that may be generated for this request.
metaData.device.typeStringoptionalAvailable since 1.62.0The type of device represented by the device parameter.
Prior to version 1.46.0, this value was restricted to the following types:
BROWSERDESKTOPLAPTOPMOBILEOTHERSERVERTABLETTVUNKNOWN
In version 1.46.0 and beyond, this value can be any string value you'd like, have fun with it!
This meta data is used to describe the refresh token that may be generated for this request.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response#
This JSON response body will only be returned when a validation error occurs.
A successful response will not contain a response body.
Response Codes| Code | Description |
|---|---|
| 200 | The request was successful and can be used as part of a request to change the user's password. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. Beginning in version 1.33.0 a status code of 400 may also be used to indicate additional MFA trust is requiredto change the user's password. In this case the following error will be returned. Example Response JSON trustToken using a Multi-Factor Login request. |
| 404 | The changePasswordId is incorrect or expired or the user could not be found. |