Change the current user's password: verify the old password, enforce the per-app policy, rotate the hash, and (honoring `revoke_others_on_credential_change`) sign out every *other* session. Self-service (requires an end-user session).

POST /v1/auth/change-password
End-user session · operationId: change_password

Authorization

Called from the browser with the publishable application id (x-application-id); the access token lives in memory.

Request body · required

  • current_password string required
  • new_password string required

Responses

200 Password changed
401 Old password incorrect or no session
422 New password fails the policy

Request

curl -X POST "http://localhost:8080/v1/auth/change-password" \
  -H "Content-Type: application/json" \
  -H "x-application-id: <application-id>" \
  -d '{
  "current_password": "string",
  "new_password": "string"
}'
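
The order of checks in the description and the response codes above can be modelled in a few lines. The following is an added sketch for Node.js, not the service's own implementation: the function names, the in-memory store, the scrypt hashing and the sample policy (minimum length, must differ from the current password) are all assumptions made for illustration.

```javascript
// Added sketch: in-memory model of the change-password flow described above.
// Function names, store shape, hashing choice and policy are assumptions.
const crypto = require("node:crypto");

// A fresh random salt per hash means every rotation yields a new stored value.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Non-string input counts as a wrong password; the comparison is constant-time.
function verifyPassword(password, stored) {
  if (typeof password !== "string" || !stored) return false;
  const candidate = crypto.scryptSync(password, stored.salt, 32);
  return crypto.timingSafeEqual(candidate, stored.hash);
}

// Constructed sample policy standing in for the per-app policy.
function policyViolations(newPassword, currentPassword, policy) {
  if (typeof newPassword !== "string") return ["not_a_string"];
  const problems = [];
  if (newPassword.length < policy.minLength) problems.push("too_short");
  if (newPassword === currentPassword) problems.push("same_as_current");
  return problems;
}

// store: { users: Map(userId -> {salt, hash}), sessions: Map(sessionId -> userId) }
// app:   { policy: { minLength }, revoke_others_on_credential_change: boolean }
function changePassword(store, app, sessionId, body) {
  const userId = store.sessions.get(sessionId);
  if (userId === undefined) return { status: 401 }; // no session
  const user = store.users.get(userId);
  if (!verifyPassword(body.current_password, user)) return { status: 401 };
  const problems = policyViolations(body.new_password, body.current_password, app.policy);
  if (problems.length > 0) return { status: 422, problems };
  store.users.set(userId, hashPassword(body.new_password)); // rotate the hash
  let revoked = 0;
  if (app.revoke_others_on_credential_change) {
    for (const [id, owner] of store.sessions) {
      // Keep the caller's session; drop only this user's other sessions.
      if (owner === userId && id !== sessionId) {
        store.sessions.delete(id);
        revoked += 1;
      }
    }
  }
  return { status: 200, revoked };
}
```

Because the old password is verified before the policy runs, a caller who does not know the current password gets 401 and learns nothing about the policy from 422 responses.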
