# Password Flow

## Overview

SYSTEM password operations cover first-time password setup, forgot-password recovery, and authenticated password change. The published SYSTEM docs include forgot, reset, init, and change, with secure-channel encryption of the request body on the write operations. The JSON bodies shown on this page are the plaintext payloads; on the wire they are encrypted under the secure-channel session identified by X-Secure-Channel-Session-Id.
## Prerequisites

- X-PORTAL-ACCESS-CODE: <system-portal-code>
- secure-channel support for encrypted request bodies
- X-Client-Hash for pre-login flows
- Turnstile token support for forgot-password
- a JWT for authenticated change-password
## Shared Headers

```bash
X-PORTAL-ACCESS-CODE: <system-portal-code>
X-Client-Hash: <browser-fingerprint>
X-Secure-Channel-Session-Id: <secure-channel-session-id>
Content-Type: application/json
```

Authenticated change-password adds:

```bash
Authorization: Bearer <accessToken>
```

X-Client-Hash is a pre-login header and is not sent on the authenticated change-password call; forgot-password additionally sends X-Turnstile-Token.

## Forgot Password Flow
### 1. Start recovery

API endpoint: POST /web/v1/tenant/auth/password/forgot

The published SYSTEM contract sends a reset link/token by email rather than exposing a separate password-OTP API.
```bash
curl -X POST 'https://api.example.com/web/v1/tenant/auth/password/forgot' \
  -H 'X-PORTAL-ACCESS-CODE: <system-portal-code>' \
  -H 'X-Client-Hash: <browser-fingerprint>' \
  -H 'X-Secure-Channel-Session-Id: <secure-channel-session-id>' \
  -H 'X-Turnstile-Token: <turnstile-token>' \
  -H 'Content-Type: application/json' \
  -d '{"email":"admin@example.com","turnstileToken":"<turnstile-token>"}'
```

```json
{"code":"2000","message":"SUCCESS","data":{"success":true,"message":"If the email exists, a reset link will be sent"}}
```

The success message is worded so that it does not confirm whether the address is registered; show the user that generic message and do not infer account existence from the reply.

### 2. Capture the reset token from the email link
API endpoint: no separate API call is currently published. The frontend extracts the token from the emailed link and moves directly to reset; the data carried forward is just:

```json
{"tokenSource":"email-link","token":"reset-token-xxx"}
```

### 3. Reset the password
API endpoint: POST /web/v1/tenant/auth/password/reset

```bash
curl -X POST 'https://api.example.com/web/v1/tenant/auth/password/reset' \
  -H 'X-PORTAL-ACCESS-CODE: <system-portal-code>' \
  -H 'X-Client-Hash: <browser-fingerprint>' \
  -H 'X-Secure-Channel-Session-Id: <secure-channel-session-id>' \
  -H 'Content-Type: application/json' \
  -d '{"token":"reset-token-xxx","newPassword":"NewP@ssw0rd!"}'
```

```json
{"code":"2000","message":"SUCCESS","data":{"success":true,"message":"Password reset successful"}}
```

The reset token is single-use and time-limited: AUTH.PASSWORD_RESET_TOKEN_INVALID is returned for an expired, already-used, or wrong token, and the client recovers by starting a new forgot request rather than retrying reset.

## Change Password Flow
### 4. Change password inside an authenticated session

API endpoint: POST /web/v1/tenant/auth/password/change

```bash
curl -X POST 'https://api.example.com/web/v1/tenant/auth/password/change' \
  -H 'X-PORTAL-ACCESS-CODE: <system-portal-code>' \
  -H 'Authorization: Bearer <accessToken>' \
  -H 'X-Secure-Channel-Session-Id: <secure-channel-session-id>' \
  -H 'Content-Type: application/json' \
  -d '{"currentPassword":"OldP@ss!","newPassword":"NewP@ssw0rd!"}'
```

```json
{"code":"2000","message":"SUCCESS","data":{"success":true,"message":"Password changed successfully"}}
```

This call carries the JWT instead of X-Client-Hash and also requires the current password, so an access token on its own is not enough to rotate the password. AUTH.CURRENT_PASSWORD_INCORRECT is handled inside the form without logging the user out.

## First-Time Password Initialization
### 5. Initialize a password for a new or invited account

API endpoint: POST /web/v1/tenant/auth/password/init

```bash
curl -X POST 'https://api.example.com/web/v1/tenant/auth/password/init' \
  -H 'X-PORTAL-ACCESS-CODE: <system-portal-code>' \
  -H 'X-Client-Hash: <browser-fingerprint>' \
  -H 'X-Secure-Channel-Session-Id: <secure-channel-session-id>' \
  -H 'Content-Type: application/json' \
  -d '{"sessionId":"init-session-xxx","password":"NewP@ssw0rd!"}'
```

```json
{"code":"2000","message":"SUCCESS","data":{"bizId":"ACC_USR_00000001","email":"user@example.com","status":10010202}}
```

sessionId identifies the account's setup session (how it is issued to the invited user is not covered on this page); the response returns the account's bizId, email, and status.

## Decision Points
- use forgot plus reset when the user cannot authenticate
- use change when the user is already logged in and knows the current password
- use init when the account exists but has not set a password yet
- do not expect a dedicated forgot-password OTP verification endpoint in current SYSTEM docs
## Error Handling

- REQUEST.RATE_LIMITED on forgot-password should disable retry until the window resets
- AUTH.PASSWORD_RESET_TOKEN_INVALID means the token is expired, reused, or wrong; restart from forgot
- AUTH.CURRENT_PASSWORD_INCORRECT should keep the user in the change-password form without logging out
- validation failures often mean the secure-channel header or encrypted body is missing; check X-Secure-Channel-Session-Id and that the body was encrypted before blaming the payload
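The forgot, reset, and change steps above, together with the error-handling rules, put into one client as an added example; this is not SYSTEM's own client code and the API it talks to is a constructed in-memory fake. Endpoint paths, header names, body shapes, and error codes are the ones on this page. Assumptions made for the example: the emailed link carries the token as a `token` query parameter, error codes arrive in the envelope's `code` field, and reset tokens are single-use.

```javascript
// Added example, not SYSTEM's own client code: a small password-flow client run
// against a constructed in-memory fake of the API. Endpoint paths, header names,
// body shapes and error codes come from the page. Assumed here: the reset link
// carries the token as a `token` query parameter, error codes arrive in the
// envelope's `code` field, and reset tokens are single-use.
const BASE = "https://api.example.com";

// Shared headers from the page; once logged in the JWT replaces X-Client-Hash.
function buildHeaders(ctx, { authenticated = false } = {}) {
  const h = { "X-PORTAL-ACCESS-CODE": ctx.portalCode, "Content-Type": "application/json",
              "X-Secure-Channel-Session-Id": ctx.secureChannelSessionId };
  if (authenticated) h.Authorization = `Bearer ${ctx.accessToken}`;
  else h["X-Client-Hash"] = ctx.clientHash;
  return h;
}

// Step 2: pull the token out of the emailed link (assumed `?token=` format).
function extractResetToken(link) {
  const token = new URL(link).searchParams.get("token");
  if (!token) throw new Error("reset link carries no token");
  return { tokenSource: "email-link", token };
}

// One call to /web/v1/tenant/auth/password/<op>. transport(url, {headers, body})
// returns the JSON envelope; a browser build would wrap fetch() and let the
// secure-channel layer encrypt `body` before it leaves the client.
function callPassword(transport, ctx, op, body, opts) {
  const headers = buildHeaders(ctx, opts);
  if (op === "forgot") headers["X-Turnstile-Token"] = body.turnstileToken;
  return transport(`${BASE}/web/v1/tenant/auth/password/${op}`, { headers, body });
}

// The page's Error Handling list as UI actions keyed on the envelope code.
function uiActionFor(envelope) {
  switch (envelope.code) {
    case "2000": return "ok";
    case "REQUEST.RATE_LIMITED": return "disable-retry-until-window-resets";
    case "AUTH.PASSWORD_RESET_TOKEN_INVALID": return "restart-forgot"; // expired, reused or wrong
    case "AUTH.CURRENT_PASSWORD_INCORRECT": return "stay-in-change-form"; // no logout
    default: return "show-error-check-secure-channel"; // validation: header/body missing?
  }
}

const ok = (data) => ({ code: "2000", message: "SUCCESS", data });
const fail = (code) => ({ code, message: code, data: null });

// Constructed fake of the API: forgot answers identically for known and unknown
// addresses (the client cannot learn whether an account exists) and reset
// tokens are consumed on first use.
function makeFakeApi() {
  const accounts = { "admin@example.com": { password: "OldP@ss!" } };
  const liveTokens = new Set();
  const outbox = []; // reset links the fake "emailed"
  let issued = 0;
  function transport(url, { headers, body }) {
    if (!headers["X-PORTAL-ACCESS-CODE"] || !headers["X-Secure-Channel-Session-Id"]) throw new Error("missing shared headers");
    switch (url.split("/").pop()) {
      case "forgot":
        if (accounts[body.email]) {
          const token = `reset-token-${++issued}`;
          liveTokens.add(token);
          outbox.push(`https://portal.example.com/reset?token=${token}`);
        }
        return ok({ success: true, message: "If the email exists, a reset link will be sent" });
      case "reset":
        if (!liveTokens.delete(body.token)) return fail("AUTH.PASSWORD_RESET_TOKEN_INVALID");
        accounts["admin@example.com"].password = body.newPassword; // fake has one account
        return ok({ success: true, message: "Password reset successful" });
      case "change": {
        if (!headers.Authorization) throw new Error("change-password needs the JWT");
        const acct = accounts["admin@example.com"];
        if (acct.password !== body.currentPassword) return fail("AUTH.CURRENT_PASSWORD_INCORRECT");
        acct.password = body.newPassword;
        return ok({ success: true, message: "Password changed successfully" });
      }
      default: throw new Error(`unexpected operation in ${url}`);
    }
  }
  return { transport, outbox };
}

// End to end: forgot (known and unknown address) -> link -> reset -> replayed
// reset -> change with the old, then the new, current password.
function runPasswordFlows(api, ctx) {
  const call = (op, body, opts) => callPassword(api.transport, ctx, op, body, opts);
  const out = {};
  out.forgot = uiActionFor(call("forgot", { email: "admin@example.com", turnstileToken: ctx.turnstileToken }));
  out.forgotUnknown = uiActionFor(call("forgot", { email: "nobody@example.com", turnstileToken: ctx.turnstileToken }));
  const { token } = extractResetToken(api.outbox[api.outbox.length - 1]);
  out.reset = uiActionFor(call("reset", { token, newPassword: "NewP@ssw0rd!" }));
  out.replay = uiActionFor(call("reset", { token, newPassword: "Other#Pass1" }));
  out.wrongCurrent = uiActionFor(call("change", { currentPassword: "OldP@ss!", newPassword: "Final#Pass9" }, { authenticated: true }));
  out.change = uiActionFor(call("change", { currentPassword: "NewP@ssw0rd!", newPassword: "Final#Pass9" }, { authenticated: true }));
  return out;
}

const demoCtx = { portalCode: "<system-portal-code>", clientHash: "<browser-fingerprint>",
  secureChannelSessionId: "<secure-channel-session-id>", turnstileToken: "<turnstile-token>", accessToken: "<accessToken>" };
console.log(runPasswordFlows(makeFakeApi(), demoCtx));
```

Run it with node; the replayed reset maps to restart-forgot and the wrong current password maps to stay-in-change-form, while both forgot calls come back ok regardless of whether the address exists. Against the real service the transport would be a fetch() wrapper sitting under the secure-channel layer, so the `body` objects here are the plaintext payloads the page documents, not the encrypted bytes on the wire.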