I realised that with the code I could get a new password with
$body = array( 'email' => $email, "code"=>$code, "new_password"=> $newPassword);
My mistake was I was still using reset=true. Which should not be added when calling with the password reset api call with the "code".
I have the same issue Im still not sure how I would implement this.
I have created a password reset form on my custom.com site. It communicates with api.df.com and sends a password reset link (customised with my own link back to custom.com). However aren't we back to square 1 because there is no api call to update the password - without knowing a security question, or being logged in?