Forgot password API?


Looking through the API Documents for the user, I noticed that there was no option for a Forgot Password scenario.

Is there any other way we can do this through Rest?


Although not in API Docs (testing it would invalidate the credentials and session you’re using to access API Docs, which is probably a Bad Thing to do in testing), the API call would be:


The payload would take the format:

{email: "", password: "password", reset: true}

Of course, /rest/user is the email provided, and unless you have the current password, I’m not sure this call will work.


Thanks for the response. But I don’t think this will work since the user forgot the password. Or is the password mentioned in the payload the “new” password?

I was hoping for something like the system requesting the email address registered to the user. Then system sends the user an email with a link to reset the password. This kind of approach.

Can this be implemented through customization? Or possibly creating a new application with this feature?

Best Regards,

Right, that’s why I started there and explained the basic call with a known password first. Again, the same function can be handled several ways so the API Docs are a bit limited in letting you know the possibilities. There are two ways to go, depending on your desired setup and UX:

1) Security question + answer

Assuming you have /user/profile set up something like this:

  "first_name": "User",
  "last_name": "Name",
  "display_name": "User Name",
  "email": "",
  "security_question": "What is the airspeed velocity of an unladen swallow?",
  "security_answer": "Less than twelve parsecs."

Then to reset the user’s password,



  "email": "",
  "security_answer":  "Less than twelve parsecs.",
  "new_password": "newpassword"

If you need security_question returned to the client to display the challenge in your app, simply POST with just the email, and security_question will be returned.

2) Email reset code



  "email": "",
  "reset": true

This will generate an email to the user’s email address that includes a reset link and confirmation code. This email will be sent using the email service and template you’ve configured under Config > Password Reset.

From: App Name <>
Date: Wed, 01 Jul 2015 15:17:58 -0400
Subject: Password Reset

Hi User,

You have requested to reset your password. Go to the following url, enter the code below, and set your new password.

Confirmation Code: cdcb9df20bb2edd3037b86080572a2bb

App Name

I believe email reset will only work if the user in question does not have security_question and security_answer set up in his profile.

Probably yes, but the API already has this functionality so these options should only be necessary in the narrowest of use cases.

@jeffreystables Can you please clarify where would this “Confirmation code” be added to email?
Should it be added to the API call used to generate email or should it be added to parameter list of email service on Dreamfactory?

I have actually tried both and receiving code in email but on making call to this api:

POST /api/v2/user/password

with parameters:

code : “12345”,
email : "",
new_password : “my_new_password”

I am getting this response message:

The supplied email and/or confirmation code were not found in the system

Any clues on what I might be doing wrong?

To initiate a password reset request

POST user/password?reset=true

POST user/password

This will email you a confirmation code.
Once you receive the code, you may reset your password with

POST user/password
{"email":"","code":"the confirmation code from the email","new_password":"your new password"}

1 Like


We’re using the API recommended by @drewpearce and it works, but only for the first time. We first request the code and then send the code to set the new password of a user, and works. The second time we test, the code request works (reset=true), but the set new password call fails due to:
{"error":{"context":null,"message":"Error processing password reset.\nThe token has been blacklisted","code":500,"trace":["0 /home/ubuntu/dreamfactory-2.2.0-0/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Resources/UserPasswordResource.php(69)...

We’re using DF v2.2.0.

Any ideas why this happens?


Token Blacklisted indicates that the session token provided in the API call is no longer valid.
You do not need to pass a session token on the confirmation part of a password reset call.

1 Like

We are not passing any session token. Still, we get the token blacklisted error. Any other reason why this happens?

Is this being done in browser? It’s possible that the browser is still trying to reuse a session.

Yes, I’m doing this from the browser. I have tried to localStorage.clear(); and sessionStorage.clear(); before sending the request and it still dosn’t work. The thing is that it always work for the first reset, but on any reset for the same user after that, the token gets permanently blacklisted and the password can’t be changed, not even from the admin panel. However, the user can still log in to the system with the old password. So this really seems to be a bug in Dreamfactory.

Just to clearify. The localStorage.clear(); do clear all the sessions, but it still does only work a couple of times and then it get blacklisted.

Sorry. I’m not able to duplicate the error, after much trying. Can you be very specific about how this is happening?
What version of DramFactory? What exactly are you doing, password recovery (“i forgot my password”) or password reset of an already logged in user. Are you logging out and logging in between the two attempts? Are you using the DreamFactory admin application for this or a custom built application?

take a look at our latest blog post:

You can reset keys and passwords via SQL or SQlite for instance.

Link broken…Valid link pls?

Hi @Im_PJ,

Which environment would like more info on? We took the post down momentarily as there were a couple of grammatical errors in it.