circle-check
Akinon Release Notes 02/16/2026) are now live! Click here to learn what's new.
arrow-up-right
search
Docs Portal

Password

Password set, reset, and change operations

hashtag
Set password for guest users

post

Sets password for guest users (users with user_type=guest, typically created during checkout without registration).

Access Control:

  • Anonymous users: Returns redirect_url to home page

  • Registered users (already have password): Returns redirect_url to password change page

  • Guest users: Can set password and become registered users

User Type Transition: Upon successful password set, user's user_type is changed from guest to registered.

Password Validation: Password strength validated according to AUTH_PASSWORD_VALIDATORS setting (Dynamic Configuration).

Response Behavior:

  • Non-AJAX requests: HTTP 302 redirect to location URL

  • AJAX requests (X-Requested-With: XMLHttpRequest): JSON with location field

Authorizations
sessionidstringRequired

Session cookie for authentication

Header parameters
CookiestringOptional

Session cookie in format sessionid=<value>. May use site-specific cookie name (e.g., osessionid).

X-CSRFTokenstringRequired

CSRF token for state-changing requests

X-Requested-Withstring · enumOptional

Set to 'XMLHttpRequest' for AJAX requests to receive JSON response

Possible values:
Body
password1string · passwordRequired

New password

password2string · passwordRequired

Confirm new password (must match password1). Validated against AUTH_PASSWORD_VALIDATORS setting.

Responses
chevron-right
200

Password set successfully (AJAX request). Returns location URL for redirect.

application/json
locationstringOptional

URL to redirect (typically same endpoint)

Example: /users/password/set/
post
/users/password/set/

hashtag
Set password with SMS OTP verification (guest users)

post

Sets password for authenticated guest users with phone number verification via SMS OTP. This is a two-step process that transitions guest users to registered users.

Step 1 - Request OTP: Send phone, password1, password2 without code. System validates fields, sends SMS verification code, and stores confirmation data in session. Returns 202 status.

Step 2 - Verify and Set Password: Send all fields including code. System verifies the code against session confirmation data. If valid:

  • Password is set and validated against AUTH_PASSWORD_VALIDATORS

  • User type changes from guest to registered

  • Phone number is saved to user profile

  • verified_phone attribute is set to true

  • Old password is saved to user profile history Returns 200 with success message.

Resend OTP: Use resend: true to request a new code. Subject to SMS resend interval restrictions (configured via SMS_OTP_RESENT_TIME_GAP system setting). Returns 202 status.

Phone Validation: Phone must be unique among active users (uses UNIQUE_VALIDATOR_PHONE_MESSAGE dynamic setting for error message).

Password Validation: Password strength validated according to AUTH_PASSWORD_VALIDATORS setting (Dynamic Configuration).

Throttling scope: register.

Authorizations
sessionidstringRequired

Session cookie for authentication

Header parameters
CookiestringOptional

Session cookie in format sessionid=<value>. May use site-specific cookie name (e.g., osessionid).

X-CSRFTokenstringRequired

CSRF token for state-changing requests

Body
password1string · passwordRequired

New password

password2string · passwordRequired

Confirm new password (must match password1)

phonestring · max: 60Required

Phone number for SMS verification

codestringOptional

SMS verification code. Omit on first request to receive OTP.

resendbooleanOptional

Set to true to request a new verification code

Default: false
Responses
chevron-right
200

Password set successfully (Step 2 completed)

application/json
messagestringOptional

Success message

Example: New password has been saved.
post
/users/password-sms-otp/set/

hashtag
Request password reset via email

post

Initiates password reset flow by sending a reset link via email.

User Filtering: Only sends email to users who:

  • Are registered users (not guest users)

  • Have verified email addresses

  • Are active users

Email Content: Email is rendered using template from RESET_EMAIL_HTML_TEMPLATE setting (Dynamic Configuration). The email contains:

  • Password reset link with unique token

  • Frontend ID in extra context (from X-Frontend-ID header if valid)

Security: Always returns success (200) to prevent email enumeration, regardless of whether the email exists in the system.

User Translation: Email is sent in user's preferred language (user.language_code).

Throttling scope: password-reset.

Header parameters
X-Frontend-IDstringOptional

Frontend identifier for multi-frontend setups. Must be in VALID_FRONTEND_IDS setting (Dynamic Configuration). Passed to email template context as frontend_id.

Body
emailstring · emailRequired

Email address for password reset link

Responses
chevron-right
200

Reset email sent if address exists. Response is identical for existing and non-existing emails to prevent enumeration.

application/json
detailstringOptional

Confirmation message

post
/users/password/reset/

hashtag
Request password reset via SMS

post

Initiates password reset flow by sending a reset SMS with a password reset link to the provided phone number.

User Lookup: Searches for active users by phone number. Only sends SMS if:

  • Phone number exists in the system

  • User is active

SMS Content: SMS contains:

  • Site name

  • Password reset URL with token (format: /password-reset/{uid}/{token}/)

  • User information

Token Generation: A secure, time-limited token is generated for password reset confirmation.

Security: Always returns success message (200) to prevent phone number enumeration, regardless of whether the phone exists in the system.

Throttling scope: password-reset.

Body
phonestring · max: 60Required

Phone number for password reset SMS

Responses
chevron-right
200

Success response (always returned regardless of phone existence). SMS is sent only if phone belongs to an active user.

application/json
successstringOptional

Confirmation message (translated)

Example: If the phone number you specified is registered, a password reset sms has been sent.
post
/users/password/reset-with-phone/

hashtag
Change password for authenticated user

post

Changes password for the currently authenticated user. Requires verification of the old password and two matching new password entries.

Password Validation: New password is validated against AUTH_PASSWORD_VALIDATORS setting (Dynamic Configuration).

Side Effects:

  • Old password is saved to user profile history

  • User type is updated to registered if not already

  • Notification email is sent asynchronously

Email Notification: A confirmation email is sent to the user with subject "Password Changed". CC/BCC recipients can be configured via EMAIL_BCC_AND_CC setting.

Audit Logging: Password change events are logged for security audit purposes. Password values are not stored in audit logs.

Error Handling: Invalid old password returns "Invalid password." error message.

Authorizations
sessionidstringRequired

Session cookie for authentication

Header parameters
CookiestringOptional

Session cookie in format sessionid=<value>. May use site-specific cookie name (e.g., osessionid).

X-CSRFTokenstringRequired

CSRF token for state-changing requests

Body
old_passwordstring · passwordRequired

Current password

new_password1string · passwordRequired

New password

new_password2string · passwordRequired

Confirm new password (must match new_password1)

Responses
chevron-right
200

Password changed successfully

application/json
detailstringOptional

Success confirmation message (translated)

Example: New password has been saved.
post
/users/password/change/
PreviousAuthenticationNextOrders

Last updated

Was this helpful?