Password

Password set, reset, and change operations

Set password for guest users

post

Sets password for guest users (users with user_type=guest, typically created during checkout without registration).

Access Control:

Anonymous users: Returns redirect_url to home page
Registered users (already have password): Returns redirect_url to password change page
Guest users: Can set password and become registered users

User Type Transition: Upon successful password set, user's user_type is changed from guest to registered.

Password Validation: Password strength validated according to AUTH_PASSWORD_VALIDATORS setting (Dynamic Configuration).

Response Behavior:

Non-AJAX requests: HTTP 302 redirect to location URL
AJAX requests (X-Requested-With: XMLHttpRequest): JSON with location field

Authorizations

sessionidstringRequired

Session cookie for authentication

Header parameters

CookiestringOptional

Session cookie in format sessionid=<value>. May use site-specific cookie name (e.g., osessionid).

X-CSRFTokenstringRequired

CSRF token for state-changing requests

X-Requested-Withstring · enumOptional

Set to 'XMLHttpRequest' for AJAX requests to receive JSON response

Possible values:

Body

password1string · passwordRequired

New password

password2string · passwordRequired

Confirm new password (must match password1). Validated against AUTH_PASSWORD_VALIDATORS setting.

Responses

200

Password set successfully (AJAX request). Returns location URL for redirect.

application/json

302

Password set successfully (non-AJAX request), redirects to location

400

Validation errors (AJAX request):

Password mismatch (password1 != password2)
Weak password (fails AUTH_PASSWORD_VALIDATORS)

application/json

post

/users/password/set/

POST /users/password/set/ HTTP/1.1
Host: sandbox.akinon.com
X-CSRFToken: text
Content-Type: application/json
Accept: */*
Content-Length: 47

{
  "password1": "password",
  "password2": "password"
}

{
  "location": "/users/password/set/"
}

Set password with SMS OTP verification (guest users)

post

Sets password for authenticated guest users with phone number verification via SMS OTP. This is a two-step process that transitions guest users to registered users.

Step 1 - Request OTP: Send phone, password1, password2 without code. System validates fields, sends SMS verification code, and stores confirmation data in session. Returns 202 status.

Step 2 - Verify and Set Password: Send all fields including code. System verifies the code against session confirmation data. If valid:

Password is set and validated against AUTH_PASSWORD_VALIDATORS
User type changes from guest to registered
Phone number is saved to user profile
verified_phone attribute is set to true
Old password is saved to user profile history Returns 200 with success message.

Resend OTP: Use resend: true to request a new code. Subject to SMS resend interval restrictions (configured via SMS_OTP_RESENT_TIME_GAP system setting). Returns 202 status.

Phone Validation: Phone must be unique among active users (uses UNIQUE_VALIDATOR_PHONE_MESSAGE dynamic setting for error message).

Password Validation: Password strength validated according to AUTH_PASSWORD_VALIDATORS setting (Dynamic Configuration).

Throttling scope: register.

Authorizations

sessionidstringRequired

Session cookie for authentication

Header parameters

CookiestringOptional

Session cookie in format sessionid=<value>. May use site-specific cookie name (e.g., osessionid).

X-CSRFTokenstringRequired

CSRF token for state-changing requests

Body

password1string · passwordRequired

New password

password2string · passwordRequired

Confirm new password (must match password1)

phonestring · max: 60Required

Phone number for SMS verification

codestringOptional

SMS verification code. Omit on first request to receive OTP.

resendbooleanOptional

Set to true to request a new verification code

Default: false

Responses

200

Password set successfully (Step 2 completed)

application/json

202

SMS verification code sent (Step 1 or resend). Confirmation data stored in session.

application/json

400

Validation errors:

Password mismatch (password1 != password2)
Weak password (fails AUTH_PASSWORD_VALIDATORS)
Phone already exists for another active user
Phone format invalid
Incorrect OTP code during verification

401

Authentication required (must be logged in)

429

Too many requests:

Throttling limit exceeded (register scope)
SMS resend interval not elapsed

post

/users/password-sms-otp/set/

POST /users/password-sms-otp/set/ HTTP/1.1
Host: sandbox.akinon.com
X-CSRFToken: text
Content-Type: application/json
Accept: */*
Content-Length: 91

{
  "password1": "password",
  "password2": "password",
  "phone": "text",
  "code": "text",
  "resend": false
}

{
  "message": "New password has been saved."
}

Request password reset via email

post

Initiates password reset flow by sending a reset link via email.

User Filtering: Only sends email to users who:

Are registered users (not guest users)
Have verified email addresses
Are active users

Email Content: Email is rendered using template from RESET_EMAIL_HTML_TEMPLATE setting (Dynamic Configuration). The email contains:

Password reset link with unique token
Frontend ID in extra context (from X-Frontend-ID header if valid)

Security: Always returns success (200) to prevent email enumeration, regardless of whether the email exists in the system.

User Translation: Email is sent in user's preferred language (user.language_code).

Throttling scope: password-reset.

Header parameters

X-Frontend-IDstringOptional

Frontend identifier for multi-frontend setups. Must be in VALID_FRONTEND_IDS setting (Dynamic Configuration). Passed to email template context as frontend_id.

Body

emailstring · emailRequired

Email address for password reset link

Responses

200

Reset email sent if address exists. Response is identical for existing and non-existing emails to prevent enumeration.

application/json

429

Too many reset requests

post

/users/password/reset/

POST /users/password/reset/ HTTP/1.1
Host: sandbox.akinon.com
Content-Type: application/json
Accept: */*
Content-Length: 26

{
  "email": "[email protected]"
}

{
  "detail": "text"
}

Request password reset via SMS

post

Initiates password reset flow by sending a reset SMS with a password reset link to the provided phone number.

User Lookup: Searches for active users by phone number. Only sends SMS if:

Phone number exists in the system
User is active

SMS Content: SMS contains:

Site name
Password reset URL with token (format: /password-reset/{uid}/{token}/)
User information

Token Generation: A secure, time-limited token is generated for password reset confirmation.

Security: Always returns success message (200) to prevent phone number enumeration, regardless of whether the phone exists in the system.

Throttling scope: password-reset.

Body

phonestring · max: 60Required

Phone number for password reset SMS

Responses

200

Success response (always returned regardless of phone existence). SMS is sent only if phone belongs to an active user.

application/json

400

Validation errors:

Phone format is invalid

429

Throttling limit exceeded (password-reset scope)

post

/users/password/reset-with-phone/

POST /users/password/reset-with-phone/ HTTP/1.1
Host: sandbox.akinon.com
Content-Type: application/json
Accept: */*
Content-Length: 16

{
  "phone": "text"
}

{
  "success": "If the phone number you specified is registered, a password reset sms has been sent."
}

Change password for authenticated user

post

Changes password for the currently authenticated user. Requires verification of the old password and two matching new password entries.

Password Validation: New password is validated against AUTH_PASSWORD_VALIDATORS setting (Dynamic Configuration).

Side Effects:

Old password is saved to user profile history
User type is updated to registered if not already
Notification email is sent asynchronously

Email Notification: A confirmation email is sent to the user with subject "Password Changed". CC/BCC recipients can be configured via EMAIL_BCC_AND_CC setting.

Audit Logging: Password change events are logged for security audit purposes. Password values are not stored in audit logs.

Error Handling: Invalid old password returns "Invalid password." error message.

Authorizations

sessionidstringRequired

Session cookie for authentication

Header parameters

CookiestringOptional

Session cookie in format sessionid=<value>. May use site-specific cookie name (e.g., osessionid).

X-CSRFTokenstringRequired

CSRF token for state-changing requests

Body

old_passwordstring · passwordRequired

Current password

new_password1string · passwordRequired

New password

new_password2string · passwordRequired

Confirm new password (must match new_password1)

Responses

200

Password changed successfully

application/json

400

Validation errors:

Invalid old password ("Invalid password.")
Password mismatch (new_password1 != new_password2)
Weak password (fails AUTH_PASSWORD_VALIDATORS)

application/json

401

Authentication required

post

/users/password/change/

POST /users/password/change/ HTTP/1.1
Host: sandbox.akinon.com
X-CSRFToken: text
Content-Type: application/json
Accept: */*
Content-Length: 81

{
  "old_password": "password",
  "new_password1": "password",
  "new_password2": "password"
}

{
  "detail": "New password has been saved."
}

PreviousAuthentication NextOrders

Last updated 28 days ago

Was this helpful?

hashtagSet password for guest users

hashtagSet password with SMS OTP verification (guest users)

hashtagRequest password reset via email

hashtagRequest password reset via SMS

hashtagChange password for authenticated user

Set password for guest users

Set password with SMS OTP verification (guest users)

Request password reset via email

Request password reset via SMS

Change password for authenticated user