Password Reset Endpoints
Base URL: https://auth.calimatic.com/api/v1/auth/headless

Password reset endpoints use App Client authentication. The send endpoint is anti-enumeration safe: it always returns 200, so the response does not disclose which email addresses are registered.
Authentication
All endpoints in this group use App Client authentication:

| Header | Value | Description |
|---|---|---|
| x-client-id | cca_... | Your app client ID |
| x-client-secret | ccas_... | Your app client secret |
| Content-Type | application/json | Required for POST requests |
Endpoints Overview

| Method | Endpoint | Description |
|---|---|---|
| POST | /password/reset-send | Send a password reset email |
| POST | /password/reset-confirm | Set a new password using the reset token |
POST /api/v1/auth/headless/password/reset-send
Send a password reset email to the user. The email contains a single-use token that must be passed to POST /password/reset-confirm.
Anti-enumeration: Always returns 200 even if the email does not exist in the system.
Authentication: App Client (x-client-id + x-client-secret)
Request Body

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address to send the password reset link to |
Response (200 OK)
Always returns an empty body. No information is disclosed about whether the email is registered.

```json
{}
```
Error Codes

| Code | HTTP Status | Description |
|---|---|---|
| RATE_LIMITED | 429 | Request rate limit exceeded |
| INVALID_CLIENT | 401 | App client credentials are missing or invalid |
| VALIDATION_ERROR | 400 | Email format is invalid |
SDK Method

```javascript
await client.password.resetSend({ email: 'user@example.com' });
```
curl Example

```bash
curl -X POST https://auth.calimatic.com/api/v1/auth/headless/password/reset-send \
  -H "Content-Type: application/json" \
  -H "x-client-id: cca_aBcDeFgHiJkL" \
  -H "x-client-secret: ccas_xYzAbCdEfGhI" \
  -d '{
    "email": "user@example.com"
  }'
```
POST /api/v1/auth/headless/password/reset-confirm
Confirm a password reset using the token from the reset email. Validates the token and updates the user's password. The token is single-use and expires after a configured duration.
Authentication: App Client (x-client-id + x-client-secret)
Request Body

| Field | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Reset token from the password reset email link |
| newPassword | string | Yes | New password (min 8 chars, must include uppercase, lowercase, and digit) |
Response (200 OK)
Returns an empty body on success. The user's password is updated and the token is invalidated.

```json
{}
```
Error Codes

| Code | HTTP Status | Description |
|---|---|---|
| VALIDATION_ERROR | 400 | Token is invalid, expired, or password does not meet policy requirements |
| RATE_LIMITED | 429 | Request rate limit exceeded |
| INVALID_CLIENT | 401 | App client credentials are missing or invalid |
SDK Method

```javascript
await client.password.resetConfirm({ token: resetToken, newPassword: 'NewPass1!' });
```
curl Example

```bash
curl -X POST https://auth.calimatic.com/api/v1/auth/headless/password/reset-confirm \
  -H "Content-Type: application/json" \
  -H "x-client-id: cca_aBcDeFgHiJkL" \
  -H "x-client-secret: ccas_xYzAbCdEfGhI" \
  -d '{
    "token": "rt_eyJhbGciOiJIUzI1NiJ9...",
    "newPassword": "NewSecurePass1!"
  }'
```
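The two-step flow above (reset-send, then reset-confirm) as a small added client example; this is not the Calimatic SDK or any code from these docs. It assumes Node 18+ for the global `fetch()`, that error bodies carry a JSON `code` field matching the tables above, and uses placeholder credentials. It checks the documented password policy locally so a single-use token is not spent on a request that will fail validation, and it treats a 200 from reset-send as "accepted" only, never as proof that the address exists.

```javascript
// Added example client for the headless password-reset endpoints (not the official SDK).
const BASE_URL = 'https://auth.calimatic.com/api/v1/auth/headless';

// Mirrors the documented newPassword policy: min 8 chars, uppercase, lowercase, digit.
function passwordMeetsPolicy(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw) && /[0-9]/.test(pw);
}

// Builds fetch() arguments with the App Client headers the endpoints require.
function buildRequest(path, body, creds) {
  return {
    url: `${BASE_URL}${path}`,
    init: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'x-client-id': creds.clientId,       // e.g. 'cca_...' (placeholder)
        'x-client-secret': creds.clientSecret, // e.g. 'ccas_...' (placeholder)
      },
      body: JSON.stringify(body),
    },
  };
}

// Maps an HTTP response to one outcome. 200 means "accepted": for reset-send the
// body is always {} whether or not the email is registered, so nothing else is inferred.
// Assumption: error bodies are JSON with a "code" field (RATE_LIMITED, INVALID_CLIENT, ...).
function interpret(status, bodyText) {
  if (status === 200) return { ok: true };
  let code = 'UNKNOWN';
  try { code = JSON.parse(bodyText).code ?? code; } catch (_) { /* non-JSON error body */ }
  return { ok: false, status, code, retryable: status === 429 };
}

async function resetSend(creds, email, fetchImpl = fetch) {
  const { url, init } = buildRequest('/password/reset-send', { email }, creds);
  const res = await fetchImpl(url, init);
  return interpret(res.status, await res.text());
}

async function resetConfirm(creds, token, newPassword, fetchImpl = fetch) {
  // Reject locally before spending the single-use token on a request that will get a 400.
  if (!passwordMeetsPolicy(newPassword)) {
    return { ok: false, status: 400, code: 'VALIDATION_ERROR', retryable: false, local: true };
  }
  const { url, init } = buildRequest('/password/reset-confirm', { token, newPassword }, creds);
  const res = await fetchImpl(url, init);
  return interpret(res.status, await res.text());
}
```

`fetchImpl` is injectable so the flow can be exercised against a stub in tests; a caller retrying on `retryable` should back off rather than loop on 429.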