Urban Store’s password reset flow is a two-step process: first the user requests a 6-digit reset code, which is sent to their registered email address; then they submit that code alongside the new password to complete the reset. No authentication token is required for either step. The reset code expires in 1 hour, which is shorter than the registration verification code, and a 2-minute cooldown prevents repeated code requests.
Request a reset code
Call POST /api/users/request-password-reset/ with the account email. If the account exists and is active, a 6-digit code is sent to that address.
POST /api/users/request-password-reset/
Send a 6-digit password reset code to the user’s registered email address.
Authentication
None required. This endpoint is publicly accessible.
Request Body
The email address of the Urban Store account for which the password reset is being requested.
Behavior
- If the email exists and the account is active (is_active=True), a new 6-digit code is generated, stored in verification_token, and emailed to the user. verification_token_expires is set to 1 hour from now (UTC). last_verification_sent_at is updated and verification_attempts is reset to 0.
- A 2-minute cooldown is enforced between requests using last_verification_sent_at. Requests within the cooldown window return 429 with the exact seconds remaining.
- If the email is not found, the endpoint still returns 200 — this prevents user enumeration (an attacker cannot determine which emails are registered by probing this endpoint).
Request Example
Response — 200 OK
Confirmation that the reset code has been dispatched. Always returns 200 even when the email is not registered.
Error Responses
| Status | Body | Cause |
|---|---|---|
| 429 | { "error": "Debes esperar N segundos antes de solicitar otro código." } | A reset code was already requested within the last 2 minutes; N is the exact seconds remaining |
| 403 | { "error": "Cuenta desactivada" } | The account exists but is_active is False |
| 400 | { "error": "El email es requerido" } | Request body did not include the email field |
The response for an unregistered email is intentionally identical to the success response (200 with a generic message). This ensures the endpoint cannot be used to discover which email addresses have Urban Store accounts.
POST /api/users/confirm-password-reset/
Validate the reset code and set a new password for the account. The code must match verification_token, must not be expired, and the new password must meet the minimum length requirement.
Authentication
None required. This endpoint is publicly accessible.
Request Body
The email address of the account being reset. Must match an existing user record.
The 6-digit reset code received by email from the request step. Example: "382910".
The desired new password. Must be at least 6 characters long. Stored as a new bcrypt hash.
Behavior on Success
When the code is valid and not expired, the API:
- Hashes the new password with bcrypt and saves it to user.password.
- Clears verification_token → None.
- Clears verification_token_expires → None.
- Resets verification_attempts → 0.
POST /api/users/login/.
Request Example
Response — 200 OK
Confirmation that the password was updated successfully.
Error Responses
| Status | Body | Cause |
|---|---|---|
| 400 | { "error": "Código incorrecto" } | The submitted code does not match the stored verification_token |
| 400 | { "error": "El código ha expirado. Solicita uno nuevo." } | The code’s verification_token_expires timestamp is in the past (codes expire after 1 hour) |
| 400 | { "error": "La contraseña debe tener al menos 6 caracteres" } | new_password is fewer than 6 characters |
| 400 | { "error": "Email, código y nueva contraseña son requeridos" } | One or more required fields are missing from the request body |
| 404 | { "error": "Usuario no encontrado" } | No user record found for the provided email |
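The two steps documented above, modelled in memory as an added example (this is not Urban Store's own code). The function names, the `users` dict standing in for the user model, the `send` and `hash_password` callbacks, the 200 message texts and the order of the checks in the confirm step are assumptions; field names, status codes, error strings and time limits are taken from this page.

```python
import hmac
import secrets
from datetime import timedelta

CODE_TTL = timedelta(hours=1)     # reset code lifetime stated on this page
COOLDOWN = timedelta(minutes=2)   # minimum gap between code requests
SENT = {"message": "reset code sent"}  # constructed text; the page shows no 200 body

def request_reset(users, email, now, send=lambda addr, code: None):
    """Request step. `users` maps email -> dict of the documented fields."""
    if not email:
        return 400, {"error": "El email es requerido"}
    user = users.get(email)
    if user is None:
        return 200, SENT  # unknown email gets the same answer as a real send
    if not user["is_active"]:
        return 403, {"error": "Cuenta desactivada"}
    last = user.get("last_verification_sent_at")
    if last is not None and now - last < COOLDOWN:
        wait = int((COOLDOWN - (now - last)).total_seconds())
        return 429, {"error": f"Debes esperar {wait} segundos antes de solicitar otro código."}
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
    user.update(verification_token=code, verification_token_expires=now + CODE_TTL,
                last_verification_sent_at=now, verification_attempts=0)
    send(email, code)
    return 200, SENT

def confirm_reset(users, email, code, new_password, now, hash_password):
    """Confirm step. The order of the checks is an assumption."""
    if not (email and code and new_password):
        return 400, {"error": "Email, código y nueva contraseña son requeridos"}
    user = users.get(email)
    if user is None:
        return 404, {"error": "Usuario no encontrado"}
    if len(new_password) < 6:
        return 400, {"error": "La contraseña debe tener al menos 6 caracteres"}
    stored = user.get("verification_token") or ""
    # Constant-time comparison; an empty stored token never matches because
    # an empty submitted code was already rejected above.
    if not hmac.compare_digest(stored.encode(), str(code).encode()):
        return 400, {"error": "Código incorrecto"}
    if user["verification_token_expires"] < now:
        return 400, {"error": "El código ha expirado. Solicita uno nuevo."}
    user.update(password=hash_password(new_password), verification_token=None,
                verification_token_expires=None, verification_attempts=0)
    return 200, {"message": "password updated"}  # constructed text
```

In this model, as in the tables above, the generic 200 is not the only answer that depends on the account: the documented 403 and 404 responses are returned only for a deactivated or a missing account respectively, which is worth weighing when reviewing the enumeration guarantee.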