The password reset flow allows a player who has forgotten their password to set a new one via a time-limited link sent to their registered email address. The reset token expires 1 hour after it is issued. Any previously issued reset token for the same account is deleted before a new one is generated, so only the most recently sent link is ever valid.

POST /api/auth/forgot-password

Looks up the email address in the database and, if found, sends a password reset link. Any existing reset token for the account is revoked before the new one is issued.
Method: POST
Path: /api/auth/forgot-password
Auth required: None

Request body

email (string, required)
The email address associated with the account. The lookup is case-insensitive.

Example request

curl -X POST http://localhost:3000/api/auth/forgot-password \
  -H 'Content-Type: application/json' \
  -d '{"email": "alice@example.com"}'

Response codes

Status  Meaning
200     Request accepted. If the email is registered, a reset link has been sent.

This endpoint always returns 200 regardless of whether the email address exists in the database. This behaviour is intentional: it prevents account enumeration by ensuring an unauthenticated caller cannot determine whether a given email is registered. The web client always shows a “check your email” confirmation screen after submission.

POST /api/auth/reset-password

Validates the reset token and, if it is valid and unexpired, updates the player’s password. The token is deleted immediately after use so it cannot be reused.
Method: POST
Path: /api/auth/reset-password
Auth required: None

Request body

token (string, required)
The UUID reset token from the password reset email link. Tokens are single-use and expire 1 hour after they are issued.

newPassword (string, required)
The new password to set for the account. Minimum 8 characters. Stored as a bcrypt hash.

Example request

curl -X POST http://localhost:3000/api/auth/reset-password \
  -H 'Content-Type: application/json' \
  -d '{"token": "d9428888-122b-11e1-b85c-61cd3cbb3210", "newPassword": "newpassword123"}'

Response codes

Status  Meaning
200     Password updated. The player can now sign in with the new password.
400     Token is missing, invalid, or has expired; or newPassword is fewer than 8 characters.

200 response body

{
  "message": "Password has been reset. You can now log in with your new password."
}

The reset link URL follows the pattern <APP_URL>/#/reset-password?token=<uuid>. For example, with the default local configuration: http://localhost:3000/#/reset-password?token=d9428888-122b-11e1-b85c-61cd3cbb3210.

The web client handles this route at #/reset-password?token=<uuid>: it reads the token from the query string and submits it alongside the new password to POST /api/auth/reset-password. On success the player is shown a confirmation screen; on failure (invalid or expired token) an error screen is shown with a link back to the forgot password form.
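
The token rules on this page (1-hour expiry, single use, earlier tokens revoked, a uniform 200 from forgot-password) can be modelled in one small in-memory service. This is an added example, not the Spades project's code: createResetService, the Maps, keeping only a SHA-256 digest of the token at rest, and the scrypt stand-in for bcrypt are all assumptions of the sketch.

```javascript
// Added sketch: in-memory model of the reset-token rules described on this page.
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 60 * 60 * 1000; // page: tokens expire 1 hour after issue
const MIN_PASSWORD_LENGTH = 8;       // page: minimum 8 characters

// Assumption: only a digest of the token is stored, so a leaked table is not replayable.
const digest = (token) => crypto.createHash('sha256').update(String(token)).digest('hex');

// Stand-in for bcrypt (which the page names) so the sketch needs no dependencies.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32);
  return ['scrypt', salt.toString('hex'), key.toString('hex')].join('$');
}

// users: Map of lower-cased email -> { passwordHash }; sendMail(email, token) is hypothetical.
function createResetService(users, sendMail) {
  const tokens = new Map(); // token digest -> { email, expiresAt }

  function forgotPassword(email, now = Date.now()) {
    const key = String(email).trim().toLowerCase(); // case-insensitive lookup
    if (users.has(key)) {
      // Revoke any earlier token for this account before issuing a new one.
      for (const [d, t] of tokens) if (t.email === key) tokens.delete(d);
      const token = crypto.randomUUID();
      tokens.set(digest(token), { email: key, expiresAt: now + TOKEN_TTL_MS });
      sendMail(key, token);
    }
    return { status: 200 }; // identical whether or not the email is registered
  }

  function resetPassword(token, newPassword, now = Date.now()) {
    // Check the password first so a too-short one does not burn a valid token.
    if (typeof newPassword !== 'string' || newPassword.length < MIN_PASSWORD_LENGTH) {
      return { status: 400 };
    }
    const d = digest(token);
    const entry = tokens.get(d);
    if (!entry) return { status: 400 }; // missing, unknown, revoked or already used
    tokens.delete(d);                   // single use; expired tokens are dropped here too
    if (now >= entry.expiresAt) return { status: 400 };
    users.get(entry.email).passwordHash = hashPassword(newPassword);
    return { status: 200 };
  }

  return { forgotPassword, resetPassword };
}
```

The `now` parameter exists only so expiry can be exercised deterministically; both functions return the status code the endpoint would send.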
