The password recovery endpoint accepts an email address and calls Supabase’s resetPasswordForEmail method. When the Supabase side succeeds, a reset link is sent to the inbox; the link points back to APP_ORIGIN/login where the user can set a new password. Crucially, the API always returns the same success message whether the supplied email is registered or not — this prevents attackers from enumerating valid accounts by probing the endpoint. No Authorization header is required to call this endpoint.

Request

POST /api/auth/recover-password
Content-Type: application/json

Body parameters

email (string, required)
The email address to send the password-reset link to. The response will be identical whether or not this address exists in the system.

Response 200 OK

The response is always the same, regardless of whether the email is registered.

message (string)
A fixed message confirming that instructions were sent if the address exists. Never indicates whether the email was found.

{
  "message": "Si el correo existe, enviamos instrucciones"
}

Redirect behavior

The reset link embedded in the email uses the redirectTo parameter set to:
<APP_ORIGIN>/login
APP_ORIGIN is the environment variable configured on the server (e.g. http://localhost:5173 in development). After the user clicks the link, Supabase appends the recovery token as a URL fragment; your /login route is responsible for detecting it and calling supabase.auth.updateUser({ password: newPassword }) to complete the reset.

Error responses

Status | Condition
400 | The email field is missing from the request body
400 | Supabase returned an error while attempting to send the reset email

{ "error": "Email is required" }

Examples

curl -X POST http://localhost:3001/api/auth/recover-password \
  -H "Content-Type: application/json" \
  -d '{ "email": "ada@example.com" }'

Do not display different UI feedback based on whether the email is known to your system. The endpoint intentionally returns an identical response for both registered and unregistered addresses to prevent user enumeration attacks.
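
Added example (not the project's own code): a framework-free JavaScript sketch of the behaviour documented above, with a check that a registered and an unregistered address receive identical responses. The stub client, the function names and the error text for the Supabase-failure case are assumptions; only the fixed message and "Email is required" come from this page.

```javascript
// Added example; handler logic is kept framework-free so it runs offline.
const FIXED_MESSAGE = "Si el correo existe, enviamos instrucciones"; // from this page

// Constructed stand-in for a Supabase client. It mirrors the shape of
// supabase.auth.resetPasswordForEmail(email, { redirectTo }) -> { data, error }.
// Assumption: the stub reports success for unknown addresses and only
// records outgoing mail for registered ones.
function makeFakeSupabase(registered, failFor = new Set()) {
  const sent = [];
  return {
    sent,
    auth: {
      async resetPasswordForEmail(email, { redirectTo }) {
        if (failFor.has(email)) {
          return { data: null, error: { message: "upstream failure" } };
        }
        if (registered.has(email)) sent.push({ email, redirectTo });
        return { data: {}, error: null };
      },
    },
  };
}

// Hypothetical handler core: returns { status, body } for a parsed JSON body.
async function recoverPassword(body, supabase, appOrigin) {
  const email = body ? body.email : undefined;
  if (typeof email !== "string" || email === "") {
    return { status: 400, body: { error: "Email is required" } };
  }
  const { error } = await supabase.auth.resetPasswordForEmail(email, {
    redirectTo: `${appOrigin}/login`,
  });
  if (error) {
    // Assumption: generic text; the page does not show this body.
    return { status: 400, body: { error: "Could not send reset email" } };
  }
  // Same status and body whether or not the address is registered.
  return { status: 200, body: { message: FIXED_MESSAGE } };
}

// Enumeration check: the serialized responses for two addresses must match.
async function responsesMatch(supabase, appOrigin, emailA, emailB) {
  const a = await recoverPassword({ email: emailA }, supabase, appOrigin);
  const b = await recoverPassword({ email: emailB }, supabase, appOrigin);
  return JSON.stringify(a) === JSON.stringify(b);
}
```

A check like responsesMatch fits in the API's test suite, so a later change that branches on account existence fails the build.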
