Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/eggarcia98/auth-backend/llms.txt

Use this file to discover all available pages before exploring further.

Password reset is a two-step flow: the user requests a reset link by email, then submits a new password using the token from that link.

Flow overview

1

Request a reset link

The client posts the user’s email to POST /api/v1/auth/forgot-password. Supabase sends a password-reset email with a link pointing to FRONTEND_URL/auth/reset-password?token=....
2

User clicks the email link

The user opens the email and clicks the link. The browser opens the frontend reset-password page with an access token in the URL.
3

Frontend extracts the token

The frontend reads the token query parameter from the URL and stores it temporarily in memory (not in localStorage).
4

Submit the new password

The client posts the new password to POST /api/v1/auth/reset-password, passing the token as a Bearer token in the Authorization header.

Request

curl
curl -X POST https://your-domain.com/api/v1/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Request body

FieldTypeRequiredDescription
emailstringYesEmail address of the account to reset

Response

{
  "success": true,
  "data": {
    "message": "Password reset email sent"
  }
}
The API returns the same success response regardless of whether the email address is registered. This prevents account enumeration.

Step 2 — Submit the new password

Request

curl
curl -X POST https://your-domain.com/api/v1/auth/reset-password \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer TOKEN_FROM_EMAIL_LINK" \
  -d '{"token": "TOKEN_FROM_EMAIL_LINK", "password": "NewSecur3Pass"}'

Request body

FieldTypeRequiredDescription
tokenstringYesReset token from the email link (also required in Authorization header)
passwordstringYesNew password — must meet all requirements below

Authorization header

The reset token from the email link must be sent as a Bearer token: 
Authorization: Bearer <token>

Response

{
  "success": true,
  "data": {
    "message": "Password reset successfully"
  }
}

Password requirements

New passwords are validated by resetPasswordSchema in src/schemas/auth.schemas.ts. All four rules must pass:
RuleRequirement
Minimum lengthAt least 8 characters
Uppercase letterAt least one A–Z character
Lowercase letterAt least one a–z character
NumberAt least one 0–9 digit

Frontend integration

TypeScript
// Step 1: request reset email
await fetch('/api/v1/auth/forgot-password', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email }),
});

// Step 2: on the reset-password page, extract token from URL
const token = new URLSearchParams(window.location.search).get('token');

// Step 3: submit the new password
const res = await fetch('/api/v1/auth/reset-password', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${token}`,
  },
  body: JSON.stringify({
    token,           // required by request body schema
    password: newPassword,
  }),
});

const result = await res.json();
if (result.success) {
  // Redirect to login
  window.location.href = '/login';
}
The reset token is single-use and short-lived (controlled by Supabase). Do not store it in localStorage — keep it only in memory or in the URL while the user is on the reset page.

Error cases

ScenarioHTTP statusError message
Missing or invalid email400Invalid email address
Password too short400Password must be at least 8 characters
Password missing uppercase400Password must contain at least one uppercase letter
Password missing lowercase400Password must contain at least one lowercase letter
Password missing number400Password must contain at least one number
Missing Authorization header401Missing or invalid authorization header
Invalid or expired reset token400Supabase validation error message

Error response format

{
  "success": false,
  "error": {
    "message": "Validation failed",
    "code": "VALIDATION_ERROR",
    "details": [
      {
        "code": "invalid_string",
        "path": ["password"],
        "message": "Password must contain at least one uppercase letter"
      }
    ]
  }
}

Build docs developers (and LLMs) love

Get started for freeTalk to us