POST /api/passwordmanagement/sendPasswordResetCode

Validates the email address provided in the request, generates a password reset code, and sends the reset code in an email to the validated address. This operation is called when a user requests a password reset.

For additional information about password reset, see The Password Reset Process.

Note: The platform includes enhanced security settings that can be activated via a configuration setting. The Site Admin can use this to restrict user enumeration in a password reset scenario. In the enhanced security scenario, a different notification is emailed to the user if the email address provided by the user doesn't match any existing account, and yet another if the email address matches a third-party provider account (for example, login with Google). In these scenarios, the password reset code is not sent, but the operation still returns a 200. For more information on this setting, refer to the Site Admin user help: How can I protect from vulnerability in Signup and Forgot Password scenarios?

Authorization Roles/Permissions: For the password reset to complete successfully, the email address must correspond with a valid registered user.
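
The enhanced-security behavior described in the note above can be modeled as follows. This is an added illustration in Python, not the platform's code: the account store, the notification names and the function name are assumptions made for the example, and the handling of a missing emailAddress is a placeholder because this page does not document it.

```python
import secrets
from urllib.parse import parse_qs

# Constructed sample account store (assumption); the platform's user store is not shown on this page.
ACCOUNTS = {
    "jane.doe@example.com": "local",        # password managed by the platform
    "sam.lee@example.com": "third_party",   # signs in through an external provider
}


def send_password_reset_code(form_body, outbox):
    """Model of enhanced-security mode: every outcome returns 200 with no body.

    Only the e-mail placed in `outbox` differs, so the HTTP response does not
    reveal whether the address belongs to an account.
    """
    fields = parse_qs(form_body)  # form decoding turns %40 back into "@"
    email = fields.get("emailAddress", [""])[0].strip().lower()
    if not email:
        # Placeholder: the page does not say how a missing parameter is answered.
        raise ValueError("emailAddress is required")

    kind = ACCOUNTS.get(email)
    if kind == "local":
        code = secrets.token_urlsafe(16)  # unpredictable code from a CSPRNG
        outbox.append((email, "reset_code", code))
    elif kind == "third_party":
        outbox.append((email, "third_party_notice", None))  # no reset code sent
    else:
        outbox.append((email, "no_account_notice", None))   # no reset code sent
    return 200, ""  # identical status and empty body in all three cases
```

Matching status codes do not cover response-time differences; sending the mail outside the request path keeps timing uniform across the three cases as well.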

HTTP Method



Sample Request

The example below shows a reset code request for the specified email address. The email address is encoded.

Request URL


Sample request headers

POST /api/passwordmanagement/sendPasswordResetCode HTTP/1.1
Host: {hostname}
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Sample request body

Request Headers

For general information on request header values, refer to HTTP Request Headers.

| Header | Description |
| --- | --- |
| Accept | application/json, application/vnd.soa.v71+json |
| Content-Type | application/x-www-form-urlencoded |
| X-Csrf-Token_{fedmemberID} | The CSRF prevention header; may or may not be required, depending on platform settings. See CSRF Prevention on the Platform. By default, the CSRF header is not required for GET operations and is required for all others, with a few exceptions relating to user login. |

Request Parameters

| Parameter | Parm Type | Data Type | Required | Description |
| --- | --- | --- | --- | --- |
| emailAddress | Form | string | Required | The email address for the account for which the user is requesting a password reset. |


If successful, this operation returns HTTP status code 200. There is no response body.

Sample Response

The sample response below returns HTTP status code 200, which shows that the operation completed successfully.

Sample response headers

HTTP/1.1 200 OK
Date: Mon, 18 Aug 2014 14:34:41 GMT

Sample response body

Not applicable.

Response Headers

For general information on response header values, refer to HTTP Response Headers.

| Header | Description |
| --- | --- |
| Content-Type | application/json, application/vnd.soa.v71+json |

Response Body

Not applicable.

Error Codes/Messages

If the call is unsuccessful, an error code/message is returned. One or more examples of possible errors for this operation are shown below.

| Item | Value |
| --- | --- |
| 401 | Unauthorized. For example, you would get this response if you didn't include the custom X-Csrf-Token_{fedmemberID} header in the request, when it was required by the platform settings; or if you included an invalid or expired value for this header. You would also get this response for any operation that requires login (almost all) if the login cookie was missing. |
| 405 | Method Not Allowed. For example, you might get this if you specified an invalid Accept header or omitted a required Content-Type header, or used the wrong HTTP verb. |
| 500 | An error occurred processing the call. |

For more information, see Akana API Platform API error messages.
