Password Management
Forget, reset, and change passwords.
The PasswordManagementPlugin provides endpoints for password reset flows and password changes.
Setup
```rust
use std::sync::Arc;
use better_auth::plugins::{
    PasswordManagementPlugin,
    password_management::SendResetPassword,
};

// Delivers the reset link. The plugin generates the token and the URL;
// your implementation only has to get `url` to the user (e-mail, SMS, ...).
struct ResetSender;

#[async_trait::async_trait]
impl SendResetPassword for ResetSender {
    async fn send(
        &self,
        user: &serde_json::Value, // the user the reset was requested for
        url: &str,                // link to your reset form, carrying the token
        token: &str,              // the raw token, if you build the link yourself
    ) -> better_auth::AuthResult<()> {
        // Placeholder: a real sender e-mails `url` to the user's address here.
        let _ = (user, url, token);
        Ok(())
    }
}

// `config` and `database` are the values from the base setup (not shown on this page).
let auth = BetterAuth::new(config)
    .database(database)
    .plugin(
        PasswordManagementPlugin::new()
            .reset_token_expiry_hours(24)
            .require_current_password(true)
            .send_reset_password(Arc::new(ResetSender))
    )
    .build()
    .await?;
```

Plugin Options
| Option | Type | Default | Description |
|---|---|---|---|
| reset_token_expiry_hours | i64 | 24 | Hours before a reset token expires |
| require_current_password | bool | true | Require the current password for password changes |
| send_email_notifications | bool | true | Send an email notification on password changes |
Forget Password
Initiates a password reset flow.

This endpoint requires PasswordManagementPlugin::send_reset_password(...). Configuring a global EmailProvider alone does not enable POST /request-password-reset.

```http
POST /request-password-reset
Content-Type: application/json

{
  "email": "alice@example.com",
  "redirectTo": "https://example.com/reset"
}
```

Response

```json
{
  "status": true
}
```

Always returns success regardless of whether the email exists, so the response body cannot be used to enumerate accounts. Keep the delivery of the reset email off the request path (or otherwise make the response time the same for known and unknown addresses): a measurably slower reply for existing accounts leaks the same information the uniform body hides.
Reset Password
Completes the password reset using the token from the email link.

```http
POST /reset-password
Content-Type: application/json

{
  "newPassword": "new_secure_password",
  "token": "reset_token_from_email"
}
```

Response

```json
{
  "user": { ... }
}
```

| Status | Condition |
|---|---|
| 400 | Token missing or expired, password too short |
Validate Reset Token
Check whether a reset token is still valid before showing the reset form.

```http
GET /reset-password/{token}
```

Returns 200 if the token is valid, 400 if it is expired or invalid. The token travels in the URL path, so serve the reset form without third-party resources and with a restrictive Referrer-Policy, otherwise the link can leak through the Referer header.
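The three endpoints above form one lifecycle: issue a token for a known address, check it, consume it. The following is an added example written for this page (it is not better_auth code and does not use the crate) that models that lifecycle with std-only Rust so the security properties can be exercised offline. Assumptions: a 24-hour expiry matching `reset_token_expiry_hours(24)`; an 8-character minimum as a stand-in for the password policy; the token is passed in by the caller rather than generated, because the real plugin draws it from a CSPRNG; tokens and passwords are stored unhashed only to keep the model short. The sample user is constructed.

```rust
use std::collections::HashMap;

/// Mirrors reset_token_expiry_hours(24), expressed in seconds.
const RESET_TOKEN_EXPIRY_SECS: u64 = 24 * 60 * 60;
/// Assumed minimum length; the real policy is the plugin's, not shown on this page.
const MIN_PASSWORD_LEN: usize = 8;

struct PendingReset {
    email: String,
    expires_at: u64, // unix seconds
}

#[derive(Default)]
struct ResetFlow {
    /// email -> password. Plaintext only to keep the model short; store a hash in real code.
    users: HashMap<String, String>,
    /// token -> pending reset. A real store keeps a hash of the token, not the token itself.
    pending: HashMap<String, PendingReset>,
}

impl ResetFlow {
    /// POST /request-password-reset. Always returns `status: true`; whether a
    /// token was recorded (and a mail would go out) must never reach the caller.
    /// `token` stands in for the CSPRNG output the real plugin generates.
    fn request_reset(&mut self, email: &str, token: &str, now: u64) -> bool {
        if self.users.contains_key(email) {
            self.pending.insert(
                token.to_string(),
                PendingReset { email: email.to_string(), expires_at: now + RESET_TOKEN_EXPIRY_SECS },
            );
        }
        true
    }

    /// GET /reset-password/{token}: 200 while the token exists and is unexpired, else 400.
    fn validate_token(&self, token: &str, now: u64) -> u16 {
        match self.pending.get(token) {
            Some(p) if now < p.expires_at => 200,
            _ => 400,
        }
    }

    /// POST /reset-password. Returns the e-mail of the user whose password changed,
    /// or the 400 status the endpoint documents.
    fn reset_password(&mut self, token: &str, new_password: &str, now: u64) -> Result<String, u16> {
        // Policy check first: a too-short password must not burn the token,
        // otherwise the user has to request a new link just to retry.
        if new_password.chars().count() < MIN_PASSWORD_LEN {
            return Err(400);
        }
        // Remove before use so the token is single-use whatever happens next.
        let pending = self.pending.remove(token).ok_or(400u16)?;
        if now >= pending.expires_at {
            return Err(400);
        }
        match self.users.get_mut(&pending.email) {
            Some(stored) => {
                *stored = new_password.to_string();
                Ok(pending.email)
            }
            None => Err(400),
        }
    }

    fn pending_tokens(&self) -> usize {
        self.pending.len()
    }
}

fn main() {
    let mut flow = ResetFlow::default();
    flow.users.insert("alice@example.com".into(), "old_password".into()); // constructed sample user
    // Unknown address: same answer, but nothing is stored.
    assert!(flow.request_reset("nobody@example.com", "tok-1", 0));
    assert_eq!(flow.pending_tokens(), 0);
    assert!(flow.request_reset("alice@example.com", "tok-2", 0));
    assert_eq!(flow.validate_token("tok-2", 3_600), 200);
    assert_eq!(flow.reset_password("tok-2", "new_secure_password", 3_600), Ok("alice@example.com".to_string()));
    assert_eq!(flow.validate_token("tok-2", 3_600), 400); // consumed
    println!("reset flow ok");
}
```

Two ordering choices carry the security weight: the password-policy check runs before the token is consumed, so a rejected password does not force a new reset request, and the token is removed from the store before it is used, so it can never be replayed even if the password update itself fails.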
Change Password (Authenticated)
Change the password of the currently signed-in user.

```http
POST /change-password
Authorization: Bearer <token>
Content-Type: application/json

{
  "currentPassword": "old_password",
  "newPassword": "new_password",
  "revokeOtherSessions": true
}
```

| Field | Required | Description |
|---|---|---|
| currentPassword | Yes | Current password, verified before the change (see require_current_password) |
| newPassword | Yes | New password (must meet the password policy) |
| revokeOtherSessions | No | Boolean; revoke all other sessions of this user after the change |

Response

```json
{
  "user": { ... },
  "token": "session_new..."
}
```

The response carries a fresh session token; the client should store it and use it for subsequent requests. Set revokeOtherSessions when the change is a response to a suspected compromise, so that a session an attacker may already hold does not survive the new password.
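To make the interaction between require_current_password, revokeOtherSessions and the returned token concrete, here is an added example written for this page (not better_auth code; it models the endpoint with std-only Rust rather than calling the crate). Assumptions: the bearer token is looked up in an in-memory session map; the fresh session token is passed in by the caller because the real plugin generates it from a CSPRNG; passwords are compared as plaintext with a constant-time compare, where real code would verify a password hash; an 8-character minimum stands in for the password policy; the caller's own session is always rotated to the new token, and other sessions are dropped only when the flag is set. The users and sessions are constructed sample data.

```rust
use std::collections::HashMap;

/// Assumed minimum length; the real policy is the plugin's, not shown on this page.
const MIN_PASSWORD_LEN: usize = 8;

/// The plugin option that governs whether `currentPassword` is checked.
struct ChangePasswordPolicy {
    require_current_password: bool,
}

/// Body of POST /change-password.
struct ChangePasswordRequest<'a> {
    current_password: Option<&'a str>,
    new_password: &'a str,
    revoke_other_sessions: bool,
}

#[derive(Default)]
struct SessionStore {
    /// session token -> user id
    sessions: HashMap<String, String>,
    /// user id -> password. Plaintext only to keep the model short; real code verifies a hash.
    passwords: HashMap<String, String>,
}

/// Compare without early exit so the time taken does not depend on where the inputs differ.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl SessionStore {
    /// `bearer` is the token from `Authorization: Bearer <token>`; `new_token`
    /// stands in for the fresh session token the real plugin generates.
    /// Returns the new token, or the HTTP status to answer with.
    fn change_password(
        &mut self,
        policy: &ChangePasswordPolicy,
        bearer: &str,
        req: &ChangePasswordRequest<'_>,
        new_token: &str,
    ) -> Result<String, u16> {
        let user = self.sessions.get(bearer).cloned().ok_or(401u16)?;
        let stored = self.passwords.get(&user).ok_or(401u16)?;
        if policy.require_current_password {
            match req.current_password {
                Some(given) if constant_time_eq(given.as_bytes(), stored.as_bytes()) => {}
                _ => return Err(400),
            }
        }
        if req.new_password.chars().count() < MIN_PASSWORD_LEN {
            return Err(400);
        }
        self.passwords.insert(user.clone(), req.new_password.to_string());
        if req.revoke_other_sessions {
            // Drop every session of this user, including the caller's, which is rotated below.
            self.sessions.retain(|_, owner| *owner != user);
        } else {
            self.sessions.remove(bearer);
        }
        self.sessions.insert(new_token.to_string(), user);
        Ok(new_token.to_string())
    }

    fn live_sessions_for(&self, user: &str) -> usize {
        self.sessions.values().filter(|owner| owner.as_str() == user).count()
    }
}

fn main() {
    let mut store = SessionStore::default();
    // Constructed sample data: alice is signed in on two devices, bob on one.
    store.passwords.insert("alice".into(), "old_password".into());
    store.sessions.insert("sess-laptop".into(), "alice".into());
    store.sessions.insert("sess-phone".into(), "alice".into());
    store.sessions.insert("sess-bob".into(), "bob".into());
    let policy = ChangePasswordPolicy { require_current_password: true };
    let req = ChangePasswordRequest {
        current_password: Some("old_password"),
        new_password: "new_password",
        revoke_other_sessions: true,
    };
    let token = store.change_password(&policy, "sess-laptop", &req, "session_new").unwrap();
    println!("new token {token}, alice sessions left: {}", store.live_sessions_for("alice"));
}
```

Note the failure ordering: an unknown bearer is rejected before any password material is touched, a wrong or missing currentPassword is rejected before the policy check, and nothing in the store changes on any error path, so a rejected request cannot be used to log other devices out.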