POST /api/auth/forgot-password
Send an OTP to initiate the password reset process.
This endpoint sends a one-time password (OTP) to the user’s email address to begin the password reset process.
The OTP must be verified using the reset password endpoint to complete the password change.
When to use
- When a user forgets their password
- When initiating a secure password reset flow
Request
```http
POST /api/auth/forgot-password
Content-Type: application/json
```
Request Body
```json
{
  "email": "user@example.com"
}
```
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Registered user email |
Response
Success (200 OK)
```json
{
  "success": true,
  "message": "Password reset OTP sent"
}
```
The response is intentionally generic to avoid revealing whether the email exists.
Errors
Invalid request (400)
```json
{
  "success": false,
  "message": "Email is required"
}
```
Rate limited (429)
```json
{
  "success": false,
  "message": "Too many requests"
}
```
Notes
- The same response is returned whether or not the email exists
- OTPs are time-limited and single-use
- Email delivery depends on SMTP configuration
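A reference handler for the contract above, added here as an illustration and not the project's own code. It returns the documented 400, 429 and generic 200 bodies, hashes the OTP at rest, and enforces the time limit and single use on verification; the OTP lifetime, the rate-limit threshold, the in-memory `ResetStore` and the `verify_otp` helper are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 600           # assumed lifetime; the page only says "time-limited"
MAX_REQUESTS_PER_WINDOW = 5     # assumed threshold behind the 429 response
WINDOW_SECONDS = 900

@dataclass
class ResetStore:
    users: set                                  # registered addresses (constructed data)
    otps: dict = field(default_factory=dict)    # email -> (otp_hash, expires_at)
    hits: dict = field(default_factory=dict)    # email -> request timestamps
    sent: list = field(default_factory=list)    # stand-in for SMTP delivery

def _hash_otp(email, otp):
    return hashlib.sha256(f"{email}:{otp}".encode()).hexdigest()  # never store the raw OTP

def forgot_password(body, store, now=None):
    """Return (status, json) for POST /api/auth/forgot-password."""
    now = time.time() if now is None else now
    email = (body or {}).get("email")
    if not isinstance(email, str) or not email.strip():
        return 400, {"success": False, "message": "Email is required"}
    email = email.strip().lower()
    # Per-address limit: stops the endpoint being used to flood a mailbox
    window = [t for t in store.hits.get(email, []) if now - t < WINDOW_SECONDS]
    if len(window) >= MAX_REQUESTS_PER_WINDOW:
        return 429, {"success": False, "message": "Too many requests"}
    store.hits[email] = window + [now]
    if email in store.users:
        otp = f"{secrets.randbelow(10**6):06d}"          # 6-digit OTP from a CSPRNG
        store.otps[email] = (_hash_otp(email, otp), now + OTP_TTL_SECONDS)
        store.sent.append((email, otp))                     # real code queues an e-mail here
    # Same body for known and unknown addresses, so the reply cannot enumerate accounts
    return 200, {"success": True, "message": "Password reset OTP sent"}

def verify_otp(email, otp, store, now=None):
    """Consume an OTP: valid once, and never after it expires."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    otp_hash, expires_at = store.otps.get(email, ("", 0))   # unknown address: always fails
    if now > expires_at or not hmac.compare_digest(otp_hash, _hash_otp(email, otp)):
        return False
    del store.otps[email]   # single-use: a replayed OTP fails here
    return True
```

Queue the e-mail send asynchronously in production so that response timing, not just the body, is the same for known and unknown addresses.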
Related APIs
- POST /api/auth/set-new-password – Reset password
- POST /api/auth/verify-otp – Verify OTP