POST /api/auth/set-new-password
Reset a user’s password using a valid OTP.
This endpoint resets a user’s password after verifying a valid OTP.
It completes the password reset flow initiated by the forgot password endpoint.
When to use
- After receiving a password reset OTP
- When the user submits a new password
Request
HTTP
POST /api/auth/set-new-password
Content-Type: application/json
Request Body
{
"email": "user@example.com",
"otp": "123456",
"newPassword": "new-strong-password"
}
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Registered user email |
| otp | string | Yes | Password reset OTP |
| newPassword | string | Yes | New user password |
Response
Success (200 OK)
Response
{
"success": true
}
The user can now log in using the new password.
Errors
Invalid or expired OTP (400)
Error
{
"success": false,
"message": "Invalid or expired OTP"
}
Invalid request (400)
Error
{
"success": false,
"message": "Invalid request"
}
Rate limited (429)
Error
{
"success": false,
"message": "Too many attempts"
}
Notes
- Passwords are securely hashed before storage
- All existing sessions may be invalidated after reset
- The OTP is invalidated after use
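
The behaviour listed under Errors and Notes, modelled as an added Python sketch that is not this API's own code. The in-memory stores, the 600-second OTP lifetime, the five-attempt limit, PBKDF2 as the password hash and unconditional session invalidation are all assumptions, since the page does not specify them.

```python
import hashlib, hmac, os, time

OTP_TTL_SECONDS = 600  # assumption: the page does not state the OTP lifetime
MAX_ATTEMPTS = 5       # assumption: the page does not state the attempt limit
FIELDS = ("email", "otp", "newPassword")

def _err(status, message):
    return status, {"success": False, "message": message}

class ResetService:
    """In-memory model of the documented endpoint (hypothetical storage)."""

    def __init__(self):
        self.otps = {}       # email -> (otp, issued_at)
        self.attempts = {}   # email -> failed tries since the OTP was issued
        self.passwords = {}  # email -> (salt, derived key)
        self.sessions = {}   # email -> set of active session tokens

    def issue_otp(self, email, otp, now=None):
        # Stands in for POST /api/auth/forgot-password.
        self.otps[email] = (otp, time.time() if now is None else now)
        self.attempts[email] = 0

    def set_new_password(self, body, now=None):
        now = time.time() if now is None else now
        if not isinstance(body, dict) or not all(
                isinstance(body.get(f), str) and body[f] for f in FIELDS):
            return _err(400, "Invalid request")
        email = body["email"]
        if self.attempts.get(email, 0) >= MAX_ATTEMPTS:
            return _err(429, "Too many attempts")
        otp, issued = self.otps.get(email, ("", 0.0))
        # Constant-time comparison; wrong, expired and unknown OTPs all get
        # the same response so the caller cannot tell them apart.
        matches = hmac.compare_digest(otp.encode(), body["otp"].encode())
        if not matches or now - issued > OTP_TTL_SECONDS:
            self.attempts[email] = self.attempts.get(email, 0) + 1
            return _err(400, "Invalid or expired OTP")
        del self.otps[email]            # the OTP is single-use
        self.attempts.pop(email, None)
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac(      # PBKDF2 is a stand-in; the page names no algorithm
            "sha256", body["newPassword"].encode(), salt, 600_000)
        self.passwords[email] = (salt, key)  # only salt and derived key are stored
        self.sessions.pop(email, None)       # existing sessions are dropped
        return 200, {"success": True}
```

In this model the attempt counter is cleared only when a new OTP is issued, so a correct OTP submitted after the limit is reached still receives 429.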
Related APIs
- POST /api/auth/forgot-password – Send reset OTP
- POST /api/auth/login – Log in with new password