Change the current user's password: verify the old password, enforce the per-app policy, rotate the hash, and (honoring `revoke_others_on_credential_change`) sign out every *other* session. Self-service (requires an end-user session).
POST /v1/auth/change-password
End-user session · operationId: change_password
Authorization
Called from the browser with the publishable application id (x-application-id); the access token lives in memory.
Request body · required
current_password string required
new_password string required
Responses
200 Password changed
401 Old password incorrect or no session
422 New password fails the policy
Request
curl -X POST "http://localhost:8080/v1/auth/change-password" \
-H "Content-Type: application/json" \
-d '{
"current_password": "string",
"new_password": "string"
}'
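The order of checks in the description, as an added example that is not the service's own code: an in-memory Python model that returns the documented 200/401/422 statuses and keeps the caller's session while revoking the others. The `App` class, the PBKDF2 hashing and the minimum-length policy are assumptions; the page names neither the hash algorithm nor the policy rules.

```python
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 is an assumption; the page does not name the algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class App:
    """Constructed in-memory stand-in for one application's users and sessions."""
    def __init__(self, min_length=12, revoke_others_on_credential_change=True):
        self.min_length = min_length  # hypothetical per-app policy
        self.revoke_others = revoke_others_on_credential_change
        self.users = {}     # user -> (salt, password hash)
        self.sessions = {}  # session id -> user

    def set_password(self, user, password):
        salt = os.urandom(16)  # fresh salt on every rotation
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user):
        sid = os.urandom(16).hex()
        self.sessions[sid] = user
        return sid

def change_password(app, session_id, current_password, new_password):
    """Return the HTTP status the page documents for each outcome."""
    user = app.sessions.get(session_id)
    if user is None:
        return 401  # no session
    salt, stored = app.users[user]
    # Constant-time comparison avoids leaking how many hash bytes matched.
    if not hmac.compare_digest(_hash(current_password, salt), stored):
        return 401  # old password incorrect
    if len(new_password) < app.min_length:
        return 422  # new password fails the policy; stored hash is untouched
    app.set_password(user, new_password)  # rotate the hash
    if app.revoke_others:
        # Sign out every *other* session of this user; the caller's survives.
        app.sessions = {s: u for s, u in app.sessions.items()
                        if u != user or s == session_id}
    return 200
```
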