← Back to Blog

Self-Service Recovery & Interactive API Reference

Implementing account password recovery endpoints and exploring live administrative OpenAPI definitions

This document details the account recovery workflow and exposes standard administrative endpoints to manage user credentials. Developers can test these endpoints in real-time using the embedded Swagger interactive tool below.

1. Forgot Password & Recovery API Flow

Prevent account enumeration attacks. The recovery API returns 200 OK with the same generic payload whether or not the email exists in the database.

POST /api/auth/forgot-password

Initiate the reset protocol. Zero IDS validates the user and sends a temporary token:

Request Body Schema:
{
  "email": "user@example.com",
  "method": "email" // Supports "email" or "sms" (based on provider configurations)
}

Response Body Schema (Success):
{
  "success": true,
  "message": "If the account exists, a recovery token has been dispatched."
}

POST /api/auth/reset-password

Submit the received token and specify the new password:

Request Body Schema:
{
  "token": "3a0b81e8-782a-4a6f-b14f-698f1234abcd", // Hexadecimal UUID token received
  "password": "NewSecurePassword123!" // Must satisfy organization password policies
}

Response Body Schema (Success):
{
  "success": true,
  "message": "Password updated successfully. You may now log in."
}

Response Body Schema (Invalid/Expired Token):
{
  "success": false,
  "error": "Invalid or expired recovery token."
}

2. Interactive Swagger API reference

Test OIDC, client, user management, and organization operations directly from this console page:

OIDC Series Guides