Reset password
The password recovery feature will be automatically enabled to you when you have a valid Email connector or SMS connector configured. User can reset their password by providing their registered email address or phone number.
Forgot password for account recovery
Once the reset password feature is enabled, a "Forgot password" link button will be displayed under the sign-in form. Users can click the "Forgot password" link to initiate a password reset process.
Not seeing the "Forgot password" link? Make sure you have a valid Email or SMS connector configured.
- Visit sign-in page: User visits the sign-in page.
- Click on Forgot password link: User clicks on the "Forgot password" link.
- Enter email/phone: After clicking on the "Forgot password" link, user will be redirected to a new page where they can enter their registered email address or phone number.
- Send verification code: Logto will send a verification code to the user provided email address or phone number and redirect to the code verification page.
- Enter verification code: User enters the verification code received in their email or phone. Logto will verify the code and identity of the user associated with the email address or phone number.
- Enter new password: User will be prompted to enter a new password once the verification code is successfully verified
- Successful password reset: If the provided password meets the password policy requirements, the password will be updated successfully.
- Redirect to sign-in page: User will be redirected to the sign-in page to sign in with the new password
Update password after sign-in
Authenticated users can change (or initially set) their password via your in‑app account settings experience. See Account settings for how to build this with the Account API.
Check if user has a password
User data exposes a boolean field hasPassword indicating whether the user currently has a password credential stored.
You can obtain hasPassword by:
- Management API: e.g.
GET /api/users/:id(included in the user object) - Custom token claims: Inject
hasPasswordinto ID/access tokens (so your frontend can branch UI without an extra API call)
Then call the Account API endpoint to set or update the password (see the Account settings guide for request details). For users who never had a password, you do NOT need (and should not require) the old password field.
Even if your sign‑up methods require “Set a password” for email / phone / username registrations, users created through pure social sign-in skip password creation by default to reduce friction. These users will have hasPassword = false until they explicitly set one later. Avoid forcing immediate password setup right after social sign-up unless required by your security model—delayed, context-aware prompts usually convert better.
Custom password policy
Customize password length, character requirements, and word restrictions to meet your business's security needs while providing a good user experience. These settings can be configured in the Security > Password policy section. Check the password policy doc to learn more.
FAQs
How to sign-out a user after a successful password reset?
Subscribe to the PostResetPassword webhook event to receive a notification when a user successfully resets their password. You can then trigger a sign-out action to invalidate the user's current session and redirect them to the sign-in page.
How to implement the password reset flow on my custom UI?
You can implement your own password reset flow by using the Logto's Management API and Account API. Checkout account settings for more details.
How can I send a password reset link to the user's email?
You can create a self-hosted password reset endpoint and utilize the Logto SDK to initiate a sign-in request with first_screen set to reset-password. This will seamlessly redirect the user to the password reset page.