# POST /auth/reset-password

> Set a new password using the reset token

Set a new password using the token from the password reset email. The token is typically passed in the request body or as a query parameter (see your project's reset link format).

## Endpoint

```http
POST /v1/public/projects/:projectSlug/auth/reset-password
```

## Request Parameters

### Path Parameters

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `projectSlug` | string | ✅ | Your project's unique slug |

### Request Body

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `token` | string | ✅ | Reset token from the email link |
| `newPassword` | string | ✅ | New password (minimum 8 characters, mixed case, numbers, special chars) |

### Example Request Body

```json
{
  "token": "reset-token-from-email",
  "newPassword": "NewSecurePassword123!"
}
```

## Response

### Success (200 OK)

```json
{
  "message": "Password updated successfully. You can now sign in."
}
```

After success, the user can log in with the new password via [POST /auth/login](/reference/authentication/login). The reset token is invalidated.

### Error Responses

| Status Code | Error Code | Description |
|-------------|------------|-------------|
| 400 | `INVALID_REQUEST` | Invalid token or password (e.g. too weak) |
| 401 | `INVALID_TOKEN` | Token expired or already used |
| 429 | `RATE_LIMIT_EXCEEDED` | Too many attempts |
| 500 | `INTERNAL_SERVER_ERROR` | Server error |

## Available Hooks

- **Event**: `auth.password.reset.completed`
  - **When**: After password is successfully reset
  - **Can do**: Security logging, notify user, revoke other sessions

Configure in **Project → Hooks**. [Learn more about hooks →](/features/hooks)

## Related Endpoints

- [POST /auth/reset-password-request](/reference/authentication/reset-password-request) - Request the reset email
- [POST /auth/login](/reference/authentication/login) - Login with new password
