Password reset changed?

I have a script that I use to send password reset emails to users, so they can access the web portal after receiving a license. I haven’t used it for a while, since changing the way my license keys are distributed (around the end of June, beginning of July).

I’ve tried using it again recently, and the script now returns:

403 {"message":"Invalid access token or required permissions are missing!"}

It’s going through the same API sending method and authentication as my other calls, which are working. Has something changed recently? I noticed new methods for getting reset tokens, but it’s not clear if that’s required here, or how to use them.

Hi Jason,

Which API endpoint are you using? Is the access token still valid?

The access token is the same as the one I use to run my other processes, and they work (create user, assign user to license, increase activations count, extend trial, etc), so yes it should be valid. I’m using a Authorization: Bearer xxxxx licensing token in the header, added to all requests through the same POST method.

I meant to include the endpoint with the first message. It’s this one:

Hi Jason,

This endpoint only generates token for users with USER role.{id}/update-password

Ensure that you are not using this for user with admin role.

I’m using reset-password-request, not update-password.

I’m trying to send a user the ability to change their password from a not-stored, random password, created when I create the user, to something they want it to be. It has worked in the past, but doesn’t now.

The API endpoint you are using sends the password reset email. What you need is password reset token which you can use to generate the password reset link:{id}/reset-password-token

Try adding an admin user, and check the email received by the admin user. It contains a password reset link instead of the password.

I can generate a reset token, and I can reset a user password to something of my choosing, but functionality used to exist that sent the user an email and allowed them to set their own new password immediately.

I do not have a custom portal. All the docs you’re pointing me to say, “should only be used for custom portals to implement password reset”.

The documentation for the send-password-reset function makes no mention of an access token. Is it just that the docs are wrong and need updating? (Edit: tried adding the reset token to the params for send-password-reset and still get the previous error)

If the previously existing functionality has been removed, I can live with setting a random password to give the user and sending the email myself. The function did exist, and did work as described, and now doesn’t, so I was wondering if it was an error, a simple change, or something more fundamental.

Hi Jason,

The API which sends the password reset mail:

does work. In fact, the forgot password page uses the same API endpoint. This endpoint is public and doesn’t require any access token.

On the forgot page of Cryptlex Dashboard, open the developer tools in chrome and you can see this in action.

I got it to work with adding Origin: (My domain https…) int the Header and including “accountAlias”: “cryptlexDomainAlias” in the payload together with the user email,