Product Rules

  1. Sign-in and registration share the same magic-link flow
  2. Users do not set a password during first signup
  3. A password can be set only after an authenticated login
  4. Password reset starts by sending a magic reset link

Set Password (Authenticated)

After login, call:
  • POST /users/me/password
Payload:
{
  "new_password": "new-secret",
  "confirm_password": "new-secret",
  "current_password": "optional-if-required"
}

Reset Password (Flow)

  1. Request reset link via POST /auth/magic-link with flow: "reset"
  2. User opens reset verification link
  3. Verification authenticates session
  4. User sets new password via POST /users/me/password
This keeps password changes behind verified identity.
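An added Python model of the two endpoints and the reset flow above (example code, not the product's own implementation). It assumes that current_password is required only when the account already has a password and the session was not established through a "reset" link; the hashing and storage are constructed for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
@dataclass
class User:
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None   # None until the user sets one (rule 2)

@dataclass
class Session:
    user: Optional[User]          # None = anonymous caller
    verified: bool = False        # True only after magic-link verification (step 3)
    flow: Optional[str] = None    # "reset" when the link was requested for a reset

USERS: Dict[str, User] = {}
LINKS: Dict[bytes, Tuple[str, str]] = {}   # sha256(token) -> (email, flow); single use

def _hash(pw: str, salt: bytes) -> bytes:   # illustrative KDF; use argon2/bcrypt in production
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def request_magic_link(email: str, flow: str) -> str:
    """Model of POST /auth/magic-link; returns the token the emailed link would carry."""
    token = secrets.token_urlsafe(32)
    LINKS[hashlib.sha256(token.encode()).digest()] = (email, flow)   # store only a hash
    return token

def verify_magic_link(token: str) -> Session:
    """Model of opening the link (steps 2-3): consumes it and creates first-time users."""
    entry = LINKS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return Session(user=None)   # unknown or already-used link
    email, flow = entry
    return Session(user=USERS.setdefault(email, User(email)), verified=True, flow=flow)

def set_password(session: Session, payload: dict) -> Tuple[int, str]:
    """Model of POST /users/me/password (rules 3-4)."""
    if session.user is None or not session.verified:
        return 401, "verified session required"
    new, confirm = payload.get("new_password"), payload.get("confirm_password")
    if not new or new != confirm:
        return 400, "new_password and confirm_password must match"
    user = session.user
    if user.password_hash is not None and session.flow != "reset":
        # Assumption: current_password is required once a password exists, except in a reset.
        current = payload.get("current_password") or ""
        if not hmac.compare_digest(_hash(current, user.salt), user.password_hash):
            return 403, "current_password required and must match"
    user.password_hash = _hash(new, user.salt)
    return 200, "password set"
```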

UX Guidance

  • Primary CTA should be email-link based
  • Clearly state that first-time users are created after email verification
  • Keep password login as secondary path
  • Keep reset copy explicit: “Open secure email link first”