> ## Documentation Index
> Fetch the complete documentation index at: https://docs.apilens.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Passwordless and Password

> How APILens combines magic-link auth with optional password setup and reset.

## Product Rules

1. Sign-in and registration share the same magic-link flow
2. Users do **not** set password during first signup
3. Password can be set only after authenticated login
4. Password reset starts by sending a magic reset link

## Set Password (Authenticated)

After login, call:

* `POST /users/me/password`

Payload:

```json theme={null}
{
  "new_password": "new-secret",
  "confirm_password": "new-secret",
  "current_password": "optional-if-required"
}
```

## Reset Password (Flow)

1. Request reset link via `POST /auth/magic-link` with `flow: "reset"`
2. User opens reset verification link
3. Verification authenticates session
4. User sets new password via `POST /users/me/password`

This keeps password changes behind verified identity.

## UX Guidance

* Primary CTA should be email-link based
* Clearly state that first-time users are created after email verification
* Keep password login as secondary path
* Keep reset copy explicit: "Open secure email link first"
