POST /v1/users/me/password
Change the caller's password. Requires the current password as a second factor.
::: tip Auth
Required: cookie or Bearer.
:::
Request
POST /v1/users/me/password
| Header | Required | Notes |
|---|---|---|
| `Cookie: identsphere_at=...` OR `Authorization: Bearer ...` | yes | — |
| `Content-Type: application/json` | yes | — |
Body
```json
{
  "current_password": "old-secret",
  "new_password": "shiny-new-secret-with-12-chars-min",
  "sign_out_other_sessions": true
}
```
| Field | Type | Required | Notes |
|---|---|---|---|
| `current_password` | string | yes | The user's current password. |
| `new_password` | string | yes | 12–256 chars. Must differ from current. |
| `sign_out_other_sessions` | bool | no | Default false. Recommended true on any user-initiated password change. |
Response
204 No Content
Error responses
| Status | Code | When |
|---|---|---|
| 400 | invalid_input | Length validation failed, or new password equals current. |
| 401 | authentication_required | Current password doesn't match. |
| 404 | not_found | User no longer exists. |
Notes
- An audit entry (`users.password_changed`) is recorded.
- When `sign_out_other_sessions` is true, every active session for this user EXCEPT the current one is revoked. `last_password_change` is bumped.
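
The contract above, modelled as an added example (not the service's own code). `Store`, `kdf` and `change_password` are hypothetical names, PBKDF2 stands in for a storage scheme the page does not describe, and checking input before the current password is an assumed ordering.

```python
import hashlib
import hmac
import os
import time

def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in; the page does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Store:
    """Constructed in-memory stand-in for the user, session and audit tables."""
    def __init__(self):
        self.users, self.sessions, self.audit = {}, {}, []

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[uid] = {"salt": salt, "hash": kdf(password, salt),
                           "last_password_change": 0.0}

def change_password(store, uid, session_id, body):
    """Return (status, error_code) as listed in the error table."""
    user = store.users.get(uid)
    if user is None:
        return 404, "not_found"
    cur, new = body.get("current_password"), body.get("new_password")
    if not isinstance(cur, str) or not isinstance(new, str):
        return 400, "invalid_input"
    # 12-256 chars, and the new password must differ from the current one.
    if not 12 <= len(new) <= 256 or new == cur:
        return 400, "invalid_input"
    # Compare derived keys in constant time.
    if not hmac.compare_digest(kdf(cur, user["salt"]), user["hash"]):
        return 401, "authentication_required"
    salt = os.urandom(16)
    user.update(salt=salt, hash=kdf(new, salt), last_password_change=time.time())
    store.audit.append(("users.password_changed", uid))
    if body.get("sign_out_other_sessions", False):
        # Revoke every session of this user except the one making the call.
        store.sessions = {sid: owner for sid, owner in store.sessions.items()
                          if owner != uid or sid == session_id}
    return 204, None
```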