This web service updates a user's password.
Method | Endpoint |
---|---|
PUT | |
Path parameter | Type | Description |
---|---|---|
{userId} | String | The user's identifier. See the List users or Search users web services to find a user's ID. |
Request example
The following lines show an example of a JSON request body:
{
  "password": "New password"
}
Field | Type | Required? | Description |
---|---|---|---|
password | String | Yes | The user's new password. |
Return code | Description |
---|---|
200 OK | The request is valid and returns data. |
400 BAD REQUEST | A required parameter is missing or the password does not follow the security policy. |
401 UNAUTHORIZED | The authorization header was not provided or is invalid. |
403 FORBIDDEN | The user is not the account owner, or the user or API key does not have the ADMIN or USERS_ADMIN role. |
404 NOT FOUND | No user exists with this ID. |
For a comprehensive list of all possible return codes, see Return codes.
- It is only possible to change the password of users created from an internal realm.
- The new password must meet the security requirements as defined for the internal realm.
- Administrators with specific roles cannot change each other's password. For example, a USER_ADMIN cannot change the password for another USER_ADMIN, nor can they change the password of a PORTAL_ADMIN. Users with the ADMIN role can change the password of USER_ADMIN and PORTAL_ADMIN users.
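The role and ownership rules above can be written as a deny-by-default check. The following is an added example, not the product's own code. The `User` class, the `decide` function, the reason strings and the `realm` field are hypothetical, and refusing an ADMIN acting on another ADMIN is an assumption because the page does not cover that case.

```python
# Added example: the page's password-change rules as a deny-by-default check.
# Role names follow the notes (USER_ADMIN); the 403 row spells it USERS_ADMIN.
from dataclasses import dataclass, field

# Administrator roles each acting role may reset, taken from the notes.
MAY_RESET_ADMIN = {
    "ADMIN": {"USER_ADMIN", "PORTAL_ADMIN"},
    "USER_ADMIN": set(),  # not another USER_ADMIN, not a PORTAL_ADMIN
}
ADMIN_ROLES = {"ADMIN", "USER_ADMIN", "PORTAL_ADMIN"}


@dataclass
class User:
    id: str
    roles: set = field(default_factory=set)
    realm: str = "internal"  # assumption: realm kind is stored as a string


def decide(actor, target):
    """Return 'ok', or the reason the password change must be refused."""
    if target is None:
        return "not_found"        # page: 404 NOT FOUND
    if target.realm != "internal":
        return "external_realm"   # page: internal-realm users only
    if actor.id == target.id:
        return "ok"               # page: the account owner may change it
    managing = MAY_RESET_ADMIN.keys() & actor.roles
    if not managing:
        return "forbidden"        # page: 403, no ADMIN or USER_ADMIN role
    allowed = set().union(*(MAY_RESET_ADMIN[r] for r in managing))
    # Every administrator role held by the target must be resettable by
    # the actor. Assumption: ADMIN on another ADMIN is refused, since the
    # page does not say otherwise.
    return "ok" if (target.roles & ADMIN_ROLES) <= allowed else "forbidden"
```
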
In compliance with the OWASP Secure Software Development Lifecycle Requirement #2.3.1, tokens to reset a password expire after a short period (2 hours).