Change Password

Change the password for the authenticated user.
If MFA is enabled, you must provide a valid MFA code.

Request

curl -X POST https://fucksornot.com/api/auth/change-password \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "currentPassword": "OldPassword123!",
    "newPassword": "NewPassword456!",
    "confirmPassword": "NewPassword456!",
    "mfaCode": "123456"
  }'

Response

{
  "success": true,
  "message": "Password changed successfully. Please log in again.",
  "requireRelogin": true
}

After changing your password, you’ll need to log in again with the new credentials.

If MFA is enabled on the account and mfaCode is omitted, the endpoint responds with 401:

{
  "statusCode": 401,
  "statusMessage": "Unauthorized",
  "message": "Additional verification required",
  "data": {
    "challenge": "verification_required"
  }
}

Forgot Password

Request a password reset email.

Request

curl -X POST https://fucksornot.com/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Response

{
  "message": "If an account with that email exists, a password reset link has been sent."
}

The response is always the same whether the email exists or not, to prevent email enumeration attacks.

Reset Password

Complete the password reset using the token from the email.

Request

curl -X POST https://fucksornot.com/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "reset-token-from-email",
    "password": "NewPassword456!"
  }'

Response

{
  "message": "Password has been reset successfully. You can now log in with your new password."
}

If MFA is enabled on the account, an mfaCode field is also required in the request body. If it’s omitted, the endpoint responds with 401:

{
  "statusCode": 401,
  "statusMessage": "Unauthorized",
  "message": "Additional verification required",
  "data": {
    "challenge": "verification_required"
  }
}
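
The MFA challenge flow described for Change Password and Reset Password, as an added example (not code from this API's project): a Python client that retries once with mfaCode only when the documented 401 challenge comes back, and reports whether the session must be dropped. The post transport hook, the make_fake_post stand-in server, and the treatment of any HTTP 2xx status as success are assumptions for illustration.

```python
import json

CHALLENGE = "verification_required"  # data.challenge value in the documented 401 body


def needs_mfa(status, body):
    """True only for the documented step-up challenge, not for every 401."""
    data = body.get("data")
    return status == 401 and isinstance(data, dict) and data.get("challenge") == CHALLENGE


def submit_with_mfa(post, path, payload, get_mfa_code):
    """POST payload; on the MFA challenge, ask for a code and retry exactly once.

    post(path, json_text) -> (status, json_text) is an assumed transport hook.
    Returns (ok, must_relogin, message).
    """
    status, raw = post(path, json.dumps(payload))
    body = json.loads(raw)
    if needs_mfa(status, body):
        # One retry only: a rejected code goes back to the user, never into a loop.
        retry = dict(payload, mfaCode=get_mfa_code())
        status, raw = post(path, json.dumps(retry))
        body = json.loads(raw)
    ok = 200 <= status < 300  # assumption: success is an HTTP 2xx status
    # requireRelogin tells the caller to discard the old auth-token cookie.
    return ok, ok and bool(body.get("requireRelogin")), body.get("message", "")


def make_fake_post(mfa_enabled):
    """Constructed stand-in server that replays the documented response bodies."""
    def post(path, raw):
        if mfa_enabled and "mfaCode" not in json.loads(raw):
            return 401, json.dumps({"statusCode": 401, "statusMessage": "Unauthorized",
                                    "message": "Additional verification required",
                                    "data": {"challenge": CHALLENGE}})
        if path.endswith("/change-password"):
            return 200, json.dumps({"success": True, "requireRelogin": True,
                                    "message": "Password changed successfully. Please log in again."})
        return 200, json.dumps({"message": "Password has been reset successfully. "
                                           "You can now log in with your new password."})
    return post


if __name__ == "__main__":
    reset = {"token": "reset-token-from-email", "password": "NewPassword456!"}
    print(submit_with_mfa(make_fake_post(True), "/api/auth/reset-password", reset, lambda: "123456"))
```

Matching on data.challenge rather than on the status code alone keeps an expired session or a wrong current password from being mistaken for an MFA prompt.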

Token Expiry

Reset tokens expire after a short period. If a token has expired, request a new one via the forgot password endpoint.