Change Password
Change the password for the authenticated user.
If MFA is enabled, you must provide a valid MFA code.
Request
curl -X POST https://fucksornot.com/api/auth/change-password \
-H "Cookie: auth-token=YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"currentPassword": "OldPassword123!",
"newPassword": "NewPassword456!",
"confirmPassword": "NewPassword456!",
"mfaCode": "123456"
}'
Response
{
"success": true,
"message": "Password changed successfully. Please log in again.",
"requireRelogin": true
}
After changing your password, you'll need to log in again with the new credentials.
If MFA is enabled on the account and mfaCode is omitted, the endpoint responds with 401:
{
"statusCode": 401,
"statusMessage": "Unauthorized",
"message": "Additional verification required",
"data": {
"challenge": "verification_required"
}
}
Forgot Password
Request a password reset email.
Request
curl -X POST https://fucksornot.com/api/auth/forgot-password \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com"}'
Response
{
"message": "If an account with that email exists, a password reset link has been sent."
}
The response is always the same whether the email exists or not, to prevent email enumeration attacks.
Reset Password
Complete the password reset using the token from the email.
Request
curl -X POST https://fucksornot.com/api/auth/reset-password \
-H "Content-Type: application/json" \
-d '{
"token": "reset-token-from-email",
"password": "NewPassword456!"
}'
Response
{
"message": "Password has been reset successfully. You can now log in with your new password."
}
If MFA is enabled on the account, an mfaCode field is also required in the request body. If it's omitted, the endpoint responds with 401:
{
"statusCode": 401,
"statusMessage": "Unauthorized",
"message": "Additional verification required",
"data": {
"challenge": "verification_required"
}
}
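Client-side handling of the 401 challenge that both Change Password and Reset Password return when mfaCode is missing, as an added example that is not part of the original documentation. The names postWithMfa, getMfaCode and makeStubFetch are hypothetical, and the stub's replies are constructed from the response bodies shown above.

```javascript
// Added example: retry a password request once when the API answers with the
// documented "verification_required" challenge. fetchImpl is injectable so the
// flow can be exercised offline; getMfaCode is a hypothetical prompt callback.
async function postWithMfa(fetchImpl, url, body, getMfaCode, headers = {}) {
  const send = (payload) =>
    fetchImpl(url, {
      method: "POST",
      headers: { "Content-Type": "application/json", ...headers },
      body: JSON.stringify(payload),
    });

  let res = await send(body);
  let json = await res.json();

  // Only the documented challenge triggers a retry; any other 401 is
  // returned to the caller untouched.
  const isChallenge =
    res.status === 401 && json?.data?.challenge === "verification_required";
  if (isChallenge && body.mfaCode === undefined) {
    const mfaCode = await getMfaCode();
    // Retry exactly once so a rejected code never becomes an automatic loop.
    res = await send({ ...body, mfaCode });
    json = await res.json();
  }
  return { status: res.status, ok: res.ok, body: json };
}

// Constructed stand-in for the API: replies with the documented 401 challenge
// when mfaCode is absent and with a success body otherwise. Every request body
// is recorded in `calls` for inspection.
function makeStubFetch(calls) {
  const reply = (status, body) => ({
    status,
    ok: status < 300,
    json: async () => body,
  });
  return async (url, init) => {
    const sent = JSON.parse(init.body);
    calls.push(sent);
    if (sent.mfaCode === undefined) {
      return reply(401, {
        statusCode: 401,
        statusMessage: "Unauthorized",
        message: "Additional verification required",
        data: { challenge: "verification_required" },
      });
    }
    return reply(200, { success: true, requireRelogin: true });
  };
}
```

For Change Password, pass the session cookie through the headers argument; Reset Password needs no extra headers because the emailed token travels in the body.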
Token Expiry
Reset tokens expire after a short period. If expired, request a new one via the forgot password endpoint.