# Password Management

> Change password and reset forgotten passwords

## Change Password

Change the password for the authenticated user.

<Note>
  If MFA is enabled, you must provide a valid MFA code.
</Note>

### Request

```bash
curl -X POST https://fucksornot.com/api/auth/change-password \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "currentPassword": "OldPassword123!",
    "newPassword": "NewPassword456!",
    "confirmPassword": "NewPassword456!",
    "mfaCode": "123456"
  }'
```

### Response

```json
{
  "success": true,
  "message": "Password changed successfully. Please log in again.",
  "requireRelogin": true
}
```

After changing the password, you must log in again with the new credentials, as signalled by `requireRelogin: true` in the response.

<Note>
  If MFA is enabled on the account and `mfaCode` is omitted, the endpoint responds with `401`:

  ```json
  {
    "statusCode": 401,
    "statusMessage": "Unauthorized",
    "message": "Additional verification required",
    "data": {
      "challenge": "verification_required"
    }
  }
  ```
</Note>

***

## Forgot Password

Request a password reset email.

### Request

```bash
curl -X POST https://fucksornot.com/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'
```

### Response

```json
{
  "message": "If an account with that email exists, a password reset link has been sent."
}
```

<Note>
  The response is always the same whether the email exists or not, to prevent email enumeration attacks.
</Note>

***

## Reset Password

Complete the password reset using the token from the email.

### Request

```bash
curl -X POST https://fucksornot.com/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "reset-token-from-email",
    "password": "NewPassword456!"
  }'
```

### Response

```json
{
  "message": "Password has been reset successfully. You can now log in with your new password."
}
```

<Note>
  If MFA is enabled on the account, an `mfaCode` field is also required in the request body. If it's omitted, the endpoint responds with `401`:

  ```json
  {
    "statusCode": 401,
    "statusMessage": "Unauthorized",
    "message": "Additional verification required",
    "data": {
      "challenge": "verification_required"
    }
  }
  ```
</Note>
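
The `401` challenge documented for both change-password and reset-password can be handled by one client routine that sends `mfaCode` only when the server asks for it. This is an added example, not the API's own code: the function names and the `askForMfaCode` callback are hypothetical, and treating a repeated challenge as a failure is an assumption, since this page does not document the response to a wrong code.

```javascript
// Added example. Paths, field names and response shapes are from this page;
// function names and the askForMfaCode callback are hypothetical.
const BASE_URL = "https://fucksornot.com";

// Documented 401 body, copied from the notes above (used as sample input).
const SAMPLE_CHALLENGE = {
  statusCode: 401,
  statusMessage: "Unauthorized",
  message: "Additional verification required",
  data: { challenge: "verification_required" },
};

// Map a response to the next client step. mfaAlreadySent says whether the
// request that produced this response already carried an mfaCode.
function interpretResponse(status, body, mfaAlreadySent) {
  const challenge = body && body.data && body.data.challenge;
  if (status === 401 && challenge === "verification_required") {
    // Assumption: a challenge repeated after a code was sent is a failure,
    // so the client never prompts in a loop.
    return mfaAlreadySent
      ? { action: "fail", reason: "challenge_repeated" }
      : { action: "ask_mfa" };
  }
  if (status >= 200 && status < 300) {
    // change-password returns requireRelogin: drop the old session state.
    return { action: "done", relogin: Boolean(body && body.requireRelogin) };
  }
  return { action: "fail", reason: (body && body.message) || "http_" + status };
}

// POST to /api/auth/change-password or /api/auth/reset-password, asking for
// an MFA code only when the server demands one, and retrying exactly once.
async function submitWithMfa(path, fields, askForMfaCode, fetchImpl = fetch) {
  const send = async (payload) => {
    const res = await fetchImpl(BASE_URL + path, {
      method: "POST",
      credentials: "include", // browser sends the auth-token cookie
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(payload),
    });
    const body = await res.json().catch(() => null);
    return interpretResponse(res.status, body, "mfaCode" in payload);
  };
  const first = await send(fields);
  if (first.action !== "ask_mfa") return first;
  return send({ ...fields, mfaCode: await askForMfaCode() });
}
```

A result of `{ action: "done", relogin: true }` means the caller should discard its session state and send the user to the login form.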

### Token Expiry

Reset tokens expire after a short period. If a token has expired, request a new one via the forgot-password endpoint.
