Password Reset: Verification Code Format + Code Verification Endpoint
Hi team,
I have a couple questions regarding the password reset workflow using the API. I got it working end-to-end, but we are unable to match our requirements with the system as it behaves out-of-the-box:
- We would expect a numerical verification code but instead, Zitadel uses an alphanumerical format. While not the end of the world, it would be good to be able to align ourselves with what is typically industry standard (and much easier to input on mobile devices). Is there a way to stipulate the verification code format?
- We couldn't find a way to verify the OTP before sending the password reset request with the new password. This means that we can't implement the expected flow of checking the OTP before asking the user to input their desired new password. This results in slightly awkward UX.
Any help would be much appreciated! Thanks!
Nicolas
1 Reply
Hi @nicjac, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
Verification Code Format
You can customize the verification code format through ZITADEL's Secret Generator settings (1). This allows you to configure how the codes should look and their lifetime. Access this through the Console under Default Settings > Secret Generator.
Verifying OTP Before Password Reset
I wasn't able to find a direct answer about verifying the OTP before submitting the password reset. The documented flow shows the password reset request combines both the verification code and new password in a single API call (2) (3).
The sources don't document a separate endpoint to validate the verification code independently before the password change (2) (3).
If you'd like a general answer based on my knowledge about potential workarounds, let me know. Otherwise, you might want to click "Ask for help" to have a team member review this specific UX requirement.
To learn more, see the sources I considered:
[1] Password reset code lifetime
[2] Password Reset/Change in a Custom Login UI
[3] Request a code to reset a password
Feel free to tag @Ask Inkeep with additional questions.