Password reset in the Loginapp REST API / UI

The Loginapp REST password reset API allows end-users to reset their own passwords. The service is typically accessed by the end-user via a Forgot password? link on the login page. It is configured as a public self-service flow.

The API is publicly accessible. Special consideration regarding user enumeration and security, in general, is therefore essential.

Basic concepts and flow steps

Arbitrary steps may be configured in the public self-service flow. Therefore the password reset flow may be very individual and differ from the example given below.

  1. A typical password reset flow consists of the following phases:
  2. User identification (enter username).
  3. Identity verification (e-mail, SMS, or alike).
  4. Password reset actions:
    1. Set a new password.
    2. Order new letter.
    3. Unlock account - optionally combined with 2nd-factor approval step.
  • Most important password reset flow steps:
  • User Identification Step
  • Identity verification steps:
    • E-Mail Identity Verification Step
    • Send Email Link Step (in combination with the Flow Continuation Step)
    • SMS Identity Verification Step
    • Secret Questions Identity Verification Step
  • 2nd-factor steps for password reset approval:
    • Airlock 2AF Factor Step
    • Cronto Factor Step
    • mTAN Factor Step
  • Set Password Step
  • Password Letter Order Step
  • Unlock User Step (Password Reset)
  • Selection Step for Password Reset
  • E-Mail Notification Step

Backward compatibility to password reset REST API

Airlock IAM 7.1 introduced the flow-based password reset feature exposing a REST API. The feature has been moved to the public self-service flows with IAM 7.5. With this move, the following things changed in IAM.




The password reset flow is now configured as a public self-service flow.

The configuration is automatically migrated. No manual action is required.


The password reset REST API is now accessible using public self-service URLs (see example REST flows) instead of the password reset URLs.

If a password reset flow was configured before the migration to IAM 7.5, the old REST API resources (URLs) still work for this flow so REST clients do not have to be adapted.

If using the old URLs, do not change the flow ID of the migrated public self-service flow. It is essential to identify the correct flow if a REST client calls the old REST API without the flow selection call.

Web browser URLs

If using the Loginapp REST UI, the URLs of the password reset feature changes. Bookmarks and external links may have to be adapted.

As an alternative, use the Path Rewrite feature in Airlock Gateway (WAF)'s virtual host configuration to rewrite old URLs.

Loginapp REST UI customization

Translation keys and page IDs have changed. See Manual changes for Loginapp REST UI SDK upgrade from UI SDK 2.0 to 2.1 with IAM 7.5 for details.