> ## Documentation Index
> Fetch the complete documentation index at: https://spreecommerce.org/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Reset password

> Consumes a password reset token (the `token` query param from the
emailed link), sets the new password, and signs the admin in: the
response carries a JWT access token and the rotatable refresh token is
set in an HttpOnly cookie. The token is single-use — it invalidates as
soon as the password changes.




## OpenAPI

````yaml /api-reference/admin.yaml patch /api/v3/admin/auth/password_resets/{id}
openapi: 3.0.3
info:
  title: Admin API
  contact:
    name: Spree Commerce
    url: https://spreecommerce.org
    email: hello@spreecommerce.org
  description: >
    Spree Admin API v3 - Administrative API for managing products, orders, and
    store settings.


    ## Authentication


    The Admin API requires a secret API key passed in the `x-spree-api-key`
    header.

    Secret API keys can be generated in the Spree admin dashboard.


    ## Response Format


    All responses are JSON. List endpoints return paginated responses with
    `data` and `meta` keys.

    Single resource endpoints return a flat JSON object.


    ## Resource IDs


    Every resource is identified by an opaque string ID (e.g. `prod_86Rf07xd4z`,

    `variant_k5nR8xLq`, `or_UkLWZg9DAJ`). Use these IDs everywhere — URL paths,

    request bodies, and Ransack filters all accept them directly.


    ## Error Handling


    Errors return a consistent format:

    ```json

    {
      "error": {
        "code": "validation_error",
        "message": "Validation failed",
        "details": { "name": ["can't be blank"] }
      }
    }

    ```
  version: v3
servers:
  - url: http://{defaultHost}
    variables:
      defaultHost:
        default: localhost:3000
security: []
tags:
  - name: Authentication
    description: Admin user login, logout, token refresh, and current user profile
  - name: Allowed Origins
    description: CORS allowlist for storefront and admin client origins
  - name: API Keys
    description: Secret and publishable API keys
  - name: Channels
    description: Sales channels and product publication across channels
  - name: Custom Fields
    description: >-
      Custom field definitions for products, variants, customers, and other
      resources
  - name: Customer Groups
    description: >-
      Customer groups for segmenting customers (e.g. wholesale, VIP) used by
      pricing and promotions
  - name: Customers
    description: Customer profiles, addresses, credit cards, and store credits
  - name: Exports
    description: Async CSV exports of admin resources
  - name: Fulfillments
    description: Order fulfillments — shipments, fulfill, cancel, resume, split
  - name: Gift Cards
    description: Gift cards and gift card batches
  - name: Markets
    description: >-
      Markets — geographic groupings of countries used for pricing, tax, and
      fulfillment rules
  - name: Option Types
    description: >-
      Option types and option values used to build product variants (e.g. Size,
      Color)
  - name: Orders
    description: Orders, order items, applied gift cards, and applied store credits
  - name: Payment Methods
    description: Configured payment providers and their available types
  - name: Payments
    description: Order payments — list, capture, void
  - name: Pricing
    description: >-
      Prices and price lists for currency-, market-, and customer-group-specific
      pricing
  - name: Products
    description: >-
      Products, taxons/categories, product custom field values, and bulk product
      operations
  - name: Promotions
    description: Promotions, promotion rules, promotion actions, and coupon codes
  - name: Refunds
    description: Order refunds
  - name: Settings
    description: Store-level settings — store profile, tags, store credit categories
  - name: Staff
    description: Admin users, roles, and invitations to the store
  - name: Stock Locations
    description: Warehouses and physical fulfillment locations
  - name: Variants
    description: >-
      Product variants — the individual SKUs (size/color combinations) sold
      under a product
  - name: Webhooks
    description: Webhook endpoints and webhook delivery history
paths:
  /api/v3/admin/auth/password_resets/{id}:
    patch:
      tags:
        - Authentication
      summary: Reset password
      description: |
        Consumes a password reset token (the `token` query param from the
        emailed link), sets the new password, and signs the admin in: the
        response carries a JWT access token and the rotatable refresh token is
        set in an HttpOnly cookie. The token is single-use — it invalidates as
        soon as the password changes.
      parameters:
        - name: x-spree-api-key
          in: header
          required: true
          schema:
            type: string
        - name: id
          in: path
          description: The reset token from the emailed link
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                password:
                  type: string
                  example: new-password-123
                password_confirmation:
                  type: string
                  example: new-password-123
              required:
                - password
                - password_confirmation
      responses:
        '200':
          description: password reset
          content:
            application/json:
              example:
                token: >-
                  eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VyX3R5cGUiOiJhZG1pbiIsImp0aSI6IjliNzNlYzliLWUzZmItNGVlZC1iNzdmLTkyODY3ZjRkNWMwYSIsImlzcyI6InNwcmVlIiwiYXVkIjoiYWRtaW5fYXBpIiwiZXhwIjoxNzgzNDU1ODIzfQ.1F880snWFAYKU8h7UMH-sHzf8oXwqcbFKlBOcvy76VY
                user:
                  id: admin_UkLWZg9DAJ
                  email: admin@example.com
                  first_name: Fatimah
                  last_name: Larson
                  full_name: Fatimah Larson
                  selected_locale: null
                  created_at: '2026-07-07T19:23:43.601Z'
                  updated_at: '2026-07-07T19:23:43.884Z'
                  avatar_url: null
                  roles:
                    - id: role_UkLWZg9DAJ
                      name: admin
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '422':
          description: invalid or expired token
          content:
            application/json:
              example:
                error:
                  code: password_reset_token_invalid
                  message: Password reset token is invalid or has expired.
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security:
        - api_key: []
      x-codeSamples:
        - lang: javascript
          label: Spree Admin SDK
          source: >-
            import { createAdminClient } from '@spree/admin-sdk'


            const client = createAdminClient({
              baseUrl: 'https://your-store.com',
              secretKey: 'sk_xxx',
            })


            // The token comes from the emailed link's ?token= param. On success
            the admin

            // is signed in: a JWT comes back and the refresh token is set as an
            HttpOnly cookie.

            const auth = await
            client.auth.resetPassword('reset-token-from-email', {
              password: 'new-password-123',
              password_confirmation: 'new-password-123',
            })
        - lang: bash
          label: Spree CLI
          source: >-
            spree api patch /auth/password_resets/{id} -d
            '{"password":"new-password-123","password_confirmation":"new-password-123"}'
components:
  schemas:
    AuthResponse:
      type: object
      properties:
        token:
          type: string
          description: JWT access token
        user:
          $ref: '#/components/schemas/AdminUser'
      required:
        - token
        - user
    ErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: record_not_found
            message:
              type: string
              example: Record not found
            details:
              type: object
              description: Field-specific validation errors
              nullable: true
              example:
                name:
                  - is too short
                  - is required
                email:
                  - is invalid
          required:
            - code
            - message
      required:
        - error
      example:
        error:
          code: validation_error
          message: Validation failed
          details:
            name:
              - is too short
            email:
              - is invalid
    AdminUser:
      type: object
      properties:
        id:
          type: string
        email:
          type: string
        first_name:
          type: string
          nullable: true
        last_name:
          type: string
          nullable: true
        full_name:
          type: string
          nullable: true
        selected_locale:
          type: string
          nullable: true
        created_at:
          type: string
        updated_at:
          type: string
        avatar_url:
          type: string
          nullable: true
        roles:
          type: array
          items:
            $ref: '#/components/schemas/AdminUserRoleAssignment'
      required:
        - id
        - email
        - first_name
        - last_name
        - full_name
        - selected_locale
        - created_at
        - updated_at
        - avatar_url
        - roles
      x-typelizer: true
    AdminUserRoleAssignment:
      type: object
      description: A role assignment for the current store on a staff member
      properties:
        id:
          type: string
          description: Prefixed role ID
          example: role_abc123
        name:
          type: string
          description: Role name
          example: admin
      required:
        - id
        - name
  securitySchemes:
    api_key:
      type: apiKey
      name: x-spree-api-key
      in: header
      description: Secret API key for admin access

````