If the user exceeds the maximum number of invalid attempts to recover the password while using the recovery OTP, the password status is changed to the PASSWORD_LOCKED_OUT. The POST /environments/{environmentId}/users/{userId}/password endpoint is also used to reset the locked-out password using a recovery code. This operation uses the application/vnd.pingidentity.password.recover+json custom media type as the content type in the request header, and it requires the recoveryCode and the newPassword attributes in the request body.