The POST /environments/{environmentId}/users/{userId}/password endpoint is called to recover a forgotten password. It sends a one-time-password (OTP) that is used to reset the password. The OTP is a randomly generated eight-character alphanumeric string sent to the user’s email address, and the code is valid for five minutes. This operation uses the application/vnd.pingidentity.password.sendRecoveryCode+json custom media type as the content type in the request header.

The sample shows the POST /environments/{environmentId}/users/{userId}/password operation to recover a password for the user identified by the environment ID and user ID.

If the user exceeds the maximum number of invalid attempts to recover the password while using the recovery OTP, the password status is changed to PASSWORD_LOCKED_OUT. The POST /environments/{environmentId}/users/{userId}/password endpoint is also used to reset the locked-out password using a recovery code. This operation uses the application/vnd.pingidentity.password.recover+json custom media type as the content type in the request header, and it requires the recoveryCode and the newPassword attributes in the request body.