Consume a reset token and set a new password

Validates the reset token from `POST /v1/auth/forgot-password`, sets a new password (hashed with bcrypt cost 12), and clears the token so it cannot be reused. The new password must satisfy the same strength rules as signup (returns `400 WEAK_PASSWORD` if not). The user must log in again after resetting — no JWT is issued in the response. Rate-limited to 20 requests per minute per source IP.

Request

This endpoint expects an object.
tokenstringRequired

Reset token from the password-reset email. Single-use.

passwordstringRequired>=8 characters
New password. Must satisfy the workspace password policy.

Response

Password updated successfully
messagestring

Human-readable confirmation message

Errors

400
Reset Password Request Bad Request Error
429
Reset Password Request Too Many Requests Error