Consume a reset token and set a new password
Validates the reset token from `POST /v1/auth/forgot-password`,
sets a new password (hashed with bcrypt cost 12), and clears the
token so it cannot be reused. The new password must satisfy the
same strength rules as signup (returns `400 WEAK_PASSWORD` if
not). The user must log in again after resetting — no JWT is
issued in the response.
Rate-limited to 20 requests per minute per source IP.
Request
This endpoint expects an object.
token
Reset token from the password-reset email. Single-use.
password
New password. Must satisfy the workspace password policy.
Response
Password updated successfully
message
Human-readable confirmation message
Errors
400
Reset Password Request Bad Request Error
429
Reset Password Request Too Many Requests Error