
Passwords

Forte supports password-based sign-in alongside OTP and Google OAuth. Users can optionally set a password during sign-up (or later) and then sign in with any of their verified contact methods plus that password. OTP login remains available regardless of whether a password is set, so users always have a recovery path.

Client-side API

The flows on this page are part of Forte's client-side API (forte.users.*). Call them from your frontend — Forte sets the Forte-User-Session-Token cookie on successful responses. Never call these from code that holds FORTE_API_TOKEN.

Enabling Password Login

Toggle Password login on under your project's authentication settings. While there, choose:

  • Strength rules — minimum length plus optional requirements for uppercase letters, lowercase letters, digits, and symbols.
  • Reset behaviour — either Send a new password or Send a reset link (see Password Reset below).

When reset behaviour is Send a reset link, you must also set a reset link target URL — the page on your site that handles the new-password form.

Strength Rules

When set, strength rules apply on:

  • Sign-up (the password field on forte.users.register),
  • Self-service change (forte.users.changePassword),
  • Resets that complete with a user-chosen password (forte.users.completePasswordReset),
  • Admin force-set in sandbox projects.

Forte enforces a hard floor of 6 characters and a ceiling of 128. Project-configured minLength is clamped into that range.
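A client-side pre-check that mirrors these rules lets the form explain a rejection before the server returns PASSWORD_TOO_WEAK. This is an added example, not Forte's code: the StrengthRules field names, the ASCII character classes and the UTF-16 length count are assumptions, and Forte's server-side check remains authoritative.

```typescript
// Added example (not Forte's code). Field names below are hypothetical; the
// page only names the rule kinds, the 6-character floor and the 128 ceiling.
interface StrengthRules {
  minLength: number;
  requireUppercase?: boolean;
  requireLowercase?: boolean;
  requireDigit?: boolean;
  requireSymbol?: boolean;
}

const HARD_FLOOR = 6;
const HARD_CEILING = 128;

// Clamp the project-configured minimum into [6, 128], as the page describes.
function effectiveMinLength(configured: number): number {
  if (isNaN(configured)) return HARD_FLOOR;
  return Math.min(HARD_CEILING, Math.max(HARD_FLOOR, Math.floor(configured)));
}

// Returns the unmet requirements; an empty array means the password passes.
function checkPassword(password: string, rules: StrengthRules): string[] {
  const unmet: string[] = [];
  const min = effectiveMinLength(rules.minLength);
  // Assumption: length is counted in UTF-16 code units, as String.length does.
  if (password.length < min) unmet.push("at least " + min + " characters");
  if (password.length > HARD_CEILING) unmet.push("at most " + HARD_CEILING + " characters");
  // Assumption: ASCII classes; a symbol is anything that is not a letter or digit.
  if (rules.requireUppercase && !/[A-Z]/.test(password)) unmet.push("an uppercase letter");
  if (rules.requireLowercase && !/[a-z]/.test(password)) unmet.push("a lowercase letter");
  if (rules.requireDigit && !/[0-9]/.test(password)) unmet.push("a digit");
  if (rules.requireSymbol && !/[^A-Za-z0-9]/.test(password)) unmet.push("a symbol");
  return unmet;
}
```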

Sign Up With a Password

Pass password on the register call. The user is registered with the password already set — they can sign in with it as soon as their contact method is verified.

typescript
const result = await forte.users.register({
  projectId,
  email: "alice@example.com",
  password: "correct-horse-battery-staple",
});
 
// result.userObject.hasPassword === true

Errors you may see:

  • PASSWORD_LOGIN_NOT_ENABLED — the project doesn't have password login turned on yet.
  • PASSWORD_TOO_WEAK — the password doesn't meet the project's strength rules.

Sign In With a Password

forte.users.passwordLogin takes a single contactValue — Forte auto-detects whether it's an email or phone number. The contact method must be verified.

typescript
const result = await forte.users.passwordLogin({
  projectId,
  passwordLoginRequest: {
    contactValue: "alice@example.com",
    password: "correct-horse-battery-staple",
  },
});
 
// result.userObject — the authenticated user
// result.sessionToken.sessionToken — set automatically as a cookie

Errors:

  • INVALID_CREDENTIALS — wrong password, no user, or the contact method isn't verified. Forte returns the same error for all three (and matches response timing) to prevent account enumeration.
  • PASSWORD_LOGIN_NOT_ENABLED — the project doesn't have password login turned on.
  • THROTTLED — too many failed attempts from your IP within 15 minutes. Try again later.

Changing a Password (Self-Service)

An authenticated user can change their own password by calling forte.users.changePassword with their current password plus the new one. If the user has no password yet (first set), currentPassword may be omitted.

typescript
await forte.users.changePassword({
  projectId,
  changePasswordRequest: {
    currentPassword: "old-pw",
    newPassword: "new-stronger-pw",
  },
});

On success, the user's current session stays valid; every other session for that user is revoked.

Password Reset

When a user clicks "Forgot password?" your frontend calls forte.users.requestPasswordReset({ contactValue }). Forte looks up the user and dispatches a reset notification to their first verified contact method.

The exact contents of that notification depend on your project's reset mode:

Mode 1: Send a New Password

Forte generates a 16-character alphanumeric password, sets it on the user (revoking all existing sessions), and emails or texts it to them. The user then signs in with that generated password. Your project's email template should advise the user to change it.

Mode 2: Send a Reset Link

Forte mints a single-use reset token (30-minute expiry) and dispatches a link in the form:

https://app.example.com/reset-password?pwdResetToken=<token>

Your frontend reads pwdResetToken from the query string, asks the user for a new password, and calls forte.users.completePasswordReset:

typescript
const params = new URLSearchParams(window.location.search);
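const token = params.get("pwdResetToken");
// params.get returns null when the parameter is absent; stop before calling Forte.
if (!token) {
  throw new Error("Missing pwdResetToken in the reset link");
}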
 
const result = await forte.users.completePasswordReset({
  projectId,
  completePasswordResetRequest: {
    token,
    newPassword: "the-user-chose-this",
  },
});
 
// User is signed in immediately — session token is set in the cookie.
console.log("Welcome back,", result.userObject.fullName);

If the token has expired, been used, or has more than 5 failed attempts, Forte returns INVALID_RESET_TOKEN. The new password must satisfy the project's strength rules or Forte returns PASSWORD_TOO_WEAK.
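Because the token arrives in the query string, it stays in the address bar and browser history, and can be sent in Referer headers depending on the page's referrer policy, until the page removes it. The helper below is an added example, not Forte's code, that extracts pwdResetToken and returns the same URL without it; only the parameter name comes from this page, and the function, type and sample values are hypothetical.

```typescript
// Added example (not Forte's code). Only the pwdResetToken parameter name
// comes from the page; function and type names are hypothetical.
const RESET_PARAM = "pwdResetToken";

interface ResetLink {
  token: string | null; // null when the link carries no usable token
  cleanedUrl: string;   // same URL with every pwdResetToken value removed
}

function takeResetToken(href: string): ResetLink {
  const url = new URL(href);
  const values = url.searchParams.getAll(RESET_PARAM);
  url.searchParams.delete(RESET_PARAM);
  // Accept exactly one non-empty value; treat duplicates as a malformed link
  // rather than guessing which one the server issued.
  const only = values.length === 1 ? values[0] : undefined;
  return { token: only ? only : null, cleanedUrl: url.toString() };
}

// Browser usage (assumption: runs before analytics or third-party scripts load):
//   const { token, cleanedUrl } = takeResetToken(window.location.href);
//   window.history.replaceState(null, "", cleanedUrl);
//   if (token === null) { /* show "request a new link" instead of the form */ }

// Constructed sample links.
const SAMPLE_OK = "https://app.example.com/reset-password?pwdResetToken=tok_sample123&lang=en#form";
const SAMPLE_DUP = "https://app.example.com/reset-password?pwdResetToken=a&pwdResetToken=b";
```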

Request Behaviour

requestPasswordReset always returns 204 regardless of whether the user exists, the contact method is verified, or the request was throttled — preventing account enumeration. Internally Forte rate-limits per user to one request every 60 seconds.

Customizing the Reset Notification

The reset notification has one template — Forte renders either {{newPassword}} or {{resetUrl}} depending on the active mode. You can write a single template that handles both modes using Mustache sections:

mustache
{{#newPassword}}Your new password is {{newPassword}}. Please change it after signing in.{{/newPassword}}
{{#resetUrl}}Reset your password: {{resetUrl}} (expires in 30 minutes).{{/resetUrl}}

Available variables: {{newPassword}}, {{resetUrl}}, {{projectName}}, {{userFullName}}, {{contactValue}}.

Customize the subject, HTML body, and SMS body under Notifications → Password reset in project settings. Leave fields blank to use Forte's built-in defaults.

Admin Operations

In the console, open a user's detail page to see the Authentication card:

  • Reset password — runs the same flow as forte.users.requestPasswordReset but on behalf of the admin. Available on every project.
  • Force set password — sandbox projects only. Lets the admin type a specific password directly. Revokes all of the user's existing sessions. Useful for end-to-end testing.

Both actions are audited in the user's action logs (PASSWORD_ADMIN_RESET and PASSWORD_ADMIN_FORCE_SET).

Error Codes

| Error code | Meaning |
| --- | --- |
| PASSWORD_LOGIN_NOT_ENABLED | Password login is off on this project. |
| PASSWORD_TOO_WEAK | Password fails the project's strength rules. |
| INVALID_CREDENTIALS | Password mismatch or no user/verified contact for the supplied value. |
| INVALID_RESET_TOKEN | Reset token is missing, expired, consumed, or has too many failed attempts. |
| PASSWORD_CONFIG_INVALID | Project's password configuration isn't valid (e.g. missing reset mode). |
| PASSWORD_RESET_TARGET_URL_REQUIRED | Reset mode is Send a reset link but no target URL is set. |
| SANDBOX_MODE_REQUIRED | Tried to force-set a password on a non-sandbox project. |
| THROTTLED | Too many recent failed login attempts from this IP. |
