Confirm a password reset code and set a new password
POST /auth/forgot-password/confirm
Calls Cognito ConfirmForgotPassword. On password-policy failure the response includes the tenant's active policy plus a human-readable message so the SPA can surface the rules. Unknown emails return { ok: true } for enumeration safety.
Request
Responses
- 200: Password reset (or unknown user — response is identical for enumeration safety).
- 400: Bad request: missing fields, invalid/expired code, password policy violation (returns policy + message), or other reset failure.
- 429: Cognito rate limit hit.
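The response mapping described above, sketched as an added example (not this service's code). The body field names (`error`, `policy`, `message`), the policy shape, the choice of which Cognito exceptions count as a rate limit, and the injected `confirmFn` that stands in for the Cognito call are all assumptions.

```javascript
// Added example, not the service's code. Body field names and the policy shape
// are assumptions; the page does not publish a response schema.
const RATE_LIMIT = new Set(["TooManyRequestsException", "LimitExceededException"]);

// Constructed sample policy; a real one would be read per tenant.
const SAMPLE_POLICY = { minLength: 12, requireUppercase: true, requireNumbers: true, requireSymbols: false };

function describePolicy(p) {
  const rules = [`at least ${p.minLength} characters`];
  if (p.requireUppercase) rules.push("an uppercase letter");
  if (p.requireNumbers) rules.push("a number");
  if (p.requireSymbols) rules.push("a symbol");
  return `Password must contain ${rules.join(", ")}.`;
}

// Maps a ConfirmForgotPassword outcome (null = success) to the documented response.
function toResponse(err, policy = SAMPLE_POLICY) {
  // Unknown user gets the same status and body as a successful reset.
  if (!err || err.name === "UserNotFoundException") return { status: 200, body: { ok: true } };
  if (RATE_LIMIT.has(err.name)) return { status: 429, body: { error: "rate_limited" } };
  if (err.name === "InvalidPasswordException") {
    return { status: 400, body: { error: "password_policy", policy, message: describePolicy(policy) } };
  }
  // Invalid/expired code and every other failure share one generic 400;
  // the raw Cognito error message is never echoed to the client.
  return { status: 400, body: { error: "reset_failed" } };
}

// confirmFn stands in for the Cognito ConfirmForgotPassword call (it would add
// ClientId) and must reject with an Error whose .name is the exception name.
async function confirmReset(body, confirmFn, policy = SAMPLE_POLICY) {
  const { email, code, password } = body || {};
  const present = [email, code, password].every((v) => typeof v === "string" && v.length > 0);
  if (!present) return { status: 400, body: { error: "missing_fields" } };
  try {
    await confirmFn({ Username: email, ConfirmationCode: code, Password: password });
    return toResponse(null, policy);
  } catch (err) {
    return toResponse(err, policy);
  }
}
```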