
Password reset

Forgot-password flow, token TTL, what to do if you never had a password.

If you forget your password, hit Forgot password on /login, enter your email, and check your inbox for a reset link.

How it works

  1. We mint a one-shot reset token, store only its SHA-256 hash in the DB, and email you a link with the plaintext.
  2. You click the link → a form asks for a new password.
  3. We hash-compare what's in the URL with the stored hash, mark the token used, and update your password.

The plaintext token never sits in our DB — a database leak doesn't let anyone reset accounts.

Token expiry

  • Valid for 1 hour from the moment the email is sent.
  • Single-use — clicking the link a second time after a successful reset returns "this link has been used".
  • Requesting a new reset email invalidates the previous token.
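The three-step flow above and the expiry rules in this list, as an added example written for this page (not bichito's own code). It assumes an in-memory store standing in for the DB table, unix-timestamp seconds for time, and that the reset link carries the user id alongside the plaintext token; `issue_reset_token` / `redeem_reset_token` are names chosen here. Only the SHA-256 hash of the token is kept, the comparison is constant-time, a record is single-use, expires after one hour, and re-issuing overwrites (invalidates) the earlier token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600  # page: valid for 1 hour from the moment the email is sent


@dataclass
class ResetRecord:
    token_hash: str       # hex SHA-256 of the plaintext token; plaintext is never stored
    expires_at: float     # unix seconds
    used: bool = False


@dataclass
class ResetStore:
    """Constructed stand-in for the DB table; one pending reset per user id."""
    records: Dict[str, ResetRecord] = field(default_factory=dict)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store: ResetStore, user_id: str, now: float) -> str:
    """Step 1: mint a one-shot token, persist only its hash, return the plaintext
    for the emailed link. Overwriting the user's record is what makes a newer
    request invalidate the previous token."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.records[user_id] = ResetRecord(
        token_hash=_hash_token(token),
        expires_at=now + TOKEN_TTL_SECONDS,
    )
    return token


def redeem_reset_token(
    store: ResetStore,
    user_id: str,
    token: str,
    new_password_hash: str,
    now: float,
    users: Dict[str, str],
) -> str:
    """Step 3: hash what came in the URL, compare in constant time against the
    stored hash, enforce single-use and TTL, then mark used and update the
    password. Returns one of: 'invalid', 'used', 'expired', 'ok'."""
    rec: Optional[ResetRecord] = store.records.get(user_id)
    if rec is None:
        return "invalid"
    # hmac.compare_digest avoids a timing side channel on the hash comparison
    if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
        return "invalid"
    if rec.used:
        return "used"          # page: "this link has been used"
    if now >= rec.expires_at:
        return "expired"
    rec.used = True            # single-use: flip before touching the password
    users[user_id] = new_password_hash  # caller supplies an already-hashed password
    return "ok"
```

The password itself is taken as an already-hashed value so the example stays about the token lifecycle; in a real service you would hash it with a password KDF before this point. Marking the record used before writing the password keeps the two-click race closed even if the write fails halfway.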

OAuth-only accounts

If you signed up with Google / GitHub and never set a password, the forgot-password flow still works — entering a new password on the reset form adds a password to your account. Going forward you can sign in with either method.

Rate limits

POST /auth/forgot-password is throttled to 5 requests per hour for each submitted email address. We never disclose whether the email exists in our system — the response is the same for "we sent you a link" and "no such account", so an attacker can't enumerate users.
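The throttle and the uniform response described above, as an added example for this page (not bichito's own handler). It assumes a sliding one-hour window keyed by the normalised submitted address, that a throttled request is silently dropped rather than answered differently, and a caller-supplied `send_email` callback; `ForgotPasswordHandler` is a name chosen here.

```python
from collections import deque
from typing import Callable, Deque, Dict, Iterable

WINDOW_SECONDS = 3600
MAX_PER_WINDOW = 5  # page: 5 requests / hour per submitted email

# One string for every outcome: sent, unknown address, or throttled.
GENERIC_RESPONSE = "If an account exists for that address, we've emailed a reset link."


class ForgotPasswordHandler:
    def __init__(self, known_emails: Iterable[str], send_email: Callable[[str], None]):
        self.known = {self._norm(e) for e in known_emails}
        self.send_email = send_email
        self.hits: Dict[str, Deque[float]] = {}  # per-address request timestamps

    @staticmethod
    def _norm(email: str) -> str:
        # Key the limiter on a normalised form so case/whitespace variants share a bucket.
        return email.strip().lower()

    def _allowed(self, key: str, now: float) -> bool:
        """Sliding-window check: keep timestamps from the last hour, refuse the 6th."""
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_PER_WINDOW:
            return False
        q.append(now)
        return True

    def handle(self, email: str, now: float) -> str:
        key = self._norm(email)
        allowed = self._allowed(key, now)  # counted whether or not the address exists
        if allowed and key in self.known:
            self.send_email(key)
        return GENERIC_RESPONSE
```

Because the limiter counts every submission, not just ones that match an account, the throttle state itself says nothing about whether an address is registered. One caveat a uniform response body does not cover: if sending the email happens inline, the known-address path takes measurably longer; queue the send instead so response latency is the same on both paths.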

Lost everything (no email access, no password)

If you've lost access to both the email and the password, we can't recover the account through the standard flow. Get in touch from any address you've used with us before; we'll verify ownership manually and reset your access.
