User authentication in Arcadier is based on token-driven access control. All protected API endpoints require a valid authorization token issued upon successful authentication.
Password management supports two primary operational scenarios: forgotten password recovery and credential update for known passwords.
Forgotten Password Reset
When a user has forgotten their password, the reset process requires two separate API interactions to ensure secure identity verification.
The reset workflow typically follows this sequence:
- The user initiates a password reset request.
- The Reset User Password API triggers the reset process and identity verification mechanism.
- The Update User Password API is invoked to finalize and persist the new password.
This two-step process ensures that credential recovery follows controlled verification procedures before allowing password modification.
Changing a Known Password
If a user knows their current password and wishes to update it, only the Update User Password API is required. In this scenario:
- No reset token or identity recovery process is initiated.
- The system validates the existing password.
- The new password is updated upon successful validation.
This flow is simpler because identity verification has already been established through authenticated access.
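The two flows above (reset followed by update, and update with a known password) can be modeled as a small in-memory service. This is an added example, not Arcadier's code or API: the class, method names, parameters, token lifetime and hashing choices are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 900  # assumed reset-token lifetime in seconds (not from the page)

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordService:
    """Hypothetical in-memory model of both password flows."""
    def __init__(self):
        self.users = {}   # user_id -> (salt, password_hash)
        self.resets = {}  # user_id -> (sha256(reset_token), expiry)

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _hash_pw(password, salt))

    def reset_password(self, user_id, now=None):
        """Step 1 of the forgotten-password flow: issue a reset token."""
        if user_id not in self.users:
            return None  # the caller-visible response should not reveal this
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.resets[user_id] = (digest, now + RESET_TTL)  # store only the hash
        return token  # delivered out of band, e.g. by e-mail (assumption)

    def update_password(self, user_id, new_password, *, reset_token=None,
                        old_password=None, now=None):
        """Step 2 of the reset flow, or the whole known-password flow."""
        if user_id not in self.users:
            return False
        now = time.time() if now is None else now
        if reset_token is not None:
            # pop() makes the token single use, even when the attempt fails
            digest, expiry = self.resets.pop(user_id, (b"", 0))
            presented = hashlib.sha256(reset_token.encode()).digest()
            ok = now < expiry and hmac.compare_digest(digest, presented)
        elif old_password is not None:
            salt, stored = self.users[user_id]
            ok = hmac.compare_digest(stored, _hash_pw(old_password, salt))
        else:
            ok = False  # neither proof of identity supplied
        if ok:
            self.set_password(user_id, new_password)
            self.resets.pop(user_id, None)  # drop any outstanding reset token
        return ok
```
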