The reset email delivery setup below (provider, sender, template, redirect URL) is configured under theemail:key ofstartApp. To run code on related auth events, register callbacks underauth:— see Auth Hooks.
Configuration
Configure password reset emails in your server setup:redirectUrl is the page in your app where the user enters their new password. Modelence redirects here after validating the token and storing it in an httpOnly cookie, so this URL never carries the token. This is also where you call resetPassword({ password }).
How It Works
- User requests a password reset by providing their email
- A secure reset token is generated, hashed, and stored in the database (only the hash is stored, never the raw token)
- An email with a reset link is sent to the user
- The link points at a Modelence server route, not your SPA page. That route validates the token, stores it in a short-lived
httpOnlycookie, and redirects to your configuredredirectUrlwithout the token in the URL - On that page, the user enters their new password and you call
resetPassword({ password })— the token is read server-side from the cookie, so it never reaches client JavaScript - Password is updated and the token is invalidated (single-use)
- If the user’s email was not yet verified, it is automatically marked as verified
The reset token never reaches your client code or appears in a browser URL — it is exchanged server-side through an
httpOnly cookie. This closes the window where a token could leak via the address bar, browser history, or the Referer header.The token cookie is sent with credentialed requests, so it works even when your SPA and Modelence API are on different origins. For that cross-origin case, the API must respond with
Access-Control-Allow-Credentials: true and a specific (non-wildcard) allowed origin, otherwise the browser drops the cookie and the reset fails.Base URL requirement
The reset email link is built from your site’s base URL, so you must set it via the_system.site.url config (or the MODELENCE_SITE_URL environment variable). If it isn’t set, sending a reset token fails with a clear error rather than emailing a broken link.
Client Implementation
Request Password Reset
Reset Password
The user lands on yourredirectUrl page after clicking the email link. The token is already held in an httpOnly cookie, so you only collect the new password — don’t pass a token: