How do I reset a user's password?
Short answer
Section titled “Short answer”On the user detail page, Password section, you have two options: set a new password directly (optionally e-mailing it to the user) or send a reset link to the address on file, letting the user choose their own password. If someone has locked themselves out of two-factor sign-in, reset 2FA in the Two-Factor section.
Requirements
Section titled “Requirements”Instructions
Section titled “Instructions”-
Open a user. Administration → User Management → click a user.
-
Set a password. In the Password section, enter a new password (or have a secure 14-character one generated) and click “Set password”. If you also enable “E-mail the new password to the user”, the user receives the password via a secure one-time link — never in plain text.
Screenshot pendingadmin-benutzer-05Password section on the user detail page, with 'Set password' and 'Send reset link'Set a password directly, invite by e-mail, or send a reset link. -
Alternative: send a reset link. With “Send reset link”, the user receives an e-mail through which they set a new password themselves.
-
Reset 2FA (in case of lockout). In the Two-Factor section, use “Disable 2FA” to remove all of the user’s authenticator devices — for example, after a lost device.
Set a password directly (optionally as a one-time link by e-mail):
curl -X POST https://demo.notory.io/api/v1/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055/password \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "new_password": "Neues-Kennwort-2026", "send_email": false }'Send a reset link (the user chooses their own password):
curl -X POST https://demo.notory.io/api/v1/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055/password-reset-link \ -H "Authorization: Bearer inv_dein_token"Reset two-factor (remove all devices):
curl -X DELETE https://demo.notory.io/api/v1/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055/totp \ -H "Authorization: Bearer inv_dein_token"Possible errors: 403 (not an administrator), 404 (user not in your own tenant),
422 (password shorter than 8 characters), 503 (e-mail requested, but no SMTP
configured), 502 (e-mail could not be delivered).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Mandatory password change. If an administrator sets a password directly, Notory flags the account as “password change required”: at the next login, the user must choose a password of their own before they can use the app. So the password an administrator sets directly is just a transport secret.
- No plain text by e-mail. With “send by e-mail”, the password lands on a One-Time-Secret instance; the e-mail contains only the one-time link (“Show password”), which expires after being opened once. If no one-time-link service is reachable, Notory falls back to a reset link — never to plain text.
- The reset token is single-use and time-limited. The reset link contains a single-use, time-limited token. It becomes invalid after expiry or use.
- Argon2id. Every new password is hashed with Argon2id; plain text is never
stored. Every password change creates an audit log entry (
password_change). - Self-service reset. Whether users may request a reset link themselves from the login screen is controlled centrally (instance setting “Self-service password reset”). To prevent account enumeration, Notory always responds neutrally either way.
- 2FA reset. Disabling removes all devices and resets
totp_enabled. If 2FA is enforced, the user is guided through setup again at their next login.
Related topics
Section titled “Related topics”- Create a user — including invitation during onboarding
- Deactivate or delete a user
- Branding — login & security — self-service reset and mandatory 2FA