Magic link for reset password

Hi there,
is there a way to check if the token as expired from a password reset link before submitting the reset password request?
Currently I have my reset password screen, but if the token is expired I’d like to show a message to the user before they try to change their password and their request fails

Hey Gabriel – thanks for posting!

We don’t currently provide a way to check whether or not a password reset token is valid before calling our /passwords/email/reset endpoint, though I’ll raise that with our team as a feature request. I can certainly see how that would be useful.

As a workaround, one idea would be to pass a timestamp of the current time as a query parameter on your reset_password_redirect_url value when calling our /passwords/email/reset/start endpoint. You could then grab the timestamp after the redirect back to your application, determine whether or not the token has expired, and then decide whether or not to surface an error. Note that this would not cover the case where a token is invalid rather than expired (for example, if it has already been used).

If you do choose to implement this, you’ll need to add a query parameter template to your allowlisted redirect URL in the Stytch Dashboard. For example:{}

I’ll raise this with our team so that we can hopefully support this use case in the future!

Another (perhaps better) workaround would be to call our /passwords/email/reset endpoint with an empty string as the password value upon receiving the redirect. If the token is invalid, you’ll receive an unable_to_auth_magic_link error and can surface an error instead of collecting a password from the user.

If the token is valid, you’ll receive a weak_password error, and can then collect the new password from the user and call the /passwords/email/reset endpoint again.

The benefit of this workaround over the previous one that I mentioned is that cases where tokens are invalid (rather than expired) will be handled as well.