Change Password
const url = 'https://example.com/api/auth/change-password';
const options = {
  method: 'POST',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  body: '{"current_password":"example","new_password":"example"}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://example.com/api/auth/change-password \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{ "current_password": "example", "new_password": "example" }'

Change the authenticated user’s password.
Authenticated endpoint — requires the current password and a new password of at least 8 characters.
Authorizations
Request Body required
object
Example generated
{
  "current_password": "example",
  "new_password": "example"
}
Responses
Successful Response
Response from POST /auth/change-password.
The change-password endpoint does NOT re-issue a full LoginResponse
(which requires access_token + user). It returns a minimal
{"changed": true} body, optionally accompanied by a fresh
access_token when a JWT service is available. Refresh tokens are
set as HttpOnly cookies (D6 fix, May 2026), never returned in the body.
NOTE: this model corrects the response_model mismatch introduced when
response_model=LoginResponse was added in the May 8 audit agents
commit — LoginResponse’s required fields would force a 500 on every
successful password change.
object
Example generated
{
  "changed": true,
  "access_token": "example"
}
Validation Error
object
object
object
Example generated
{
  "detail": [
    {
      "loc": [ "example" ],
      "msg": "example",
      "type": "example",
      "input": "example",
      "ctx": {}
    }
  ]
}
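
Client-side handling of the response contract described above (minimal {"changed": true} body, optional access_token, refresh token only in the HttpOnly cookie, validation errors under detail), as an added example that is not part of the original page or the project's code. The names interpretChangePassword and changePassword, the injected fetchImpl parameter and the refresh_token field name are assumptions.

```javascript
// Added example; not the project's own client code.
const MIN_PASSWORD_LENGTH = 8; // minimum stated on this page

// Pure step: map an HTTP status and parsed JSON body to a result object.
function interpretChangePassword(status, body) {
  const result = { changed: false, accessToken: null, problems: [] };
  const success = status >= 200 && status < 300;
  if (!success && Array.isArray(body?.detail)) {
    // Validation Error shape from this page: { detail: [{ loc, msg, type, ... }] }
    result.problems = body.detail.map(d => `${(d.loc ?? []).join('.')}: ${d.msg}`);
    return result;
  }
  if (!success || body?.changed !== true) {
    result.problems.push(`unexpected response (HTTP ${status})`);
    return result;
  }
  result.changed = true;
  // access_token is optional: only replace the stored token when one is issued.
  if (typeof body.access_token === 'string') result.accessToken = body.access_token;
  // Refresh tokens belong in the HttpOnly cookie. "refresh_token" is an assumed
  // field name (not on this page); seeing it in the body is worth reporting.
  if ('refresh_token' in body) result.problems.push('refresh token present in response body');
  return result;
}

// fetchImpl is injected (hypothetical parameter) so the function can be tested offline.
async function changePassword(fetchImpl, baseUrl, token, currentPassword, newPassword) {
  if (typeof newPassword !== 'string' || newPassword.length < MIN_PASSWORD_LENGTH) {
    return { changed: false, accessToken: null,
             problems: [`new_password must be at least ${MIN_PASSWORD_LENGTH} characters`] };
  }
  const response = await fetchImpl(`${baseUrl}/api/auth/change-password`, {
    method: 'POST',
    credentials: 'include', // cross-origin callers need this for the cookie to be stored
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ current_password: currentPassword, new_password: newPassword }),
  });
  const body = await response.json().catch(() => null);
  return interpretChangePassword(response.status, body);
}
```

In a browser, pass fetch as fetchImpl and keep the returned accessToken in memory only when it is non-null; the previous token stays in use otherwise.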