Authentication

Password Reset Emails

Send secure password reset links with time-limited tokens.

How it works

1. Generate Secure Token

Create a signed JWT token with user ID and expiry (15 to 60 minutes).

2. Send Reset Link

Send an email with a secure link containing the reset token.

3. Handle Callback

Validate the token, allow password change, and invalidate the token immediately.

Capabilities

Signed Tokens

Use JWT or a similar signed format to create tamper-evident reset links.

Configurable Expiry

Set token expiry from 15 to 60 minutes to balance security against convenience.

One-Time Use

Invalidate tokens after use to prevent replay attacks.

Branded Templates

Use custom HTML templates for consistent brand experience.

Password Reset Flow

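```typescript
import jwt from 'jsonwebtoken';

// Fail fast when the signing secret is missing instead of passing undefined to jwt.sign.
const secret = process.env.JWT_SECRET;
if (!secret) {
    throw new Error('JWT_SECRET is not set');
}
const JWT_SECRET: string = secret;

// Signed, time-limited token. One-time use still needs server-side state at redemption.
function generateResetToken(userId: string): string {
    return jwt.sign({ userId }, JWT_SECRET, { expiresIn: '30m' });
}

async function sendPasswordResetEmail(email: string, userId: string): Promise<void> {
    const token = generateResetToken(userId);
    const resetLink = `https://yourdomain.com/reset?token=${token}`;

    const response = await fetch('https://api.xmit.sh/email/send', {
        method: 'POST',
        headers: {
            'Authorization': 'Bearer YOUR_API_KEY',
            'Content-Type': 'application/json',
        },
        body: JSON.stringify({
            to: email,
            from: 'noreply@yourdomain.com',
            subject: 'Reset Your Password',
            html: `<p>Click the link below to reset your password:</p>
                <a href="${resetLink}" style="display:inline-block;padding:12px 24px;background:#3b82f6;color:white;text-decoration:none;border-radius:6px;">Reset Password</a>
                <p>This link expires in 30 minutes.</p>`,
        }),
    });

    // Surface delivery failures to the caller instead of silently dropping them.
    if (!response.ok) {
        throw new Error(`Reset email request failed with status ${response.status}`);
    }
}
```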
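The flow above covers steps 1 and 2; step 3 (validate the token, then invalidate it immediately) is sketched here as an added example that is not Transmit's code. It uses Node's built-in `crypto` rather than `jsonwebtoken` so it runs stand-alone, and `issueResetToken`, `redeemResetToken` and the in-memory `pendingResets` map are hypothetical names.

```typescript
import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto';

// Assumption: in-memory store for illustration; use a shared database or cache in production.
const pendingResets = new Map<string, string>(); // jti -> userId

const b64url = (data: string | Buffer) => Buffer.from(data).toString('base64url');
const hmac = (input: string, secret: string) =>
    createHmac('sha256', secret).update(input).digest();

// Hypothetical helper: issue an HS256 token with a unique jti that is recorded server-side.
function issueResetToken(userId: string, secret: string, ttlSeconds: number, now = Date.now()): string {
    const jti = randomUUID();
    const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
    const payload = b64url(JSON.stringify({ userId, jti, exp: Math.floor(now / 1000) + ttlSeconds }));
    pendingResets.set(jti, userId);
    return `${header}.${payload}.${b64url(hmac(`${header}.${payload}`, secret))}`;
}

// Hypothetical helper: returns the userId for a valid, unused token, otherwise null.
function redeemResetToken(token: string, secret: string, now = Date.now()): string | null {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const [header, payload, signature] = parts;
    // Check the signature in constant time before trusting any field of the token.
    const expected = hmac(`${header}.${payload}`, secret);
    const given = Buffer.from(signature, 'base64url');
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    try {
        // Pin the algorithm instead of accepting whatever the header declares.
        if (JSON.parse(Buffer.from(header, 'base64url').toString()).alg !== 'HS256') return null;
        const claims = JSON.parse(Buffer.from(payload, 'base64url').toString()) ?? {};
        if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
        if (typeof claims.jti !== 'string' || typeof claims.userId !== 'string') return null;
        // One-time use: the jti must still be pending, and is consumed on first success.
        if (pendingResets.get(claims.jti) !== claims.userId) return null;
        pendingResets.delete(claims.jti);
        return claims.userId;
    } catch {
        return null;
    }
}
```

Call `redeemResetToken` before accepting the new password, so a replayed link fails even while its expiry is still in the future.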

Frequently Asked Questions

How secure are password reset tokens?

Use signed JWT tokens with expiry, store them server-side if needed, invalidate after use, and only send them in response to a user-initiated request from their session.

Can I add additional security requirements?

Yes, combine password reset with email verification, require the user to confirm their email before sending the link, or add CAPTCHA for suspicious activity.

What if the token is stolen?

Tokens expire in 15 to 60 minutes and are one-time use. Monitor for suspicious patterns like multiple reset requests and add CAPTCHA or rate limiting.